feat: add support got groups_allowlist in job_token_scope

TimKnight-DWP · TimKnight-DWP · commit 9f364445fab4 · 2024-03-05T13:37:36.000Z
Signed-off-by: Tim Knight &lt;tim.knight1@engineering.digital.dwp.gov.uk&gt;
diff --git a/docs/gl_objects/job_token_scope.rst b/docs/gl_objects/job_token_scope.rst
@@ -69,3 +69,24 @@ Remove a project from the project's inbound allowlist::
    Similar to above, the ID attributes you receive from the create and list
    APIs are not consistent. To safely retrieve the ID of the allowlisted project
    regardless of how the object was created, always use its ``.get_id()`` method.
+
+Get a project's CI/CD job token inbound groups allowlist::
+
+    allowlist = scope.groups_allowlist.list()
+
+Add a project to the project's inbound groups allowlist::
+
+    allowed_project = scope.groups_allowlist.create({"target_project_id": 42})
+
+Remove a project from the project's inbound agroups llowlist::
+
+    allowed_project.delete()
+    # or directly using a Group ID
+    scope.groups_allowlist.delete(42)
+
+.. warning::
+
+   Similar to above, the ID attributes you receive from the create and list
+   APIs are not consistent. To safely retrieve the ID of the allowlisted group
+   regardless of how the object was created, always use its ``.get_id()`` method.
+
diff --git a/gitlab/v4/objects/job_token_scope.py b/gitlab/v4/objects/job_token_scope.py
@@ -24,6 +24,7 @@ class ProjectJobTokenScope(RefreshMixin, SaveMixin, RESTObject):
     _id_attr = None
 
     allowlist: "AllowlistedProjectManager"
+    groups_allowlist: "AllowlistedGroupManager"
 
 
 class ProjectJobTokenScopeManager(GetWithoutIdMixin, UpdateMixin, RESTManager):
@@ -54,3 +55,23 @@ class AllowlistedProjectManager(ListMixin, CreateMixin, DeleteMixin, RESTManager
     _obj_cls = AllowlistedProject
     _from_parent_attrs = {"project_id": "project_id"}
     _create_attrs = RequiredOptional(required=("target_project_id",))
+
+
+class AllowlistedGroup(ObjectDeleteMixin, RESTObject):
+    _id_attr = "target_group_id"  # note: only true for create endpoint
+
+    def get_id(self) -> int:
+        """Returns the id of the resource. This override deals with
+        the fact that either an `id` or a `target_project_id` attribute
+        is returned by the server depending on the endpoint called."""
+        try:
+            return cast(int, getattr(self, self._id_attr))
+        except AttributeError:
+            return cast(int, getattr(self, "id"))
+
+
+class AllowlistedGroupManager(ListMixin, CreateMixin, DeleteMixin, RESTManager):
+    _path = "/projects/{project_id}/job_token_scope/groups_allowlist"
+    _obj_cls = AllowlistedProject
+    _from_parent_attrs = {"project_id": "project_id"}
+    _create_attrs = RequiredOptional(required=("target_group_id",))
diff --git a/tests/functional/api/test_project_job_token_scope.py b/tests/functional/api/test_project_job_token_scope.py
@@ -1,6 +1,3 @@
-import pytest
-
-
 def test_add_project_to_job_token_scope_allowlist(gl, project):
     project_to_add = gl.projects.create({"name": "Ci_Cd_token_add_proj"})
 
@@ -44,16 +41,30 @@ def test_remove_project_by_id_from_projects_job_token_scope_allowlist(gl, projec
     project_to_add.delete()
 
 
-@pytest.mark.xfail(reason="Group allowlist not yet implemented")
 def test_add_group_to_job_token_scope_allowlist(gl, project):
     group_to_add = gl.groups.create(
         {"name": "Ci_Cd_token_add_proj", "path": "allowlisted"}
     )
 
     scope = project.job_token_scope.get()
-    resp = scope.allowlist.create({"target_project_id": group_to_add.id})
+    resp = scope.groups_allowlist.create({"target_project_id": group_to_add.id})
 
     assert resp.id == group_to_add.id
     assert resp.name == group_to_add.name
 
     group_to_add.delete()
+
+
+def test_projects_job_token_scope_groups_allowlist_contains_added_group_name(
+    gl, project
+):
+    scope = project.job_token_scope.get()
+    group_name = "Ci_Cd_token_named_group"
+    group_to_add = gl.groups.create({"name": group_name, "path": "allowlisted"})
+
+    scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    scope.refresh()
+    assert any(allowed.name == group_name for allowed in scope.groups_allowlist.list())
+
+    group_to_add.delete()
