[pat] Update Personal Access Token

easyCZ · roboquat · commit 56428450228f · 2022-11-25T05:47:54.000-03:00
diff --git a/components/gitpod-db/go/personal_access_token.go b/components/gitpod-db/go/personal_access_token.go
@@ -180,6 +180,56 @@ func ListPersonalAccessTokensForUser(ctx context.Context, conn *gorm.DB, userID
 	}, nil
 }
 
+type UpdatePersonalAccessTokenOpts struct {
+	TokenID uuid.UUID
+	UserID  uuid.UUID
+	Name    *string
+	Scopes  *Scopes
+}
+
+func UpdatePersonalAccessTokenForUser(ctx context.Context, conn *gorm.DB, opts UpdatePersonalAccessTokenOpts) (PersonalAccessToken, error) {
+	if opts.TokenID == uuid.Nil {
+		return PersonalAccessToken{}, errors.New("Token ID is required to udpate personal access token for user")
+	}
+	if opts.UserID == uuid.Nil {
+		return PersonalAccessToken{}, errors.New("User ID is required to udpate personal access token for user")
+	}
+
+	var cols []string
+	update := PersonalAccessToken{}
+	if opts.Name != nil {
+		cols = append(cols, "name")
+		update.Name = *opts.Name
+	}
+
+	if opts.Scopes != nil {
+		cols = append(cols, "scopes")
+		update.Scopes = *opts.Scopes
+	}
+
+	if len(cols) == 0 {
+		return GetPersonalAccessTokenForUser(ctx, conn, opts.TokenID, opts.UserID)
+	}
+
+	tx := conn.
+		WithContext(ctx).
+		Table((&PersonalAccessToken{}).TableName()).
+		Where("id = ?", opts.TokenID).
+		Where("userId = ?", opts.UserID).
+		Where("deleted = ?", 0).
+		Select(cols).
+		Updates(update)
+	if tx.Error != nil {
+		return PersonalAccessToken{}, fmt.Errorf("failed to update personal access token: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return PersonalAccessToken{}, fmt.Errorf("token (ID: %s) for user (ID: %s) does not exist: %w", opts.TokenID, opts.UserID, ErrorNotFound)
+	}
+
+	return GetPersonalAccessTokenForUser(ctx, conn, opts.TokenID, opts.UserID)
+}
+
 type Scopes []string
 
 // Scan() and Value() allow having a list of strings as a type for Scopes
diff --git a/components/gitpod-db/go/personal_access_token_test.go b/components/gitpod-db/go/personal_access_token_test.go
@@ -238,3 +238,71 @@ func TestListPersonalAccessTokensForUser_PaginateThroughResults(t *testing.T) {
 	require.Len(t, batch3.Results, 1)
 	require.EqualValues(t, batch3.Total, total)
 }
+
+func TestUpdatePersonalAccessTokenForUser(t *testing.T) {
+
+	newName := "second"
+	newScopes := db.Scopes([]string{})
+
+	t.Run("not found when record does not exist", func(t *testing.T) {
+		conn := dbtest.ConnectForTests(t)
+
+		_, err := db.UpdatePersonalAccessTokenForUser(context.Background(), conn, db.UpdatePersonalAccessTokenOpts{
+			TokenID: uuid.New(),
+			UserID:  uuid.New(),
+			Name:    &newName,
+		})
+		require.Error(t, err)
+		require.ErrorIs(t, err, db.ErrorNotFound)
+	})
+
+	t.Run("no update when all options are nil", func(t *testing.T) {
+		conn := dbtest.ConnectForTests(t)
+
+		created := dbtest.CreatePersonalAccessTokenRecords(t, conn, dbtest.NewPersonalAccessToken(t, db.PersonalAccessToken{
+			Name: "first",
+		}))[0]
+
+		udpated, err := db.UpdatePersonalAccessTokenForUser(context.Background(), conn, db.UpdatePersonalAccessTokenOpts{
+			TokenID: created.ID,
+			UserID:  created.UserID,
+		})
+		require.NoError(t, err)
+		require.Equal(t, created, udpated)
+	})
+
+	t.Run("updates name when it is not nil", func(t *testing.T) {
+		conn := dbtest.ConnectForTests(t)
+
+		created := dbtest.CreatePersonalAccessTokenRecords(t, conn, dbtest.NewPersonalAccessToken(t, db.PersonalAccessToken{
+			Name: "first",
+		}))[0]
+
+		udpated, err := db.UpdatePersonalAccessTokenForUser(context.Background(), conn, db.UpdatePersonalAccessTokenOpts{
+			TokenID: created.ID,
+			UserID:  created.UserID,
+			Name:    &newName,
+		})
+		require.NoError(t, err)
+		require.Equal(t, newName, udpated.Name)
+		require.Equal(t, created.Scopes, udpated.Scopes)
+	})
+
+	t.Run("updates scopes when it is not nil", func(t *testing.T) {
+		conn := dbtest.ConnectForTests(t)
+
+		created := dbtest.CreatePersonalAccessTokenRecords(t, conn, dbtest.NewPersonalAccessToken(t, db.PersonalAccessToken{
+			Name:   "first",
+			Scopes: db.Scopes([]string{"foo"}),
+		}))[0]
+
+		udpated, err := db.UpdatePersonalAccessTokenForUser(context.Background(), conn, db.UpdatePersonalAccessTokenOpts{
+			TokenID: created.ID,
+			UserID:  created.UserID,
+			Scopes:  &newScopes,
+		})
+		require.NoError(t, err)
+		require.Equal(t, created.Name, udpated.Name)
+		require.Len(t, udpated.Scopes, len(newScopes))
+	})
+}
diff --git a/components/public-api-server/pkg/apiv1/tokens.go b/components/public-api-server/pkg/apiv1/tokens.go
@@ -12,6 +12,8 @@ import (
 	"sort"
 	"strings"
 
+	"google.golang.org/protobuf/proto"
+
 	connect "github.com/bufbuild/connect-go"
 	"github.com/gitpod-io/gitpod/common-go/experiments"
 	"github.com/gitpod-io/gitpod/common-go/log"
@@ -23,6 +25,7 @@ import (
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/proxy"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/uuid"
+	"google.golang.org/protobuf/types/known/fieldmaskpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 	"gorm.io/gorm"
 )
@@ -198,23 +201,75 @@ func (s *TokensService) RegeneratePersonalAccessToken(ctx context.Context, req *
 }
 
 func (s *TokensService) UpdatePersonalAccessToken(ctx context.Context, req *connect.Request[v1.UpdatePersonalAccessTokenRequest]) (*connect.Response[v1.UpdatePersonalAccessTokenResponse], error) {
-	tokenID, err := validateTokenID(req.Msg.GetToken().GetId())
+	const (
+		nameField   = "name"
+		scopesField = "scopes"
+	)
+	var (
+		updatableMask = fieldmaskpb.FieldMask{Paths: []string{nameField, scopesField}}
+	)
+
+	tokenReq := req.Msg.GetToken()
+
+	tokenID, err := validateTokenID(tokenReq.GetId())
+	if err != nil {
+		return nil, err
+	}
+
+	mask, err := validateFieldMask(req.Msg.GetUpdateMask(), tokenReq)
 	if err != nil {
 		return nil, err
 	}
 
+	// If no mask fields are specified, we treat the request as updating all updatable fields
+	if len(mask.GetPaths()) == 0 {
+		mask = &updatableMask
+	}
+
 	conn, err := getConnection(ctx, s.connectionPool)
 	if err != nil {
 		return nil, err
 	}
 
-	_, _, err = s.getUser(ctx, conn)
+	_, userID, err := s.getUser(ctx, conn)
 	if err != nil {
 		return nil, err
 	}
 
-	log.Infof("Handling UpdatePersonalAccessToken request for Token ID '%s'", tokenID.String())
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("gitpod.experimental.v1.TokensService.UpdatePersonalAccessToken is not implemented"))
+	toUpdate := fieldmaskpb.Intersect(mask, &updatableMask)
+	updateOpts := db.UpdatePersonalAccessTokenOpts{
+		TokenID: tokenID,
+		UserID:  userID,
+	}
+
+	for _, path := range toUpdate.GetPaths() {
+		switch path {
+		case nameField:
+			name, err := validatePersonalAccessTokenName(tokenReq.GetName())
+			if err != nil {
+				return nil, err
+			}
+
+			updateOpts.Name = &name
+		case scopesField:
+			scopes, err := validateScopes(tokenReq.GetScopes())
+			if err != nil {
+				return nil, err
+			}
+			dbScopes := db.Scopes(scopes)
+			updateOpts.Scopes = &dbScopes
+		}
+	}
+
+	token, err := db.UpdatePersonalAccessTokenForUser(ctx, s.dbConn, updateOpts)
+	if err != nil {
+		log.WithError(err).Error("Failed to update PAT for user")
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Failed to update token (ID %s) for user (ID %s).", tokenID.String(), userID.String()))
+	}
+
+	return connect.NewResponse(&v1.UpdatePersonalAccessTokenResponse{
+		Token: personalAccessTokenToAPI(token, ""),
+	}), nil
 }
 
 func (s *TokensService) DeletePersonalAccessToken(ctx context.Context, req *connect.Request[v1.DeletePersonalAccessTokenRequest]) (*connect.Response[v1.DeletePersonalAccessTokenResponse], error) {
@@ -374,3 +429,16 @@ func validateScopes(scopes []string) ([]string, error) {
 
 	return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Tokens can currently only have no scopes (empty), or all scopes represented as [%s, %s]", allFunctionsScope, defaultResourceScope))
 }
+
+func validateFieldMask(mask *fieldmaskpb.FieldMask, message proto.Message) (*fieldmaskpb.FieldMask, error) {
+	if mask == nil {
+		return &fieldmaskpb.FieldMask{}, nil
+	}
+
+	mask.Normalize()
+	if !mask.IsValid(message) {
+		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("Invalid field mask specified."))
+	}
+
+	return mask, nil
+}
diff --git a/components/public-api-server/pkg/apiv1/tokens_test.go b/components/public-api-server/pkg/apiv1/tokens_test.go
@@ -13,6 +13,8 @@ import (
 	"testing"
 	"time"
 
+	"google.golang.org/protobuf/types/known/fieldmaskpb"
+
 	connect "github.com/bufbuild/connect-go"
 	"github.com/gitpod-io/gitpod/common-go/experiments"
 	"github.com/gitpod-io/gitpod/common-go/experiments/experimentstest"
@@ -514,10 +516,16 @@ func TestTokensService_UpdatePersonalAccessToken(t *testing.T) {
 		serverMock.EXPECT().GetLoggedInUser(gomock.Any()).Return(user, nil)
 		serverMock.EXPECT().GetTeams(gomock.Any()).Return(teams, nil)
 
-		_, err := client.UpdatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.UpdatePersonalAccessTokenRequest{
-			Token: &v1.PersonalAccessToken{
-				Id: uuid.New().String(),
-			},
+		token := &v1.PersonalAccessToken{
+			Id:   uuid.New().String(),
+			Name: "foo-bar",
+		}
+		mask, err := fieldmaskpb.New(token, "name")
+		require.NoError(t, err)
+
+		_, err = client.UpdatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.UpdatePersonalAccessTokenRequest{
+			Token:      token,
+			UpdateMask: mask,
 		}))
 
 		require.Error(t, err, "This feature is currently in beta. If you would like to be part of the beta, please contact us.")
@@ -544,18 +552,81 @@ func TestTokensService_UpdatePersonalAccessToken(t *testing.T) {
 		require.Equal(t, connect.CodeInvalidArgument, connect.CodeOf(err))
 	})
 
-	t.Run("unimplemented when feature flag enabled", func(t *testing.T) {
+	t.Run("default updates both name and scopes, when no mask specified", func(t *testing.T) {
 		serverMock, _, client := setupTokensService(t, withTokenFeatureEnabled)
 
+		serverMock.EXPECT().GetLoggedInUser(gomock.Any()).Return(user, nil).Times(2)
+
+		createResponse, err := client.CreatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.CreatePersonalAccessTokenRequest{
+			Token: &v1.PersonalAccessToken{
+				Name:           "first",
+				ExpirationTime: timestamppb.Now(),
+			},
+		}))
+		require.NoError(t, err)
+
+		updateResponse, err := client.UpdatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.UpdatePersonalAccessTokenRequest{
+			Token: &v1.PersonalAccessToken{
+				Id:     createResponse.Msg.GetToken().GetId(),
+				Name:   "second",
+				Scopes: []string{allFunctionsScope, defaultResourceScope},
+			},
+		}))
+		require.NoError(t, err)
+		require.Equal(t, "second", updateResponse.Msg.GetToken().GetName())
+		require.Equal(t, []string{allFunctionsScope, defaultResourceScope}, updateResponse.Msg.GetToken().GetScopes())
+	})
+
+	t.Run("updates only name, when mask specifies name", func(t *testing.T) {
+		serverMock, dbConn, client := setupTokensService(t, withTokenFeatureEnabled)
+
 		serverMock.EXPECT().GetLoggedInUser(gomock.Any()).Return(user, nil)
 
-		_, err := client.UpdatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.UpdatePersonalAccessTokenRequest{
+		created := dbtest.CreatePersonalAccessTokenRecords(t, dbConn, dbtest.NewPersonalAccessToken(t, db.PersonalAccessToken{
+			Name:   "first",
+			UserID: uuid.MustParse(user.ID),
+			Scopes: db.Scopes{allFunctionsScope, defaultResourceScope},
+		}))[0]
+
+		updateResponse, err := client.UpdatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.UpdatePersonalAccessTokenRequest{
 			Token: &v1.PersonalAccessToken{
-				Id: uuid.New().String(),
+				Id:     created.ID.String(),
+				Name:   "second",
+				Scopes: []string{allFunctionsScope, defaultResourceScope},
+			},
+			UpdateMask: &fieldmaskpb.FieldMask{
+				Paths: []string{"name"},
 			},
 		}))
+		require.NoError(t, err)
+		require.Equal(t, "second", updateResponse.Msg.GetToken().GetName())
+		require.Equal(t, []string(created.Scopes), updateResponse.Msg.GetToken().GetScopes())
+	})
 
-		require.Equal(t, connect.CodeUnimplemented, connect.CodeOf(err))
+	t.Run("updates only scopes, when mask specifies scopes", func(t *testing.T) {
+		serverMock, dbConn, client := setupTokensService(t, withTokenFeatureEnabled)
+
+		serverMock.EXPECT().GetLoggedInUser(gomock.Any()).Return(user, nil)
+
+		created := dbtest.CreatePersonalAccessTokenRecords(t, dbConn, dbtest.NewPersonalAccessToken(t, db.PersonalAccessToken{
+			Name:   "first",
+			UserID: uuid.MustParse(user.ID),
+			Scopes: db.Scopes{allFunctionsScope, defaultResourceScope},
+		}))[0]
+
+		updateResponse, err := client.UpdatePersonalAccessToken(context.Background(), connect.NewRequest(&v1.UpdatePersonalAccessTokenRequest{
+			Token: &v1.PersonalAccessToken{
+				Id:     created.ID.String(),
+				Name:   "second",
+				Scopes: []string{allFunctionsScope, defaultResourceScope},
+			},
+			UpdateMask: &fieldmaskpb.FieldMask{
+				Paths: []string{"scopes"},
+			},
+		}))
+		require.NoError(t, err)
+		require.Equal(t, "first", updateResponse.Msg.GetToken().GetName())
+		require.Equal(t, []string{allFunctionsScope, defaultResourceScope}, updateResponse.Msg.GetToken().GetScopes())
 	})
 }
 
