atlassian / terraform-provider-artifactory

Terraform provider to manage Artifactory
Apache License 2.0

How to assign access token to a group or specific permissions? #88

Open sheldonhull opened 4 years ago

sheldonhull commented 4 years ago

I've looked through the issues and documentation and am a bit confused.

When I created an access token through the rest api in the past, I had to assign it to a group to ensure the permissions were associated with the access token.

Right now, I have created the api token using the documented example:

    resource "artifactory_api_key" "ci" {}

However, when trying to assign this token into a group, I'm not clear how to do this from the provider documentation.

When doing this via a POST request, you can see I had to designate member-of-groups for the access token to be generated.


    $invokeRestMethodSplat = @{
        Method      = 'POST'
        # Form encoding is a request header, so it is passed via -ContentType rather than as a body field
        ContentType = 'application/x-www-form-urlencoded'
        Body        = @{
            'username'    = $UserName                    # this is the access token name, anything can be used
            'scope'       = "member-of-groups:$GroupName"
            'expires_in'  = 0                            # Used to set as non-expiring
            'refreshable' = $true                        # allow access tokens to be refreshed and leave user the same
        }
        Headers     = @{ Authorization = "Basic $encodedCredentials" }
        Uri         = "https://$ACCOUNTNAME.jfrog.io/$ACCOUNTNAME/api/security/token"
    }
    $response = Invoke-RestMethod @invokeRestMethodSplat

What I'd thought I'd see would be something like

    resource "artifactory_api_key" "ci" {
      groups = [ resource.group.id ]
    }

If you have any examples on how to do this, or an issue I missed that answered this, please let me know. I plan on looking at the provider code more, but figured I'd make this visible so if it's an easy fix others might benefit, or if I contribute a PR with something I can link it to this anyway.

Appreciate the great work on this project as it solves a big need in making JFrog more manageable.

sheldonhull commented 4 years ago

I think I've found the answer. This hasn't been implemented. I found that the go-artifactory library does support this, but it hasn't been implemented into the provider.

https://github.com/atlassian/go-artifactory/blob/6111b34bd09a5f74a3fb36a2a882687693c984a8/artifactory/v1/security.go#L904-L919

    // Creates an access token
    // Since: 5.0.0
    // Security: Requires a valid user
    func (s *SecurityService) CreateToken(ctx context.Context, opts *AccessTokenOptions) (*AccessToken, *http.Response, error) {
        path := "/api/security/token"
        req, err := s.client.NewURLEncodedRequest("POST", path, opts)
        if err != nil {
            return nil, nil, err
        }
        req.Header.Set("Accept", client.MediaTypeJson)

        token := new(AccessToken)
        resp, err := s.client.Do(ctx, req, token)
        return token, resp, err
    }

This shows the creation for an access token is there, and it's the exact same API endpoint from my PowerShell Invoke-WebRequest. Looks like this needs to be added to the provider for me to leverage. I'll take a look at what that might entail and if I make some progress I'll post an update. Haven't done a provider contribution yet so I need to familiarize myself with it.
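
The request discussed in this thread (a form-encoded POST to `/api/security/token` with a `member-of-groups` scope), built with Go's standard library as an added example; it is not code from the provider or from go-artifactory. The helper name `NewGroupTokenRequest`, the group-name check (which assumes the scope value is a space-separated list and group lists are comma-separated) and the sample host and credentials are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
)

// NewGroupTokenRequest (hypothetical helper) builds the form-encoded POST to
// /api/security/token that the thread describes, scoped to a single group.
func NewGroupTokenRequest(baseURL, adminUser, adminPass, tokenName, group string, expiresIn int) (*http.Request, error) {
	// Assumption: scope is a space-separated list and group lists are
	// comma-separated, so reject separators that would widen the scope.
	if group == "" || strings.ContainsAny(group, " \t\r\n,\"") {
		return nil, fmt.Errorf("invalid group name %q", group)
	}
	if expiresIn < 0 {
		return nil, fmt.Errorf("expires_in must be >= 0, got %d", expiresIn)
	}
	form := url.Values{}
	form.Set("username", tokenName) // token subject; any name can be used
	form.Set("scope", "member-of-groups:"+group)
	form.Set("expires_in", strconv.Itoa(expiresIn)) // 0 = non-expiring, as in the thread
	form.Set("refreshable", "true")

	endpoint := strings.TrimRight(baseURL, "/") + "/api/security/token"
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	// Content-Type is a request header, not a form field.
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")
	req.SetBasicAuth(adminUser, adminPass)
	return req, nil
}

func main() {
	// Constructed sample values; nothing is sent over the network.
	req, err := NewGroupTokenRequest("https://artifactory.example.test/artifactory", "admin", "placeholder", "ci-token", "ci-readers", 3600)
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL.Path)
}
```

Passing the returned request to `http.Client.Do` sends it; the group must already exist for the scope to carry any permissions.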