Addreses backend review suggestions

app/controllers/projects/deploy_tokens_controller.rb

@@ -23,8 +23,4 @@ class Projects::DeployTokensController < Projects::ApplicationController
   def deploy_token_params
     params.require(:deploy_token).permit(:name, :expires_at, scopes: [])
   end
-
-  def authorize_admin_project!
-    return render_404 unless can?(current_user, :admin_project, @project)
-  end
 end

app/models/deploy_token.rb

@@ -3,11 +3,12 @@ class DeployToken < ActiveRecord::Base
   include TokenAuthenticatable
   add_authentication_token_field :token
 
-  AVAILABLE_SCOPES = %w(read_repo read_registry).freeze
+  AVAILABLE_SCOPES = %w(read_repository read_registry).freeze
 
   serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize
 
   validates :scopes, presence: true
+  validates :project, presence: true
 
   belongs_to :project
 

app/policies/deploy_token_policy.rb

+class DeployTokenPolicy < BasePolicy
+  with_options scope: :subject, score: 0
+  condition(:master) { @subject.project.team.master?(@user) }
+
+  rule { anonymous }.prevent_all
+
+  rule { master }.policy do
+    enable :create_deploy_token
+    enable :update_deploy_token
+  end
+end

app/presenters/projects/settings/deploy_tokens_presenter.rb

@@ -44,7 +44,7 @@ module Projects
 
       def scope_descriptions
         {
-          'read_repo' => s_('DeployTokens|Allows read-only access to the repository'),
+          'read_repository' => s_('DeployTokens|Allows read-only access to the repository'),
           'read_registry' => s_('DeployTokens|Allows read-only access to the registry images')
         }
       end

changelogs/unreleased/31591-project-deploy-tokens-to-allow-permanent-access.yml

 ---
-title: Creates Deploy Tokens to allow permanent access to repo and registry
+title: Create Deploy Tokens to allow permanent access to repository and registry
 merge_request: 17894
 author:
 type: added

doc/user/project/deploy_tokens/index.md

@@ -36,7 +36,7 @@ the following table.
 
 | Scope | Description |
 | ----- | ----------- |
-|`read_repo` | Allows read-access to the repository through `git clone` |
+|`read_repository` | Allows read-access to the repository through `git clone` |
 | `read_registry` | Allows read-access to [container registry] images if a project is private and authorization is required. |
 
 ## Usage
@@ -45,7 +45,7 @@ the following table.
 
 To download a repository using a Deploy Token, you just need to:
 
-1. Create a Deploy Token with `read_repo` as a scope.
+1. Create a Deploy Token with `read_repository` as a scope.
 2. `git clone` the project using the Deploy Token:
 
 

lib/gitlab/auth.rb

@@ -5,7 +5,7 @@ module Gitlab
     REGISTRY_SCOPES = [:read_registry].freeze
 
     # Scopes used for GitLab API access
-    API_SCOPES = [:api, :read_user, :sudo, :read_repo].freeze
+    API_SCOPES = [:api, :read_user, :sudo, :read_repository].freeze
 
     # Scopes used for OpenID Connect
     OPENID_SCOPES = [:openid].freeze
@@ -165,7 +165,7 @@ module Gitlab
         abilities_by_scope = {
           api: full_authentication_abilities,
           read_registry: build_authentication_abilities - [:build_create_container_image],
-          read_repo: read_authentication_abilities - [:read_container_image]
+          read_repository: read_authentication_abilities - [:read_container_image]
         }
 
         scopes.flat_map do |scope|

spec/factories/deploy_tokens.rb

@@ -5,14 +5,14 @@ FactoryBot.define do
     sequence(:name) { |n| "PDT #{n}" }
     revoked false
     expires_at { 5.days.from_now }
-    scopes %w(read_repo read_registry)
+    scopes %w(read_repository read_registry)
 
     trait :revoked do
       revoked true
     end
 
-    trait :read_repo do
-      scopes ['read_repo']
+    trait :read_repository do
+      scopes ['read_repository']
     end
 
     trait :read_registry do

spec/lib/gitlab/auth_spec.rb

@@ -5,7 +5,7 @@ describe Gitlab::Auth do
 
   describe 'constants' do
     it 'API_SCOPES contains all scopes for API access' do
-      expect(subject::API_SCOPES).to eq %i[api read_user sudo read_repo]
+      expect(subject::API_SCOPES).to eq %i[api read_user sudo read_repository]
     end
 
     it 'OPENID_SCOPES contains all scopes for OpenID Connect' do
@@ -19,7 +19,7 @@ describe Gitlab::Auth do
     it 'optional_scopes contains all non-default scopes' do
       stub_container_registry_config(enabled: true)
 
-      expect(subject.optional_scopes).to eq %i[read_user sudo read_repo read_registry openid]
+      expect(subject.optional_scopes).to eq %i[read_user sudo read_repository read_registry openid]
     end
 
     context 'registry_scopes' do
@@ -260,10 +260,10 @@ describe Gitlab::Auth do
       let(:project) { create(:project) }
       let(:auth_failure) { Gitlab::Auth::Result.new(nil, nil) }
 
-      context 'when the deploy token has read_repo as scope' do
-        let(:deploy_token) { create(:deploy_token, :read_repo, project: project) }
+      context 'when the deploy token has read_repository as scope' do
+        let(:deploy_token) { create(:deploy_token, :read_repository, project: project) }
 
-        it 'succeeds when project is present, token is valid and has read_repo as scope' do
+        it 'succeeds when project is present, token is valid and has read_repository as scope' do
           abilities = %i(read_project download_code)
           auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, abilities)
 

spec/models/deploy_token_spec.rb

@@ -4,6 +4,7 @@ describe DeployToken do
   let(:deploy_token) { create(:deploy_token) }
 
   it { is_expected.to belong_to :project }
+  it { is_expected.to validate_presence_of :project }
 
   describe 'validations' do
     context 'with no scopes defined' do

spec/policies/deploy_token_policy_spec.rb

+require 'spec_helper'
+
+describe DeployTokenPolicy do
+  let(:current_user) { create(:user) }
+  let(:project) { create(:project) }
+  let(:deploy_token) { create(:deploy_token, project: project) }
+
+  subject { described_class.new(current_user, deploy_token) }
+
+  describe 'creating a deploy key' do
+    context 'when user is master' do
+      before do
+        project.add_master(current_user)
+      end
+
+      it { is_expected.to be_allowed(:create_deploy_token) }
+    end
+    
+    context 'when user is not master' do
+      before do
+        project.add_developer(current_user)
+      end
+
+      it { is_expected.to be_disallowed(:create_deploy_token) }
+    end
+  end
+
+  describe 'updating a deploy key' do
+    context 'when user is master' do
+      before do
+        project.add_master(current_user)
+      end
+
+      it { is_expected.to be_allowed(:update_deploy_token) }
+    end
+
+    context 'when user is not master' do
+      before do
+        project.add_developer(current_user)
+      end
+
+      it { is_expected.to be_disallowed(:update_deploy_token) }
+    end
+  end
+end

spec/presenters/projects/settings/deploy_tokens_presenter_spec.rb

@@ -9,7 +9,7 @@ describe Projects::Settings::DeployTokensPresenter do
 
   describe '#available_scopes' do
     it 'returns the all the deploy token scopes' do
-      expect(presenter.available_scopes).to match_array(%w(read_repo read_registry))
+      expect(presenter.available_scopes).to match_array(%w(read_repository read_registry))
     end
   end