testing for access level

README.md

@@ -18,7 +18,7 @@ This is a backend pluing to be used with Vault. This plugin generates [Gitlab Pr
 ## Requirements
 
 - Gitlab instance with **13.10** or later for API compatibility
-- You need **14.2** or later to have access level
+- You need **14.1** or later to have access level
 - Self-managed instances on Free and above. Or, GitLab SaaS Premium and above
 - a token of a user with maintainer or higher permission in a project
 

plugin/path_token.go

@@ -41,20 +41,19 @@ var accessTokenSchema = map[string]*framework.FieldSchema{
 		Type:        framework.TypeTime,
 		Description: "The token expires at midnight UTC on that date",
 	},
-	// Not valid until gitlab 14.1
-	// "access_level": {
-	// 	Type:        framework.TypeInt,
-	// 	Description: "access level of project access token",
-	//  Default: accessLevelMaintainer,
-	// },
+	"access_level": {
+		Type:        framework.TypeInt,
+		Description: "access level of project access token",
+	},
 }
 
 func tokenDetails(pat *PAT) map[string]interface{} {
 	d := map[string]interface{}{
-		"token":  pat.Token,
-		"id":     pat.ID,
-		"name":   pat.Name,
-		"scopes": pat.Scopes,
+		"token":        pat.Token,
+		"id":           pat.ID,
+		"name":         pat.Name,
+		"scopes":       pat.Scopes,
+		"access_level": pat.AccessLevel,
 	}
 	if pat.ExpiresAt != nil {
 		d["expires_at"] = time.Time(*pat.ExpiresAt)

plugin/path_token_role_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/xanzy/go-gitlab"
 )
 
 func TestAccRoleToken(t *testing.T) {
@@ -34,8 +35,6 @@ func TestAccRoleToken(t *testing.T) {
 	ID := envAsInt("GITLAB_PROJECT_ID", 1)
 
 	t.Run("successfully create", func(t *testing.T) {
-		t.Parallel()
-
 		data := map[string]interface{}{
 			"id":     ID,
 			"name":   "vault-role-test",
@@ -49,7 +48,32 @@ func TestAccRoleToken(t *testing.T) {
 
 		assert.NotEmpty(t, resp.Data["token"], "no token returned")
 		assert.NotEmpty(t, resp.Data["id"], "no id returned")
+		assert.NotEmpty(t, resp.Data["access_level"], "no access_level returned")
 		assert.NotEmpty(t, resp.Data["expires_at"], "default is 1d for expires_at")
+
+		// check for default value
+		assert.Equal(t, gitlab.AccessLevelValue(40), resp.Data["access_level"])
+	})
+
+	t.Run("successfully create token for role with access level", func(t *testing.T) {
+		data := map[string]interface{}{
+			"id":           ID,
+			"name":         "vault-role-test-access-level",
+			"access_level": 30,
+			"scopes":       []string{"read_api"},
+		}
+		roleName := "successful-access-level"
+		mustRoleCreate(t, backend, req.Storage, roleName, data)
+		resp, err := testIssueRoleToken(t, backend, req, roleName, nil)
+		require.NoError(t, err)
+		require.False(t, resp.IsError())
+
+		assert.NotEmpty(t, resp.Data["token"], "no token returned")
+		assert.NotEmpty(t, resp.Data["id"], "no id returned")
+		assert.NotEmpty(t, resp.Data["access_level"], "no access_level returned")
+		assert.NotEmpty(t, resp.Data["expires_at"], "default is 1d for expires_at")
+
+		assert.Equal(t, gitlab.AccessLevelValue(30), resp.Data["access_level"])
 	})
 
 	t.Run("non-existing role", func(t *testing.T) {

plugin/path_token_test.go

@@ -68,7 +68,27 @@ func TestAccToken(t *testing.T) {
 		assert.NotEmpty(t, resp.Data["token"], "no token returned")
 		assert.NotEmpty(t, resp.Data["id"], "no id returned")
 		assert.Contains(t, resp.Data["expires_at"].(time.Time).String(), e.Format("2006-01-02"))
+	})
+
+	t.Run("successfully create with access level", func(t *testing.T) {
+		t.Parallel()
 
+		e := time.Now().Add(time.Hour * 24)
+		d := map[string]interface{}{
+			"id":           ID,
+			"name":         "vault-test-access-level",
+			"scopes":       []string{"read_api"},
+			"access_level": 30,
+			"expires_at":   e.Unix(),
+		}
+		resp, err := testIssueToken(t, backend, req, d)
+		require.NoError(t, err)
+		require.False(t, resp.IsError())
+
+		assert.NotEmpty(t, resp.Data["token"], "no token returned")
+		assert.NotEmpty(t, resp.Data["id"], "no id returned")
+		assert.NotEmpty(t, resp.Data["access_level"], "no access_level returned")
+		assert.Contains(t, resp.Data["expires_at"].(time.Time).String(), e.Format("2006-01-02"))
 	})
 
 	t.Run("validation failure", func(t *testing.T) {