Add application create API

changelogs/unreleased/24035-api-create-application.yml

@@ -0,0 +1,4 @@
+---
+title: Add application create API
+merge_request: 8160
+author: Nicolas Merelli @PNSalocin

doc/api/applications.md

@@ -0,0 +1,33 @@
+# Applications API
+
+## Create a application
+
+Create a application by posting a JSON payload.
+
+User must be admin to do that.
+
+Returns `200` if the request succeeds.
+
+```
+POST /applications
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `name` | string | yes | The name of the application |
+| `redirect_uri` | string | yes | The redirect URI of the application |
+| `scopes` | string | yes | The scopes of the application |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" --data "name=MyApplication&redirect_uri=http://redirect.uri&scopes=" https://gitlab.example.com/api/v3/applications
+```
+
+Example response:
+
+```json
+{  
+    "application_id": "5832fc6e14300a0d962240a8144466eef4ee93ef0d218477e55f11cf12fc3737",
+    "secret": "ee1dd64b6adc89cf7e2c23099301ccc2c61b441064e9324d963c46902a85ec34",
+    "callback_url": "http://redirect.uri"
+}
+```

lib/api/api.rb

@@ -106,6 +106,7 @@ module API
 
     # Keep in alphabetical order
     mount ::API::AccessRequests
+    mount ::API::Applications
     mount ::API::AwardEmoji
     mount ::API::Boards
     mount ::API::Branches

lib/api/applications.rb

@@ -0,0 +1,26 @@
+module API
+  # External applications API
+  class Applications < Grape::API
+    before { authenticated_as_admin! }
+
+    resource :applications do
+      desc 'Create a new application' do
+        success Entities::Application
+      end
+      params do
+        requires :name, type: String, desc: 'Application name'
+        requires :redirect_uri, type: String, desc: 'Application redirect URI'
+        requires :scopes, type: String, desc: 'Application scopes'
+      end
+      post do
+        application = Doorkeeper::Application.new(declared_params)
+
+        if application.save
+          present application, with: Entities::Application
+        else
+          render_validation_error! application
+        end
+      end
+    end
+  end
+end

lib/api/entities.rb

@@ -1157,5 +1157,11 @@ module API
         pages_domain
       end
     end
+
+    class Application < Grape::Entity
+      expose :uid, as: :application_id
+      expose :secret
+      expose :redirect_uri, as: :callback_url
+    end
   end
 end

spec/requests/api/applications_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+describe API::Applications, :api do
+  include ApiHelpers
+
+  let(:admin_user) { create(:user, admin: true) }
+  let(:user) { create(:user, admin: false) }
+
+  describe 'POST /applications' do
+    context 'authenticated and authorized user' do
+      it 'creates and returns an OAuth application' do
+        expect do
+          post api('/applications', admin_user), name: 'application_name', redirect_uri: 'http://application.url', scopes: ''
+        end.to change { Doorkeeper::Application.count }.by 1
+
+        application = Doorkeeper::Application.find_by(name: 'application_name', redirect_uri: 'http://application.url')
+
+        expect(response).to have_http_status 201
+        expect(json_response).to be_a Hash
+        expect(json_response['application_id']).to eq application.uid
+        expect(json_response['secret']).to eq application.secret
+        expect(json_response['callback_url']).to eq application.redirect_uri
+      end
+
+      it 'does not allow creating an application with the wrong redirect_uri format' do
+        expect do
+          post api('/applications', admin_user), name: 'application_name', redirect_uri: 'wrong_url_format', scopes: ''
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status 400
+        expect(json_response).to be_a Hash
+        expect(json_response['message']['redirect_uri'][0]).to eq('must be an absolute URI.')
+      end
+
+      it 'does not allow creating an application without a name' do
+        expect do
+          post api('/applications', admin_user), redirect_uri: 'http://application.url', scopes: ''
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status 400
+        expect(json_response).to be_a Hash
+        expect(json_response['error']).to eq('name is missing')
+      end
+
+      it 'does not allow creating an application without a redirect_uri' do
+        expect do
+          post api('/applications', admin_user), name: 'application_name', scopes: ''
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status 400
+        expect(json_response).to be_a Hash
+        expect(json_response['error']).to eq('redirect_uri is missing')
+      end
+
+      it 'does not allow creating an application without scopes' do
+        expect do
+          post api('/applications', admin_user), name: 'application_name', redirect_uri: 'http://application.url'
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status 400
+        expect(json_response).to be_a Hash
+        expect(json_response['error']).to eq('scopes is missing')
+      end
+    end
+
+    context 'authorized user without authorization' do
+      it 'does not create application' do
+        expect do
+          post api('/applications', user), name: 'application_name', redirect_uri: 'http://application.url', scopes: ''
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status 403
+      end
+    end
+
+    context 'non-authenticated user' do
+      it 'does not create application' do
+        expect do
+          post api('/applications'), name: 'application_name', redirect_uri: 'http://application.url'
+        end.not_to change { Doorkeeper::Application.count }
+
+        expect(response).to have_http_status 401
+      end
+    end
+  end
+end