move access level to token package

ilijamt · ilijamt · commit a2aa345b983a · 2025-08-08T00:36:14.000+02:00
diff --git a/entry_role.go b/entry_role.go
@@ -11,15 +11,15 @@ import (
 )
 
 type EntryRole struct {
-	RoleName            string        `json:"role_name" structs:"role_name" mapstructure:"role_name"`
-	TTL                 time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"`
-	Path                string        `json:"path" structs:"path" mapstructure:"path"`
-	Name                string        `json:"name" structs:"name" mapstructure:"name"`
-	Scopes              []string      `json:"scopes" structs:"scopes" mapstructure:"scopes"`
-	AccessLevel         AccessLevel   `json:"access_level" structs:"access_level" mapstructure:"access_level,omitempty"`
-	TokenType           token.Type    `json:"token_type" structs:"token_type" mapstructure:"token_type"`
-	GitlabRevokesTokens bool          `json:"gitlab_revokes_token" structs:"gitlab_revokes_token" mapstructure:"gitlab_revokes_token"`
-	ConfigName          string        `json:"config_name" structs:"config_name" mapstructure:"config_name"`
+	RoleName            string            `json:"role_name" structs:"role_name" mapstructure:"role_name"`
+	TTL                 time.Duration     `json:"ttl" structs:"ttl" mapstructure:"ttl"`
+	Path                string            `json:"path" structs:"path" mapstructure:"path"`
+	Name                string            `json:"name" structs:"name" mapstructure:"name"`
+	Scopes              []string          `json:"scopes" structs:"scopes" mapstructure:"scopes"`
+	AccessLevel         token.AccessLevel `json:"access_level" structs:"access_level" mapstructure:"access_level,omitempty"`
+	TokenType           token.Type        `json:"token_type" structs:"token_type" mapstructure:"token_type"`
+	GitlabRevokesTokens bool              `json:"gitlab_revokes_token" structs:"gitlab_revokes_token" mapstructure:"gitlab_revokes_token"`
+	ConfigName          string            `json:"config_name" structs:"config_name" mapstructure:"config_name"`
 }
 
 func (e EntryRole) LogicalResponseData() map[string]any {
diff --git a/gitlab_client.go b/gitlab_client.go
@@ -32,8 +32,8 @@ type Client interface {
 	CurrentTokenInfo(ctx context.Context) (*TokenConfig, error)
 	RotateCurrentToken(ctx context.Context) (newToken *TokenConfig, oldToken *TokenConfig, err error)
 	CreatePersonalAccessToken(ctx context.Context, username string, userId int, name string, expiresAt time.Time, scopes []string) (*TokenPersonal, error)
-	CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (*TokenGroup, error)
-	CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (*TokenProject, error)
+	CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel t.AccessLevel) (*TokenGroup, error)
+	CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel t.AccessLevel) (*TokenProject, error)
 	RevokePersonalAccessToken(ctx context.Context, tokenId int) error
 	RevokeProjectAccessToken(ctx context.Context, tokenId int, projectId string) error
 	RevokeGroupAccessToken(ctx context.Context, tokenId int, groupId string) error
@@ -460,7 +460,7 @@ func (gc *gitlabClient) CreatePersonalAccessToken(ctx context.Context, username
 	return et, err
 }
 
-func (gc *gitlabClient) CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (et *TokenGroup, err error) {
+func (gc *gitlabClient) CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel t.AccessLevel) (et *TokenGroup, err error) {
 	var at *g.GroupAccessToken
 	defer func() {
 		gc.logger.Debug("Create group access token", "gat", at, "et", et, "groupId", groupId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "accessLevel", accessLevel, "error", err)
@@ -493,7 +493,7 @@ func (gc *gitlabClient) CreateGroupAccessToken(ctx context.Context, groupId stri
 	return et, err
 }
 
-func (gc *gitlabClient) CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (et *TokenProject, err error) {
+func (gc *gitlabClient) CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel t.AccessLevel) (et *TokenProject, err error) {
 	var at *g.ProjectAccessToken
 	defer func() {
 		gc.logger.Debug("Create project access token", "gat", at, "et", et, "projectId", projectId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "accessLevel", accessLevel, "error", err)
diff --git a/gitlab_client_test.go b/gitlab_client_test.go
@@ -89,11 +89,11 @@ func TestGitlabClient_InvalidToken(t *testing.T) {
 	_, err = client.GetUserIdByUsername(ctx, "username")
 	require.Error(t, err)
 
-	gatToken, err := client.CreateGroupAccessToken(ctx, "groupId", "name", timeExpiresAt, []string{"scope"}, gitlab.AccessLevelUnknown)
+	gatToken, err := client.CreateGroupAccessToken(ctx, "groupId", "name", timeExpiresAt, []string{"scope"}, token2.AccessLevelUnknown)
 	require.Error(t, err)
 	require.Nil(t, gatToken)
 
-	prjAtToken, err := client.CreateProjectAccessToken(ctx, "projectId", "name", timeExpiresAt, []string{"scope"}, gitlab.AccessLevelUnknown)
+	prjAtToken, err := client.CreateProjectAccessToken(ctx, "projectId", "name", timeExpiresAt, []string{"scope"}, token2.AccessLevelUnknown)
 	require.Error(t, err)
 	require.Nil(t, prjAtToken)
 
@@ -258,7 +258,7 @@ func TestGitlabClient_CreateAccessToken_And_Revoke(t *testing.T) {
 		"name",
 		timeExpiresAt,
 		[]string{token2.ScopeReadApi.String()},
-		gitlab.AccessLevelGuestPermissions,
+		token2.AccessLevelGuestPermissions,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, gatToken)
@@ -272,7 +272,7 @@ func TestGitlabClient_CreateAccessToken_And_Revoke(t *testing.T) {
 		"name",
 		timeExpiresAt,
 		[]string{token2.ScopeReadApi.String()},
-		gitlab.AccessLevelDeveloperPermissions,
+		token2.AccessLevelDeveloperPermissions,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, prjatToken)
diff --git a/helpers_test.go b/helpers_test.go
@@ -467,7 +467,7 @@ func (i *inMemoryClient) CreatePersonalAccessToken(ctx context.Context, username
 	return entryToken, nil
 }
 
-func (i *inMemoryClient) CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel gitlab.AccessLevel) (*gitlab.TokenGroup, error) {
+func (i *inMemoryClient) CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel t.AccessLevel) (*gitlab.TokenGroup, error) {
 	i.muLock.Lock()
 	defer i.muLock.Unlock()
 	if i.groupAccessTokenCreateError {
@@ -495,7 +495,7 @@ func (i *inMemoryClient) CreateGroupAccessToken(ctx context.Context, groupId str
 	return entryToken, nil
 }
 
-func (i *inMemoryClient) CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel gitlab.AccessLevel) (*gitlab.TokenProject, error) {
+func (i *inMemoryClient) CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel t.AccessLevel) (*gitlab.TokenProject, error) {
 	i.muLock.Lock()
 	defer i.muLock.Unlock()
 	if i.projectAccessTokenCreateError {
diff --git a/internal/errs/errs.go b/internal/errs/errs.go
@@ -18,7 +18,15 @@ var (
 	// ErrBackendNotConfigured represents an error when trying to use a backend that hasn't been properly configured
 	ErrBackendNotConfigured = errors.New("backend not configured")
 
+	// ErrUnknown represents an error indicating an unknown or unspecified condition occurred.
+	ErrUnknown = errors.New("unknown")
+
+	// ErrUnknownTokenType indicates an error when an undefined or unrecognized token type is encountered.
 	ErrUnknownTokenType = errors.New("unknown token type")
 
+	// ErrUnknownTokenScope is returned when an unrecognized or undefined token scope is encountered.
 	ErrUnknownTokenScope = errors.New("unknown token scope")
+
+	// ErrUnknownAccessLevel indicates an error caused by encountering an undefined or unrecognized access level.
+	ErrUnknownAccessLevel = errors.New("unknown access level")
 )
diff --git a/internal/token/access_level.go b/internal/token/access_level.go
@@ -1,4 +1,4 @@
-package gitlab
+package token
 
 import (
 	"errors"
diff --git a/internal/token/access_level_test.go b/internal/token/access_level_test.go
@@ -1,13 +1,13 @@
 //go:build unit
 
-package gitlab_test
+package token_test
 
 import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 
-	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
+	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab/internal/token"
 )
 
 func TestAccessLevel(t *testing.T) {
diff --git a/name_tpl_rand_string_test.go b/name_tpl_rand_string_test.go
@@ -20,7 +20,7 @@ func TestTokenNameGenerator_RandString(t *testing.T) {
 			Path:                "/path",
 			Name:                "{{ randHexString 8 }}",
 			Scopes:              []string{token.ScopeApi.String()},
-			AccessLevel:         g.AccessLevelNoPermissions,
+			AccessLevel:         token.AccessLevelNoPermissions,
 			TokenType:           token.TypePersonal,
 			GitlabRevokesTokens: false,
 		},
diff --git a/name_tpl_test.go b/name_tpl_test.go
@@ -29,7 +29,7 @@ func TestTokenNameGenerator(t *testing.T) {
 				Path:                "/path",
 				Name:                "{{ .role_name",
 				Scopes:              []string{token.ScopeApi.String()},
-				AccessLevel:         g.AccessLevelNoPermissions,
+				AccessLevel:         token.AccessLevelNoPermissions,
 				TokenType:           token.TypePersonal,
 				GitlabRevokesTokens: true,
 			},
@@ -45,7 +45,7 @@ func TestTokenNameGenerator(t *testing.T) {
 				Path:                "/path",
 				Name:                "{{ .role_name }}-{{ .token_type }}-access-token-{{ yesNoBool .gitlab_revokes_token }}",
 				Scopes:              []string{token.ScopeApi.String()},
-				AccessLevel:         g.AccessLevelNoPermissions,
+				AccessLevel:         token.AccessLevelNoPermissions,
 				TokenType:           token.TypePersonal,
 				GitlabRevokesTokens: true,
 			},
@@ -61,7 +61,7 @@ func TestTokenNameGenerator(t *testing.T) {
 				Path:                "/path",
 				Name:                "{{ .role_name }}-{{ .token_type }}-{{ stringsJoin .scopes \"-\" }}-{{ yesNoBool .gitlab_revokes_token }}",
 				Scopes:              []string{token.ScopeApi.String(), token.ScopeSudo.String()},
-				AccessLevel:         g.AccessLevelNoPermissions,
+				AccessLevel:         token.AccessLevelNoPermissions,
 				TokenType:           token.TypePersonal,
 				GitlabRevokesTokens: false,
 			},
@@ -77,7 +77,7 @@ func TestTokenNameGenerator(t *testing.T) {
 				Path:                "/path",
 				Name:                "{{ .role_name }}-{{ .token_type }}-{{ timeNowFormat \"2006-01\" }}",
 				Scopes:              []string{token.ScopeApi.String(), token.ScopeSudo.String()},
-				AccessLevel:         g.AccessLevelNoPermissions,
+				AccessLevel:         token.AccessLevelNoPermissions,
 				TokenType:           token.TypePersonal,
 				GitlabRevokesTokens: false,
 			},
diff --git a/name_tpl_unix_timestamp_test.go b/name_tpl_unix_timestamp_test.go
@@ -22,7 +22,7 @@ func TestTokenNameGenerator_UnixTimeStamp(t *testing.T) {
 			Path:                "/path",
 			Name:                "{{ .unix_timestamp_utc }}",
 			Scopes:              []string{token.ScopeApi.String()},
-			AccessLevel:         g.AccessLevelNoPermissions,
+			AccessLevel:         token.AccessLevelNoPermissions,
 			TokenType:           token.TypePersonal,
 			GitlabRevokesTokens: false,
 		},
diff --git a/path_role.go b/path_role.go
@@ -77,7 +77,7 @@ var (
 			DisplayAttrs: &framework.DisplayAttributes{
 				Name: "Access Level",
 			},
-			AllowedValues: utils.ToAny(ValidAccessLevels...),
+			AllowedValues: utils.ToAny(token.ValidAccessLevels...),
 		},
 		"token_type": {
 			Type:          framework.TypeString,
@@ -206,7 +206,7 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data
 	var err error
 	var warnings []string
 	var tokenType token.Type
-	var accessLevel AccessLevel
+	var accessLevel token.AccessLevel
 	var configName = cmp.Or(data.Get("config_name").(string), TypeConfigDefault)
 
 	b.lockClientMutex.RLock()
@@ -221,7 +221,7 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data
 	}
 
 	tokenType, _ = token.ParseType(data.Get("token_type").(string))
-	accessLevel, _ = AccessLevelParse(data.Get("access_level").(string))
+	accessLevel, _ = token.AccessLevelParse(data.Get("access_level").(string))
 
 	var role = EntryRole{
 		RoleName:            roleName,
@@ -253,42 +253,42 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data
 
 	switch tokenType {
 	case token.TypePersonal:
-		validAccessLevels = ValidPersonalAccessLevels
+		validAccessLevels = token.ValidPersonalAccessLevels
 		validScopes = token.ValidPersonalTokenScopes
 		noEmptyScopes = false
 		skipFields = []string{"config_name", "access_level"}
 	case token.TypeGroup:
-		validAccessLevels = ValidGroupAccessLevels
+		validAccessLevels = token.ValidGroupAccessLevels
 		validScopes = token.ValidGroupTokenScopes
 		noEmptyScopes = false
 		skipFields = []string{"config_name"}
 	case token.TypeProject:
-		validAccessLevels = ValidProjectAccessLevels
+		validAccessLevels = token.ValidProjectAccessLevels
 		validScopes = token.ValidProjectTokenScopes
 		noEmptyScopes = false
 		skipFields = []string{"config_name"}
 	case token.TypeUserServiceAccount:
-		validAccessLevels = ValidUserServiceAccountAccessLevels
+		validAccessLevels = token.ValidUserServiceAccountAccessLevels
 		validScopes = token.ValidUserServiceAccountTokenScopes
 		noEmptyScopes = false
 		skipFields = []string{"config_name", "access_level"}
 	case token.TypeGroupServiceAccount:
-		validAccessLevels = ValidGroupServiceAccountAccessLevels
+		validAccessLevels = token.ValidGroupServiceAccountAccessLevels
 		validScopes = token.ValidGroupServiceAccountTokenScopes
 		noEmptyScopes = false
 		skipFields = []string{"config_name", "access_level"}
 	case token.TypePipelineProjectTrigger:
-		validAccessLevels = ValidPipelineProjectTriggerAccessLevels
+		validAccessLevels = token.ValidPipelineProjectTriggerAccessLevels
 		validScopes = []string{}
 		noEmptyScopes = false
 		skipFields = []string{"config_name", "access_level", "scopes"}
 	case token.TypeProjectDeploy:
-		validAccessLevels = ValidProjectDeployAccessLevels
+		validAccessLevels = token.ValidProjectDeployAccessLevels
 		validScopes = token.ValidProjectDeployTokenScopes
 		noEmptyScopes = true
 		skipFields = []string{"config_name", "access_level"}
 	case token.TypeGroupDeploy:
-		validAccessLevels = ValidGroupDeployAccessLevels
+		validAccessLevels = token.ValidGroupDeployAccessLevels
 		validScopes = token.ValidGroupDeployTokenScopes
 		noEmptyScopes = true
 		skipFields = []string{"config_name", "access_level"}
diff --git a/path_role_deploy_tokens_test.go b/path_role_deploy_tokens_test.go
@@ -29,7 +29,7 @@ func TestPathRolesDeployTokens(t *testing.T) {
 
 	var tests = []struct {
 		tokenType   token.Type
-		accessLevel gitlab.AccessLevel
+		accessLevel token.AccessLevel
 		scopes      []string
 		ttl         string
 		path        string
@@ -59,7 +59,7 @@ func TestPathRolesDeployTokens(t *testing.T) {
 					Data: map[string]any{
 						"path":         tt.path,
 						"name":         tt.name,
-						"access_level": cmp.Or(tt.accessLevel, gitlab.AccessLevelUnknown).String(),
+						"access_level": cmp.Or(tt.accessLevel, token.AccessLevelUnknown).String(),
 						"token_type":   tt.tokenType.String(),
 						"scopes":       tt.scopes,
 						"ttl":          cmp.Or(tt.ttl, "1h"),
@@ -79,7 +79,7 @@ func TestPathRolesDeployTokens(t *testing.T) {
 					Data: map[string]any{
 						"path":         tt.path,
 						"name":         tt.name,
-						"access_level": gitlab.AccessLevelNoPermissions.String(),
+						"access_level": token.AccessLevelNoPermissions.String(),
 						"token_type":   tt.tokenType.String(),
 						"ttl":          cmp.Or(tt.ttl, "1h"),
 						"scopes":       []string{},
diff --git a/path_role_pipeline_project_trigger_token_test.go b/path_role_pipeline_project_trigger_token_test.go
@@ -37,7 +37,7 @@ func TestPathRolesPipelineProjectTrigger(t *testing.T) {
 			Data: map[string]any{
 				"path":         "user",
 				"name":         "Example user personal token",
-				"access_level": gitlab.AccessLevelNoPermissions.String(),
+				"access_level": token.AccessLevelNoPermissions.String(),
 				"token_type":   token.TypePipelineProjectTrigger.String(),
 				"scopes":       []string{token.ScopeApi.String()},
 				"ttl":          "1h",
@@ -59,7 +59,7 @@ func TestPathRolesPipelineProjectTrigger(t *testing.T) {
 			Data: map[string]any{
 				"path":         "user",
 				"name":         "Example user personal token",
-				"access_level": gitlab.AccessLevelUnknown.String(),
+				"access_level": token.AccessLevelUnknown.String(),
 				"token_type":   token.TypePipelineProjectTrigger.String(),
 				"scopes":       []string{},
 				"ttl":          "1h",
@@ -80,7 +80,7 @@ func TestPathRolesPipelineProjectTrigger(t *testing.T) {
 			Data: map[string]any{
 				"path":         "user",
 				"name":         "Example user personal token",
-				"access_level": gitlab.AccessLevelUnknown.String(),
+				"access_level": token.AccessLevelUnknown.String(),
 				"token_type":   token.TypePipelineProjectTrigger.String(),
 				"scopes":       []string{},
 			},
diff --git a/path_role_test.go b/path_role_test.go
@@ -102,7 +102,7 @@ func TestPathRoles(t *testing.T) {
 					Data: map[string]any{
 						"path":                 "user",
 						"name":                 token.TypePersonal.String(),
-						"access_level":         gitlab.AccessLevelOwnerPermissions.String(),
+						"access_level":         token.AccessLevelOwnerPermissions.String(),
 						"token_type":           token.TypePersonal.String(),
 						"ttl":                  gitlab.DefaultAccessTokenMinTTL,
 						"scopes":               token.ValidPersonalTokenScopes,
@@ -146,7 +146,7 @@ func TestPathRoles(t *testing.T) {
 					Data: map[string]any{
 						"path":                 "user",
 						"name":                 token.TypeProject.String(),
-						"access_level":         gitlab.AccessLevelOwnerPermissions.String(),
+						"access_level":         token.AccessLevelOwnerPermissions.String(),
 						"token_type":           token.TypeProject.String(),
 						"ttl":                  gitlab.DefaultAccessTokenMinTTL,
 						"scopes":               token.ValidProjectTokenScopes,
@@ -191,7 +191,7 @@ func TestPathRoles(t *testing.T) {
 					Data: map[string]any{
 						"path":                 "user",
 						"name":                 token.TypeGroup.String(),
-						"access_level":         gitlab.AccessLevelOwnerPermissions.String(),
+						"access_level":         token.AccessLevelOwnerPermissions.String(),
 						"token_type":           token.TypeGroup.String(),
 						"ttl":                  gitlab.DefaultAccessTokenMinTTL,
 						"scopes":               token.ValidGroupTokenScopes,
@@ -258,7 +258,7 @@ func TestPathRoles(t *testing.T) {
 				Data: map[string]any{
 					"path":         "user",
 					"name":         "Example user personal token",
-					"access_level": gitlab.AccessLevelOwnerPermissions.String(),
+					"access_level": token.AccessLevelOwnerPermissions.String(),
 					"ttl":          "48h",
 					"token_type":   token.TypeProject.String(),
 					"scopes":       token.ValidProjectTokenScopes,
@@ -279,7 +279,7 @@ func TestPathRoles(t *testing.T) {
 				Data: map[string]any{
 					"path":                 "user",
 					"name":                 "Example project personal token",
-					"access_level":         gitlab.AccessLevelOwnerPermissions.String(),
+					"access_level":         token.AccessLevelOwnerPermissions.String(),
 					"token_type":           token.TypeProject.String(),
 					"ttl":                  "48h",
 					"scopes":               token.ValidPersonalTokenScopes,
@@ -349,7 +349,7 @@ func TestPathRoles(t *testing.T) {
 					"path":         "user",
 					"name":         "Example user personal token",
 					"ttl":          "48h",
-					"access_level": gitlab.AccessLevelOwnerPermissions.String(),
+					"access_level": token.AccessLevelOwnerPermissions.String(),
 					"token_type":   token.TypeGroup.String(),
 					"scopes":       token.ValidProjectTokenScopes,
 				},
@@ -369,7 +369,7 @@ func TestPathRoles(t *testing.T) {
 				Data: map[string]any{
 					"path":         "user",
 					"name":         "Example user personal token",
-					"access_level": gitlab.AccessLevelOwnerPermissions.String(),
+					"access_level": token.AccessLevelOwnerPermissions.String(),
 					"token_type":   token.TypeGroup.String(),
 					"scopes":       token.ValidPersonalTokenScopes,
 				},
diff --git a/path_token_role_multiple_config_test.go b/path_token_role_multiple_config_test.go
diff --git a/path_token_role_test.go b/path_token_role_test.go
diff --git a/token_with_scopes_and_access_level.go b/token_with_scopes_and_access_level.go
diff --git a/with_normal_user_gat_test.go b/with_normal_user_gat_test.go
diff --git a/with_normal_user_project_at_test.go b/with_normal_user_project_at_test.go

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package gitlab`
	`1`	`+package token`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"errors"`