Update and cleanup

Author: ilijamt

.gitignore

@@ -38,3 +38,6 @@ fabric.properties
 go.work
 tmp/
 bin/
+/coverage.html
+/coverage.out
+.envrc

README.md

@@ -17,6 +17,7 @@ through Vault.
 - Gitlab Group Access Tokens - https://docs.gitlab.com/ee/api/group_access_tokens.html
 - Gitlab User Service Account Tokens - https://docs.gitlab.com/ee/api/users.html#create-service-account-user
 - Gitlab Group Service Account Tokens - https://docs.gitlab.com/ee/api/group_service_accounts.html
+- Gitlab Pipeline Project Trigger Tokens - https://docs.gitlab.com/ee/api/pipeline_triggers.html
 
 ## Getting Started
 
@@ -92,7 +93,7 @@ The current authentication model requires providing Vault with a Gitlab Token.
 |      base_url      |   yes    |      n/a      |    no     | The address to access Gitlab                                                                                                                  |
 | auto_rotate_token  |    no    |      no       |    no     | Should we autorotate the token when it's close to expiry? (Experimental)                                                                      |
 | auto_rotate_before |    no    |      24h      |    no     | How much time should be remaining on the token validity before we should rotate it? Minimum can be set to 24h and maximum to 730h             |
-|        type        |   yes    |      n/a      |    no     | The type of gitlab instance that we use can be one of saas, self-managed or dedicated                                                          |
+|        type        |   yes    |      n/a      |    no     | The type of gitlab instance that we use can be one of saas, self-managed or dedicated                                                         |
 
 ### Role
 
@@ -105,7 +106,7 @@ The current authentication model requires providing Vault with a Gitlab Token.
 |        scopes        |    no    |      []       |    no     | List of scopes                                                                                                       |
 |      token_type      |   yes    |      n/a      |    no     | Access token type                                                                                                    |
 | gitlab_revokes_token |    no    |      no       |    no     | Gitlab revokes the token when it's time. Vault will not revoke the token when the lease expires                      |
-|        config_name   |    no    |    default    |    no     | The configuration to use for the role                                                                                |
+|     config_name      |    no    |    default    |    no     | The configuration to use for the role                                                                                |
 
 #### path
 
@@ -154,12 +155,14 @@ Depending on `gitlab_revokes_token` the TTL will change.
 
 #### access_level 
 
-It's not required if `token_type` is set to `personal`. 
+It's not required if `token_type` is set to `personal` or `pipeline-project-trigger`.
 
 For a list of available roles check https://docs.gitlab.com/ee/user/permissions.html
 
 #### scopes
 
+It's not required if `token_type` is set to `pipeline-project-trigger`.
+
 Depending on the type of token you have different scopes:
 
 * `Personal` - https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#personal-access-token-scopes
@@ -175,6 +178,7 @@ Can be
 * group
 * user-service-account
 * group-service-account
+* pipeline-project-trigger
 
 #### gitlab_revokes_token
 
@@ -326,7 +330,7 @@ token_sha1_hash       91a91bb30f816770081c570504c5e2723bcb1f38
 type                  self-managed
 ```
 
-**Important**: Token will be showed after rotation, it will not be shown again.
+**Important**: Token will be shown only after rotation, and it will not be shown again.
 
 ## Upgrading
 

gitlab_client.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/helper/logging"
-	g "github.com/xanzy/go-gitlab"
+	g "gitlab.com/gitlab-org/api/client-go"
 	"golang.org/x/time/rate"
 )
 
@@ -37,6 +37,8 @@ type Client interface {
 	CreateUserServiceAccountAccessToken(ctx context.Context, username string, userId int, name string, expiresAt time.Time, scopes []string) (*EntryToken, error)
 	RevokeUserServiceAccountAccessToken(ctx context.Context, token string) error
 	RevokeGroupServiceAccountAccessToken(ctx context.Context, token string) error
+	CreatePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, description string) error
+	RevokePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, tokenId int) error
 }
 
 type gitlabClient struct {
@@ -46,6 +48,22 @@ type gitlabClient struct {
 	logger     hclog.Logger
 }
 
+func (gc *gitlabClient) CreatePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, description string) (err error) {
+	defer func() {
+		gc.logger.Debug("Created a pipeline project trigger access token", "projectId", description, "description", "error", err)
+	}()
+
+	return err
+}
+
+func (gc *gitlabClient) RevokePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, tokenId int) (err error) {
+	defer func() {
+		gc.logger.Debug("Revoked pipeline project trigger access token", "projectId", projectId, "tokenId", tokenId, "error", err)
+	}()
+
+	return err
+}
+
 func (gc *gitlabClient) GetGroupIdByPath(ctx context.Context, path string) (groupId int, err error) {
 	defer func() {
 		gc.logger.Debug("Get group id by path", "path", path, "groupId", groupId, "error", err)

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/hashicorp/vault/api v1.15.0
 	github.com/hashicorp/vault/sdk v0.14.0
 	github.com/stretchr/testify v1.10.0
-	github.com/xanzy/go-gitlab v0.114.0
+	gitlab.com/gitlab-org/api/client-go v0.116.0
 	golang.org/x/time v0.8.0
 	google.golang.org/protobuf v1.35.2
 	gopkg.in/dnaeon/go-vcr.v4 v4.0.2
@@ -83,7 +83,7 @@ require (
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/oauth2 v0.24.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/text v0.19.0 // indirect

go.sum

@@ -239,10 +239,10 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/xanzy/go-gitlab v0.114.0 h1:0wQr/KBckwrZPfEMjRqpUz0HmsKKON9UhCYv9KDy19M=
-github.com/xanzy/go-gitlab v0.114.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+gitlab.com/gitlab-org/api/client-go v0.116.0 h1:Dy534gtZPMrnm3fAcmQRMadrcoUyFO4FQ4rXlSAdHAw=
+gitlab.com/gitlab-org/api/client-go v0.116.0/go.mod h1:B29OfnZklmaoiR7uHANh9jTyfWEgmXvZLVEnosw2Dx0=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
 go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts=
@@ -279,8 +279,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

helpers_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/require"
-	g "github.com/xanzy/go-gitlab"
+	g "gitlab.com/gitlab-org/api/client-go"
 
 	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
 )
@@ -164,6 +164,8 @@ type inMemoryClient struct {
 	revokeGroupServiceAccountPersonalAccessTokenError bool
 	createUserServiceAccountAccessTokenError          bool
 	createGroupServiceAccountAccessTokenError         bool
+	createPipelineProjectTriggerAccessTokenError      bool
+	revokePipelineProjectTriggerAccessTokenError      bool
 
 	calledMainToken       int
 	calledRotateMainToken int
@@ -175,6 +177,24 @@ type inMemoryClient struct {
 	accessTokens map[string]gitlab.EntryToken
 }
 
+func (i *inMemoryClient) CreatePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, description string) error {
+	i.muLock.Lock()
+	defer i.muLock.Unlock()
+	if i.createGroupServiceAccountAccessTokenError {
+		return fmt.Errorf("CreatePipelineProjectTriggerAccessToken")
+	}
+	return nil
+}
+
+func (i *inMemoryClient) RevokePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, tokenId int) error {
+	i.muLock.Lock()
+	defer i.muLock.Unlock()
+	if i.createGroupServiceAccountAccessTokenError {
+		return fmt.Errorf("RevokePipelineProjectTriggerAccessToken")
+	}
+	return nil
+}
+
 func (i *inMemoryClient) GetGroupIdByPath(ctx context.Context, path string) (int, error) {
 	idx := slices.Index(i.groups, path)
 	if idx == -1 {

path_role.go

@@ -266,6 +266,9 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data
 	case TokenTypeGroupServiceAccount:
 		validAccessLevels = ValidGroupServiceAccountAccessLevels
 		skipFields = append(skipFields, "access_level")
+	case TokenPipelineProjectTrigger:
+		validAccessLevels = ValidPipelineProjectTriggerAccessLevels
+		skipFields = append(skipFields, "access_level", "scopes")
 	}
 
 	// check if all required fields are set
@@ -313,6 +316,10 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data
 	if tokenType == TokenTypeGroupServiceAccount {
 		validScopes = append(validScopes, ValidGroupServiceAccountTokenScopes...)
 	}
+	if tokenType == TokenPipelineProjectTrigger {
+		validScopes = []string{}
+	}
+
 	for _, scope := range role.Scopes {
 		if !slices.Contains(validScopes, scope) {
 			invalidScopes = append(invalidScopes, scope)

path_token_role_multiple_config_test.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/require"
-	g "github.com/xanzy/go-gitlab"
+	g "gitlab.com/gitlab-org/api/client-go"
 
 	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
 )