
add additional checks for when a project has API tokens enabled

Mohammed Nafees 4 tahun lalu
induk
melakukan
37ccf4dc52

+ 7 - 0
api/server/authz/policy.go

@@ -52,6 +52,13 @@ func (h *PolicyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// first check if an api token exists in context
 	if r.Context().Value("api_token") != nil {
 		projID := reqScopes[types.ProjectScope].Resource.UInt
+		proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
+
+		if !proj.APITokensEnabled {
+			apierrors.HandleAPIError(h.config.Logger, h.config.Alerter, w, r,
+				apierrors.NewErrForbidden(fmt.Errorf("api tokens are not enabled for this project")), true)
+			return
+		}
 
 		apiToken, _ := r.Context().Value("api_token").(*models.APIToken)
 		policyLoaderOpts.ProjectToken = apiToken

+ 10 - 0
api/server/authz/policy/loader.go

@@ -40,6 +40,16 @@ func (b *RepoPolicyDocumentLoader) LoadPolicyDocuments(
 			return nil, apierrors.NewErrForbidden(fmt.Errorf("project id %d does not match token id %d", opts.ProjectID, opts.ProjectToken.ProjectID))
 		}
 
+		proj, err := b.projRepo.ReadProject(opts.ProjectID)
+
+		if err != nil {
+			return nil, apierrors.NewErrForbidden(fmt.Errorf("error fetching project: %w", err))
+		}
+
+		if !proj.APITokensEnabled {
+			return nil, apierrors.NewErrForbidden(fmt.Errorf("api tokens are not enabled for this project"))
+		}
+
 		// load the policy
 		apiPolicy, reqErr := GetAPIPolicyFromUID(b.policyRepo, opts.ProjectToken.ProjectID, opts.ProjectToken.PolicyUID)
 
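Review bot: The `ReadProject` failure branch maps every repository error, including a database outage, to a forbidden error and embeds the raw error text in it; if the message of `NewErrForbidden` reaches the caller (not visible here), that exposes backend details, and a transient storage fault presents to clients as a permissions problem. Consider reserving the forbidden response for the not-found case and using the package's internal-error constructor for other errors, keeping the wrapped cause in the server log only. The `"api tokens are not enabled for this project"` check duplicates the one added in policy.go's ServeHTTP, which is reasonable as defense in depth, but the literal now lives in three files and a shared sentinel error would keep them from drifting. LoadPolicyDocuments begins and ends outside the hunk.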

+ 9 - 1
api/server/handlers/release/create.go

@@ -45,6 +45,7 @@ func NewCreateReleaseHandler(
 
 func (c *CreateReleaseHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	user, _ := r.Context().Value(types.UserScope).(*models.User)
+	proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
 	cluster, _ := r.Context().Value(types.ClusterScope).(*models.Cluster)
 	namespace := r.Context().Value(types.NamespaceScope).(string)
 	operationID := oauth.CreateRandomState()
@@ -122,6 +123,7 @@ func (c *CreateReleaseHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	if request.GithubActionConfig != nil {
 		_, _, err := createGitAction(
 			c.Config(),
+			proj,
 			user.ID,
 			cluster.ProjectID,
 			cluster.ID,
@@ -200,6 +202,7 @@ func createReleaseFromHelmRelease(
 
 func createGitAction(
 	config *config.Config,
+	project *models.Project,
 	userID, projectID, clusterID uint,
 	request *types.CreateGitActionConfigRequest,
 	name, namespace string,
@@ -241,7 +244,7 @@ func createGitAction(
 
 	// if this isn't a dry run, generate the token
 	if !isDryRun {
-		encoded, err = getToken(config, userID, projectID, clusterID, request)
+		encoded, err = getToken(config, project, userID, projectID, clusterID, request)
 
 		if err != nil {
 			return nil, nil, err
@@ -322,6 +325,7 @@ func createGitAction(
 
 func getToken(
 	config *config.Config,
+	proj *models.Project,
 	userID, projectID, clusterID uint,
 	request *types.CreateGitActionConfigRequest,
 ) (string, error) {
@@ -407,6 +411,10 @@ func getToken(
 		SecretKey:       hashedToken,
 	}
 
+	if !proj.APITokensEnabled {
+		return "", fmt.Errorf("api tokens are not enabled for this project")
+	}
+
 	apiToken, err = config.Repo.APIToken().CreateAPIToken(apiToken)
 
 	if err != nil {
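Review bot: In `getToken` the new `if !proj.APITokensEnabled` gate sits after the token material has already been generated and hashed (`SecretKey: hashedToken` is populated directly above it), so the check only prevents persistence of a secret that was already created; moving it to the top of `getToken`, before any token is generated, avoids that work on the disabled path and makes the gate obvious to a reader. With a nil guard the check becomes `if proj == nil || !proj.APITokensEnabled {` followed by `return "", fmt.Errorf("api tokens are not enabled for this project")`. Note also that `createGitAction` only reaches `getToken` when `!isDryRun`, so a dry run against a project with tokens disabled still succeeds; if that is intended, a comment on the `if !isDryRun` branch would save the next reader from wondering. getToken's body begins and ends outside the hunk.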

+ 2 - 0
api/server/handlers/release/get_gha_template.go

@@ -27,6 +27,7 @@ func NewGetGHATemplateHandler(
 
 func (c *GetGHATemplateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	user, _ := r.Context().Value(types.UserScope).(*models.User)
+	proj, _ := r.Context().Value(types.ProjectScope).(*models.Project)
 	cluster, _ := r.Context().Value(types.ClusterScope).(*models.Cluster)
 	namespace := r.Context().Value(types.NamespaceScope).(string)
 
@@ -38,6 +39,7 @@ func (c *GetGHATemplateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 
 	_, workflowYAML, err := createGitAction(
 		c.Config(),
+		proj,
 		user.ID,
 		cluster.ProjectID,
 		cluster.ID,