python-gitlab · max-wittig · Sep 6, 2019 · Sep 5, 2019
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -14,6 +14,7 @@ per_page = ${GITLAB_PER_PAGE:-10}
 url = ${GITLAB_URL:-https://gitlab.com}
 private_token = ${GITLAB_PRIVATE_TOKEN}
 oauth_token = ${GITLAB_OAUTH_TOKEN}
+job_token = ${GITLAB_JOB_TOKEN}
 http_username = ${GITLAB_HTTP_USERNAME}
 http_password = ${GITLAB_HTTP_PASSWORD}
 EOF

diff --git a/docs/api-usage.rst b/docs/api-usage.rst
@@ -19,6 +19,10 @@ To connect to a GitLab server, create a ``gitlab.Gitlab`` object:
   # oauth token authentication
   gl = gitlab.Gitlab('http://10.0.0.1', oauth_token='my_long_token_here')

+   # job token authentication (to be used in CI)
+   import os
+   gl = gitlab.Gitlab('http://10.0.0.1', job_token=os.environ['CI_JOB_TOKEN'])
+
   # username/password authentication (for GitLab << 10.2)
   gl = gitlab.Gitlab('http://10.0.0.1', email='jdoe', password='s3cr3t')


diff --git a/docs/cli.rst b/docs/cli.rst
@@ -83,9 +83,9 @@ You must define the ``url`` in each GitLab server section.
   If the GitLab server you are using redirects requests from http to https,
   make sure to use the ``https://`` protocol in the ``url`` definition.

-Only one of ``private_token`` or ``oauth_token`` should be defined. If neither
-are defined an anonymous request will be sent to the Gitlab server, with very
-limited permissions.
+Only one of ``private_token``, ``oauth_token`` or ``job_token`` should be
+defined. If neither are defined an anonymous request will be sent to the Gitlab
+server, with very limited permissions.

 .. list-table:: GitLab server options
   :header-rows: 1
@@ -96,10 +96,12 @@ limited permissions.
     - URL for the GitLab server
   * - ``private_token``
     - Your user token. Login/password is not supported. Refer to `the official
-       documentation`__ to learn how to obtain a token.
+       documentation`_pat to learn how to obtain a token.
   * - ``oauth_token``
     - An Oauth token for authentication. The Gitlab server must be configured
       to support this authentication method.
+   * - ``job_token``
+     - Your job token. See `the official  documentation`_job-token to learn how to obtain a token.
   * - ``api_version``
     - GitLab API version to use (``3`` or ``4``). Defaults to ``4`` since
       version 1.3.0.
@@ -108,7 +110,8 @@ limited permissions.
   * - ``http_password``
     - Password for optional HTTP authentication

-__ https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html
+.. _pat: https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html
+.. _job-token: https://docs.gitlab.com/ce/api/jobs.html#get-job-artifacts

 CLI
 ===

diff --git a/gitlab/__init__.py b/gitlab/__init__.py
@@ -60,6 +60,7 @@ class Gitlab(object):
        url (str): The URL of the GitLab server.
        private_token (str): The user private token
        oauth_token (str): An oauth token
+        job_token (str): A CI job token
        email (str): The user email or login.
        password (str): The user password (associated with email).
        ssl_verify (bool|str): Whether SSL certificates should be validated. If
@@ -76,6 +77,7 @@ def __init__(
        url,
        private_token=None,
        oauth_token=None,
+        job_token=None,
        email=None,
        password=None,
        ssl_verify=True,
@@ -107,6 +109,7 @@ def __init__(
        self.http_username = http_username
        self.http_password = http_password
        self.oauth_token = oauth_token
+        self.job_token = job_token
        self._set_auth_info()

        #: Create a session object for requests
@@ -195,6 +198,7 @@ def from_config(cls, gitlab_id=None, config_files=None):
            config.url,
            private_token=config.private_token,
            oauth_token=config.oauth_token,
+            job_token=config.job_token,
            ssl_verify=config.ssl_verify,
            timeout=config.timeout,
            http_username=config.http_username,
@@ -211,7 +215,7 @@ def auth(self):
        The `user` attribute will hold a `gitlab.objects.CurrentUser` object on
        success.
        """
-        if self.private_token or self.oauth_token:
+        if self.private_token or self.oauth_token or self.job_token:
            self._token_auth()
        else:
            self._credentials_auth()
@@ -346,9 +350,16 @@ def _construct_url(self, id_, obj, parameters, action=None):
            return url

    def _set_auth_info(self):
-        if self.private_token and self.oauth_token:
+        if (
+            sum(
+                bool(arg)
+                for arg in [self.private_token, self.oauth_token, self.job_token]
+            )
+            != 1
+        ):
            raise ValueError(
-                "Only one of private_token or oauth_token should " "be defined"
+                "Only one of private_token, oauth_token or job_token should "
+                "be defined"
            )
        if (self.http_username and not self.http_password) or (
            not self.http_username and self.http_password
@@ -364,12 +375,19 @@ def _set_auth_info(self):

        self._http_auth = None
        if self.private_token:
-            self.headers["PRIVATE-TOKEN"] = self.private_token
            self.headers.pop("Authorization", None)
+            self.headers["PRIVATE-TOKEN"] = self.private_token
+            self.headers.pop("JOB-TOKEN", None)

        if self.oauth_token:
            self.headers["Authorization"] = "Bearer %s" % self.oauth_token
            self.headers.pop("PRIVATE-TOKEN", None)
+            self.headers.pop("JOB-TOKEN", None)
+
+        if self.job_token:
+            self.headers.pop("Authorization", None)
+            self.headers.pop("PRIVATE-TOKEN", None)
+            self.headers["JOB-TOKEN"] = self.job_token

        if self.http_username:
            self._http_auth = requests.auth.HTTPBasicAuth(

diff --git a/gitlab/cli.py b/gitlab/cli.py
@@ -202,7 +202,7 @@ def main():

    try:
        gl = gitlab.Gitlab.from_config(gitlab_id, config_files)
-        if gl.private_token or gl.oauth_token:
+        if gl.private_token or gl.oauth_token or gl.job_token:
            gl.auth()
    except Exception as e:
        die(str(e))

diff --git a/gitlab/config.py b/gitlab/config.py
@@ -122,6 +122,12 @@ def __init__(self, gitlab_id=None, config_files=None):
        except Exception:
            pass

+        self.job_token = None
+        try:
+            self.job_token = self._config.get(self.gitlab_id, "job_token")
+        except Exception:
+            pass
+
        self.http_username = None
        self.http_password = None
        try:

diff --git a/gitlab/tests/test_gitlab.py b/gitlab/tests/test_gitlab.py
@@ -403,17 +403,31 @@ def test_private_token_auth(self):
        gl = Gitlab("http://localhost", private_token="private_token", api_version="4")
        self.assertEqual(gl.private_token, "private_token")
        self.assertEqual(gl.oauth_token, None)
+        self.assertEqual(gl.job_token, None)
        self.assertEqual(gl._http_auth, None)
-        self.assertEqual(gl.headers["PRIVATE-TOKEN"], "private_token")
        self.assertNotIn("Authorization", gl.headers)
+        self.assertEqual(gl.headers["PRIVATE-TOKEN"], "private_token")
+        self.assertNotIn("JOB-TOKEN", gl.headers)

    def test_oauth_token_auth(self):
        gl = Gitlab("http://localhost", oauth_token="oauth_token", api_version="4")
        self.assertEqual(gl.private_token, None)
        self.assertEqual(gl.oauth_token, "oauth_token")
+        self.assertEqual(gl.job_token, None)
        self.assertEqual(gl._http_auth, None)
        self.assertEqual(gl.headers["Authorization"], "Bearer oauth_token")
        self.assertNotIn("PRIVATE-TOKEN", gl.headers)
+        self.assertNotIn("JOB-TOKEN", gl.headers)
+
+    def test_job_token_auth(self):
+        gl = Gitlab("http://localhost", job_token="CI_JOB_TOKEN", api_version="4")
+        self.assertEqual(gl.private_token, None)
+        self.assertEqual(gl.oauth_token, None)
+        self.assertEqual(gl.job_token, "CI_JOB_TOKEN")
+        self.assertEqual(gl._http_auth, None)
+        self.assertNotIn("Authorization", gl.headers)
+        self.assertNotIn("PRIVATE-TOKEN", gl.headers)
+        self.assertEqual(gl.headers["JOB-TOKEN"], "CI_JOB_TOKEN")

    def test_http_auth(self):
        gl = Gitlab(
@@ -425,6 +439,7 @@ def test_http_auth(self):
        )
        self.assertEqual(gl.private_token, "private_token")
        self.assertEqual(gl.oauth_token, None)
+        self.assertEqual(gl.job_token, None)
        self.assertIsInstance(gl._http_auth, requests.auth.HTTPBasicAuth)
        self.assertEqual(gl.headers["PRIVATE-TOKEN"], "private_token")
        self.assertNotIn("Authorization", gl.headers)