Add resource access token creation enabled to table

Add to namespace settings table

Add resource access token creation enabled to table
Add to namespace settings table
2ec1bf43 · Serena Fang · c70a6991 · 2ec1bf43 · 2ec1bf43 · 2ec1bf43
Commit 2ec1bf43 authored Mar 12, 2021 by Serena Fang
10 changed files
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -268,7 +268,8 @@ class GroupsController < Groups::ApplicationController
      :subgroup_creation_level,
      :default_branch_protection,
      :default_branch_name,
-      :allow_mfa_for_subgroups
+      :allow_mfa_for_subgroups,
+      :resource_access_token_creation_allowed
    ]
  end


--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -119,6 +119,7 @@ class Group < Namespace
  end

  delegate :default_branch_name, to: :namespace_settings
+  delegate :resource_access_token_creation_allowed, :resource_access_token_creation_allowed=, :resource_access_token_creation_allowed?, to: :namespace_settings

  class << self
    def sort_by_attribute(method)

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -251,7 +251,7 @@ class GroupPolicy < BasePolicy
  end

  def resource_access_token_available?
-    true
+    group.root_ancestor.resource_access_token_creation_allowed?
  end
 end


--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -731,7 +731,11 @@ class ProjectPolicy < BasePolicy
  end

  def resource_access_token_available?
-    true
+    group = project.group
+
+    return true unless group # always enable for projects in personal namespaces
+
+    group.root_ancestor.resource_access_token_creation_allowed?
  end

  def project

--- a/db/migrate/20210312193532_add_resource_access_token_creation_allowed_to_namespace_settings.rb
+++ b/db/migrate/20210312193532_add_resource_access_token_creation_allowed_to_namespace_settings.rb
+# frozen_string_literal: true
+class AddResourceAccessTokenCreationAllowedToNamespaceSettings < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    with_lock_retries do
+      add_column :namespace_settings, :resource_access_token_creation_allowed, :boolean, default: true, null: false
+    end
+  end
+
+  def down
+    with_lock_retries do
+      remove_column :namespace_settings, :resource_access_token_creation_allowed
+    end
+  end
+end
--- a/db/schema_migrations/20210312193532
+++ b/db/schema_migrations/20210312193532
+93e92e8eca0765cb8e6e08ec90ce0143d9b31d13e4d61e1b9690dbaed5a1bb63
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -14661,6 +14661,7 @@ CREATE TABLE namespace_settings (
    default_branch_name text,
    repository_read_only boolean DEFAULT false NOT NULL,
    delayed_project_removal boolean DEFAULT false NOT NULL,
+    resource_access_token_creation_allowed boolean DEFAULT true NOT NULL,
    CONSTRAINT check_0ba93c78c7 CHECK ((char_length(default_branch_name) <= 255))
 );

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -393,10 +393,10 @@ module EE
    # Available in Core for self-managed but only paid, non-trial for .com to prevent abuse
    override :resource_access_token_available?
    def resource_access_token_available?
-      return true unless ::Gitlab.com?
+      value_from_super = super
+      return value_from_super unless ::Gitlab.com?

-      ::Feature.enabled?(:resource_access_token_feature, group, default_enabled: true) &&
-        group.feature_available_non_trial?(:resource_access_token)
+      value_from_super && group.feature_available_non_trial?(:resource_access_token)
    end
  end
 end
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -425,12 +425,15 @@ module EE
    # Available in Core for self-managed but only paid, non-trial for .com to prevent abuse
    override :resource_access_token_available?
    def resource_access_token_available?
-      return true unless ::Gitlab.com?
+      value_from_super = super

-      group = project.namespace
+      return value_from_super unless ::Gitlab.com?

-      ::Feature.enabled?(:resource_access_token_feature, group, default_enabled: true) &&
-        group.feature_available_non_trial?(:resource_access_token)
+      if project.group
+        return value_from_super && project.group.feature_available_non_trial?(:resource_access_token)
+      end
+
+      project.namespace.feature_available_non_trial?(:resource_access_token)
    end
  end
 end
--- a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
+++ b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
@@ -17,6 +17,18 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do

      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
    end
+
+    context 'when resource access tokens are not available' do
+      let(:current_user) { owner }
+      let(:group) { create(:group) }
+      let(:project) { create(:project, group: group) }
+
+      before do
+        group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+      end
+
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+    end
  end

  context 'read resource access tokens' do