Merge branch 'graphql-toggle-job-token-scope-setting' into 'master'

Allow toggle job_token_scope_enabled via GraphQL

See merge request gitlab-org/gitlab!63778

app/graphql/mutations/ci/ci_cd_settings_update.rb

@@ -17,6 +17,10 @@ module Mutations
         required: false,
         description: 'Indicates if the latest artifact should be kept for this project.'
 
+      argument :job_token_scope_enabled, GraphQL::BOOLEAN_TYPE,
+        required: false,
+        description: 'Indicates CI job tokens generated in this project have restricted access to resources.'
+
       field :ci_cd_settings,
         Types::Ci::CiCdSettingType,
         null: false,

app/graphql/types/ci/ci_cd_setting_type.rb

@@ -16,6 +16,9 @@ module Types
       field :keep_latest_artifact, GraphQL::BOOLEAN_TYPE, null: true,
         description: 'Whether to keep the latest builds artifacts.',
         method: :keep_latest_artifacts_available?
+      field :job_token_scope_enabled, GraphQL::BOOLEAN_TYPE, null: true,
+        description: 'Indicates CI job tokens generated in this project have restricted access to resources.',
+        method: :job_token_scope_enabled?
       field :project, Types::ProjectType, null: true,
         description: 'Project the CI/CD settings belong to.'
     end

doc/api/graphql/reference/index.md

@@ -766,6 +766,7 @@ Input type: `CiCdSettingsUpdateInput`
 | ---- | ---- | ----------- |
 | <a id="mutationcicdsettingsupdateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationcicdsettingsupdatefullpath"></a>`fullPath` | [`ID!`](#id) | Full Path of the project the settings belong to. |
+| <a id="mutationcicdsettingsupdatejobtokenscopeenabled"></a>`jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to resources. |
 | <a id="mutationcicdsettingsupdatekeeplatestartifact"></a>`keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for this project. |
 | <a id="mutationcicdsettingsupdatemergepipelinesenabled"></a>`mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. |
 | <a id="mutationcicdsettingsupdatemergetrainsenabled"></a>`mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. |
@@ -11853,6 +11854,7 @@ Returns [`VulnerabilitySeveritiesCount`](#vulnerabilityseveritiescount).
 
 | Name | Type | Description |
 | ---- | ---- | ----------- |
+| <a id="projectcicdsettingjobtokenscopeenabled"></a>`jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to resources. |
 | <a id="projectcicdsettingkeeplatestartifact"></a>`keepLatestArtifact` | [`Boolean`](#boolean) | Whether to keep the latest builds artifacts. |
 | <a id="projectcicdsettingmergepipelinesenabled"></a>`mergePipelinesEnabled` | [`Boolean`](#boolean) | Whether merge pipelines are enabled. |
 | <a id="projectcicdsettingmergetrainsenabled"></a>`mergeTrainsEnabled` | [`Boolean`](#boolean) | Whether merge trains are enabled. |

spec/factories/projects.rb

@@ -47,6 +47,7 @@ FactoryBot.define do
       import_last_error { nil }
       forward_deployment_enabled { nil }
       restrict_user_defined_variables { nil }
+      ci_job_token_scope_enabled { nil }
     end
 
     before(:create) do |project, evaluator|
@@ -88,6 +89,7 @@ FactoryBot.define do
       project.merge_trains_enabled = evaluator.merge_trains_enabled unless evaluator.merge_trains_enabled.nil?
       project.keep_latest_artifact = evaluator.keep_latest_artifact unless evaluator.keep_latest_artifact.nil?
       project.restrict_user_defined_variables = evaluator.restrict_user_defined_variables unless evaluator.restrict_user_defined_variables.nil?
+      project.ci_job_token_scope_enabled = evaluator.ci_job_token_scope_enabled unless evaluator.ci_job_token_scope_enabled.nil?
 
       if evaluator.import_status
         import_state = project.import_state || project.build_import_state

spec/requests/api/graphql/ci/ci_cd_setting_spec.rb

@@ -47,6 +47,7 @@ RSpec.describe 'Getting Ci Cd Setting' do
       expect(settings_data['mergePipelinesEnabled']).to eql project.ci_cd_settings.merge_pipelines_enabled?
       expect(settings_data['mergeTrainsEnabled']).to eql project.ci_cd_settings.merge_trains_enabled?
       expect(settings_data['keepLatestArtifact']).to eql project.keep_latest_artifacts_available?
+      expect(settings_data['jobTokenScopeEnabled']).to eql project.ci_cd_settings.job_token_scope_enabled?
     end
   end
 end

spec/requests/api/graphql/mutations/ci/ci_cd_settings_update_spec.rb

@@ -5,8 +5,16 @@ require 'spec_helper'
 RSpec.describe 'CiCdSettingsUpdate' do
   include GraphqlHelpers
 
-  let_it_be(:project) { create(:project, keep_latest_artifact: true) }
-  let(:variables) { { full_path: project.full_path, keep_latest_artifact: false } }
+  let_it_be(:project) { create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true) }
+
+  let(:variables) do
+    {
+      full_path: project.full_path,
+      keep_latest_artifact: false,
+      job_token_scope_enabled: false
+    }
+  end
+
   let(:mutation) { graphql_mutation(:ci_cd_settings_update, variables) }
 
   context 'when unauthorized' do
@@ -45,6 +53,26 @@ RSpec.describe 'CiCdSettingsUpdate' do
       expect(project.keep_latest_artifact).to eq(false)
     end
 
+    it 'updates job_token_scope_enabled' do
+      post_graphql_mutation(mutation, current_user: user)
+
+      project.reload
+
+      expect(response).to have_gitlab_http_status(:success)
+      expect(project.ci_job_token_scope_enabled).to eq(false)
+    end
+
+    it 'does not update job_token_scope_enabled if not specified' do
+      variables.except!(:job_token_scope_enabled)
+
+      post_graphql_mutation(mutation, current_user: user)
+
+      project.reload
+
+      expect(response).to have_gitlab_http_status(:success)
+      expect(project.ci_job_token_scope_enabled).to eq(true)
+    end
+
     context 'when bad arguments are provided' do
       let(:variables) { { full_path: '', keep_latest_artifact: false } }