[Remove FF] Limit GitLab CI/CD job token access

8cf25ba9 · Fabio Pitino · Marius Bobin · 28383338 · 8cf25ba9 · 8cf25ba9
Commit 8cf25ba9 authored Nov 26, 2021 by Fabio Pitino Committed by Marius Bobin Nov 26, 2021
6 changed files
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -12,7 +12,6 @@ module Projects
      before_action :define_variables
      before_action do
        push_frontend_feature_flag(:ajax_new_deploy_token, @project)
-        push_frontend_feature_flag(:ci_scoped_job_token, @project, default_enabled: :yaml)
      end
      helper_method :highlight_badge

--- a/app/finders/ci/auth_job_finder.rb
+++ b/app/finders/ci/auth_job_finder.rb
@@ -16,7 +16,7 @@ module Ci
        validate_job!(job)
-        if job.user && Feature.enabled?(:ci_scoped_job_token, job.project, default_enabled: :yaml)
+        if job.user
          job.user.set_ci_job_token_scope!(job)
        end
      end

--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -96,15 +96,14 @@
    .settings-content
      = render 'ci/deploy_freeze/index'
- if Feature.enabled?(:ci_scoped_job_token, @project, default_enabled: :yaml)
+%section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
-  %section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
+  .settings-header
-    .settings-header
+    %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
-      %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
+      = _("Token Access")
-        = _("Token Access")
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
-      %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
+      = expanded ? _('Collapse') : _('Expand')
-        = expanded ? _('Collapse') : _('Expand')
+    %p
-      %p
+      = _("Control which projects can be accessed by API requests authenticated with this project's CI_JOB_TOKEN CI/CD variable. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API.")
-        = _("Control which projects can be accessed by API requests authenticated with this project's CI_JOB_TOKEN CI/CD variable. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API.")
+      = link_to _('Learn more'), help_page_path('ci/jobs/ci_job_token'), target: '_blank', rel: 'noopener noreferrer'
-        = link_to _('Learn more'), help_page_path('ci/jobs/ci_job_token'), target: '_blank', rel: 'noopener noreferrer'
+  .settings-content
-    .settings-content
+    = render 'ci/token_access/index'
-      = render 'ci/token_access/index'
--- a/config/feature_flags/development/ci_scoped_job_token.yml
+++ b/config/feature_flags/development/ci_scoped_job_token.yml
---
-name: ci_scoped_job_token
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62733
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
-milestone: '14.0'
-type: development
-group: group::pipeline execution
-default_enabled: true
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -61,11 +61,7 @@ tries to steal tokens from other jobs.
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. [Deployed behind the `:ci_scoped_job_token` feature flag](../../user/feature_flags.md), disabled by default.
 > - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.4.
+> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.6.
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature,
-ask an administrator to [disable the `ci_scoped_job_token` flag](../../administration/feature_flags.md).
-On GitLab.com, this feature is available.
 You can limit the access scope of a project's CI/CD job token to increase the
 job token's security. A job token might give extra permissions that aren't necessary

--- a/spec/finders/ci/auth_job_finder_spec.rb
+++ b/spec/finders/ci/auth_job_finder_spec.rb
@@ -70,17 +70,6 @@ RSpec.describe Ci::AuthJobFinder do
        expect(subject.user).to be_from_ci_job_token
        expect(subject.user.ci_job_token_scope.source_project).to eq(job.project)
      end
-      context 'when feature flag ci_scoped_job_token is disabled' do
-        before do
-          stub_feature_flags(ci_scoped_job_token: false)
-        end
-        it 'does not set ci_job_token_scope on the job user' do
-          expect(subject).to eq(job)
-          expect(subject.user).not_to be_from_ci_job_token
-        end
-      end
    end
  end
 end