[Remove FF] Limit GitLab CI/CD job token access

8cf25ba9 · Fabio Pitino · Marius Bobin · 28383338 · 8cf25ba9 · 8cf25ba9
Commit 8cf25ba9 authored Nov 26, 2021 by Fabio Pitino Committed by Marius Bobin Nov 26, 2021
6 changed files
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -12,7 +12,6 @@ module Projects
      before_action :define_variables
      before_action do
        push_frontend_feature_flag(:ajax_new_deploy_token, @project)
-        push_frontend_feature_flag(:ci_scoped_job_token, @project, default_enabled: :yaml)
      end

      helper_method :highlight_badge

--- a/app/finders/ci/auth_job_finder.rb
+++ b/app/finders/ci/auth_job_finder.rb
@@ -16,7 +16,7 @@ module Ci

        validate_job!(job)

-        if job.user && Feature.enabled?(:ci_scoped_job_token, job.project, default_enabled: :yaml)
+        if job.user
          job.user.set_ci_job_token_scope!(job)
        end
      end

--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -96,8 +96,7 @@
    .settings-content
      = render 'ci/deploy_freeze/index'

- if Feature.enabled?(:ci_scoped_job_token, @project, default_enabled: :yaml)
-  %section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
+%section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
  .settings-header
    %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
      = _("Token Access")

--- a/config/feature_flags/development/ci_scoped_job_token.yml
+++ b/config/feature_flags/development/ci_scoped_job_token.yml
---
-name: ci_scoped_job_token
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62733
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
-milestone: '14.0'
-type: development
-group: group::pipeline execution
-default_enabled: true
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -61,11 +61,7 @@ tries to steal tokens from other jobs.

 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. [Deployed behind the `:ci_scoped_job_token` feature flag](../../user/feature_flags.md), disabled by default.
 > - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.4.
-
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature,
-ask an administrator to [disable the `ci_scoped_job_token` flag](../../administration/feature_flags.md).
-On GitLab.com, this feature is available.
+> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.6.

 You can limit the access scope of a project's CI/CD job token to increase the
 job token's security. A job token might give extra permissions that aren't necessary

--- a/spec/finders/ci/auth_job_finder_spec.rb
+++ b/spec/finders/ci/auth_job_finder_spec.rb
@@ -70,17 +70,6 @@ RSpec.describe Ci::AuthJobFinder do
        expect(subject.user).to be_from_ci_job_token
        expect(subject.user.ci_job_token_scope.source_project).to eq(job.project)
      end
-
-      context 'when feature flag ci_scoped_job_token is disabled' do
-        before do
-          stub_feature_flags(ci_scoped_job_token: false)
-        end
-
-        it 'does not set ci_job_token_scope on the job user' do
-          expect(subject).to eq(job)
-          expect(subject.user).not_to be_from_ci_job_token
-        end
-      end
    end
  end
 end