Merge branch '332272-set-job-token-scope-enabled-by-default' into 'master'

Set `job_token_scope_enabled` to true by default

See merge request gitlab-org/gitlab!68577

db/migrate/20210819153805_set_default_job_token_scope_true.rb

+# frozen_string_literal: true
+
+class SetDefaultJobTokenScopeTrue < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+
+  def up
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+    end
+  end
+
+  def down
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+    end
+  end
+end

db/schema_migrations/20210819153805

+195d2444bf9d5113ee589b1accdbf04efbc7fb84c2ead4deed3985b254345e07
\ No newline at end of file

db/structure.sql

@@ -16996,7 +16996,7 @@ CREATE TABLE project_ci_cd_settings (
     auto_rollback_enabled boolean DEFAULT false NOT NULL,
     keep_latest_artifact boolean DEFAULT true NOT NULL,
     restrict_user_defined_variables boolean DEFAULT false NOT NULL,
-    job_token_scope_enabled boolean DEFAULT false NOT NULL
+    job_token_scope_enabled boolean DEFAULT true NOT NULL
 );
 
 CREATE SEQUENCE project_ci_cd_settings_id_seq

ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb

@@ -68,10 +68,17 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
       context 'when site validation and job are associated with different projects' do
         let_it_be(:job) { create(:ci_build, :running, user: developer) }
 
+        before do
+          create(:ci_job_token_project_scope_link,
+                 source_project: job.project,
+                 target_project: project,
+                 added_by: developer)
+        end
+
         it 'returns 400', :aggregate_failures do
           subject
 
-          expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
+          expect(response).to have_gitlab_http_status(:bad_request)
         end
 
         context 'when the job project belongs to the same job token scope' do

spec/migrations/set_default_job_token_scope_true_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe SetDefaultJobTokenScopeTrue, schema: 20210819153805 do
+  let(:ci_cd_settings) { table(:project_ci_cd_settings) }
+  let(:namespaces) { table(:namespaces) }
+  let(:projects) { table(:projects) }
+
+  let(:namespace) { namespaces.create!(name: 'test', path: 'path', type: 'Group') }
+  let(:project) { projects.create!(namespace_id: namespace.id) }
+
+  describe '#up' do
+    it 'sets the job_token_scope_enabled default to true' do
+      described_class.new.up
+
+      settings = ci_cd_settings.create!(project_id: project.id)
+
+      expect(settings.job_token_scope_enabled).to be_truthy
+    end
+  end
+
+  describe '#down' do
+    it 'sets the job_token_scope_enabled default to false' do
+      described_class.new.down
+
+      settings = ci_cd_settings.create!(project_id: project.id)
+
+      expect(settings.job_token_scope_enabled).to be_falsey
+    end
+  end
+end

spec/models/project_ci_cd_setting_spec.rb

@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
     end
   end
 
-  describe '#job_token_scope_enabled' do
-    it 'is false by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_falsey
-    end
-  end
-
   describe '#default_git_depth' do
     let(:default_value) { described_class::DEFAULT_GIT_DEPTH }
 

spec/requests/api/generic_packages_spec.rb

@@ -18,7 +18,7 @@ RSpec.describe API::GenericPackages do
   let_it_be(:project_deploy_token_wo) { create(:project_deploy_token, deploy_token: deploy_token_wo, project: project) }
 
   let(:user) { personal_access_token.user }
-  let(:ci_build) { create(:ci_build, :running, user: user) }
+  let(:ci_build) { create(:ci_build, :running, user: user, project: project) }
   let(:snowplow_standard_context_params) { { user: user, project: project, namespace: project.namespace } }
 
   def auth_header

spec/requests/api/go_proxy_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe API::GoProxy do
   let_it_be(:base) { "#{Settings.build_gitlab_go_url}/#{project.full_path}" }
 
   let_it_be(:oauth) { create :oauth_access_token, scopes: 'api', resource_owner: user }
-  let_it_be(:job) { create :ci_build, user: user, status: :running }
+  let_it_be(:job) { create :ci_build, user: user, status: :running, project: project }
   let_it_be(:pa_token) { create :personal_access_token, user: user }
 
   let_it_be(:modules) do

spec/requests/api/maven_packages_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe API::MavenPackages do
   let_it_be(:package_file) { package.package_files.with_file_name_like('%.xml').first }
   let_it_be(:jar_file) { package.package_files.with_file_name_like('%.jar').first }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running) }
+  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
   let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true) }

spec/requests/api/pypi_packages_spec.rb

@@ -13,7 +13,7 @@ RSpec.describe API::PypiPackages do
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
-  let_it_be(:job) { create(:ci_build, :running, user: user) }
+  let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
 
   let(:headers) { {} }
 

spec/requests/api/releases_spec.rb

@@ -839,7 +839,7 @@ RSpec.describe API::Releases do
 
       context 'when a valid token is provided' do
         it 'creates the release for a running job' do
-          job.update!(status: :running)
+          job.update!(status: :running, project: project)
           post api("/projects/#{project.id}/releases"), params: params.merge(job_token: job.token)
 
           expect(response).to have_gitlab_http_status(:created)

spec/requests/api/rubygem_packages_spec.rb

@@ -10,7 +10,7 @@ RSpec.describe API::RubygemPackages do
   let_it_be_with_reload(:project) { create(:project) }
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:user) { personal_access_token.user }
-  let_it_be(:job) { create(:ci_build, :running, user: user) }
+  let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
   let_it_be(:headers) { {} }

spec/requests/api/terraform/modules/v1/packages_spec.rb

@@ -12,7 +12,7 @@ RSpec.describe API::Terraform::Modules::V1::Packages do
   let_it_be(:package) { create(:terraform_module_package, project: project) }
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:user) { personal_access_token.user }
-  let_it_be(:job) { create(:ci_build, :running, user: user) }
+  let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
 

spec/requests/git_http_spec.rb

@@ -882,6 +882,10 @@ RSpec.describe 'Git HTTP requests' do
             before do
               build.update!(user: user)
               project.add_reporter(user)
+              create(:ci_job_token_project_scope_link,
+                     source_project: project,
+                     target_project: other_project,
+                     added_by: user)
             end
 
             shared_examples 'can download code only' do
@@ -1447,6 +1451,10 @@ RSpec.describe 'Git HTTP requests' do
 
           before do
             build.update!(project: project) # can't associate it on factory create
+            create(:ci_job_token_project_scope_link,
+                    source_project: project,
+                    target_project: other_project,
+                    added_by: user)
           end
 
           context 'when build created by system is authenticated' do

spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb

@@ -11,7 +11,7 @@ RSpec.shared_context 'npm api setup' do
   let_it_be(:package, reload: true) { create(:npm_package, project: project, name: "@#{group.path}/scoped_package") }
   let_it_be(:token) { create(:oauth_access_token, scopes: 'api', resource_owner: user) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running) }
+  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }