Commit d218927b authored by Allison Browne's avatar Allison Browne Committed by Fabio Pitino

Delete restrict_access_to_build_debug_mode flag

Remove enabled by default feature flag for restricting
access to build debug mode.
parent 6e7646f5
...@@ -1020,8 +1020,6 @@ module Ci ...@@ -1020,8 +1020,6 @@ module Ci
end end
def debug_mode? def debug_mode?
return false unless Feature.enabled?(:restrict_access_to_build_debug_mode, default_enabled: true)
# TODO: Have `debug_mode?` check against data on sent back from runner # TODO: Have `debug_mode?` check against data on sent back from runner
# to capture all the ways that variables can be set. # to capture all the ways that variables can be set.
# See (https://gitlab.com/gitlab-org/gitlab/-/issues/290955) # See (https://gitlab.com/gitlab-org/gitlab/-/issues/290955)
......
---
name: restrict_access_to_build_debug_mode
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48932
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/292661
milestone: '13.7'
type: development
group: group::continuous integration
default_enabled: true
...@@ -877,13 +877,7 @@ before making them visible again. ...@@ -877,13 +877,7 @@ before making them visible again.
### Restricted access to debug logging ### Restricted access to debug logging
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7.
> - It's [deployed behind a feature flag](../../user/feature_flags.md), enabled by default. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8.
> - It's enabled on GitLab.com.
> - It's recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-restricted-access-to-debug-logging). **(CORE ONLY)**
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
With restricted access to debug logging, only users with With restricted access to debug logging, only users with
[developer or higher permissions](../../user/permissions.md#project-members-permissions) [developer or higher permissions](../../user/permissions.md#project-members-permissions)
...@@ -897,25 +891,6 @@ If you add `CI_DEBUG_TRACE` as a local variable to your runners, debug logs are ...@@ -897,25 +891,6 @@ If you add `CI_DEBUG_TRACE` as a local variable to your runners, debug logs are
to all users with access to job logs. The permission levels are not checked by Runner, to all users with access to job logs. The permission levels are not checked by Runner,
so you should make use of the variable in GitLab only. so you should make use of the variable in GitLab only.
#### Enable or disable Restricted access to debug logging **(CORE ONLY)**
Restricted Access to Debug logging is under development but ready for production use.
It is deployed behind a feature flag that is **enabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md)
can opt to disable it.
To enable it:
```ruby
Feature.enable(:restrict_access_to_build_debug_mode)
```
To disable it:
```ruby
Feature.disable(:restrict_access_to_build_debug_mode)
```
### Enable Debug logging ### Enable Debug logging
To enable debug logs (traces), set the `CI_DEBUG_TRACE` variable to `true`: To enable debug logs (traces), set the `CI_DEBUG_TRACE` variable to `true`:
......
...@@ -675,16 +675,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -675,16 +675,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
expect(response).to have_gitlab_http_status(:forbidden) expect(response).to have_gitlab_http_status(:forbidden)
end end
context 'with restrict_access_to_build_debug_mode feature disabled' do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
end
it 'returns response forbidden' do
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
end end
end end
...@@ -1139,18 +1129,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -1139,18 +1129,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
context 'with restrict_access_to_build_debug_mode feature disabled' do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
end
it 'returns response ok' do
response = subject
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
context 'without proper permissions for debug logging on a project' do context 'without proper permissions for debug logging on a project' do
...@@ -1164,18 +1142,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -1164,18 +1142,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
expect(response).to have_gitlab_http_status(:forbidden) expect(response).to have_gitlab_http_status(:forbidden)
end end
context 'with restrict_access_to_build_debug_mode feature disabled' do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
end
it 'returns response ok' do
response = subject
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
end end
end end
......
...@@ -179,34 +179,6 @@ RSpec.describe 'Project Jobs Permissions' do ...@@ -179,34 +179,6 @@ RSpec.describe 'Project Jobs Permissions' do
expect(status_code).to eq(expected_status_code) expect(status_code).to eq(expected_status_code)
end end
end end
context 'when restrict_access_to_build_debug_mode feature not enabled' do
where(:public_builds, :user_project_role, :ci_debug_trace, :expected_status_code) do
true | 'developer' | true | 200
true | 'guest' | true | 200
true | 'developer' | false | 200
true | 'guest' | false | 200
false | 'developer' | true | 200
false | 'guest' | true | 403
false | 'developer' | false | 200
false | 'guest' | false | 403
end
with_them do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
ci_instance_variable.update!(value: ci_debug_trace)
project.update!(public_builds: public_builds)
project.add_role(user, user_project_role)
end
it 'renders trace to authorized users' do
visit trace_project_job_path(project, job)
expect(status_code).to eq(expected_status_code)
end
end
end
end end
describe 'raw page' do describe 'raw page' do
...@@ -237,35 +209,6 @@ RSpec.describe 'Project Jobs Permissions' do ...@@ -237,35 +209,6 @@ RSpec.describe 'Project Jobs Permissions' do
expect(page).to have_content(expected_msg) expect(page).to have_content(expected_msg)
end end
end end
context 'when restrict_access_to_build_debug_mode feature not enabled' do
where(:public_builds, :user_project_role, :ci_debug_trace, :expected_status_code, :expected_msg) do
true | 'developer' | true | 200 | nil
true | 'guest' | true | 200 | nil
true | 'developer' | false | 200 | nil
true | 'guest' | false | 200 | nil
false | 'developer' | true | 200 | nil
false | 'guest' | true | 403 | 'The current user is not authorized to access the job log'
false | 'developer' | false | 200 | nil
false | 'guest' | false | 403 | 'The current user is not authorized to access the job log'
end
with_them do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
ci_instance_variable.update!(value: ci_debug_trace)
project.update!(public_builds: public_builds)
project.add_role(user, user_project_role)
end
it 'renders raw trace to authorized users' do
visit raw_project_job_path(project, job)
expect(status_code).to eq(expected_status_code)
expect(page).to have_content(expected_msg)
end
end
end
end end
end end
end end
...@@ -4775,22 +4775,6 @@ RSpec.describe Ci::Build do ...@@ -4775,22 +4775,6 @@ RSpec.describe Ci::Build do
describe '#debug_mode?' do describe '#debug_mode?' do
subject { build.debug_mode? } subject { build.debug_mode? }
context 'when feature is disabled' do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
end
it { is_expected.to eq false }
context 'when in variables' do
before do
create(:ci_instance_variable, key: 'CI_DEBUG_TRACE', value: 'true')
end
it { is_expected.to eq false }
end
end
context 'when CI_DEBUG_TRACE=true is in variables' do context 'when CI_DEBUG_TRACE=true is in variables' do
context 'when in instance variables' do context 'when in instance variables' do
before do before do
......
...@@ -827,32 +827,6 @@ RSpec.describe API::Jobs do ...@@ -827,32 +827,6 @@ RSpec.describe API::Jobs do
expect(response).to have_gitlab_http_status(expected_status) expect(response).to have_gitlab_http_status(expected_status)
end end
end end
context 'with restrict_access_to_build_debug_mode feature disabled' do
before do
stub_feature_flags(restrict_access_to_build_debug_mode: false)
end
where(:public_builds, :user_project_role, :expected_status) do
true | 'developer' | :ok
true | 'guest' | :ok
false | 'developer' | :ok
false | 'guest' | :forbidden
end
with_them do
before do
project.update!(public_builds: public_builds)
project.add_role(user, user_project_role)
get api("/projects/#{project.id}/jobs/#{job.id}/trace", api_user)
end
it 'renders trace to authorized users' do
expect(response).to have_gitlab_http_status(expected_status)
end
end
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment