Merge branch 'add-ci-project-setting-for-token-scope' into 'master'

Add project setting to toggle job token scope See merge request gitlab-org/gitlab!63446

Merge branch 'add-ci-project-setting-for-token-scope' into 'master'
Add project setting to toggle job token scope See merge request gitlab-org/gitlab!63446
f3841248 · Shinya Maeda · b3a41f0d · 99aacbf5 · f3841248 · f3841248
Commit f3841248 authored Jun 14, 2021 by Shinya Maeda
10 changed files
--- a/app/models/ci/job_token/scope.rb
+++ b/app/models/ci/job_token/scope.rb
@@ -22,6 +22,9 @@ module Ci
      end

      def includes?(target_project)
+        # if the setting is disabled any project is considered to be in scope.
+        return true unless source_project.ci_job_token_scope_enabled?
+
        target_project.id == source_project.id ||
          Ci::JobToken::ProjectScopeLink.from_project(source_project).to_project(target_project).exists?
      end

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -423,6 +423,7 @@ class Project < ApplicationRecord
  delegate :dashboard_timezone, to: :metrics_setting, allow_nil: true, prefix: true
  delegate :default_git_depth, :default_git_depth=, to: :ci_cd_settings, prefix: :ci
  delegate :forward_deployment_enabled, :forward_deployment_enabled=, :forward_deployment_enabled?, to: :ci_cd_settings, prefix: :ci
+  delegate :job_token_scope_enabled, :job_token_scope_enabled=, :job_token_scope_enabled?, to: :ci_cd_settings, prefix: :ci
  delegate :keep_latest_artifact, :keep_latest_artifact=, :keep_latest_artifact?, :keep_latest_artifacts_available?, to: :ci_cd_settings
  delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, :restrict_user_defined_variables?,
    to: :ci_cd_settings

--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -16,6 +16,7 @@ class ProjectCiCdSetting < ApplicationRecord
    allow_nil: true

  default_value_for :forward_deployment_enabled, true
+  default_value_for :job_token_scope_enabled, true

  def forward_deployment_enabled?
    super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)

--- a/db/migrate/20210607154719_add_job_token_scope_enabled_to_ci_cd_settings.rb
+++ b/db/migrate/20210607154719_add_job_token_scope_enabled_to_ci_cd_settings.rb
+# frozen_string_literal: true
+
+class AddJobTokenScopeEnabledToCiCdSettings < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  def up
+    with_lock_retries do
+      add_column :project_ci_cd_settings, :job_token_scope_enabled, :boolean, default: false, null: false
+    end
+  end
+
+  def down
+    with_lock_retries do
+      remove_column :project_ci_cd_settings, :job_token_scope_enabled
+    end
+  end
+end
--- a/db/schema_migrations/20210607154719
+++ b/db/schema_migrations/20210607154719
+dd6bf6ae4988e8e07247388554992d5100dedb2bd66e92c42a6bb144dc6b1937
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16564,7 +16564,8 @@ CREATE TABLE project_ci_cd_settings (
    merge_trains_enabled boolean DEFAULT false,
    auto_rollback_enabled boolean DEFAULT false NOT NULL,
    keep_latest_artifact boolean DEFAULT true NOT NULL,
-    restrict_user_defined_variables boolean DEFAULT false NOT NULL
+    restrict_user_defined_variables boolean DEFAULT false NOT NULL,
+    job_token_scope_enabled boolean DEFAULT false NOT NULL
 );

 CREATE SEQUENCE project_ci_cd_settings_id_seq
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -95,6 +95,7 @@ module API
      expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] }
      expose :ci_default_git_depth
      expose :ci_forward_deployment_enabled
+      expose :ci_job_token_scope_enabled
      expose :public_builds, as: :public_jobs
      expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
        project.build_allow_git_fetch ? 'fetch' : 'clone'

--- a/spec/models/ci/job_token/scope_spec.rb
+++ b/spec/models/ci/job_token/scope_spec.rb
@@ -50,6 +50,16 @@ RSpec.describe Ci::JobToken::Scope do
      let(:target_project) { scope_link.target_project }

      it { is_expected.to be_falsey }
+
+      context 'when project scope setting is disabled' do
+        before do
+          project.ci_job_token_scope_enabled = false
+        end
+
+        it 'considers any project to be part of the scope' do
+          expect(subject).to be_truthy
+        end
+      end
    end
  end
 end
--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -21,6 +21,12 @@ RSpec.describe ProjectCiCdSetting do
    end
  end

+  describe '#job_token_scope_enabled' do
+    it 'is true by default' do
+      expect(described_class.new.job_token_scope_enabled).to be_truthy
+    end
+  end
+
  describe '#default_git_depth' do
    let(:default_value) { described_class::DEFAULT_GIT_DEPTH }


--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -94,6 +94,7 @@ ci_cd_settings:
  remapped_attributes:
    default_git_depth: ci_default_git_depth
    forward_deployment_enabled: ci_forward_deployment_enabled
+    job_token_scope_enabled: ci_job_token_scope_enabled

 build_import_state: # import_state
  unexposed_attributes: