Commit f3841248 authored by Shinya Maeda's avatar Shinya Maeda

Merge branch 'add-ci-project-setting-for-token-scope' into 'master'

Add project setting to toggle job token scope

See merge request gitlab-org/gitlab!63446
parents b3a41f0d 99aacbf5
......@@ -22,6 +22,9 @@ module Ci
end
def includes?(target_project)
# if the setting is disabled any project is considered to be in scope.
return true unless source_project.ci_job_token_scope_enabled?
target_project.id == source_project.id ||
Ci::JobToken::ProjectScopeLink.from_project(source_project).to_project(target_project).exists?
end
......
......@@ -423,6 +423,7 @@ class Project < ApplicationRecord
delegate :dashboard_timezone, to: :metrics_setting, allow_nil: true, prefix: true
delegate :default_git_depth, :default_git_depth=, to: :ci_cd_settings, prefix: :ci
delegate :forward_deployment_enabled, :forward_deployment_enabled=, :forward_deployment_enabled?, to: :ci_cd_settings, prefix: :ci
delegate :job_token_scope_enabled, :job_token_scope_enabled=, :job_token_scope_enabled?, to: :ci_cd_settings, prefix: :ci
delegate :keep_latest_artifact, :keep_latest_artifact=, :keep_latest_artifact?, :keep_latest_artifacts_available?, to: :ci_cd_settings
delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, :restrict_user_defined_variables?,
to: :ci_cd_settings
......
......@@ -16,6 +16,7 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true
default_value_for :forward_deployment_enabled, true
default_value_for :job_token_scope_enabled, true
def forward_deployment_enabled?
super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)
......
# frozen_string_literal: true
class AddJobTokenScopeEnabledToCiCdSettings < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
def up
with_lock_retries do
add_column :project_ci_cd_settings, :job_token_scope_enabled, :boolean, default: false, null: false
end
end
def down
with_lock_retries do
remove_column :project_ci_cd_settings, :job_token_scope_enabled
end
end
end
dd6bf6ae4988e8e07247388554992d5100dedb2bd66e92c42a6bb144dc6b1937
\ No newline at end of file
......@@ -16564,7 +16564,8 @@ CREATE TABLE project_ci_cd_settings (
merge_trains_enabled boolean DEFAULT false,
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT false NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
......@@ -95,6 +95,7 @@ module API
expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] }
expose :ci_default_git_depth
expose :ci_forward_deployment_enabled
expose :ci_job_token_scope_enabled
expose :public_builds, as: :public_jobs
expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
project.build_allow_git_fetch ? 'fetch' : 'clone'
......
......@@ -50,6 +50,16 @@ RSpec.describe Ci::JobToken::Scope do
let(:target_project) { scope_link.target_project }
it { is_expected.to be_falsey }
context 'when project scope setting is disabled' do
before do
project.ci_job_token_scope_enabled = false
end
it 'considers any project to be part of the scope' do
expect(subject).to be_truthy
end
end
end
end
end
......@@ -21,6 +21,12 @@ RSpec.describe ProjectCiCdSetting do
end
end
describe '#job_token_scope_enabled' do
it 'is true by default' do
expect(described_class.new.job_token_scope_enabled).to be_truthy
end
end
describe '#default_git_depth' do
let(:default_value) { described_class::DEFAULT_GIT_DEPTH }
......
......@@ -94,6 +94,7 @@ ci_cd_settings:
remapped_attributes:
default_git_depth: ci_default_git_depth
forward_deployment_enabled: ci_forward_deployment_enabled
job_token_scope_enabled: ci_job_token_scope_enabled
build_import_state: # import_state
unexposed_attributes:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment