Commit 024ec9e0 authored by Fabio Pitino's avatar Fabio Pitino

Make job_token_scope_enabled project setting false by default

When using the default value to `true` some new projects
got this setting enabled while the feature was not fully
implemented. To fix this we need to reset any enabled
settings to `false` until the feature about
`job_token_scope_enabled` is fully available.

Changelog: fixed
parent 715fc55a
......@@ -16,7 +16,6 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true
default_value_for :forward_deployment_enabled, true
default_value_for :job_token_scope_enabled, true
def forward_deployment_enabled?
super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)
......
......@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
context 'when site validation and job are associated with different projects' do
let_it_be(:job) { create(:ci_build, :running, user: developer) }
it 'returns 403', :aggregate_failures do
it 'returns 400', :aggregate_failures do
subject
expect(response).to have_gitlab_http_status(:forbidden)
expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
end
context 'when the job project belongs to the same job token scope' do
......
......@@ -7,7 +7,10 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do
end
describe '#resolve' do
let_it_be(:project) { create(:project) }
let_it_be(:project) do
create(:project, ci_job_token_scope_enabled: true).tap(&:save!)
end
let_it_be(:target_project) { create(:project) }
let(:target_project_path) { target_project.full_path }
......
......@@ -7,7 +7,7 @@ RSpec.describe Mutations::Ci::JobTokenScope::RemoveProject do
end
describe '#resolve' do
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) }
let_it_be(:link) do
......
......@@ -6,7 +6,7 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
include GraphqlHelpers
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
specify do
expect(described_class).to have_nullable_graphql_type(::Types::Ci::JobTokenScopeType)
......@@ -37,6 +37,16 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
expect(resolve_scope.all_projects).to contain_exactly(project, link.target_project)
end
end
context 'when job token scope is disabled' do
before do
project.update!(ci_job_token_scope_enabled: false)
end
it 'returns nil' do
expect(resolve_scope).to be_nil
end
end
end
context 'without access to scope' do
......
......@@ -12,7 +12,7 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
end
describe 'query' do
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:current_user) { create(:user) }
let(:query) do
......@@ -59,6 +59,16 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
expect(returned_project_paths).to contain_exactly(project.path)
end
end
context 'when job token scope is disabled' do
before do
project.ci_cd_settings.update!(job_token_scope_enabled: false)
end
it 'returns nil' do
expect(subject.dig('data', 'project', 'ciJobTokenScope')).to be_nil
end
end
end
end
end
......
......@@ -3,7 +3,7 @@
require 'spec_helper'
RSpec.describe Ci::JobToken::Scope do
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let(:scope) { described_class.new(project) }
......
......@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
end
describe '#job_token_scope_enabled' do
it 'is true by default' do
expect(described_class.new.job_token_scope_enabled).to be_truthy
it 'is false by default' do
expect(described_class.new.job_token_scope_enabled).to be_falsey
end
end
......
......@@ -1423,6 +1423,7 @@ RSpec.describe ProjectPolicy do
before do
current_user.set_ci_job_token_scope!(job)
scope_project.update!(ci_job_token_scope_enabled: true)
end
context 'when accessing a private project' do
......@@ -1442,6 +1443,14 @@ RSpec.describe ProjectPolicy do
end
it { is_expected.to be_disallowed(:guest_access) }
context 'when job token scope is disabled' do
before do
scope_project.update!(ci_job_token_scope_enabled: false)
end
it { is_expected.to be_allowed(:guest_access) }
end
end
end
......@@ -1462,6 +1471,14 @@ RSpec.describe ProjectPolicy do
end
it { is_expected.to be_disallowed(:public_access) }
context 'when job token scope is disabled' do
before do
scope_project.update!(ci_job_token_scope_enabled: false)
end
it { is_expected.to be_allowed(:public_access) }
end
end
end
end
......
......@@ -5,7 +5,10 @@ require 'spec_helper'
RSpec.describe 'CiCdSettingsUpdate' do
include GraphqlHelpers
let_it_be(:project) { create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true) }
let_it_be(:project) do
create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true)
.tap(&:save!)
end
let(:variables) do
{
......
......@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe 'CiJobTokenScopeAddProject' do
include GraphqlHelpers
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) }
let(:variables) do
......
......@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe 'CiJobTokenScopeRemoveProject' do
include GraphqlHelpers
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) }
let_it_be(:link) do
......
......@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
......@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do
it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
......
......@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
# I'm not sure what this tests that is different from the previous test
it_behaves_like 'LFS http 404 response'
it_behaves_like 'LFS http 403 response'
end
end
......@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
# I'm not sure what this tests that is different from the previous test
it_behaves_like 'LFS http 404 response'
it_behaves_like 'LFS http 403 response'
end
end
......
......@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::JobTokenScope::AddProjectService do
let(:service) { described_class.new(project, current_user) }
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) }
let_it_be(:current_user) { create(:user) }
......
......@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::JobTokenScope::RemoveProjectService do
let(:service) { described_class.new(project, current_user) }
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) }
let_it_be(:current_user) { create(:user) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment