Commit 024ec9e0 authored by Fabio Pitino's avatar Fabio Pitino

Make job_token_scope_enabled project setting false by default

When using the default value to `true` some new projects
got this setting enabled while the feature was not fully
implemented. To fix this we need to reset any enabled
settings to `false` until the feature about
`job_token_scope_enabled` is fully available.

Changelog: fixed
parent 715fc55a
...@@ -16,7 +16,6 @@ class ProjectCiCdSetting < ApplicationRecord ...@@ -16,7 +16,6 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true allow_nil: true
default_value_for :forward_deployment_enabled, true default_value_for :forward_deployment_enabled, true
default_value_for :job_token_scope_enabled, true
def forward_deployment_enabled? def forward_deployment_enabled?
super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true) super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)
......
...@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do ...@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
context 'when site validation and job are associated with different projects' do context 'when site validation and job are associated with different projects' do
let_it_be(:job) { create(:ci_build, :running, user: developer) } let_it_be(:job) { create(:ci_build, :running, user: developer) }
it 'returns 403', :aggregate_failures do it 'returns 400', :aggregate_failures do
subject subject
expect(response).to have_gitlab_http_status(:forbidden) expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
end end
context 'when the job project belongs to the same job token scope' do context 'when the job project belongs to the same job token scope' do
......
...@@ -7,7 +7,10 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do ...@@ -7,7 +7,10 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do
end end
describe '#resolve' do describe '#resolve' do
let_it_be(:project) { create(:project) } let_it_be(:project) do
create(:project, ci_job_token_scope_enabled: true).tap(&:save!)
end
let_it_be(:target_project) { create(:project) } let_it_be(:target_project) { create(:project) }
let(:target_project_path) { target_project.full_path } let(:target_project_path) { target_project.full_path }
......
...@@ -7,7 +7,7 @@ RSpec.describe Mutations::Ci::JobTokenScope::RemoveProject do ...@@ -7,7 +7,7 @@ RSpec.describe Mutations::Ci::JobTokenScope::RemoveProject do
end end
describe '#resolve' do describe '#resolve' do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) } let_it_be(:target_project) { create(:project) }
let_it_be(:link) do let_it_be(:link) do
......
...@@ -6,7 +6,7 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do ...@@ -6,7 +6,7 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
include GraphqlHelpers include GraphqlHelpers
let_it_be(:current_user) { create(:user) } let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
specify do specify do
expect(described_class).to have_nullable_graphql_type(::Types::Ci::JobTokenScopeType) expect(described_class).to have_nullable_graphql_type(::Types::Ci::JobTokenScopeType)
...@@ -37,6 +37,16 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do ...@@ -37,6 +37,16 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
expect(resolve_scope.all_projects).to contain_exactly(project, link.target_project) expect(resolve_scope.all_projects).to contain_exactly(project, link.target_project)
end end
end end
context 'when job token scope is disabled' do
before do
project.update!(ci_job_token_scope_enabled: false)
end
it 'returns nil' do
expect(resolve_scope).to be_nil
end
end
end end
context 'without access to scope' do context 'without access to scope' do
......
...@@ -12,7 +12,7 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do ...@@ -12,7 +12,7 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
end end
describe 'query' do describe 'query' do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:current_user) { create(:user) } let_it_be(:current_user) { create(:user) }
let(:query) do let(:query) do
...@@ -59,6 +59,16 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do ...@@ -59,6 +59,16 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
expect(returned_project_paths).to contain_exactly(project.path) expect(returned_project_paths).to contain_exactly(project.path)
end end
end end
context 'when job token scope is disabled' do
before do
project.ci_cd_settings.update!(job_token_scope_enabled: false)
end
it 'returns nil' do
expect(subject.dig('data', 'project', 'ciJobTokenScope')).to be_nil
end
end
end end
end end
end end
......
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Ci::JobToken::Scope do RSpec.describe Ci::JobToken::Scope do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let(:scope) { described_class.new(project) } let(:scope) { described_class.new(project) }
......
...@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do ...@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
end end
describe '#job_token_scope_enabled' do describe '#job_token_scope_enabled' do
it 'is true by default' do it 'is false by default' do
expect(described_class.new.job_token_scope_enabled).to be_truthy expect(described_class.new.job_token_scope_enabled).to be_falsey
end end
end end
......
...@@ -1423,6 +1423,7 @@ RSpec.describe ProjectPolicy do ...@@ -1423,6 +1423,7 @@ RSpec.describe ProjectPolicy do
before do before do
current_user.set_ci_job_token_scope!(job) current_user.set_ci_job_token_scope!(job)
scope_project.update!(ci_job_token_scope_enabled: true)
end end
context 'when accessing a private project' do context 'when accessing a private project' do
...@@ -1442,6 +1443,14 @@ RSpec.describe ProjectPolicy do ...@@ -1442,6 +1443,14 @@ RSpec.describe ProjectPolicy do
end end
it { is_expected.to be_disallowed(:guest_access) } it { is_expected.to be_disallowed(:guest_access) }
context 'when job token scope is disabled' do
before do
scope_project.update!(ci_job_token_scope_enabled: false)
end
it { is_expected.to be_allowed(:guest_access) }
end
end end
end end
...@@ -1462,6 +1471,14 @@ RSpec.describe ProjectPolicy do ...@@ -1462,6 +1471,14 @@ RSpec.describe ProjectPolicy do
end end
it { is_expected.to be_disallowed(:public_access) } it { is_expected.to be_disallowed(:public_access) }
context 'when job token scope is disabled' do
before do
scope_project.update!(ci_job_token_scope_enabled: false)
end
it { is_expected.to be_allowed(:public_access) }
end
end end
end end
end end
......
...@@ -5,7 +5,10 @@ require 'spec_helper' ...@@ -5,7 +5,10 @@ require 'spec_helper'
RSpec.describe 'CiCdSettingsUpdate' do RSpec.describe 'CiCdSettingsUpdate' do
include GraphqlHelpers include GraphqlHelpers
let_it_be(:project) { create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true) } let_it_be(:project) do
create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true)
.tap(&:save!)
end
let(:variables) do let(:variables) do
{ {
......
...@@ -5,7 +5,7 @@ require 'spec_helper' ...@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe 'CiJobTokenScopeAddProject' do RSpec.describe 'CiJobTokenScopeAddProject' do
include GraphqlHelpers include GraphqlHelpers
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) } let_it_be(:target_project) { create(:project) }
let(:variables) do let(:variables) do
......
...@@ -5,7 +5,7 @@ require 'spec_helper' ...@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe 'CiJobTokenScopeRemoveProject' do RSpec.describe 'CiJobTokenScopeRemoveProject' do
include GraphqlHelpers include GraphqlHelpers
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) } let_it_be(:target_project) { create(:project) }
let_it_be(:link) do let_it_be(:link) do
......
...@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do ...@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is enabled', :enable_admin_mode do context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'can download code only' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
...@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do ...@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is enabled', :enable_admin_mode do context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'can download code only' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
......
...@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
# I'm not sure what this tests that is different from the previous test # I'm not sure what this tests that is different from the previous test
it_behaves_like 'LFS http 404 response' it_behaves_like 'LFS http 403 response'
end end
end end
...@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
# I'm not sure what this tests that is different from the previous test # I'm not sure what this tests that is different from the previous test
it_behaves_like 'LFS http 404 response' it_behaves_like 'LFS http 403 response'
end end
end end
......
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::JobTokenScope::AddProjectService do RSpec.describe Ci::JobTokenScope::AddProjectService do
let(:service) { described_class.new(project, current_user) } let(:service) { described_class.new(project, current_user) }
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) } let_it_be(:target_project) { create(:project) }
let_it_be(:current_user) { create(:user) } let_it_be(:current_user) { create(:user) }
......
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Ci::JobTokenScope::RemoveProjectService do RSpec.describe Ci::JobTokenScope::RemoveProjectService do
let(:service) { described_class.new(project, current_user) } let(:service) { described_class.new(project, current_user) }
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
let_it_be(:target_project) { create(:project) } let_it_be(:target_project) { create(:project) }
let_it_be(:current_user) { create(:user) } let_it_be(:current_user) { create(:user) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment