Merge branch '339790-disable-scoped-job-token-by-default' into 'master'

Set `job_token_scope_enabled` to false by default

See merge request gitlab-org/gitlab!69502

db/migrate/20210902171808_set_default_job_token_scope_false.rb

+# frozen_string_literal: true
+
+class SetDefaultJobTokenScopeFalse < Gitlab::Database::Migration[1.0]
+  disable_ddl_transaction!
+
+  def up
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+    end
+  end
+
+  def down
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+    end
+  end
+end

db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb

+# frozen_string_literal: true
+
+class DisableJobTokenScopeWhenUnused < Gitlab::Database::Migration[1.0]
+  disable_ddl_transaction!
+
+  class ProjectCiCdSetting < ApplicationRecord
+    include EachBatch
+
+    self.table_name = 'project_ci_cd_settings'
+  end
+
+  module Ci
+    module JobToken
+      class ProjectScopeLink < ApplicationRecord
+        self.table_name = 'ci_job_token_project_scope_links'
+      end
+    end
+  end
+
+  def up
+    # Disabling job token scope after db/migrate/20210902171808_set_default_job_token_scope_false.rb
+    # if users haven't configured it.
+    ProjectCiCdSetting.each_batch(of: 10_000) do |settings|
+      with_enabled_but_unused_scope(settings).each_batch(of: 500) do |settings_to_update|
+        settings_to_update.update_all(job_token_scope_enabled: false)
+      end
+    end
+  end
+
+  def down
+    # irreversible data migration
+
+    # The migration relies on the state of `job_token_scope_enabled` and
+    # updates it based on whether the feature is used or not.
+    #
+    # The inverse migration would be to set `job_token_scope_enabled: true`
+    # for those projects that have the feature disabled and unused. But there
+    # could be also existing cases where the feature is disabled and unused.
+    # For example, old projects.
+  end
+
+  private
+
+  # The presence of ProjectScopeLinks means that the job token scope
+  # is configured and we need to leave it enabled. Unused job token scope
+  # can be disabled since they weren't configured.
+  def with_enabled_but_unused_scope(settings)
+    settings
+      .where(job_token_scope_enabled: true)
+      .where.not(project_id: Ci::JobToken::ProjectScopeLink.select(:source_project_id))
+  end
+end

db/schema_migrations/20210902171808

+09b482e4716a2b0808ad83770222baed8e863a8f94f85f77ed2d557eaa348df4
\ No newline at end of file

db/schema_migrations/20210908132335

+399e35197111c257786a2bdf5dac990a26f48d2cc8493de642dcfa47ddececd2
\ No newline at end of file

db/structure.sql

@@ -17719,7 +17719,7 @@ CREATE TABLE project_ci_cd_settings (
     auto_rollback_enabled boolean DEFAULT false NOT NULL,
     keep_latest_artifact boolean DEFAULT true NOT NULL,
     restrict_user_defined_variables boolean DEFAULT false NOT NULL,
-    job_token_scope_enabled boolean DEFAULT true NOT NULL
+    job_token_scope_enabled boolean DEFAULT false NOT NULL
 );
 
 CREATE SEQUENCE project_ci_cd_settings_id_seq

spec/migrations/disable_job_token_scope_when_unused_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe DisableJobTokenScopeWhenUnused do
+  let(:ci_cd_settings) { table(:project_ci_cd_settings) }
+  let(:links) { table(:ci_job_token_project_scope_links) }
+  let(:namespaces) { table(:namespaces) }
+  let(:projects) { table(:projects) }
+
+  let(:namespace) { namespaces.create!(name: 'test', path: 'path', type: 'Group') }
+
+  let(:project_with_used_scope) { projects.create!(namespace_id: namespace.id) }
+  let!(:used_scope_settings) { ci_cd_settings.create!(project_id: project_with_used_scope.id, job_token_scope_enabled: true) }
+  let(:target_project) { projects.create!(namespace_id: namespace.id) }
+  let!(:link) { links.create!(source_project_id: project_with_used_scope.id, target_project_id: target_project.id) }
+
+  let(:project_with_unused_scope) { projects.create!(namespace_id: namespace.id) }
+  let!(:unused_scope_settings) { ci_cd_settings.create!(project_id: project_with_unused_scope.id, job_token_scope_enabled: true) }
+
+  let(:project_with_disabled_scope) { projects.create!(namespace_id: namespace.id) }
+  let!(:disabled_scope_settings) { ci_cd_settings.create!(project_id: project_with_disabled_scope.id, job_token_scope_enabled: false) }
+
+  describe '#up' do
+    it 'sets job_token_scope_enabled to false for projects not having job token scope configured' do
+      migrate!
+
+      expect(unused_scope_settings.reload.job_token_scope_enabled).to be_falsey
+    end
+
+    it 'keeps the scope enabled for projects that are using it' do
+      migrate!
+
+      expect(used_scope_settings.reload.job_token_scope_enabled).to be_truthy
+    end
+
+    it 'keeps the scope disabled for projects having it disabled' do
+      migrate!
+
+      expect(disabled_scope_settings.reload.job_token_scope_enabled).to be_falsey
+    end
+  end
+end

spec/models/project_ci_cd_setting_spec.rb

@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
     end
   end
 
-  describe '#job_token_scope_enabled' do
-    it 'is true by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_truthy
-    end
-  end
-
   describe '#default_git_depth' do
     let(:default_value) { described_class::DEFAULT_GIT_DEPTH }