Commit 24c5d0c7 authored by Tiger Watson

Merge branch '339790-disable-scoped-job-token-by-default' into 'master'

Set `job_token_scope_enabled` to false by default

See merge request gitlab-org/gitlab!69502
parents eb506c84 34b1c4df
# frozen_string_literal: true
class SetDefaultJobTokenScopeFalse < Gitlab::Database::Migration[1.0]
disable_ddl_transaction!
def up
with_lock_retries do
change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
end
end
def down
with_lock_retries do
change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
end
end
end
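Review bot: The `up` method flips a security-relevant column default with no comment recording what that means for rows created afterwards. Once it runs, every new `project_ci_cd_settings` row gets `job_token_scope_enabled = false` unless the writer sets it explicitly. Judging by the column name and the companion data migration, new projects then start without the job token scope restriction and must opt in. I would state that above `up`, for example `# New projects start with the job token scope disabled (issue 339790); it has to be enabled per project to restrict the token.` It is also worth saying in `down` that restoring the default to `true` does not touch existing rows.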
# frozen_string_literal: true
class DisableJobTokenScopeWhenUnused < Gitlab::Database::Migration[1.0]
disable_ddl_transaction!
class ProjectCiCdSetting < ApplicationRecord
include EachBatch
self.table_name = 'project_ci_cd_settings'
end
module Ci
module JobToken
class ProjectScopeLink < ApplicationRecord
self.table_name = 'ci_job_token_project_scope_links'
end
end
end
def up
# Disabling job token scope after db/migrate/20210902171808_set_default_job_token_scope_false.rb
# if users haven't configured it.
ProjectCiCdSetting.each_batch(of: 10_000) do |settings|
with_enabled_but_unused_scope(settings).each_batch(of: 500) do |settings_to_update|
settings_to_update.update_all(job_token_scope_enabled: false)
end
end
end
def down
# irreversible data migration
# The migration relies on the state of `job_token_scope_enabled` and
# updates it based on whether the feature is used or not.
#
# The inverse migration would be to set `job_token_scope_enabled: true`
# for those projects that have the feature disabled and unused. But there
# could be also existing cases where the feature is disabled and unused.
# For example, old projects.
end
private
# The presence of ProjectScopeLinks means that the job token scope
# is configured and we need to leave it enabled. Unused job token scope
# can be disabled since they weren't configured.
def with_enabled_but_unused_scope(settings)
settings
.where(job_token_scope_enabled: true)
.where.not(project_id: Ci::JobToken::ProjectScopeLink.select(:source_project_id))
end
end
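Review bot: `with_enabled_but_unused_scope` treats "enabled with no rows in `ci_job_token_project_scope_links`" as "never configured", but the old default was `true`, so it cannot tell an owner who kept the scope on deliberately from one who never looked at it. If an enabled scope with no links confines the job token to its own project (not shown on this page, please confirm), the `update_all` in `up` silently widens token access for those projects, and the empty `down` cannot restore it. I would make that trade-off explicit in the comment above the helper, e.g. `# NOTE: projects that kept the scope enabled without adding links are indistinguishable from unconfigured ones and lose the restriction.` Consider also logging the number of rows changed per batch so affected projects can be identified afterwards. Separately, `where.not(project_id: <subquery>)` becomes `NOT IN`, which matches nothing if `source_project_id` can ever be NULL; a `NOT EXISTS` form would avoid depending on that column's constraint.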
09b482e4716a2b0808ad83770222baed8e863a8f94f85f77ed2d557eaa348df4
\ No newline at end of file
399e35197111c257786a2bdf5dac990a26f48d2cc8493de642dcfa47ddececd2
\ No newline at end of file
......@@ -17719,7 +17719,7 @@ CREATE TABLE project_ci_cd_settings (
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT true NOT NULL
job_token_scope_enabled boolean DEFAULT false NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
# frozen_string_literal: true
require 'spec_helper'
require_migration!
RSpec.describe DisableJobTokenScopeWhenUnused do
let(:ci_cd_settings) { table(:project_ci_cd_settings) }
let(:links) { table(:ci_job_token_project_scope_links) }
let(:namespaces) { table(:namespaces) }
let(:projects) { table(:projects) }
let(:namespace) { namespaces.create!(name: 'test', path: 'path', type: 'Group') }
let(:project_with_used_scope) { projects.create!(namespace_id: namespace.id) }
let!(:used_scope_settings) { ci_cd_settings.create!(project_id: project_with_used_scope.id, job_token_scope_enabled: true) }
let(:target_project) { projects.create!(namespace_id: namespace.id) }
let!(:link) { links.create!(source_project_id: project_with_used_scope.id, target_project_id: target_project.id) }
let(:project_with_unused_scope) { projects.create!(namespace_id: namespace.id) }
let!(:unused_scope_settings) { ci_cd_settings.create!(project_id: project_with_unused_scope.id, job_token_scope_enabled: true) }
let(:project_with_disabled_scope) { projects.create!(namespace_id: namespace.id) }
let!(:disabled_scope_settings) { ci_cd_settings.create!(project_id: project_with_disabled_scope.id, job_token_scope_enabled: false) }
describe '#up' do
it 'sets job_token_scope_enabled to false for projects not having job token scope configured' do
migrate!
expect(unused_scope_settings.reload.job_token_scope_enabled).to be_falsey
end
it 'keeps the scope enabled for projects that are using it' do
migrate!
expect(used_scope_settings.reload.job_token_scope_enabled).to be_truthy
end
it 'keeps the scope disabled for projects having it disabled' do
migrate!
expect(disabled_scope_settings.reload.job_token_scope_enabled).to be_falsey
end
end
end
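Review bot: The spec never covers a project that appears only as the `target_project_id` of a link, although the migration's subquery selects `source_project_id` alone and so would disable the scope for it. `target_project` is created here without a `project_ci_cd_settings` row, so that outcome is neither asserted nor documented. I would add a settings row for it with `job_token_scope_enabled: true` and an example stating the intended result after `migrate!`. As a smaller point, the column is `boolean NOT NULL`, so `eq(false)` / `eq(true)` would pin the value more tightly than `be_falsey` / `be_truthy`.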
......@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
end
end
describe '#job_token_scope_enabled' do
it 'is true by default' do
expect(described_class.new.job_token_scope_enabled).to be_truthy
end
end
describe '#default_git_depth' do
let(:default_value) { described_class::DEFAULT_GIT_DEPTH }
......