Merge branch 'js/disable_feed_token' into 'master'

Add Setting to disable feed_tokens

See merge request gitlab-org/gitlab!48600

app/helpers/application_settings_helper.rb

@@ -198,6 +198,7 @@ module ApplicationSettingsHelper
       :default_project_visibility,
       :default_projects_limit,
       :default_snippet_visibility,
+      :disable_feed_token,
       :disabled_oauth_sign_in_sources,
       :domain_denylist,
       :domain_denylist_enabled,

app/models/application_setting.rb

@@ -426,6 +426,9 @@ class ApplicationSetting < ApplicationRecord
   attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_truncated_aes_256_gcm
   attr_encrypted :cloud_license_auth_token, encryption_options_base_truncated_aes_256_gcm
 
+  validates :disable_feed_token,
+            inclusion: { in: [true, false], message: 'must be a boolean value' }
+
   before_validation :ensure_uuid!
 
   before_save :ensure_runners_registration_token

app/models/application_setting_implementation.rb

@@ -58,6 +58,7 @@ module ApplicationSettingImplementation
         default_projects_limit: Settings.gitlab['default_projects_limit'],
         default_snippet_visibility: Settings.gitlab.default_projects_features['visibility_level'],
         diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
+        disable_feed_token: false,
         disabled_oauth_sign_in_sources: [],
         dns_rebinding_protection_enabled: true,
         domain_allowlist: Settings.gitlab['domain_allowlist'],

app/models/user.rb

@@ -1659,7 +1659,7 @@ class User < ApplicationRecord
   # we do this on read since migrating all existing users is not a feasible
   # solution.
   def feed_token
-    ensure_feed_token!
+    Gitlab::CurrentSettings.disable_feed_token ? nil : ensure_feed_token!
   end
 
   # Each existing user needs to have a `static_object_token`.

app/views/admin/application_settings/_visibility_and_access.html.haml

@@ -66,4 +66,12 @@
       .form-group
         = f.label field_name, "#{type.upcase} SSH keys", class: 'label-bold'
         = f.select field_name, key_restriction_options_for_select(type), {}, class: 'form-control'
+
+    .form-group
+      %label.label-bold= s_('AdminSettings|Feed token')
+      .form-check
+        = f.check_box :disable_feed_token, class: 'form-check-input'
+        = f.label :disable_feed_token, class: 'form-check-label' do
+          = s_('AdminSettings|Disable feed token')
+
   = f.submit _('Save changes'), class: "gl-button btn btn-success"

app/views/profiles/personal_access_tokens/index.html.haml

@@ -32,22 +32,23 @@
         active_tokens: @active_personal_access_tokens,
         revoke_route_helper: ->(token) { revoke_profile_personal_access_token_path(token) }
 
-%hr
-.row.gl-mt-3
-  .col-lg-4.profile-settings-sidebar
-    %h4.gl-mt-0
-      = s_('AccessTokens|Feed token')
-    %p
-      = s_('AccessTokens|Your feed token is used to authenticate you when your RSS reader loads a personalized RSS feed or when your calendar application loads a personalized calendar, and is included in those feed URLs.')
-    %p
-      = s_('AccessTokens|It cannot be used to access any other data.')
-  .col-lg-8.feed-token-reset
-    = label_tag :feed_token, s_('AccessTokens|Feed token'), class: 'label-bold'
-    = text_field_tag :feed_token, current_user.feed_token, class: 'form-control js-select-on-focus', readonly: true
-    %p.form-text.text-muted
-      - reset_link = link_to s_('AccessTokens|reset it'), [:reset, :feed_token, :profile], method: :put, data: { confirm: s_('AccessTokens|Are you sure? Any RSS or calendar URLs currently in use will stop working.') }
-      - reset_message = s_('AccessTokens|Keep this token secret. Anyone who gets ahold of it can read activity and issue RSS feeds or your calendar feed as if they were you. You should %{link_reset_it} if that ever happens.') % { link_reset_it: reset_link }
-      = reset_message.html_safe
+- unless Gitlab::CurrentSettings.disable_feed_token
+  %hr
+  .row.gl-mt-3
+    .col-lg-4.profile-settings-sidebar
+      %h4.gl-mt-0
+        = s_('AccessTokens|Feed token')
+      %p
+        = s_('AccessTokens|Your feed token is used to authenticate you when your RSS reader loads a personalized RSS feed or when your calendar application loads a personalized calendar, and is included in those feed URLs.')
+      %p
+        = s_('AccessTokens|It cannot be used to access any other data.')
+    .col-lg-8.feed-token-reset
+      = label_tag :feed_token, s_('AccessTokens|Feed token'), class: 'label-bold'
+      = text_field_tag :feed_token, current_user.feed_token, class: 'form-control js-select-on-focus', readonly: true
+      %p.form-text.text-muted
+        - reset_link = link_to s_('AccessTokens|reset it'), [:reset, :feed_token, :profile], method: :put, data: { confirm: s_('AccessTokens|Are you sure? Any RSS or calendar URLs currently in use will stop working.') }
+        - reset_message = s_('AccessTokens|Keep this token secret. Anyone who gets ahold of it can read activity and issue RSS feeds or your calendar feed as if they were you. You should %{link_reset_it} if that ever happens.') % { link_reset_it: reset_link }
+        = reset_message.html_safe
 
 - if incoming_email_token_enabled?
   %hr

changelogs/unreleased/js-disable_feed_token.yml

+---
+title: Add Setting to disable feed_tokens
+merge_request: 48600
+author:
+type: added

db/migrate/20201126172030_add_feed_token_off_to_settings.rb

+# frozen_string_literal: true
+
+class AddFeedTokenOffToSettings < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def change
+    add_column :application_settings, :disable_feed_token, :boolean, null: false, default: false
+  end
+end

db/schema_migrations/20201126172030

+65dcc2a53d48acc83dbfc5276e8cfc1eee5f20ffea8355d86df1f2d5b329061b
\ No newline at end of file

db/structure.sql

@@ -9371,6 +9371,7 @@ CREATE TABLE application_settings (
     encrypted_cloud_license_auth_token_iv text,
     secret_detection_revocation_token_types_url text,
     cloud_license_enabled boolean DEFAULT false NOT NULL,
+    disable_feed_token boolean DEFAULT false NOT NULL,
     CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
     CONSTRAINT check_17d9558205 CHECK ((char_length((kroki_url)::text) <= 1024)),
     CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)),

doc/api/settings.md

@@ -233,6 +233,7 @@ listed in the descriptions of the relevant settings.
 | `default_snippet_visibility`             | string           | no                                   | What visibility level new snippets receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. |
 | `deletion_adjourned_period`              | integer          | no                                   | **(PREMIUM ONLY)** The number of days to wait before deleting a project or group that is marked for deletion. Value must be between 0 and 90.
 | `diff_max_patch_bytes`                   | integer          | no                                   | Maximum diff patch size (Bytes). |
+| `disable_feed_token`                     | boolean          | no                                   | Disable display of RSS/Atom and calendar feed tokens ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/231493) in GitLab 13.7) |
 | `disabled_oauth_sign_in_sources`         | array of strings | no                                   | Disabled OAuth sign-in sources. |
 | `dns_rebinding_protection_enabled`       | boolean          | no                                   | Enforce DNS rebinding attack protection. |
 | `domain_denylist_enabled`                | boolean          | no                                   | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. |

lib/api/settings.rb

@@ -52,6 +52,7 @@ module API
       optional :default_project_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default project visibility'
       optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects'
       optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility'
+      optional :disable_feed_token, type: Boolean, desc: 'Disable display of RSS/Atom and Calendar `feed_tokens`'
       optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources'
       optional :domain_denylist_enabled, type: Boolean, desc: 'Enable domain denylist for sign ups'
       optional :domain_denylist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'

lib/gitlab/auth/auth_finders.rb

@@ -46,6 +46,7 @@ module Gitlab
 
       def find_user_from_feed_token(request_format)
         return unless valid_rss_format?(request_format)
+        return if Gitlab::CurrentSettings.disable_feed_token
 
         # NOTE: feed_token was renamed from rss_token but both needs to be supported because
         #       users might have already added the feed to their RSS reader before the rename

locale/gitlab.pot

@@ -1963,6 +1963,9 @@ msgstr ""
 msgid "AdminSettings|Auto DevOps domain"
 msgstr ""
 
+msgid "AdminSettings|Disable feed token"
+msgstr ""
+
 msgid "AdminSettings|Elasticsearch, PlantUML, Slack application, Third party offers, Snowplow, Amazon EKS have moved to Settings > General."
 msgstr ""
 
@@ -1972,6 +1975,9 @@ msgstr ""
 msgid "AdminSettings|Environment variables are protected by default"
 msgstr ""
 
+msgid "AdminSettings|Feed token"
+msgstr ""
+
 msgid "AdminSettings|Go to General Settings"
 msgstr ""
 

spec/helpers/calendar_helper_spec.rb

@@ -18,5 +18,14 @@ RSpec.describe CalendarHelper do
         expect(helper.calendar_url_options[:feed_token]).to be_nil
       end
     end
+
+    context 'when feed token disabled' do
+      it "does not have a feed_token" do
+        current_user = create(:user)
+        allow(helper).to receive(:current_user).and_return(current_user)
+        allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
+        expect(helper.calendar_url_options[:feed_token]).to be_nil
+      end
+    end
   end
 end

spec/helpers/rss_helper_spec.rb

@@ -18,5 +18,14 @@ RSpec.describe RssHelper do
         expect(helper.rss_url_options[:feed_token]).to be_nil
       end
     end
+
+    context 'when feed_token disabled' do
+      it "does not have a feed_token" do
+        current_user = create(:user)
+        allow(helper).to receive(:current_user).and_return(current_user)
+        allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
+        expect(helper.rss_url_options[:feed_token]).to be_nil
+      end
+    end
   end
 end

spec/lib/gitlab/auth/auth_finders_spec.rb

@@ -147,6 +147,13 @@ RSpec.describe Gitlab::Auth::AuthFinders do
           expect(find_user_from_feed_token(:rss)).to eq user
         end
 
+        it 'returns nil if valid feed_token and disabled' do
+          allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
+          set_param(:feed_token, user.feed_token)
+
+          expect(find_user_from_feed_token(:rss)).to be_nil
+        end
+
         it 'returns nil if feed_token is blank' do
           expect(find_user_from_feed_token(:rss)).to be_nil
         end

spec/models/user_spec.rb

@@ -1523,6 +1523,16 @@ RSpec.describe User do
       expect(feed_token).not_to be_blank
       expect(user.reload.feed_token).to eq feed_token
     end
+
+    it 'ensures no feed token when disabled' do
+      allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)
+
+      user = create(:user, feed_token: nil)
+      feed_token = user.feed_token
+
+      expect(feed_token).to be_blank
+      expect(user.reload.feed_token).to be_blank
+    end
   end
 
   describe 'static object token' do