Merge branch 'reset-job-token-scope-enabled' into 'master'

Make job_token_scope_enabled project setting false by default See merge request gitlab-org/gitlab!64962

Merge branch 'reset-job-token-scope-enabled' into 'master'
Make job_token_scope_enabled project setting false by default See merge request gitlab-org/gitlab!64962
8157dc31 · Max Woolf · 44a778a9 · 024ec9e0 · 8157dc31 · 8157dc31
Commit 8157dc31 authored Jul 12, 2021 by Max Woolf
16 changed files
--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -16,7 +16,6 @@ class ProjectCiCdSetting < ApplicationRecord
    allow_nil: true
  default_value_for :forward_deployment_enabled, true
-  default_value_for :job_token_scope_enabled, true
  def forward_deployment_enabled?
    super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)

--- a/ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
+++ b/ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
      context 'when site validation and job are associated with different projects' do
        let_it_be(:job) { create(:ci_build, :running, user: developer) }
-        it 'returns 403', :aggregate_failures do
+        it 'returns 400', :aggregate_failures do
          subject
-          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
        end
        context 'when the job project belongs to the same job token scope' do

--- a/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb
+++ b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb
@@ -7,7 +7,10 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do
  end
  describe '#resolve' do
-    let_it_be(:project) { create(:project) }
+    let_it_be(:project) do
+      create(:project, ci_job_token_scope_enabled: true).tap(&:save!)
+    end
    let_it_be(:target_project) { create(:project) }
    let(:target_project_path) { target_project.full_path }

--- a/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb
+++ b/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Mutations::Ci::JobTokenScope::RemoveProject do
  end
  describe '#resolve' do
-    let_it_be(:project) { create(:project) }
+    let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
    let_it_be(:target_project) { create(:project) }
    let_it_be(:link) do

--- a/spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb
+++ b/spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
  include GraphqlHelpers
  let_it_be(:current_user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
  specify do
    expect(described_class).to have_nullable_graphql_type(::Types::Ci::JobTokenScopeType)
@@ -37,6 +37,16 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
          expect(resolve_scope.all_projects).to contain_exactly(project, link.target_project)
        end
      end
+      context 'when job token scope is disabled' do
+        before do
+          project.update!(ci_job_token_scope_enabled: false)
+        end
+        it 'returns nil' do
+          expect(resolve_scope).to be_nil
+        end
+      end
    end
    context 'without access to scope' do

--- a/spec/graphql/types/ci/job_token_scope_type_spec.rb
+++ b/spec/graphql/types/ci/job_token_scope_type_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
  end
  describe 'query' do
-    let_it_be(:project) { create(:project) }
+    let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
    let_it_be(:current_user) { create(:user) }
    let(:query) do
@@ -59,6 +59,16 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
            expect(returned_project_paths).to contain_exactly(project.path)
          end
        end
+        context 'when job token scope is disabled' do
+          before do
+            project.ci_cd_settings.update!(job_token_scope_enabled: false)
+          end
+          it 'returns nil' do
+            expect(subject.dig('data', 'project', 'ciJobTokenScope')).to be_nil
+          end
+        end
      end
    end
  end

--- a/spec/models/ci/job_token/scope_spec.rb
+++ b/spec/models/ci/job_token/scope_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 RSpec.describe Ci::JobToken::Scope do
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
  let(:scope) { described_class.new(project) }

--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
  end
  describe '#job_token_scope_enabled' do
-    it 'is true by default' do
+    it 'is false by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_truthy
+      expect(described_class.new.job_token_scope_enabled).to be_falsey
    end
  end

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1423,6 +1423,7 @@ RSpec.describe ProjectPolicy do
    before do
      current_user.set_ci_job_token_scope!(job)
+      scope_project.update!(ci_job_token_scope_enabled: true)
    end
    context 'when accessing a private project' do
@@ -1442,6 +1443,14 @@ RSpec.describe ProjectPolicy do
        end
        it { is_expected.to be_disallowed(:guest_access) }
+        context 'when job token scope is disabled' do
+          before do
+            scope_project.update!(ci_job_token_scope_enabled: false)
+          end
+          it { is_expected.to be_allowed(:guest_access) }
+        end
      end
    end
@@ -1462,6 +1471,14 @@ RSpec.describe ProjectPolicy do
        end
        it { is_expected.to be_disallowed(:public_access) }
+        context 'when job token scope is disabled' do
+          before do
+            scope_project.update!(ci_job_token_scope_enabled: false)
+          end
+          it { is_expected.to be_allowed(:public_access) }
+        end
      end
    end
  end

--- a/spec/requests/api/graphql/mutations/ci/ci_cd_settings_update_spec.rb
+++ b/spec/requests/api/graphql/mutations/ci/ci_cd_settings_update_spec.rb
@@ -5,7 +5,10 @@ require 'spec_helper'
 RSpec.describe 'CiCdSettingsUpdate' do
  include GraphqlHelpers
-  let_it_be(:project) { create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true) }
+  let_it_be(:project) do
+    create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true)
+      .tap(&:save!)
+  end
  let(:variables) do
    {

--- a/spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb
+++ b/spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe 'CiJobTokenScopeAddProject' do
  include GraphqlHelpers
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
  let_it_be(:target_project) { create(:project) }
  let(:variables) do

--- a/spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb
+++ b/spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe 'CiJobTokenScopeRemoveProject' do
  include GraphqlHelpers
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
  let_it_be(:target_project) { create(:project) }
  let_it_be(:link) do

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'
-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'
-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end

--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
                  let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
                  # I'm not sure what this tests that is different from the previous test
-                  it_behaves_like 'LFS http 404 response'
+                  it_behaves_like 'LFS http 403 response'
                end
              end
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
                let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
                # I'm not sure what this tests that is different from the previous test
-                it_behaves_like 'LFS http 404 response'
+                it_behaves_like 'LFS http 403 response'
              end
            end

--- a/spec/services/ci/job_token_scope/add_project_service_spec.rb
+++ b/spec/services/ci/job_token_scope/add_project_service_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe Ci::JobTokenScope::AddProjectService do
  let(:service) { described_class.new(project, current_user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
  let_it_be(:target_project) { create(:project) }
  let_it_be(:current_user) { create(:user) }

--- a/spec/services/ci/job_token_scope/remove_project_service_spec.rb
+++ b/spec/services/ci/job_token_scope/remove_project_service_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe Ci::JobTokenScope::RemoveProjectService do
  let(:service) { described_class.new(project, current_user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
  let_it_be(:target_project) { create(:project) }
  let_it_be(:current_user) { create(:user) }