Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
9b38dc11
Commit
9b38dc11
authored
Aug 24, 2021
by
Avielle Wolfe
Committed by
Mayra Cabrera
Aug 24, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Set `job_token_scope_enabled` to true by default
parent
13ac5782
Changes
15
Show whitespace changes
Inline
Side-by-side
Showing
15 changed files
with
76 additions
and
16 deletions
+76
-16
db/migrate/20210819153805_set_default_job_token_scope_true.rb
...igrate/20210819153805_set_default_job_token_scope_true.rb
+17
-0
db/schema_migrations/20210819153805
db/schema_migrations/20210819153805
+1
-0
db/structure.sql
db/structure.sql
+1
-1
ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
...quests/api/internal/app_sec/dast/site_validations_spec.rb
+8
-1
spec/migrations/set_default_job_token_scope_true_spec.rb
spec/migrations/set_default_job_token_scope_true_spec.rb
+33
-0
spec/models/project_ci_cd_setting_spec.rb
spec/models/project_ci_cd_setting_spec.rb
+0
-6
spec/requests/api/generic_packages_spec.rb
spec/requests/api/generic_packages_spec.rb
+1
-1
spec/requests/api/go_proxy_spec.rb
spec/requests/api/go_proxy_spec.rb
+1
-1
spec/requests/api/maven_packages_spec.rb
spec/requests/api/maven_packages_spec.rb
+1
-1
spec/requests/api/pypi_packages_spec.rb
spec/requests/api/pypi_packages_spec.rb
+1
-1
spec/requests/api/releases_spec.rb
spec/requests/api/releases_spec.rb
+1
-1
spec/requests/api/rubygem_packages_spec.rb
spec/requests/api/rubygem_packages_spec.rb
+1
-1
spec/requests/api/terraform/modules/v1/packages_spec.rb
spec/requests/api/terraform/modules/v1/packages_spec.rb
+1
-1
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+8
-0
spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb
...ared_contexts/requests/api/npm_packages_shared_context.rb
+1
-1
No files found.
db/migrate/20210819153805_set_default_job_token_scope_true.rb
0 → 100644
View file @
9b38dc11
# frozen_string_literal: true
class
SetDefaultJobTokenScopeTrue
<
ActiveRecord
::
Migration
[
6.1
]
include
Gitlab
::
Database
::
MigrationHelpers
def
up
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
false
,
to:
true
end
end
def
down
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
true
,
to:
false
end
end
end
db/schema_migrations/20210819153805
0 → 100644
View file @
9b38dc11
195d2444bf9d5113ee589b1accdbf04efbc7fb84c2ead4deed3985b254345e07
\ No newline at end of file
db/structure.sql
View file @
9b38dc11
...
...
@@ -16997,7 +16997,7 @@ CREATE TABLE project_ci_cd_settings (
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT
fals
e NOT NULL
job_token_scope_enabled boolean DEFAULT
tru
e NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
View file @
9b38dc11
...
...
@@ -68,10 +68,17 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
context
'when site validation and job are associated with different projects'
do
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
developer
)
}
before
do
create
(
:ci_job_token_project_scope_link
,
source_project:
job
.
project
,
target_project:
project
,
added_by:
developer
)
end
it
'returns 400'
,
:aggregate_failures
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:bad_request
)
# Temporarily forcing job_token_scope_enabled false
expect
(
response
).
to
have_gitlab_http_status
(
:bad_request
)
end
context
'when the job project belongs to the same job token scope'
do
...
...
spec/migrations/set_default_job_token_scope_true_spec.rb
0 → 100644
View file @
9b38dc11
# frozen_string_literal: true
require
'spec_helper'
require_migration!
RSpec
.
describe
SetDefaultJobTokenScopeTrue
,
schema:
20210819153805
do
let
(
:ci_cd_settings
)
{
table
(
:project_ci_cd_settings
)
}
let
(
:namespaces
)
{
table
(
:namespaces
)
}
let
(
:projects
)
{
table
(
:projects
)
}
let
(
:namespace
)
{
namespaces
.
create!
(
name:
'test'
,
path:
'path'
,
type:
'Group'
)
}
let
(
:project
)
{
projects
.
create!
(
namespace_id:
namespace
.
id
)
}
describe
'#up'
do
it
'sets the job_token_scope_enabled default to true'
do
described_class
.
new
.
up
settings
=
ci_cd_settings
.
create!
(
project_id:
project
.
id
)
expect
(
settings
.
job_token_scope_enabled
).
to
be_truthy
end
end
describe
'#down'
do
it
'sets the job_token_scope_enabled default to false'
do
described_class
.
new
.
down
settings
=
ci_cd_settings
.
create!
(
project_id:
project
.
id
)
expect
(
settings
.
job_token_scope_enabled
).
to
be_falsey
end
end
end
spec/models/project_ci_cd_setting_spec.rb
View file @
9b38dc11
...
...
@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
end
end
describe
'#job_token_scope_enabled'
do
it
'is false by default'
do
expect
(
described_class
.
new
.
job_token_scope_enabled
).
to
be_falsey
end
end
describe
'#default_git_depth'
do
let
(
:default_value
)
{
described_class
::
DEFAULT_GIT_DEPTH
}
...
...
spec/requests/api/generic_packages_spec.rb
View file @
9b38dc11
...
...
@@ -18,7 +18,7 @@ RSpec.describe API::GenericPackages do
let_it_be
(
:project_deploy_token_wo
)
{
create
(
:project_deploy_token
,
deploy_token:
deploy_token_wo
,
project:
project
)
}
let
(
:user
)
{
personal_access_token
.
user
}
let
(
:ci_build
)
{
create
(
:ci_build
,
:running
,
user:
user
)
}
let
(
:ci_build
)
{
create
(
:ci_build
,
:running
,
user:
user
,
project:
project
)
}
let
(
:snowplow_standard_context_params
)
{
{
user:
user
,
project:
project
,
namespace:
project
.
namespace
}
}
def
auth_header
...
...
spec/requests/api/go_proxy_spec.rb
View file @
9b38dc11
...
...
@@ -11,7 +11,7 @@ RSpec.describe API::GoProxy do
let_it_be
(
:base
)
{
"
#{
Settings
.
build_gitlab_go_url
}
/
#{
project
.
full_path
}
"
}
let_it_be
(
:oauth
)
{
create
:oauth_access_token
,
scopes:
'api'
,
resource_owner:
user
}
let_it_be
(
:job
)
{
create
:ci_build
,
user:
user
,
status: :running
}
let_it_be
(
:job
)
{
create
:ci_build
,
user:
user
,
status: :running
,
project:
project
}
let_it_be
(
:pa_token
)
{
create
:personal_access_token
,
user:
user
}
let_it_be
(
:modules
)
do
...
...
spec/requests/api/maven_packages_spec.rb
View file @
9b38dc11
...
...
@@ -15,7 +15,7 @@ RSpec.describe API::MavenPackages do
let_it_be
(
:package_file
)
{
package
.
package_files
.
with_file_name_like
(
'%.xml'
).
first
}
let_it_be
(
:jar_file
)
{
package
.
package_files
.
with_file_name_like
(
'%.jar'
).
first
}
let_it_be
(
:personal_access_token
)
{
create
(
:personal_access_token
,
user:
user
)
}
let_it_be
(
:job
,
reload:
true
)
{
create
(
:ci_build
,
user:
user
,
status: :running
)
}
let_it_be
(
:job
,
reload:
true
)
{
create
(
:ci_build
,
user:
user
,
status: :running
,
project:
project
)
}
let_it_be
(
:deploy_token
)
{
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
}
let_it_be
(
:project_deploy_token
)
{
create
(
:project_deploy_token
,
deploy_token:
deploy_token
,
project:
project
)
}
let_it_be
(
:deploy_token_for_group
)
{
create
(
:deploy_token
,
:group
,
read_package_registry:
true
,
write_package_registry:
true
)
}
...
...
spec/requests/api/pypi_packages_spec.rb
View file @
9b38dc11
...
...
@@ -13,7 +13,7 @@ RSpec.describe API::PypiPackages do
let_it_be
(
:personal_access_token
)
{
create
(
:personal_access_token
,
user:
user
)
}
let_it_be
(
:deploy_token
)
{
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
}
let_it_be
(
:project_deploy_token
)
{
create
(
:project_deploy_token
,
deploy_token:
deploy_token
,
project:
project
)
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
user
)
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
user
,
project:
project
)
}
let
(
:headers
)
{
{}
}
...
...
spec/requests/api/releases_spec.rb
View file @
9b38dc11
...
...
@@ -839,7 +839,7 @@ RSpec.describe API::Releases do
context
'when a valid token is provided'
do
it
'creates the release for a running job'
do
job
.
update!
(
status: :running
)
job
.
update!
(
status: :running
,
project:
project
)
post
api
(
"/projects/
#{
project
.
id
}
/releases"
),
params:
params
.
merge
(
job_token:
job
.
token
)
expect
(
response
).
to
have_gitlab_http_status
(
:created
)
...
...
spec/requests/api/rubygem_packages_spec.rb
View file @
9b38dc11
...
...
@@ -10,7 +10,7 @@ RSpec.describe API::RubygemPackages do
let_it_be_with_reload
(
:project
)
{
create
(
:project
)
}
let_it_be
(
:personal_access_token
)
{
create
(
:personal_access_token
)
}
let_it_be
(
:user
)
{
personal_access_token
.
user
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
user
)
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
user
,
project:
project
)
}
let_it_be
(
:deploy_token
)
{
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
}
let_it_be
(
:project_deploy_token
)
{
create
(
:project_deploy_token
,
deploy_token:
deploy_token
,
project:
project
)
}
let_it_be
(
:headers
)
{
{}
}
...
...
spec/requests/api/terraform/modules/v1/packages_spec.rb
View file @
9b38dc11
...
...
@@ -12,7 +12,7 @@ RSpec.describe API::Terraform::Modules::V1::Packages do
let_it_be
(
:package
)
{
create
(
:terraform_module_package
,
project:
project
)
}
let_it_be
(
:personal_access_token
)
{
create
(
:personal_access_token
)
}
let_it_be
(
:user
)
{
personal_access_token
.
user
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
user
)
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
user
,
project:
project
)
}
let_it_be
(
:deploy_token
)
{
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
}
let_it_be
(
:project_deploy_token
)
{
create
(
:project_deploy_token
,
deploy_token:
deploy_token
,
project:
project
)
}
...
...
spec/requests/git_http_spec.rb
View file @
9b38dc11
...
...
@@ -882,6 +882,10 @@ RSpec.describe 'Git HTTP requests' do
before
do
build
.
update!
(
user:
user
)
project
.
add_reporter
(
user
)
create
(
:ci_job_token_project_scope_link
,
source_project:
project
,
target_project:
other_project
,
added_by:
user
)
end
shared_examples
'can download code only'
do
...
...
@@ -1447,6 +1451,10 @@ RSpec.describe 'Git HTTP requests' do
before
do
build
.
update!
(
project:
project
)
# can't associate it on factory create
create
(
:ci_job_token_project_scope_link
,
source_project:
project
,
target_project:
other_project
,
added_by:
user
)
end
context
'when build created by system is authenticated'
do
...
...
spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb
View file @
9b38dc11
...
...
@@ -11,7 +11,7 @@ RSpec.shared_context 'npm api setup' do
let_it_be
(
:package
,
reload:
true
)
{
create
(
:npm_package
,
project:
project
,
name:
"@
#{
group
.
path
}
/scoped_package"
)
}
let_it_be
(
:token
)
{
create
(
:oauth_access_token
,
scopes:
'api'
,
resource_owner:
user
)
}
let_it_be
(
:personal_access_token
)
{
create
(
:personal_access_token
,
user:
user
)
}
let_it_be
(
:job
,
reload:
true
)
{
create
(
:ci_build
,
user:
user
,
status: :running
)
}
let_it_be
(
:job
,
reload:
true
)
{
create
(
:ci_build
,
user:
user
,
status: :running
,
project:
project
)
}
let_it_be
(
:deploy_token
)
{
create
(
:deploy_token
,
read_package_registry:
true
,
write_package_registry:
true
)
}
let_it_be
(
:project_deploy_token
)
{
create
(
:project_deploy_token
,
deploy_token:
deploy_token
,
project:
project
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment