Commit 9bedc00e authored by Stan Hu's avatar Stan Hu

Merge branch 'revert-58a70258' into 'master'

Revert "Merge branch 'enable-ff-ci-scoped-job-token' into 'master'"

See merge request gitlab-org/gitlab!66305
parents cb3ab957 a56447c1
...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272 ...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
milestone: '14.0' milestone: '14.0'
type: development type: development
group: group::pipeline execution group: group::pipeline execution
default_enabled: true default_enabled: false
# frozen_string_literal: true
class RevertDefaultJobTokenScope < ActiveRecord::Migration[6.1]
include Gitlab::Database::MigrationHelpers
def up
with_lock_retries do
change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
end
end
def down
with_lock_retries do
change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
end
end
end
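Review bot: The class carries no comment on what the migration leaves behind: `change_column_default` in `up` alters only the column default, so rows inserted while the default was `true` keep `job_token_scope_enabled = true` and are not touched by this revert, and `down` likewise only flips the default back. A one-line header above `class RevertDefaultJobTokenScope` would stop the next reader from assuming existing projects are reset, e.g. `# Restores the column default of project_ci_cd_settings.job_token_scope_enabled to false; rows that already hold a value keep it.` If the intent is to also reset projects created while the default was true, that needs a separate data migration, which this hunk does not contain.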
5cf415013b50c46fde5f12702c3f5bae808848a82eb57bfa38764947fc672ad9
\ No newline at end of file
...@@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings ( ...@@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings (
auto_rollback_enabled boolean DEFAULT false NOT NULL, auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL, keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL, restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT true NOT NULL job_token_scope_enabled boolean DEFAULT false NOT NULL
); );
CREATE SEQUENCE project_ci_cd_settings_id_seq CREATE SEQUENCE project_ci_cd_settings_id_seq
...@@ -248,13 +248,13 @@ tries to steal tokens from other jobs. ...@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
#### Limit GitLab CI/CD job token access #### Limit GitLab CI/CD job token access
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
> - [Deployed behind a feature flag](../user/feature_flags.md), enabled by default. > - [Deployed behind a feature flag](../user/feature_flags.md), disabled by default.
> - Enabled on GitLab.com. > - Disabled on GitLab.com.
> - Recommended for production use. > - Not recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)** > - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
There can be This in-development feature might not be available for your use. There can be
[risks when disabling released features](../user/feature_flags.md#risks-when-disabling-released-features). [risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development).
Refer to this feature's version history for more details. Refer to this feature's version history for more details.
You can limit the access scope of a project's CI/CD job token to increase the You can limit the access scope of a project's CI/CD job token to increase the
...@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions. ...@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions.
##### Enable or disable CI job token scope limit **(FREE SELF)** ##### Enable or disable CI job token scope limit **(FREE SELF)**
The GitLab CI/CD job token access scope limit is under development but ready for production The GitLab CI/CD job token access scope limit is under development and not ready for production
use. It is deployed behind a feature flag that is **enabled by default**. use. It is deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md) [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
can disable the feature. can enable it.
To disable it: To enable it:
```ruby ```ruby
Feature.disable(:ci_scoped_job_token) Feature.enable(:ci_scoped_job_token)
``` ```
To enable it: To disable it:
```ruby ```ruby
Feature.enable(:ci_scoped_job_token) Feature.disable(:ci_scoped_job_token)
``` ```
### Impersonation tokens ### Impersonation tokens
......
...@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do ...@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
context 'when site validation and job are associated with different projects' do context 'when site validation and job are associated with different projects' do
let_it_be(:job) { create(:ci_build, :running, user: developer) } let_it_be(:job) { create(:ci_build, :running, user: developer) }
it 'returns 403', :aggregate_failures do it 'returns 400', :aggregate_failures do
subject subject
expect(response).to have_gitlab_http_status(:forbidden) expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
end end
context 'when the job project belongs to the same job token scope' do context 'when the job project belongs to the same job token scope' do
......
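Review bot: The new expectation at `expect(response).to have_gitlab_http_status(:bad_request)` pins the response to whatever `job_token_scope_enabled` happens to default to on the job's project, and the inline comment `# Temporarily forcing job_token_scope_enabled false` is the only record of that dependency, so the example will silently need rewriting again when the default moves. Setting the attribute explicitly in the example's setup (for instance a `before` that updates the job project's CI/CD settings to `job_token_scope_enabled: false`) and keeping a sibling example with it set to `true` that still expects `:forbidden` would keep the cross-project deny path covered by a test rather than by a database default. The same default coupling applies to the `Git HTTP requests` hunks (`downloads from other project get status 403`, status `:not_found` → `:forbidden`) and the `Git LFS API and storage` hunks (`LFS http 404 response` → `LFS http 403 response`), none of which set the attribute explicitly within the hunk. The enclosing `RSpec.describe` block and the project/site-validation setup start outside the hunk, so that setup is inferred here.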
...@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do ...@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
end end
describe '#job_token_scope_enabled' do describe '#job_token_scope_enabled' do
it 'is true by default' do it 'is false by default' do
expect(described_class.new.job_token_scope_enabled).to be_truthy expect(described_class.new.job_token_scope_enabled).to be_falsey
end end
end end
......
...@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do ...@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is enabled', :enable_admin_mode do context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'can download code only' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
...@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do ...@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is enabled', :enable_admin_mode do context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'can download code only' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
......
...@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
# I'm not sure what this tests that is different from the previous test # I'm not sure what this tests that is different from the previous test
it_behaves_like 'LFS http 404 response' it_behaves_like 'LFS http 403 response'
end end
end end
...@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
# I'm not sure what this tests that is different from the previous test # I'm not sure what this tests that is different from the previous test
it_behaves_like 'LFS http 404 response' it_behaves_like 'LFS http 403 response'
end end
end end
......