Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
ce5ac2c0
Commit
ce5ac2c0
authored
Jul 15, 2021
by
Fabio Pitino
Committed by
Bob Van Landuyt
Jul 15, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Enable ci_scoped_job_token by default
parent
06ffc9fd
Changes
9
Hide whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
43 additions
and
25 deletions
+43
-25
config/feature_flags/development/ci_scoped_job_token.yml
config/feature_flags/development/ci_scoped_job_token.yml
+1
-1
db/migrate/20210709132707_change_default_job_token_scope_enabled.rb
.../20210709132707_change_default_job_token_scope_enabled.rb
+17
-0
db/schema_migrations/20210709132707
db/schema_migrations/20210709132707
+1
-0
db/structure.sql
db/structure.sql
+1
-1
doc/api/index.md
doc/api/index.md
+13
-13
ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
...quests/api/internal/app_sec/dast/site_validations_spec.rb
+2
-2
spec/models/project_ci_cd_setting_spec.rb
spec/models/project_ci_cd_setting_spec.rb
+2
-2
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+4
-4
spec/requests/lfs_http_spec.rb
spec/requests/lfs_http_spec.rb
+2
-2
No files found.
config/feature_flags/development/ci_scoped_job_token.yml
View file @
ce5ac2c0
...
...
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
milestone
:
'
14.0'
type
:
development
group
:
group::pipeline execution
default_enabled
:
fals
e
default_enabled
:
tru
e
db/migrate/20210709132707_change_default_job_token_scope_enabled.rb
0 → 100644
View file @
ce5ac2c0
# frozen_string_literal: true
class
ChangeDefaultJobTokenScopeEnabled
<
ActiveRecord
::
Migration
[
6.1
]
include
Gitlab
::
Database
::
MigrationHelpers
def
up
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
false
,
to:
true
end
end
def
down
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
true
,
to:
false
end
end
end
db/schema_migrations/20210709132707
0 → 100644
View file @
ce5ac2c0
e0a2de69a3c9d616b87207b764e33fa3326627e065f28fc200c1414f08ee9fff
\ No newline at end of file
db/structure.sql
View file @
ce5ac2c0
...
...
@@ -16751,7 +16751,7 @@ CREATE TABLE project_ci_cd_settings (
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT
fals
e NOT NULL
job_token_scope_enabled boolean DEFAULT
tru
e NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
doc/api/index.md
View file @
ce5ac2c0
...
...
@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
#### Limit GitLab CI/CD job token access
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
> - [Deployed behind a feature flag](../user/feature_flags.md),
dis
abled by default.
> -
Dis
abled on GitLab.com.
> -
Not r
ecommended for production use.
> -
To use in GitLab self-managed instances, ask a GitLab administrator to [en
able it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
> - [Deployed behind a feature flag](../user/feature_flags.md),
en
abled by default.
> -
En
abled on GitLab.com.
> -
R
ecommended for production use.
> -
For GitLab self-managed instances, GitLab administrators can opt to [dis
able it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
Th
is in-development feature might not be available for your use. Th
ere can be
[
risks when
enabling features still in development
](
../user/feature_flags.md#risks-when-enabling-features-still-in-development
)
.
There can be
[
risks when
disabling released features
](
../user/feature_flags.md#risks-when-disabling-released-features
)
.
Refer to this feature's version history for more details.
You can limit the access scope of a project's CI/CD job token to increase the
...
...
@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions.
##### Enable or disable CI job token scope limit **(FREE SELF)**
The GitLab CI/CD job token access scope limit is under development
and no
t ready for production
use. It is deployed behind a feature flag that is
**
dis
abled by default**
.
The GitLab CI/CD job token access scope limit is under development
bu
t ready for production
use. It is deployed behind a feature flag that is
**
en
abled by default**
.
[
GitLab administrators with access to the GitLab Rails console
](
../administration/feature_flags.md
)
can
enable it
.
can
disable the feature
.
To
en
able it:
To
dis
able it:
```
ruby
Feature
.
en
able
(
:ci_scoped_job_token
)
Feature
.
dis
able
(
:ci_scoped_job_token
)
```
To
dis
able it:
To
en
able it:
```
ruby
Feature
.
dis
able
(
:ci_scoped_job_token
)
Feature
.
en
able
(
:ci_scoped_job_token
)
```
### Impersonation tokens
...
...
ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
View file @
ce5ac2c0
...
...
@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
context
'when site validation and job are associated with different projects'
do
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
developer
)
}
it
'returns 40
0
'
,
:aggregate_failures
do
it
'returns 40
3
'
,
:aggregate_failures
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:
bad_request
)
# Temporarily forcing job_token_scope_enabled false
expect
(
response
).
to
have_gitlab_http_status
(
:
forbidden
)
end
context
'when the job project belongs to the same job token scope'
do
...
...
spec/models/project_ci_cd_setting_spec.rb
View file @
ce5ac2c0
...
...
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
end
describe
'#job_token_scope_enabled'
do
it
'is
fals
e by default'
do
expect
(
described_class
.
new
.
job_token_scope_enabled
).
to
be_
false
y
it
'is
tru
e by default'
do
expect
(
described_class
.
new
.
job_token_scope_enabled
).
to
be_
truth
y
end
end
...
...
spec/requests/git_http_spec.rb
View file @
ce5ac2c0
...
...
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it_behaves_like
'can download code only'
it
'downloads from other project get status 40
3
'
do
it
'downloads from other project get status 40
4
'
do
clone_get
"
#{
other_project
.
full_path
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_gitlab_http_status
(
:
forbidden
)
expect
(
response
).
to
have_gitlab_http_status
(
:
not_found
)
end
end
...
...
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it_behaves_like
'can download code only'
it
'downloads from other project get status 40
3
'
do
it
'downloads from other project get status 40
4
'
do
clone_get
"
#{
other_project
.
full_path
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_gitlab_http_status
(
:
forbidden
)
expect
(
response
).
to
have_gitlab_http_status
(
:
not_found
)
end
end
...
...
spec/requests/lfs_http_spec.rb
View file @
ce5ac2c0
...
...
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
other_project
)
}
# I'm not sure what this tests that is different from the previous test
it_behaves_like
'LFS http 40
3
response'
it_behaves_like
'LFS http 40
4
response'
end
end
...
...
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
other_project
)
}
# I'm not sure what this tests that is different from the previous test
it_behaves_like
'LFS http 40
3
response'
it_behaves_like
'LFS http 40
4
response'
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment