Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
34b1c4df
Commit
34b1c4df
authored
Sep 15, 2021
by
Avielle Wolfe
Committed by
Tiger Watson
Sep 15, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Set `job_token_scope_enabled` to false by default
parent
c8508c28
Changes
7
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
116 additions
and
7 deletions
+116
-7
db/migrate/20210902171808_set_default_job_token_scope_false.rb
...grate/20210902171808_set_default_job_token_scope_false.rb
+17
-0
db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb
...ate/20210908132335_disable_job_token_scope_when_unused.rb
+52
-0
db/schema_migrations/20210902171808
db/schema_migrations/20210902171808
+1
-0
db/schema_migrations/20210908132335
db/schema_migrations/20210908132335
+1
-0
db/structure.sql
db/structure.sql
+1
-1
spec/migrations/disable_job_token_scope_when_unused_spec.rb
spec/migrations/disable_job_token_scope_when_unused_spec.rb
+44
-0
spec/models/project_ci_cd_setting_spec.rb
spec/models/project_ci_cd_setting_spec.rb
+0
-6
No files found.
db/migrate/20210902171808_set_default_job_token_scope_false.rb
0 → 100644
View file @
34b1c4df
# frozen_string_literal: true
class
SetDefaultJobTokenScopeFalse
<
Gitlab
::
Database
::
Migration
[
1.0
]
disable_ddl_transaction!
def
up
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
true
,
to:
false
end
end
def
down
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
false
,
to:
true
end
end
end
db/post_migrate/20210908132335_disable_job_token_scope_when_unused.rb
0 → 100644
View file @
34b1c4df
# frozen_string_literal: true
class
DisableJobTokenScopeWhenUnused
<
Gitlab
::
Database
::
Migration
[
1.0
]
disable_ddl_transaction!
class
ProjectCiCdSetting
<
ApplicationRecord
include
EachBatch
self
.
table_name
=
'project_ci_cd_settings'
end
module
Ci
module
JobToken
class
ProjectScopeLink
<
ApplicationRecord
self
.
table_name
=
'ci_job_token_project_scope_links'
end
end
end
def
up
# Disabling job token scope after db/migrate/20210902171808_set_default_job_token_scope_false.rb
# if users haven't configured it.
ProjectCiCdSetting
.
each_batch
(
of:
10_000
)
do
|
settings
|
with_enabled_but_unused_scope
(
settings
).
each_batch
(
of:
500
)
do
|
settings_to_update
|
settings_to_update
.
update_all
(
job_token_scope_enabled:
false
)
end
end
end
def
down
# irreversible data migration
# The migration relies on the state of `job_token_scope_enabled` and
# updates it based on whether the feature is used or not.
#
# The inverse migration would be to set `job_token_scope_enabled: true`
# for those projects that have the feature disabled and unused. But there
# could be also existing cases where the feature is disabled and unused.
# For example, old projects.
end
private
# The presence of ProjectScopeLinks means that the job token scope
# is configured and we need to leave it enabled. Unused job token scope
# can be disabled since they weren't configured.
def
with_enabled_but_unused_scope
(
settings
)
settings
.
where
(
job_token_scope_enabled:
true
)
.
where
.
not
(
project_id:
Ci
::
JobToken
::
ProjectScopeLink
.
select
(
:source_project_id
))
end
end
db/schema_migrations/20210902171808
0 → 100644
View file @
34b1c4df
09b482e4716a2b0808ad83770222baed8e863a8f94f85f77ed2d557eaa348df4
\ No newline at end of file
db/schema_migrations/20210908132335
0 → 100644
View file @
34b1c4df
399e35197111c257786a2bdf5dac990a26f48d2cc8493de642dcfa47ddececd2
\ No newline at end of file
db/structure.sql
View file @
34b1c4df
...
@@ -17729,7 +17729,7 @@ CREATE TABLE project_ci_cd_settings (
...
@@ -17729,7 +17729,7 @@ CREATE TABLE project_ci_cd_settings (
auto_rollback_enabled boolean DEFAULT false NOT NULL,
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT
tru
e NOT NULL
job_token_scope_enabled boolean DEFAULT
fals
e NOT NULL
);
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
CREATE SEQUENCE project_ci_cd_settings_id_seq
spec/migrations/disable_job_token_scope_when_unused_spec.rb
0 → 100644
View file @
34b1c4df
# frozen_string_literal: true
require
'spec_helper'
require_migration!
RSpec
.
describe
DisableJobTokenScopeWhenUnused
do
let
(
:ci_cd_settings
)
{
table
(
:project_ci_cd_settings
)
}
let
(
:links
)
{
table
(
:ci_job_token_project_scope_links
)
}
let
(
:namespaces
)
{
table
(
:namespaces
)
}
let
(
:projects
)
{
table
(
:projects
)
}
let
(
:namespace
)
{
namespaces
.
create!
(
name:
'test'
,
path:
'path'
,
type:
'Group'
)
}
let
(
:project_with_used_scope
)
{
projects
.
create!
(
namespace_id:
namespace
.
id
)
}
let!
(
:used_scope_settings
)
{
ci_cd_settings
.
create!
(
project_id:
project_with_used_scope
.
id
,
job_token_scope_enabled:
true
)
}
let
(
:target_project
)
{
projects
.
create!
(
namespace_id:
namespace
.
id
)
}
let!
(
:link
)
{
links
.
create!
(
source_project_id:
project_with_used_scope
.
id
,
target_project_id:
target_project
.
id
)
}
let
(
:project_with_unused_scope
)
{
projects
.
create!
(
namespace_id:
namespace
.
id
)
}
let!
(
:unused_scope_settings
)
{
ci_cd_settings
.
create!
(
project_id:
project_with_unused_scope
.
id
,
job_token_scope_enabled:
true
)
}
let
(
:project_with_disabled_scope
)
{
projects
.
create!
(
namespace_id:
namespace
.
id
)
}
let!
(
:disabled_scope_settings
)
{
ci_cd_settings
.
create!
(
project_id:
project_with_disabled_scope
.
id
,
job_token_scope_enabled:
false
)
}
describe
'#up'
do
it
'sets job_token_scope_enabled to false for projects not having job token scope configured'
do
migrate!
expect
(
unused_scope_settings
.
reload
.
job_token_scope_enabled
).
to
be_falsey
end
it
'keeps the scope enabled for projects that are using it'
do
migrate!
expect
(
used_scope_settings
.
reload
.
job_token_scope_enabled
).
to
be_truthy
end
it
'keeps the scope disabled for projects having it disabled'
do
migrate!
expect
(
disabled_scope_settings
.
reload
.
job_token_scope_enabled
).
to
be_falsey
end
end
end
spec/models/project_ci_cd_setting_spec.rb
View file @
34b1c4df
...
@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
...
@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
end
end
end
end
describe
'#job_token_scope_enabled'
do
it
'is true by default'
do
expect
(
described_class
.
new
.
job_token_scope_enabled
).
to
be_truthy
end
end
describe
'#default_git_depth'
do
describe
'#default_git_depth'
do
let
(
:default_value
)
{
described_class
::
DEFAULT_GIT_DEPTH
}
let
(
:default_value
)
{
described_class
::
DEFAULT_GIT_DEPTH
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment