Merge branch 'reset-job-token-scope-enabled' into 'master'

Make job_token_scope_enabled project setting false by default

See merge request gitlab-org/gitlab!64962

app/models/project_ci_cd_setting.rb

@@ -16,7 +16,6 @@ class ProjectCiCdSetting < ApplicationRecord
     allow_nil: true
 
   default_value_for :forward_deployment_enabled, true
-  default_value_for :job_token_scope_enabled, true
 
   def forward_deployment_enabled?
     super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)

ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb

@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
       context 'when site validation and job are associated with different projects' do
         let_it_be(:job) { create(:ci_build, :running, user: developer) }
 
-        it 'returns 403', :aggregate_failures do
+        it 'returns 400', :aggregate_failures do
           subject
 
-          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
         end
 
         context 'when the job project belongs to the same job token scope' do

spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb

@@ -7,7 +7,10 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do
   end
 
   describe '#resolve' do
-    let_it_be(:project) { create(:project) }
+    let_it_be(:project) do
+      create(:project, ci_job_token_scope_enabled: true).tap(&:save!)
+    end
+
     let_it_be(:target_project) { create(:project) }
 
     let(:target_project_path) { target_project.full_path }

spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe Mutations::Ci::JobTokenScope::RemoveProject do
   end
 
   describe '#resolve' do
-    let_it_be(:project) { create(:project) }
+    let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
     let_it_be(:target_project) { create(:project) }
 
     let_it_be(:link) do

spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
   include GraphqlHelpers
 
   let_it_be(:current_user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
 
   specify do
     expect(described_class).to have_nullable_graphql_type(::Types::Ci::JobTokenScopeType)
@@ -37,6 +37,16 @@ RSpec.describe Resolvers::Ci::JobTokenScopeResolver do
           expect(resolve_scope.all_projects).to contain_exactly(project, link.target_project)
         end
       end
+
+      context 'when job token scope is disabled' do
+        before do
+          project.update!(ci_job_token_scope_enabled: false)
+        end
+
+        it 'returns nil' do
+          expect(resolve_scope).to be_nil
+        end
+      end
     end
 
     context 'without access to scope' do

spec/graphql/types/ci/job_token_scope_type_spec.rb

@@ -12,7 +12,7 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
   end
 
   describe 'query' do
-    let_it_be(:project) { create(:project) }
+    let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
     let_it_be(:current_user) { create(:user) }
 
     let(:query) do
@@ -59,6 +59,16 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do
             expect(returned_project_paths).to contain_exactly(project.path)
           end
         end
+
+        context 'when job token scope is disabled' do
+          before do
+            project.ci_cd_settings.update!(job_token_scope_enabled: false)
+          end
+
+          it 'returns nil' do
+            expect(subject.dig('data', 'project', 'ciJobTokenScope')).to be_nil
+          end
+        end
       end
     end
   end

spec/models/ci/job_token/scope_spec.rb

@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe Ci::JobToken::Scope do
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
 
   let(:scope) { described_class.new(project) }
 

spec/models/project_ci_cd_setting_spec.rb

@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
   end
 
   describe '#job_token_scope_enabled' do
-    it 'is true by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_truthy
+    it 'is false by default' do
+      expect(described_class.new.job_token_scope_enabled).to be_falsey
     end
   end
 

spec/policies/project_policy_spec.rb

@@ -1423,6 +1423,7 @@ RSpec.describe ProjectPolicy do
 
     before do
       current_user.set_ci_job_token_scope!(job)
+      scope_project.update!(ci_job_token_scope_enabled: true)
     end
 
     context 'when accessing a private project' do
@@ -1442,6 +1443,14 @@ RSpec.describe ProjectPolicy do
         end
 
         it { is_expected.to be_disallowed(:guest_access) }
+
+        context 'when job token scope is disabled' do
+          before do
+            scope_project.update!(ci_job_token_scope_enabled: false)
+          end
+
+          it { is_expected.to be_allowed(:guest_access) }
+        end
       end
     end
 
@@ -1462,6 +1471,14 @@ RSpec.describe ProjectPolicy do
         end
 
         it { is_expected.to be_disallowed(:public_access) }
+
+        context 'when job token scope is disabled' do
+          before do
+            scope_project.update!(ci_job_token_scope_enabled: false)
+          end
+
+          it { is_expected.to be_allowed(:public_access) }
+        end
       end
     end
   end

spec/requests/api/graphql/mutations/ci/ci_cd_settings_update_spec.rb

@@ -5,7 +5,10 @@ require 'spec_helper'
 RSpec.describe 'CiCdSettingsUpdate' do
   include GraphqlHelpers
 
-  let_it_be(:project) { create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true) }
+  let_it_be(:project) do
+    create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true)
+      .tap(&:save!)
+  end
 
   let(:variables) do
     {

spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe 'CiJobTokenScopeAddProject' do
   include GraphqlHelpers
 
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
   let_it_be(:target_project) { create(:project) }
 
   let(:variables) do

spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe 'CiJobTokenScopeRemoveProject' do
   include GraphqlHelpers
 
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
   let_it_be(:target_project) { create(:project) }
 
   let_it_be(:link) do

spec/requests/git_http_spec.rb

@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
               context 'when admin mode is enabled', :enable_admin_mode do
                 it_behaves_like 'can download code only'
 
-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                   clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
 
-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                 end
               end
 
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
               context 'when admin mode is enabled', :enable_admin_mode do
                 it_behaves_like 'can download code only'
 
-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                   clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
 
-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                 end
               end
 

spec/requests/lfs_http_spec.rb

@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
                   let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
 
                   # I'm not sure what this tests that is different from the previous test
-                  it_behaves_like 'LFS http 404 response'
+                  it_behaves_like 'LFS http 403 response'
                 end
               end
 
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
                 let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
 
                 # I'm not sure what this tests that is different from the previous test
-                it_behaves_like 'LFS http 404 response'
+                it_behaves_like 'LFS http 403 response'
               end
             end
 

spec/services/ci/job_token_scope/add_project_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe Ci::JobTokenScope::AddProjectService do
   let(:service) { described_class.new(project, current_user) }
 
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
   let_it_be(:target_project) { create(:project) }
   let_it_be(:current_user) { create(:user) }
 

spec/services/ci/job_token_scope/remove_project_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe Ci::JobTokenScope::RemoveProjectService do
   let(:service) { described_class.new(project, current_user) }
 
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) }
   let_it_be(:target_project) { create(:project) }
   let_it_be(:current_user) { create(:user) }