Automatic merge of gitlab-org/gitlab master

app/assets/stylesheets/page_bundles/new_namespace.scss

@@ -17,10 +17,10 @@ $new-namespace-panel-height: 240px;
 
 .new-namespace-panel {
   &:hover {
-    background-color: $gray-10;
+    background-color: var(--gray-50, $gray-10);
   }
 
-  color: $purple-700;
+  color: var(--purple-700, $purple-700);
   min-height: $new-namespace-panel-height;
   text-align: center;
   @include media-breakpoint-up(lg) {

app/assets/stylesheets/startup/startup-dark.scss

@@ -11,6 +11,7 @@ body.gl-dark {
   --green-700: #91d4a8;
   --blue-400: #1f75cb;
   --orange-400: #ab6100;
+  --purple-100: #2f2a6b;
   --gl-text-color: #fafafa;
   --border-color: #4f4f4f;
   --black: #fff;
@@ -1524,7 +1525,7 @@ svg.s16 {
   background-color: #660e00;
 }
 .identicon.bg2 {
-  background-color: #f4f0ff;
+  background-color: #232150;
 }
 .identicon.bg3 {
   background-color: #f1f1ff;
@@ -1651,7 +1652,7 @@ body.gl-dark .nav-sidebar li.active > a {
 body.gl-dark .nav-sidebar .fly-out-top-item a,
 body.gl-dark .nav-sidebar .fly-out-top-item.active a,
 body.gl-dark .nav-sidebar .fly-out-top-item .fly-out-top-item-container {
-  background-color: #2f2a6b;
+  background-color: var(--purple-100, #e1d8f9);
   color: var(--black, #333);
 }
 body.gl-dark .logo-text svg {
@@ -1746,6 +1747,17 @@ body.gl-dark {
   --indigo-900: #ebebfa;
   --indigo-950: #f7f7ff;
   --indigo-900-alpha-008: rgba(235, 235, 250, 0.08);
+  --purple-50: #232150;
+  --purple-100: #2f2a6b;
+  --purple-200: #453894;
+  --purple-300: #5943b6;
+  --purple-400: #694cc0;
+  --purple-500: #7b58cf;
+  --purple-600: #9475db;
+  --purple-700: #ac93e6;
+  --purple-800: #cbbbf2;
+  --purple-900: #e1d8f9;
+  --purple-950: #f4f0ff;
   --gl-text-color: #fafafa;
   --border-color: #4f4f4f;
   --white: #333;

app/assets/stylesheets/themes/_dark.scss

@@ -72,6 +72,18 @@ $indigo-900: #ebebfa;
 $indigo-950: #f7f7ff;
 $indigo-900-alpha-008: rgba($indigo-900, 0.08);
 
+$purple-50: #232150;
+$purple-100: #2f2a6b;
+$purple-200: #453894;
+$purple-300: #5943b6;
+$purple-400: #694cc0;
+$purple-500: #7b58cf;
+$purple-600: #9475db;
+$purple-700: #ac93e6;
+$purple-800: #cbbbf2;
+$purple-900: #e1d8f9;
+$purple-950: #f4f0ff;
+
 $gray-lightest: #222;
 $gray-light: $gray-50;
 $gray-lighter: #303030;
@@ -163,6 +175,18 @@ body.gl-dark {
   --indigo-950: #{$indigo-950};
   --indigo-900-alpha-008: #{$indigo-900-alpha-008};
 
+  --purple-50: #{$purple-50};
+  --purple-100: #{$purple-100};
+  --purple-200: #{$purple-200};
+  --purple-300: #{$purple-300};
+  --purple-400: #{$purple-400};
+  --purple-500: #{$purple-500};
+  --purple-600: #{$purple-600};
+  --purple-700: #{$purple-700};
+  --purple-800: #{$purple-800};
+  --purple-900: #{$purple-900};
+  --purple-950: #{$purple-950};
+
   --gl-text-color: #{$gray-900};
   --border-color: #{$border-color};
 

app/assets/stylesheets/themes/theme_helper.scss

@@ -184,7 +184,7 @@
       a:hover,
       &.active a,
       .fly-out-top-item-container {
-        background-color: $purple-900;
+        background-color: var(--purple-100, $purple-900);
         color: var(--black, $white);
       }
     }

db/migrate/20210819153805_set_default_job_token_scope_true.rb

+# frozen_string_literal: true
+
+class SetDefaultJobTokenScopeTrue < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+
+  def up
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+    end
+  end
+
+  def down
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+    end
+  end
+end

db/schema_migrations/20210819153805

+195d2444bf9d5113ee589b1accdbf04efbc7fb84c2ead4deed3985b254345e07
\ No newline at end of file

db/structure.sql

@@ -16996,7 +16996,7 @@ CREATE TABLE project_ci_cd_settings (
     auto_rollback_enabled boolean DEFAULT false NOT NULL,
     keep_latest_artifact boolean DEFAULT true NOT NULL,
     restrict_user_defined_variables boolean DEFAULT false NOT NULL,
-    job_token_scope_enabled boolean DEFAULT false NOT NULL
+    job_token_scope_enabled boolean DEFAULT true NOT NULL
 );
 
 CREATE SEQUENCE project_ci_cd_settings_id_seq

ee/app/assets/stylesheets/startup/startup-dark.scss

@@ -11,6 +11,7 @@ body.gl-dark {
   --green-700: #91d4a8;
   --blue-400: #1f75cb;
   --orange-400: #ab6100;
+  --purple-100: #2f2a6b;
   --gl-text-color: #fafafa;
   --border-color: #4f4f4f;
   --black: #fff;
@@ -1524,7 +1525,7 @@ svg.s16 {
   background-color: #660e00;
 }
 .identicon.bg2 {
-  background-color: #f4f0ff;
+  background-color: #232150;
 }
 .identicon.bg3 {
   background-color: #f1f1ff;
@@ -1651,7 +1652,7 @@ body.gl-dark .nav-sidebar li.active > a {
 body.gl-dark .nav-sidebar .fly-out-top-item a,
 body.gl-dark .nav-sidebar .fly-out-top-item.active a,
 body.gl-dark .nav-sidebar .fly-out-top-item .fly-out-top-item-container {
-  background-color: #2f2a6b;
+  background-color: var(--purple-100, #e1d8f9);
   color: var(--black, #333);
 }
 body.gl-dark .logo-text svg {
@@ -1746,6 +1747,17 @@ body.gl-dark {
   --indigo-900: #ebebfa;
   --indigo-950: #f7f7ff;
   --indigo-900-alpha-008: rgba(235, 235, 250, 0.08);
+  --purple-50: #232150;
+  --purple-100: #2f2a6b;
+  --purple-200: #453894;
+  --purple-300: #5943b6;
+  --purple-400: #694cc0;
+  --purple-500: #7b58cf;
+  --purple-600: #9475db;
+  --purple-700: #ac93e6;
+  --purple-800: #cbbbf2;
+  --purple-900: #e1d8f9;
+  --purple-950: #f4f0ff;
   --gl-text-color: #fafafa;
   --border-color: #4f4f4f;
   --white: #333;

ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb

@@ -68,10 +68,17 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
       context 'when site validation and job are associated with different projects' do
         let_it_be(:job) { create(:ci_build, :running, user: developer) }
 
+        before do
+          create(:ci_job_token_project_scope_link,
+                 source_project: job.project,
+                 target_project: project,
+                 added_by: developer)
+        end
+
         it 'returns 400', :aggregate_failures do
           subject
 
-          expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
+          expect(response).to have_gitlab_http_status(:bad_request)
         end
 
         context 'when the job project belongs to the same job token scope' do

spec/migrations/set_default_job_token_scope_true_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe SetDefaultJobTokenScopeTrue, schema: 20210819153805 do
+  let(:ci_cd_settings) { table(:project_ci_cd_settings) }
+  let(:namespaces) { table(:namespaces) }
+  let(:projects) { table(:projects) }
+
+  let(:namespace) { namespaces.create!(name: 'test', path: 'path', type: 'Group') }
+  let(:project) { projects.create!(namespace_id: namespace.id) }
+
+  describe '#up' do
+    it 'sets the job_token_scope_enabled default to true' do
+      described_class.new.up
+
+      settings = ci_cd_settings.create!(project_id: project.id)
+
+      expect(settings.job_token_scope_enabled).to be_truthy
+    end
+  end
+
+  describe '#down' do
+    it 'sets the job_token_scope_enabled default to false' do
+      described_class.new.down
+
+      settings = ci_cd_settings.create!(project_id: project.id)
+
+      expect(settings.job_token_scope_enabled).to be_falsey
+    end
+  end
+end

spec/models/project_ci_cd_setting_spec.rb

@@ -21,12 +21,6 @@ RSpec.describe ProjectCiCdSetting do
     end
   end
 
-  describe '#job_token_scope_enabled' do
-    it 'is false by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_falsey
-    end
-  end
-
   describe '#default_git_depth' do
     let(:default_value) { described_class::DEFAULT_GIT_DEPTH }
 

spec/requests/api/generic_packages_spec.rb

@@ -18,7 +18,7 @@ RSpec.describe API::GenericPackages do
   let_it_be(:project_deploy_token_wo) { create(:project_deploy_token, deploy_token: deploy_token_wo, project: project) }
 
   let(:user) { personal_access_token.user }
-  let(:ci_build) { create(:ci_build, :running, user: user) }
+  let(:ci_build) { create(:ci_build, :running, user: user, project: project) }
   let(:snowplow_standard_context_params) { { user: user, project: project, namespace: project.namespace } }
 
   def auth_header

spec/requests/api/go_proxy_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe API::GoProxy do
   let_it_be(:base) { "#{Settings.build_gitlab_go_url}/#{project.full_path}" }
 
   let_it_be(:oauth) { create :oauth_access_token, scopes: 'api', resource_owner: user }
-  let_it_be(:job) { create :ci_build, user: user, status: :running }
+  let_it_be(:job) { create :ci_build, user: user, status: :running, project: project }
   let_it_be(:pa_token) { create :personal_access_token, user: user }
 
   let_it_be(:modules) do

spec/requests/api/maven_packages_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe API::MavenPackages do
   let_it_be(:package_file) { package.package_files.with_file_name_like('%.xml').first }
   let_it_be(:jar_file) { package.package_files.with_file_name_like('%.jar').first }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running) }
+  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
   let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true) }

spec/requests/api/pypi_packages_spec.rb

@@ -13,7 +13,7 @@ RSpec.describe API::PypiPackages do
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
-  let_it_be(:job) { create(:ci_build, :running, user: user) }
+  let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
 
   let(:headers) { {} }
 

spec/requests/api/releases_spec.rb

@@ -839,7 +839,7 @@ RSpec.describe API::Releases do
 
       context 'when a valid token is provided' do
         it 'creates the release for a running job' do
-          job.update!(status: :running)
+          job.update!(status: :running, project: project)
           post api("/projects/#{project.id}/releases"), params: params.merge(job_token: job.token)
 
           expect(response).to have_gitlab_http_status(:created)

spec/requests/api/rubygem_packages_spec.rb

@@ -10,7 +10,7 @@ RSpec.describe API::RubygemPackages do
   let_it_be_with_reload(:project) { create(:project) }
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:user) { personal_access_token.user }
-  let_it_be(:job) { create(:ci_build, :running, user: user) }
+  let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
   let_it_be(:headers) { {} }

spec/requests/api/terraform/modules/v1/packages_spec.rb

@@ -12,7 +12,7 @@ RSpec.describe API::Terraform::Modules::V1::Packages do
   let_it_be(:package) { create(:terraform_module_package, project: project) }
   let_it_be(:personal_access_token) { create(:personal_access_token) }
   let_it_be(:user) { personal_access_token.user }
-  let_it_be(:job) { create(:ci_build, :running, user: user) }
+  let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
 

spec/requests/git_http_spec.rb

@@ -882,6 +882,10 @@ RSpec.describe 'Git HTTP requests' do
             before do
               build.update!(user: user)
               project.add_reporter(user)
+              create(:ci_job_token_project_scope_link,
+                     source_project: project,
+                     target_project: other_project,
+                     added_by: user)
             end
 
             shared_examples 'can download code only' do
@@ -1447,6 +1451,10 @@ RSpec.describe 'Git HTTP requests' do
 
           before do
             build.update!(project: project) # can't associate it on factory create
+            create(:ci_job_token_project_scope_link,
+                    source_project: project,
+                    target_project: other_project,
+                    added_by: user)
           end
 
           context 'when build created by system is authenticated' do

spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb

@@ -11,7 +11,7 @@ RSpec.shared_context 'npm api setup' do
   let_it_be(:package, reload: true) { create(:npm_package, project: project, name: "@#{group.path}/scoped_package") }
   let_it_be(:token) { create(:oauth_access_token, scopes: 'api', resource_owner: user) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
-  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running) }
+  let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running, project: project) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }