Revert "Merge branch 'enable-ff-ci-scoped-job-token' into 'master'"

a56447c1 · Fabio Pitino · Stan Hu · cb3ab957 · a56447c1 · a56447c1
Commit a56447c1 authored Jul 16, 2021 by Fabio Pitino Committed by Stan Hu Jul 16, 2021
9 changed files
--- a/config/feature_flags/development/ci_scoped_job_token.yml
+++ b/config/feature_flags/development/ci_scoped_job_token.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
 milestone: '14.0'
 type: development
 group: group::pipeline execution
-default_enabled: true
+default_enabled: false
--- a/db/migrate/20210716074555_revert_default_job_token_scope.rb
+++ b/db/migrate/20210716074555_revert_default_job_token_scope.rb
+# frozen_string_literal: true
+
+class RevertDefaultJobTokenScope < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+
+  def up
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+    end
+  end
+
+  def down
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+    end
+  end
+end
--- a/db/schema_migrations/20210716074555
+++ b/db/schema_migrations/20210716074555
+5cf415013b50c46fde5f12702c3f5bae808848a82eb57bfa38764947fc672ad9
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings (
    auto_rollback_enabled boolean DEFAULT false NOT NULL,
    keep_latest_artifact boolean DEFAULT true NOT NULL,
    restrict_user_defined_variables boolean DEFAULT false NOT NULL,
-    job_token_scope_enabled boolean DEFAULT true NOT NULL
+    job_token_scope_enabled boolean DEFAULT false NOT NULL
 );

 CREATE SEQUENCE project_ci_cd_settings_id_seq
--- a/doc/api/index.md
+++ b/doc/api/index.md
@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
 #### Limit GitLab CI/CD job token access

 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
-> - [Deployed behind a feature flag](../user/feature_flags.md), enabled by default.
-> - Enabled on GitLab.com.
-> - Recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
+> - [Deployed behind a feature flag](../user/feature_flags.md), disabled by default.
+> - Disabled on GitLab.com.
+> - Not recommended for production use.
+> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**

-There can be
-[risks when disabling released features](../user/feature_flags.md#risks-when-disabling-released-features).
+This in-development feature might not be available for your use. There can be
+[risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development).
 Refer to this feature's version history for more details.

 You can limit the access scope of a project's CI/CD job token to increase the
@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions.

 ##### Enable or disable CI job token scope limit **(FREE SELF)**

-The GitLab CI/CD job token access scope limit is under development but ready for production
-use. It is deployed behind a feature flag that is **enabled by default**.
+The GitLab CI/CD job token access scope limit is under development and not ready for production
+use. It is deployed behind a feature flag that is **disabled by default**.
 [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
-can disable the feature.
+can enable it.

-To disable it:
+To enable it:

 ```ruby
-Feature.disable(:ci_scoped_job_token)
+Feature.enable(:ci_scoped_job_token)
 ```

-To enable it:
+To disable it:

 ```ruby
-Feature.enable(:ci_scoped_job_token)
+Feature.disable(:ci_scoped_job_token)
 ```

 ### Impersonation tokens

--- a/ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
+++ b/ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
      context 'when site validation and job are associated with different projects' do
        let_it_be(:job) { create(:ci_build, :running, user: developer) }

-        it 'returns 403', :aggregate_failures do
+        it 'returns 400', :aggregate_failures do
          subject

-          expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
        end

        context 'when the job project belongs to the same job token scope' do

--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
  end

  describe '#job_token_scope_enabled' do
-    it 'is true by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_truthy
+    it 'is false by default' do
+      expect(described_class.new.job_token_scope_enabled).to be_falsey
    end
  end


--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'

-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token

-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end

@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'

-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token

-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end


--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
                  let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }

                  # I'm not sure what this tests that is different from the previous test
-                  it_behaves_like 'LFS http 404 response'
+                  it_behaves_like 'LFS http 403 response'
                end
              end

@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
                let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }

                # I'm not sure what this tests that is different from the previous test
-                it_behaves_like 'LFS http 404 response'
+                it_behaves_like 'LFS http 403 response'
              end
            end