Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
a56447c1
Commit
a56447c1
authored
Jul 16, 2021
by
Fabio Pitino
Committed by
Stan Hu
Jul 16, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "Merge branch 'enable-ff-ci-scoped-job-token' into 'master'"
parent
cb3ab957
Changes
9
Show whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
43 additions
and
25 deletions
+43
-25
config/feature_flags/development/ci_scoped_job_token.yml
config/feature_flags/development/ci_scoped_job_token.yml
+1
-1
db/migrate/20210716074555_revert_default_job_token_scope.rb
db/migrate/20210716074555_revert_default_job_token_scope.rb
+17
-0
db/schema_migrations/20210716074555
db/schema_migrations/20210716074555
+1
-0
db/structure.sql
db/structure.sql
+1
-1
doc/api/index.md
doc/api/index.md
+13
-13
ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
...quests/api/internal/app_sec/dast/site_validations_spec.rb
+2
-2
spec/models/project_ci_cd_setting_spec.rb
spec/models/project_ci_cd_setting_spec.rb
+2
-2
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+4
-4
spec/requests/lfs_http_spec.rb
spec/requests/lfs_http_spec.rb
+2
-2
No files found.
config/feature_flags/development/ci_scoped_job_token.yml
View file @
a56447c1
...
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
...
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
milestone
:
'
14.0'
milestone
:
'
14.0'
type
:
development
type
:
development
group
:
group::pipeline execution
group
:
group::pipeline execution
default_enabled
:
tru
e
default_enabled
:
fals
e
db/migrate/20210716074555_revert_default_job_token_scope.rb
0 → 100644
View file @
a56447c1
# frozen_string_literal: true
class
RevertDefaultJobTokenScope
<
ActiveRecord
::
Migration
[
6.1
]
include
Gitlab
::
Database
::
MigrationHelpers
def
up
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
true
,
to:
false
end
end
def
down
with_lock_retries
do
change_column_default
:project_ci_cd_settings
,
:job_token_scope_enabled
,
from:
false
,
to:
true
end
end
end
db/schema_migrations/20210716074555
0 → 100644
View file @
a56447c1
5cf415013b50c46fde5f12702c3f5bae808848a82eb57bfa38764947fc672ad9
\ No newline at end of file
db/structure.sql
View file @
a56447c1
...
@@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings (
...
@@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings (
auto_rollback_enabled boolean DEFAULT false NOT NULL,
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
restrict_user_defined_variables boolean DEFAULT false NOT NULL,
job_token_scope_enabled boolean DEFAULT
tru
e NOT NULL
job_token_scope_enabled boolean DEFAULT
fals
e NOT NULL
);
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
CREATE SEQUENCE project_ci_cd_settings_id_seq
doc/api/index.md
View file @
a56447c1
...
@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
...
@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
#### Limit GitLab CI/CD job token access
#### Limit GitLab CI/CD job token access
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
> - [Deployed behind a feature flag](../user/feature_flags.md),
en
abled by default.
> - [Deployed behind a feature flag](../user/feature_flags.md),
dis
abled by default.
> -
En
abled on GitLab.com.
> -
Dis
abled on GitLab.com.
> -
R
ecommended for production use.
> -
Not r
ecommended for production use.
> -
For GitLab self-managed instances, GitLab administrators can opt to [dis
able it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
> -
To use in GitLab self-managed instances, ask a GitLab administrator to [en
able it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
There can be
Th
is in-development feature might not be available for your use. Th
ere can be
[
risks when
disabling released features
](
../user/feature_flags.md#risks-when-disabling-released-features
)
.
[
risks when
enabling features still in development
](
../user/feature_flags.md#risks-when-enabling-features-still-in-development
)
.
Refer to this feature's version history for more details.
Refer to this feature's version history for more details.
You can limit the access scope of a project's CI/CD job token to increase the
You can limit the access scope of a project's CI/CD job token to increase the
...
@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions.
...
@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions.
##### Enable or disable CI job token scope limit **(FREE SELF)**
##### Enable or disable CI job token scope limit **(FREE SELF)**
The GitLab CI/CD job token access scope limit is under development
bu
t ready for production
The GitLab CI/CD job token access scope limit is under development
and no
t ready for production
use. It is deployed behind a feature flag that is
**
en
abled by default**
.
use. It is deployed behind a feature flag that is
**
dis
abled by default**
.
[
GitLab administrators with access to the GitLab Rails console
](
../administration/feature_flags.md
)
[
GitLab administrators with access to the GitLab Rails console
](
../administration/feature_flags.md
)
can
disable the feature
.
can
enable it
.
To
dis
able it:
To
en
able it:
```
ruby
```
ruby
Feature
.
dis
able
(
:ci_scoped_job_token
)
Feature
.
en
able
(
:ci_scoped_job_token
)
```
```
To
en
able it:
To
dis
able it:
```
ruby
```
ruby
Feature
.
en
able
(
:ci_scoped_job_token
)
Feature
.
dis
able
(
:ci_scoped_job_token
)
```
```
### Impersonation tokens
### Impersonation tokens
...
...
ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
View file @
a56447c1
...
@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
...
@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
context
'when site validation and job are associated with different projects'
do
context
'when site validation and job are associated with different projects'
do
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
developer
)
}
let_it_be
(
:job
)
{
create
(
:ci_build
,
:running
,
user:
developer
)
}
it
'returns 40
3
'
,
:aggregate_failures
do
it
'returns 40
0
'
,
:aggregate_failures
do
subject
subject
expect
(
response
).
to
have_gitlab_http_status
(
:
forbidden
)
expect
(
response
).
to
have_gitlab_http_status
(
:
bad_request
)
# Temporarily forcing job_token_scope_enabled false
end
end
context
'when the job project belongs to the same job token scope'
do
context
'when the job project belongs to the same job token scope'
do
...
...
spec/models/project_ci_cd_setting_spec.rb
View file @
a56447c1
...
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
...
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
end
end
describe
'#job_token_scope_enabled'
do
describe
'#job_token_scope_enabled'
do
it
'is
tru
e by default'
do
it
'is
fals
e by default'
do
expect
(
described_class
.
new
.
job_token_scope_enabled
).
to
be_
truth
y
expect
(
described_class
.
new
.
job_token_scope_enabled
).
to
be_
false
y
end
end
end
end
...
...
spec/requests/git_http_spec.rb
View file @
a56447c1
...
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
...
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it_behaves_like
'can download code only'
it_behaves_like
'can download code only'
it
'downloads from other project get status 40
4
'
do
it
'downloads from other project get status 40
3
'
do
clone_get
"
#{
other_project
.
full_path
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
clone_get
"
#{
other_project
.
full_path
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_gitlab_http_status
(
:
not_found
)
expect
(
response
).
to
have_gitlab_http_status
(
:
forbidden
)
end
end
end
end
...
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
...
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
context
'when admin mode is enabled'
,
:enable_admin_mode
do
it_behaves_like
'can download code only'
it_behaves_like
'can download code only'
it
'downloads from other project get status 40
4
'
do
it
'downloads from other project get status 40
3
'
do
clone_get
"
#{
other_project
.
full_path
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
clone_get
"
#{
other_project
.
full_path
}
.git"
,
user:
'gitlab-ci-token'
,
password:
build
.
token
expect
(
response
).
to
have_gitlab_http_status
(
:
not_found
)
expect
(
response
).
to
have_gitlab_http_status
(
:
forbidden
)
end
end
end
end
...
...
spec/requests/lfs_http_spec.rb
View file @
a56447c1
...
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
...
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
other_project
)
}
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
other_project
)
}
# I'm not sure what this tests that is different from the previous test
# I'm not sure what this tests that is different from the previous test
it_behaves_like
'LFS http 40
4
response'
it_behaves_like
'LFS http 40
3
response'
end
end
end
end
...
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
...
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
other_project
)
}
let
(
:pipeline
)
{
create
(
:ci_empty_pipeline
,
project:
other_project
)
}
# I'm not sure what this tests that is different from the previous test
# I'm not sure what this tests that is different from the previous test
it_behaves_like
'LFS http 40
4
response'
it_behaves_like
'LFS http 40
3
response'
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment