Enable ci_scoped_job_token by default

ce5ac2c0 · Fabio Pitino · Bob Van Landuyt · 06ffc9fd · ce5ac2c0 · ce5ac2c0
Commit ce5ac2c0 authored Jul 15, 2021 by Fabio Pitino Committed by Bob Van Landuyt Jul 15, 2021
9 changed files
--- a/config/feature_flags/development/ci_scoped_job_token.yml
+++ b/config/feature_flags/development/ci_scoped_job_token.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
 milestone: '14.0'
 type: development
 group: group::pipeline execution
-default_enabled: false
+default_enabled: true
--- a/db/migrate/20210709132707_change_default_job_token_scope_enabled.rb
+++ b/db/migrate/20210709132707_change_default_job_token_scope_enabled.rb
+# frozen_string_literal: true
+class ChangeDefaultJobTokenScopeEnabled < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+  def up
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+    end
+  end
+  def down
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+    end
+  end
+end
--- a/db/schema_migrations/20210709132707
+++ b/db/schema_migrations/20210709132707
+e0a2de69a3c9d616b87207b764e33fa3326627e065f28fc200c1414f08ee9fff
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16751,7 +16751,7 @@ CREATE TABLE project_ci_cd_settings (
    auto_rollback_enabled boolean DEFAULT false NOT NULL,
    keep_latest_artifact boolean DEFAULT true NOT NULL,
    restrict_user_defined_variables boolean DEFAULT false NOT NULL,
-    job_token_scope_enabled boolean DEFAULT false NOT NULL
+    job_token_scope_enabled boolean DEFAULT true NOT NULL
 );
 CREATE SEQUENCE project_ci_cd_settings_id_seq
--- a/doc/api/index.md
+++ b/doc/api/index.md
@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
 #### Limit GitLab CI/CD job token access
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
-> - [Deployed behind a feature flag](../user/feature_flags.md), disabled by default.
+> - [Deployed behind a feature flag](../user/feature_flags.md), enabled by default.
-> - Disabled on GitLab.com.
+> - Enabled on GitLab.com.
-> - Not recommended for production use.
+> - Recommended for production use.
-> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
+> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
-This in-development feature might not be available for your use. There can be
+There can be
-[risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development).
+[risks when disabling released features](../user/feature_flags.md#risks-when-disabling-released-features).
 Refer to this feature's version history for more details.
 You can limit the access scope of a project's CI/CD job token to increase the
@@ -292,21 +292,21 @@ the feature with more strategic control of the access permissions.
 ##### Enable or disable CI job token scope limit **(FREE SELF)**
-The GitLab CI/CD job token access scope limit is under development and not ready for production
+The GitLab CI/CD job token access scope limit is under development but ready for production
-use. It is deployed behind a feature flag that is **disabled by default**.
+use. It is deployed behind a feature flag that is **enabled by default**.
 [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
-can enable it.
+can disable the feature.
-To enable it:
+To disable it:
 ```ruby
-Feature.enable(:ci_scoped_job_token)
+Feature.disable(:ci_scoped_job_token)
 ```
-To disable it:
+To enable it:
 ```ruby
-Feature.disable(:ci_scoped_job_token)
+Feature.enable(:ci_scoped_job_token)
 ```
 ### Impersonation tokens

--- a/ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
+++ b/ee/spec/requests/api/internal/app_sec/dast/site_validations_spec.rb
@@ -68,10 +68,10 @@ RSpec.describe API::Internal::AppSec::Dast::SiteValidations do
      context 'when site validation and job are associated with different projects' do
        let_it_be(:job) { create(:ci_build, :running, user: developer) }
-        it 'returns 400', :aggregate_failures do
+        it 'returns 403', :aggregate_failures do
          subject
-          expect(response).to have_gitlab_http_status(:bad_request) # Temporarily forcing job_token_scope_enabled false
+          expect(response).to have_gitlab_http_status(:forbidden)
        end
        context 'when the job project belongs to the same job token scope' do

--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
  end
  describe '#job_token_scope_enabled' do
-    it 'is false by default' do
+    it 'is true by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_falsey
+      expect(described_class.new.job_token_scope_enabled).to be_truthy
    end
  end

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'
-                it 'downloads from other project get status 403' do
+                it 'downloads from other project get status 404' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
-                  expect(response).to have_gitlab_http_status(:forbidden)
+                  expect(response).to have_gitlab_http_status(:not_found)
                end
              end
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'
-                it 'downloads from other project get status 403' do
+                it 'downloads from other project get status 404' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
-                  expect(response).to have_gitlab_http_status(:forbidden)
+                  expect(response).to have_gitlab_http_status(:not_found)
                end
              end

--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
                  let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
                  # I'm not sure what this tests that is different from the previous test
-                  it_behaves_like 'LFS http 403 response'
+                  it_behaves_like 'LFS http 404 response'
                end
              end
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
                let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
                # I'm not sure what this tests that is different from the previous test
-                it_behaves_like 'LFS http 403 response'
+                it_behaves_like 'LFS http 404 response'
              end
            end