Merge branch...

Merge branch '292661-feature-flag-delete-flag-restrict-access-to-jobs-that-use-ci_debug_trace-true' into 'master'

Resolve "[Feature flag] Delete flag 'Restrict access to jobs that use `CI_DEBUG_TRACE=True`'"

See merge request gitlab-org/gitlab!49859

app/models/ci/build.rb

@@ -1020,8 +1020,6 @@ module Ci
     end
 
     def debug_mode?
-      return false unless Feature.enabled?(:restrict_access_to_build_debug_mode, default_enabled: true)
-
       # TODO: Have `debug_mode?` check against data on sent back from runner
       # to capture all the ways that variables can be set.
       # See (https://gitlab.com/gitlab-org/gitlab/-/issues/290955)

config/feature_flags/development/restrict_access_to_build_debug_mode.yml

----
-name: restrict_access_to_build_debug_mode
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48932
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/292661
-milestone: '13.7'
-type: development
-group: group::continuous integration
-default_enabled: true

doc/ci/variables/README.md

@@ -877,13 +877,7 @@ before making them visible again.
 ### Restricted access to debug logging
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7.
-> - It's [deployed behind a feature flag](../../user/feature_flags.md), enabled by default.
-> - It's enabled on GitLab.com.
-> - It's recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-restricted-access-to-debug-logging). **(CORE ONLY)**
-
-WARNING:
-This feature might not be available to you. Check the **version history** note above for details.
+> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8.
 
 With restricted access to debug logging, only users with
 [developer or higher permissions](../../user/permissions.md#project-members-permissions)
@@ -897,25 +891,6 @@ If you add `CI_DEBUG_TRACE` as a local variable to your runners, debug logs are
 to all users with access to job logs. The permission levels are not checked by Runner,
 so you should make use of the variable in GitLab only.
 
-#### Enable or disable Restricted access to debug logging **(CORE ONLY)**
-
-Restricted Access to Debug logging is under development but ready for production use.
-It is deployed behind a feature flag that is **enabled by default**.
-[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md)
-can opt to disable it.
-
-To enable it:
-
-```ruby
-Feature.enable(:restrict_access_to_build_debug_mode)
-```
-
-To disable it:
-
-```ruby
-Feature.disable(:restrict_access_to_build_debug_mode)
-```
-
 ### Enable Debug logging
 
 To enable debug logs (traces), set the `CI_DEBUG_TRACE` variable to `true`:

spec/controllers/projects/jobs_controller_spec.rb

@@ -675,16 +675,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
 
             expect(response).to have_gitlab_http_status(:forbidden)
           end
-
-          context 'with restrict_access_to_build_debug_mode feature disabled' do
-            before do
-              stub_feature_flags(restrict_access_to_build_debug_mode: false)
-            end
-
-            it 'returns response forbidden' do
-              expect(response).to have_gitlab_http_status(:ok)
-            end
-          end
         end
       end
     end
@@ -1139,18 +1129,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
 
             expect(response).to have_gitlab_http_status(:ok)
           end
-
-          context 'with restrict_access_to_build_debug_mode feature disabled' do
-            before do
-              stub_feature_flags(restrict_access_to_build_debug_mode: false)
-            end
-
-            it 'returns response ok' do
-              response = subject
-
-              expect(response).to have_gitlab_http_status(:ok)
-            end
-          end
         end
 
         context 'without proper permissions for debug logging on a project' do
@@ -1164,18 +1142,6 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
 
             expect(response).to have_gitlab_http_status(:forbidden)
           end
-
-          context 'with restrict_access_to_build_debug_mode feature disabled' do
-            before do
-              stub_feature_flags(restrict_access_to_build_debug_mode: false)
-            end
-
-            it 'returns response ok' do
-              response = subject
-
-              expect(response).to have_gitlab_http_status(:ok)
-            end
-          end
         end
       end
     end

spec/features/projects/jobs/permissions_spec.rb

@@ -179,34 +179,6 @@ RSpec.describe 'Project Jobs Permissions' do
           expect(status_code).to eq(expected_status_code)
         end
       end
-
-      context 'when restrict_access_to_build_debug_mode feature not enabled' do
-        where(:public_builds, :user_project_role, :ci_debug_trace, :expected_status_code) do
-          true         | 'developer'      | true  | 200
-          true         | 'guest'          | true  | 200
-          true         | 'developer'      | false | 200
-          true         | 'guest'          | false | 200
-          false        | 'developer'      | true  | 200
-          false        | 'guest'          | true  | 403
-          false        | 'developer'      | false | 200
-          false        | 'guest'          | false | 403
-        end
-
-        with_them do
-          before do
-            stub_feature_flags(restrict_access_to_build_debug_mode: false)
-            ci_instance_variable.update!(value: ci_debug_trace)
-            project.update!(public_builds: public_builds)
-            project.add_role(user, user_project_role)
-          end
-
-          it 'renders trace to authorized users' do
-            visit trace_project_job_path(project, job)
-
-            expect(status_code).to eq(expected_status_code)
-          end
-        end
-      end
     end
 
     describe 'raw page' do
@@ -237,35 +209,6 @@ RSpec.describe 'Project Jobs Permissions' do
           expect(page).to have_content(expected_msg)
         end
       end
-
-      context 'when restrict_access_to_build_debug_mode feature not enabled' do
-        where(:public_builds, :user_project_role, :ci_debug_trace, :expected_status_code, :expected_msg) do
-          true         | 'developer'      | true  | 200 | nil
-          true         | 'guest'          | true  | 200 | nil
-          true         | 'developer'      | false | 200 | nil
-          true         | 'guest'          | false | 200 | nil
-          false        | 'developer'      | true  | 200 | nil
-          false        | 'guest'          | true  | 403 | 'The current user is not authorized to access the job log'
-          false        | 'developer'      | false | 200 | nil
-          false        | 'guest'          | false | 403 | 'The current user is not authorized to access the job log'
-        end
-
-        with_them do
-          before do
-            stub_feature_flags(restrict_access_to_build_debug_mode: false)
-            ci_instance_variable.update!(value: ci_debug_trace)
-            project.update!(public_builds: public_builds)
-            project.add_role(user, user_project_role)
-          end
-
-          it 'renders raw trace to authorized users' do
-            visit raw_project_job_path(project, job)
-
-            expect(status_code).to eq(expected_status_code)
-            expect(page).to have_content(expected_msg)
-          end
-        end
-      end
     end
   end
 end

spec/models/ci/build_spec.rb

@@ -4775,22 +4775,6 @@ RSpec.describe Ci::Build do
   describe '#debug_mode?' do
     subject { build.debug_mode? }
 
-    context 'when feature is disabled' do
-      before do
-        stub_feature_flags(restrict_access_to_build_debug_mode: false)
-      end
-
-      it { is_expected.to eq false }
-
-      context 'when in variables' do
-        before do
-          create(:ci_instance_variable, key: 'CI_DEBUG_TRACE', value: 'true')
-        end
-
-        it { is_expected.to eq false }
-      end
-    end
-
     context 'when CI_DEBUG_TRACE=true is in variables' do
       context 'when in instance variables' do
         before do

spec/requests/api/jobs_spec.rb

@@ -827,32 +827,6 @@ RSpec.describe API::Jobs do
           expect(response).to have_gitlab_http_status(expected_status)
         end
       end
-
-      context 'with restrict_access_to_build_debug_mode feature disabled' do
-        before do
-          stub_feature_flags(restrict_access_to_build_debug_mode: false)
-        end
-
-        where(:public_builds, :user_project_role, :expected_status) do
-          true         | 'developer'     | :ok
-          true         | 'guest'         | :ok
-          false        | 'developer'     | :ok
-          false        | 'guest'         | :forbidden
-        end
-
-        with_them do
-          before do
-            project.update!(public_builds: public_builds)
-            project.add_role(user, user_project_role)
-
-            get api("/projects/#{project.id}/jobs/#{job.id}/trace", api_user)
-          end
-
-          it 'renders trace to authorized users' do
-            expect(response).to have_gitlab_http_status(expected_status)
-          end
-        end
-      end
     end
   end