From c46a7e5c1ddf32300186be3d7c7beef08db753cb Mon Sep 17 00:00:00 2001 From: Mireya Andres Date: Wed, 18 Jan 2023 16:09:54 +0800 Subject: [PATCH 1/2] Add GQL endpoint for toggling JWT access When `opt_in_jwt` is enabled, JWT must be manually declared in each job that needs it. Changelog: added --- .../mutations/ci/project_ci_cd_settings_update.rb | 4 ++++ app/graphql/types/ci/ci_cd_setting_type.rb | 5 +++++ doc/api/graphql/reference/index.md | 3 +++ spec/requests/api/graphql/ci/ci_cd_setting_spec.rb | 1 + .../ci/project_ci_cd_settings_update_spec.rb | 14 ++++++++++++-- 5 files changed, 25 insertions(+), 2 deletions(-) diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb index 934d62e92cf3d7..d214aa46cfc8aa 100644 --- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb +++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb @@ -27,6 +27,10 @@ class ProjectCiCdSettingsUpdate < BaseMutation description: 'Indicates CI/CD job tokens generated in other projects ' \ 'have restricted access to this project.' + argument :opt_in_jwt, GraphQL::Types::Boolean, + required: false, + description: 'When disabled, the JSON Web Token is always available in all jobs in the pipeline.' + field :ci_cd_settings, Types::Ci::CiCdSettingType, null: false, diff --git a/app/graphql/types/ci/ci_cd_setting_type.rb b/app/graphql/types/ci/ci_cd_setting_type.rb index 574791b79e6b7f..dd6647b749dc1b 100644 --- a/app/graphql/types/ci/ci_cd_setting_type.rb +++ b/app/graphql/types/ci/ci_cd_setting_type.rb 
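Review bot: The description on the new `opt_in_jwt` argument documents only the disabled state, so a schema reader cannot tell that `true` is the restrictive value and `false` makes the token available to every job. The commit message already has the missing half; I would write `description: 'When enabled, the JSON Web Token is only available in jobs that explicitly declare it. When disabled, it is always available in all jobs in the pipeline.'`. The same sentence is reused for the `opt_in_jwt` field in ci_cd_setting_type.rb and for the three `optInJwt` rows in doc/api/graphql/reference/index.md, so they should change together. The mutation's resolver and its authorization are outside this hunk, so who may flip the setting cannot be checked from here.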
@@ -30,6 +30,11 @@ class CiCdSettingType < BaseObject field :merge_trains_enabled, GraphQL::Types::Boolean, null: true, description: 'Whether merge trains are enabled.', method: :merge_trains_enabled? + field :opt_in_jwt, + GraphQL::Types::Boolean, + null: true, + description: 'When disabled, the JSON Web Token is always available in all jobs in the pipeline.', + method: :opt_in_jwt? field :project, Types::ProjectType, null: true, description: 'Project the CI/CD settings belong to.' end diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 4bd7702474f8dc..01096eeb04b85b 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -1148,6 +1148,7 @@ Input type: `CiCdSettingsUpdateInput` | `keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for the project. | | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. | +| `optInJwt` | [`Boolean`](#boolean) | When disabled, the JSON Web Token is always available in all jobs in the pipeline. | #### Fields @@ -4458,6 +4459,7 @@ Input type: `ProjectCiCdSettingsUpdateInput` | `keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for the project. | | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. | +| `optInJwt` | [`Boolean`](#boolean) | When disabled, the JSON Web Token is always available in all jobs in the pipeline. | #### Fields 
@@ -18702,6 +18704,7 @@ four standard [pagination arguments](#connection-pagination-arguments): | `keepLatestArtifact` | [`Boolean`](#boolean) | Whether to keep the latest builds artifacts. | | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Whether merge pipelines are enabled. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Whether merge trains are enabled. | +| `optInJwt` | [`Boolean`](#boolean) | When disabled, the JSON Web Token is always available in all jobs in the pipeline. | | `project` | [`Project`](#project) | Project the CI/CD settings belong to. | ### `ProjectMember` diff --git a/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb b/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb index 0437a30eccd95c..95cabfea2fc9d8 100644 --- a/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb +++ b/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb @@ -50,6 +50,7 @@ expect(settings_data['jobTokenScopeEnabled']).to eql project.ci_cd_settings.job_token_scope_enabled? expect(settings_data['inboundJobTokenScopeEnabled']).to eql( project.ci_cd_settings.inbound_job_token_scope_enabled?) + expect(settings_data['optInJwt']).to eql project.ci_cd_settings.opt_in_jwt? end end end diff --git a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb index 7a6ee7c2ecca48..578ad114e1224d 100644 --- a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb @@ -18,7 +18,8 @@ full_path: project.full_path, keep_latest_artifact: false, job_token_scope_enabled: false, - inbound_job_token_scope_enabled: false + inbound_job_token_scope_enabled: false, + opt_in_jwt: true } end 
@@ -52,7 +53,7 @@ let_it_be(:user) { project.first_owner } it 'updates ci cd settings' do - post_graphql_mutation(mutation, current_user: user) + post_graphql_mutation(mutativon, current_user: user) project.reload @@ -117,6 +118,15 @@ end end + it 'updates ci_opt_in_jwt' do + post_graphql_mutation(mutation, current_user: user) + + project.reload + + expect(response).to have_gitlab_http_status(:success) + expect(project.ci_opt_in_jwt).to eq(true) + end + context 'when bad arguments are provided' do let(:variables) { { full_path: '', keep_latest_artifact: false } } -- GitLab From efcb4500b615b9ef9a7bbccbb75a3ca24e66ed70 Mon Sep 17 00:00:00 2001 From: Marius Bobin Date: Wed, 18 Jan 2023 13:42:44 +0000 Subject: [PATCH 2/2] Fix typo in spec --- .../graphql/mutations/ci/project_ci_cd_settings_update_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb index 578ad114e1224d..99e55c44773ce9 100644 --- a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb @@ -53,7 +53,7 @@ let_it_be(:user) { project.first_owner } it 'updates ci cd settings' do - post_graphql_mutation(mutativon, current_user: user) + post_graphql_mutation(mutation, current_user: user) project.reload -- GitLab
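Review bot: The new example `updates ci_opt_in_jwt` checks only the end value, so it would still pass if the project already had `ci_opt_in_jwt` set to true before the mutation ran; the starting value is not visible in this hunk. Asserting the transition pins the behaviour: `expect { post_graphql_mutation(mutation, current_user: user) }.to change { project.reload.ci_opt_in_jwt }.to(true)`. Turning the setting off is the direction that makes the token available in every job again, so an example that sends `opt_in_jwt: false` and expects `false` would be worth adding alongside it. The enclosing context begins above the hunk.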