From 941cf2109aaf8fef8da20e975512e82222899b69 Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Thu, 13 Oct 2022 16:47:26 -0400 Subject: [PATCH] Rename to reflect outbound scope Rename ci_job_token_scope_enabled to ci_outbound_job_token_scope_enabled --- app/models/ci/job_token/scope.rb | 2 +- app/models/project.rb | 4 ++-- ee/spec/models/project_spec.rb | 24 ++++++++++++++++++- lib/api/entities/ci/job_basic.rb | 2 +- lib/api/entities/project.rb | 2 +- spec/factories/projects.rb | 4 ++-- .../ci/job_token_scope/add_project_spec.rb | 2 +- .../ci/job_token_scope/remove_project_spec.rb | 2 +- .../ci/job_token_scope_resolver_spec.rb | 6 ++--- .../types/ci/job_token_scope_type_spec.rb | 2 +- spec/models/ci/job_token/scope_spec.rb | 4 ++-- spec/models/project_spec.rb | 24 ++++++++++++++++--- spec/policies/project_policy_spec.rb | 2 +- .../ci/job_token_scope/add_project_spec.rb | 2 +- .../ci/job_token_scope/remove_project_spec.rb | 2 +- .../ci/project_ci_cd_settings_update_spec.rb | 6 ++--- .../add_project_service_spec.rb | 2 +- .../remove_project_service_spec.rb | 2 +- .../project_ci_cd_settings_shared_examples.rb | 10 ++++---- 19 files changed, 72 insertions(+), 32 deletions(-) diff --git a/app/models/ci/job_token/scope.rb b/app/models/ci/job_token/scope.rb index 26a49d6a7301e9..1aa49b95201aa6 100644 --- a/app/models/ci/job_token/scope.rb +++ b/app/models/ci/job_token/scope.rb @@ -23,7 +23,7 @@ def initialize(project) def includes?(target_project) # if the setting is disabled any project is considered to be in scope. - return true unless source_project.ci_job_token_scope_enabled? + return true unless source_project.ci_outbound_job_token_scope_enabled? target_project.id == source_project.id || Ci::JobToken::ProjectScopeLink.from_project(source_project).to_project(target_project).exists? diff --git a/app/models/project.rb b/app/models/project.rb index 5bface252f1bb8..d15cf9b8041100 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -476,7 +476,7 @@ def self.integration_association_name(name) delegate :dashboard_timezone, to: :metrics_setting, allow_nil: true, prefix: true delegate :default_git_depth, :default_git_depth=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :forward_deployment_enabled, :forward_deployment_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true - delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true + delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci_outbound, allow_nil: true delegate :inbound_job_token_scope_enabled, :inbound_job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true delegate :opt_in_jwt, :opt_in_jwt=, to: :ci_cd_settings, prefix: :ci, allow_nil: true @@ -2894,7 +2894,7 @@ def ci_allow_fork_pipelines_to_run_in_parent_project? ci_cd_settings.allow_fork_pipelines_to_run_in_parent_project? end - def ci_job_token_scope_enabled? + def ci_outbound_job_token_scope_enabled? return false unless ci_cd_settings ci_cd_settings.job_token_scope_enabled? diff --git a/ee/spec/models/project_spec.rb b/ee/spec/models/project_spec.rb index 881240a7e149b9..c73edc59aeb4a4 100644 --- a/ee/spec/models/project_spec.rb +++ b/ee/spec/models/project_spec.rb @@ -63,7 +63,29 @@ it { is_expected.to have_many(:security_scans) } it { is_expected.to have_many(:security_trainings) } - include_examples 'ci_cd_settings delegation' + include_examples 'ci_cd_settings delegation' do + let(:attributes_with_prefix) do + { + 'group_runners_enabled' => '', + 'default_git_depth' => 'ci_', + 'forward_deployment_enabled' => 'ci_', + 'keep_latest_artifact' => '', + 'restrict_user_defined_variables' => '', + 'runner_token_expiration_interval' => '', + 'separated_caches' => 'ci_', + 'opt_in_jwt' => 'ci_', + 'allow_fork_pipelines_to_run_in_parent_project' => 'ci_', + 'inbound_job_token_scope_enabled' => 'ci_', + 'job_token_scope_enabled' => 'ci_outbound_', + # EE only + 'auto_rollback_enabled' => '', + 'merge_pipelines_enabled' => '', + 'merge_trains_enabled' => '' + } + end + + let(:exclude_attributes) { [] } + end describe '#merge_pipelines_enabled?' do it_behaves_like 'a ci_cd_settings predicate method' do diff --git a/lib/api/entities/ci/job_basic.rb b/lib/api/entities/ci/job_basic.rb index 3d9318ec428cbd..fb975475cf546e 100644 --- a/lib/api/entities/ci/job_basic.rb +++ b/lib/api/entities/ci/job_basic.rb @@ -21,7 +21,7 @@ class JobBasic < Grape::Entity expose :project do expose :ci_job_token_scope_enabled do |job| - job.project.ci_job_token_scope_enabled? + job.project.ci_outbound_job_token_scope_enabled? end end end diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb index b3907397fbb9fc..f158695f605c3b 100644 --- a/lib/api/entities/project.rb +++ b/lib/api/entities/project.rb @@ -104,7 +104,7 @@ class Project < BasicProjectDetails expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] } expose :ci_default_git_depth expose :ci_forward_deployment_enabled - expose :ci_job_token_scope_enabled + expose(:ci_job_token_scope_enabled) { |p, _| p.ci_outbound_job_token_scope_enabled? } expose :ci_separated_caches expose :ci_opt_in_jwt expose :ci_allow_fork_pipelines_to_run_in_parent_project diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb index 1e14b3088db618..b62995dce428b9 100644 --- a/spec/factories/projects.rb +++ b/spec/factories/projects.rb @@ -54,7 +54,7 @@ import_last_error { nil } forward_deployment_enabled { nil } restrict_user_defined_variables { nil } - ci_job_token_scope_enabled { nil } + ci_outbound_job_token_scope_enabled { nil } ci_inbound_job_token_scope_enabled { nil } runner_token_expiration_interval { nil } runner_token_expiration_interval_human_readable { nil } @@ -113,7 +113,7 @@ project.merge_trains_enabled = evaluator.merge_trains_enabled unless evaluator.merge_trains_enabled.nil? project.keep_latest_artifact = evaluator.keep_latest_artifact unless evaluator.keep_latest_artifact.nil? project.restrict_user_defined_variables = evaluator.restrict_user_defined_variables unless evaluator.restrict_user_defined_variables.nil? - project.ci_job_token_scope_enabled = evaluator.ci_job_token_scope_enabled unless evaluator.ci_job_token_scope_enabled.nil? + project.ci_outbound_job_token_scope_enabled = evaluator.ci_outbound_job_token_scope_enabled unless evaluator.ci_outbound_job_token_scope_enabled.nil? project.ci_inbound_job_token_scope_enabled = evaluator.ci_inbound_job_token_scope_enabled unless evaluator.ci_inbound_job_token_scope_enabled.nil? project.runner_token_expiration_interval = evaluator.runner_token_expiration_interval unless evaluator.runner_token_expiration_interval.nil? project.runner_token_expiration_interval_human_readable = evaluator.runner_token_expiration_interval_human_readable unless evaluator.runner_token_expiration_interval_human_readable.nil? diff --git a/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb index 412be5f16a40e1..727db7e23611b7 100644 --- a/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb +++ b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb @@ -8,7 +8,7 @@ describe '#resolve' do let_it_be(:project) do - create(:project, ci_job_token_scope_enabled: true).tap(&:save!) + create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) end let_it_be(:target_project) { create(:project) } diff --git a/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb b/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb index 0e706ea6e0c5c9..d399e73f394635 100644 --- a/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb +++ b/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb @@ -7,7 +7,7 @@ end describe '#resolve' do - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let_it_be(:target_project) { create(:project) } let_it_be(:link) do diff --git a/spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb b/spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb index 1bfd6fbf6b9e29..59ece15b745cb1 100644 --- a/spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb +++ b/spec/graphql/resolvers/ci/job_token_scope_resolver_spec.rb @@ -6,7 +6,7 @@ include GraphqlHelpers let_it_be(:current_user) { create(:user) } - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } specify do expect(described_class).to have_nullable_graphql_type(::Types::Ci::JobTokenScopeType) @@ -21,7 +21,7 @@ end it 'returns the same project in the allow list of projects for the Ci Job Token when scope is not enabled' do - allow(project).to receive(:ci_job_token_scope_enabled?).and_return(false) + allow(project).to receive(:ci_outbound_job_token_scope_enabled?).and_return(false) expect(resolve_scope.all_projects).to contain_exactly(project) end @@ -40,7 +40,7 @@ context 'when job token scope is disabled' do before do - project.update!(ci_job_token_scope_enabled: false) + project.update!(ci_outbound_job_token_scope_enabled: false) end it 'resolves projects' do diff --git a/spec/graphql/types/ci/job_token_scope_type_spec.rb b/spec/graphql/types/ci/job_token_scope_type_spec.rb index 18f4d762d1e711..569b59d6c7090b 100644 --- a/spec/graphql/types/ci/job_token_scope_type_spec.rb +++ b/spec/graphql/types/ci/job_token_scope_type_spec.rb @@ -12,7 +12,7 @@ end describe 'query' do - let(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let_it_be(:current_user) { create(:user) } let(:query) do diff --git a/spec/models/ci/job_token/scope_spec.rb b/spec/models/ci/job_token/scope_spec.rb index 4b95adf8476e0f..1e3f6d044d2690 100644 --- a/spec/models/ci/job_token/scope_spec.rb +++ b/spec/models/ci/job_token/scope_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' RSpec.describe Ci::JobToken::Scope do - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let(:scope) { described_class.new(project) } @@ -53,7 +53,7 @@ context 'when project scope setting is disabled' do before do - project.ci_job_token_scope_enabled = false + project.ci_outbound_job_token_scope_enabled = false end it 'considers any project to be part of the scope' do diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 767cda952b0267..d983730e702a64 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -845,6 +845,8 @@ end describe 'delegation' do + let_it_be(:project) { create(:project) } + [:add_guest, :add_reporter, :add_developer, :add_maintainer, :add_member, :add_members].each do |method| it { is_expected.to delegate_method(method).to(:team) } end @@ -887,8 +889,24 @@ end include_examples 'ci_cd_settings delegation' do - # Skip attributes defined in EE code + let(:attributes_with_prefix) do + { + 'group_runners_enabled' => '', + 'default_git_depth' => 'ci_', + 'forward_deployment_enabled' => 'ci_', + 'keep_latest_artifact' => '', + 'restrict_user_defined_variables' => '', + 'runner_token_expiration_interval' => '', + 'separated_caches' => 'ci_', + 'opt_in_jwt' => 'ci_', + 'allow_fork_pipelines_to_run_in_parent_project' => 'ci_', + 'inbound_job_token_scope_enabled' => 'ci_', + 'job_token_scope_enabled' => 'ci_outbound_' + } + end + let(:exclude_attributes) do + # Skip attributes defined in EE code %w( merge_pipelines_enabled merge_trains_enabled @@ -909,8 +927,8 @@ end end - describe '#ci_job_token_scope_enabled?' do - it_behaves_like 'a ci_cd_settings predicate method', prefix: 'ci_' do + describe '#ci_outbound_job_token_scope_enabled?' do + it_behaves_like 'a ci_cd_settings predicate method', prefix: 'ci_outbound_' do let(:delegated_method) { :job_token_scope_enabled? } end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 49709d47645475..e94fc4debee3fd 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -2437,7 +2437,7 @@ def set_access_level(access_level) before do current_user.set_ci_job_token_scope!(job) current_user.external = external_user - scope_project.update!(ci_job_token_scope_enabled: token_scope_enabled) + scope_project.update!(ci_outbound_job_token_scope_enabled: token_scope_enabled) end it "enforces the expected permissions" do diff --git a/spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb b/spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb index 5269c60b50a389..b2f84ab2869110 100644 --- a/spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/job_token_scope/add_project_spec.rb @@ -5,7 +5,7 @@ RSpec.describe 'CiJobTokenScopeAddProject' do include GraphqlHelpers - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let_it_be(:target_project) { create(:project) } let(:variables) do diff --git a/spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb b/spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb index b62291d1ebdf89..2b0adf89f404ba 100644 --- a/spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/job_token_scope/remove_project_spec.rb @@ -5,7 +5,7 @@ RSpec.describe 'CiJobTokenScopeRemoveProject' do include GraphqlHelpers - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let_it_be(:target_project) { create(:project) } let_it_be(:link) do diff --git a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb index 6cca618726bd4a..c808cf5ede95de 100644 --- a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb @@ -8,7 +8,7 @@ let_it_be(:project) do create(:project, keep_latest_artifact: true, - ci_job_token_scope_enabled: true, + ci_outbound_job_token_scope_enabled: true, ci_inbound_job_token_scope_enabled: true ).tap(&:save!) end @@ -66,7 +66,7 @@ project.reload expect(response).to have_gitlab_http_status(:success) - expect(project.ci_job_token_scope_enabled).to eq(false) + expect(project.ci_outbound_job_token_scope_enabled).to eq(false) end it 'does not update job_token_scope_enabled if not specified' do @@ -77,7 +77,7 @@ project.reload expect(response).to have_gitlab_http_status(:success) - expect(project.ci_job_token_scope_enabled).to eq(true) + expect(project.ci_outbound_job_token_scope_enabled).to eq(true) end describe 'inbound_job_token_scope_enabled' do diff --git a/spec/services/ci/job_token_scope/add_project_service_spec.rb b/spec/services/ci/job_token_scope/add_project_service_spec.rb index bb6df4268dd112..bf7df3a5595fe2 100644 --- a/spec/services/ci/job_token_scope/add_project_service_spec.rb +++ b/spec/services/ci/job_token_scope/add_project_service_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Ci::JobTokenScope::AddProjectService do let(:service) { described_class.new(project, current_user) } - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let_it_be(:target_project) { create(:project) } let_it_be(:current_user) { create(:user) } diff --git a/spec/services/ci/job_token_scope/remove_project_service_spec.rb b/spec/services/ci/job_token_scope/remove_project_service_spec.rb index 155e60ac48e9dc..c3f9081cbd893f 100644 --- a/spec/services/ci/job_token_scope/remove_project_service_spec.rb +++ b/spec/services/ci/job_token_scope/remove_project_service_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Ci::JobTokenScope::RemoveProjectService do let(:service) { described_class.new(project, current_user) } - let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } let_it_be(:target_project) { create(:project) } let_it_be(:current_user) { create(:user) } diff --git a/spec/support/shared_examples/models/project_ci_cd_settings_shared_examples.rb b/spec/support/shared_examples/models/project_ci_cd_settings_shared_examples.rb index c92e819db19095..3caf58da4d2925 100644 --- a/spec/support/shared_examples/models/project_ci_cd_settings_shared_examples.rb +++ b/spec/support/shared_examples/models/project_ci_cd_settings_shared_examples.rb @@ -5,12 +5,14 @@ context 'when ci_cd_settings is destroyed but project is not' do it 'allows methods delegated to ci_cd_settings to be nil', :aggregate_failures do - project = create(:project) attributes = project.ci_cd_settings.attributes.keys - %w(id project_id) - exclude_attributes + + expect(attributes).to match_array(attributes_with_prefix.keys) + project.ci_cd_settings.destroy! project.reload - attributes.each do |attr| - method = project.respond_to?("ci_#{attr}") ? "ci_#{attr}" : attr + attributes_with_prefix.each do |attr, prefix| + method = "#{prefix}#{attr}" expect(project.send(method)).to be_nil, "#{attr} was not nil" end end @@ -20,8 +22,6 @@ RSpec.shared_examples 'a ci_cd_settings predicate method' do |prefix: ''| using RSpec::Parameterized::TableSyntax - let_it_be(:project) { create(:project) } - context 'when ci_cd_settings is nil' do before do allow(project).to receive(:ci_cd_settings).and_return(nil) -- GitLab