From b64bcbff21d33f21d1661db68e3c3f0ad334f430 Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Fri, 10 Feb 2023 10:04:58 -0500 Subject: [PATCH 1/4] Add inbound access control to projects Allow projects to control which projects are given access to themselves through a given projects job token. Users can now create a allowlist of projects that can access their project through a CI job. If the feature is disabled in the CI/CD settings UI then all projects can access your project. Changelog: added MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111694 --- .../ci/project_ci_cd_settings_update.rb | 4 +--- app/models/ci/job_token/scope.rb | 3 +-- app/models/project_ci_cd_setting.rb | 4 ---- .../ci/job_token_scope/add_project_service.rb | 2 -- .../development/ci_inbound_job_token_scope.yml | 8 -------- spec/models/ci/job_token/scope_spec.rb | 8 -------- spec/models/project_ci_cd_setting_spec.rb | 18 ++---------------- .../ci/project_ci_cd_settings_update_spec.rb | 15 --------------- 8 files changed, 4 insertions(+), 58 deletions(-) delete mode 100644 config/feature_flags/development/ci_inbound_job_token_scope.yml
diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb
index d214aa46cfc8aa..87a5a0558d2c96 100644
--- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb
+++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb
@@ -38,9 +38,7 @@ class ProjectCiCdSettingsUpdate < BaseMutation
 def resolve(full_path:, **args)
 project = authorized_find!(full_path)
-
- args.delete(:inbound_job_token_scope_enabled) unless Feature.enabled?(:ci_inbound_job_token_scope, project)
-
+
 settings = project.ci_cd_settings
 settings.update(args)
diff --git a/app/models/ci/job_token/scope.rb b/app/models/ci/job_token/scope.rb
index 20775077bd8bd0..f389c642fd8b83 100644
--- a/app/models/ci/job_token/scope.rb
+++ b/app/models/ci/job_token/scope.rb
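Review bot: `settings.update(args)` now persists `inbound_job_token_scope_enabled` for every project, where the removed `args.delete` line previously dropped it whenever the flag was off; the only guard left visible in the hunk is `authorized_find!(full_path)`, so it is worth confirming that the mutation's authorization matches what the CI/CD settings UI requires for the same toggle. Because turning this setting off makes the project reachable by any project's job token (see `inbound_accessible?` in scope.rb in this same patch), a short note at the update site would help future readers: `# Setting inbound_job_token_scope_enabled to false lets any project's job token reach this project (see Ci::JobToken::Scope#inbound_accessible?).` `resolve` continues past the end of the hunk.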
@@ -58,8 +58,7 @@ def outbound_accessible?(accessed_project)
 end
 def inbound_accessible?(accessed_project)
- # if the flag or setting is disabled any project is considered to be in scope.
- return true unless Feature.enabled?(:ci_inbound_job_token_scope, accessed_project)
+ # if the setting is disabled any project is considered to be in scope.
 return true unless accessed_project.ci_inbound_job_token_scope_enabled?
 inbound_linked_as_accessible?(accessed_project)
diff --git a/app/models/project_ci_cd_setting.rb b/app/models/project_ci_cd_setting.rb
index 8741a341ad3d10..cc9003423be687 100644
--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -20,10 +20,6 @@ class ProjectCiCdSetting < ApplicationRecord
 attribute :forward_deployment_enabled, default: true
 attribute :separated_caches, default: true
- default_value_for :inbound_job_token_scope_enabled do |settings|
- Feature.enabled?(:ci_inbound_job_token_scope, settings.project)
- end
-
 chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval
 def keep_latest_artifacts_available?
diff --git a/app/services/ci/job_token_scope/add_project_service.rb b/app/services/ci/job_token_scope/add_project_service.rb
index 15553ad6e925dd..4f745042f074e9 100644
--- a/app/services/ci/job_token_scope/add_project_service.rb
+++ b/app/services/ci/job_token_scope/add_project_service.rb
@@ -6,8 +6,6 @@ class AddProjectService < ::BaseService
 include EditScopeValidations
 def execute(target_project, direction: :outbound)
- direction = :outbound if Feature.disabled?(:ci_inbound_job_token_scope)
-
 validate_edit!(project, target_project, current_user)
 link = allowlist(direction)
diff --git a/config/feature_flags/development/ci_inbound_job_token_scope.yml b/config/feature_flags/development/ci_inbound_job_token_scope.yml
deleted file mode 100644
index a0e2e09dde583f..00000000000000
--- a/config/feature_flags/development/ci_inbound_job_token_scope.yml
+++ /dev/null
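Review bot: The rewritten comment on the `+` line still reads as if a disabled setting merely widens "scope", while the `return true` directly beneath it admits a job token from any project at all; stating the fail-open behaviour plainly helps anyone auditing this path later. Suggest `# Inbound scoping disabled: a job token from any project may access accessed_project; the allowlist below is only consulted when the setting is enabled.` The method's closing `end` lies outside the hunk.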
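Review bot: With the `default_value_for` block removed, nothing left in this model sets a default for `inbound_job_token_scope_enabled`; the value on new rows now rests entirely on the column default, which is not visible in this patch, while the spec change later in this series expects it to be enabled. Declaring it next to the neighbouring attributes, `attribute :inbound_job_token_scope_enabled, default: true`, makes the enforced-by-default behaviour explicit in the model. If the column default is already true this is redundant but harmless; if it is not, it is the difference between new projects being scoped and being open to every project's job token.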
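Review bot: After the flag line is dropped, `direction` flows straight from the keyword argument into `allowlist(direction)` with no check in this hunk that it is one of `:inbound` or `:outbound`; whether `allowlist` itself rejects other values cannot be seen here. If it does not, a guard before `validate_edit!` such as `raise ArgumentError, "unknown direction: #{direction}" unless %i[inbound outbound].include?(direction)` would fail loudly instead of silently touching the wrong list. `execute` continues past the end of the hunk.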
@@ -1,8 +0,0 @@
----
-name: ci_inbound_job_token_scope
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/99165
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/376063
-milestone: '15.5'
-type: development
-group: group::pipeline execution
-default_enabled: true
diff --git a/spec/models/ci/job_token/scope_spec.rb b/spec/models/ci/job_token/scope_spec.rb
index 9ae061a3702f4c..51f0f4878e7858 100644
--- a/spec/models/ci/job_token/scope_spec.rb
+++ b/spec/models/ci/job_token/scope_spec.rb
@@ -160,13 +160,5 @@
 include_examples 'enforces outbound scope only'
 end
-
- context 'when inbound scope flag disabled' do
- before do
- stub_feature_flags(ci_inbound_job_token_scope: false)
- end
-
- include_examples 'enforces outbound scope only'
- end
 end
 end
diff --git a/spec/models/project_ci_cd_setting_spec.rb b/spec/models/project_ci_cd_setting_spec.rb
index 2c490c33747137..0a818147bfc0b3 100644
--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -27,22 +27,8 @@
 end
 end
- describe '#set_default_for_inbound_job_token_scope_enabled' do
- context 'when feature flag ci_inbound_job_token_scope is enabled' do
- before do
- stub_feature_flags(ci_inbound_job_token_scope: true)
- end
-
- it { is_expected.to be_inbound_job_token_scope_enabled }
- end
-
- context 'when feature flag ci_inbound_job_token_scope is disabled' do
- before do
- stub_feature_flags(ci_inbound_job_token_scope: false)
- end
-
- it { is_expected.not_to be_inbound_job_token_scope_enabled }
- end
+ describe '#default_for_inbound_job_token_scope_enabled' do
+ it { is_expected.to be_inbound_job_token_scope_enabled }
 end
 describe '#default_git_depth' do
diff --git a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb
index 99e55c44773ce9..0951d165d46a11 100644
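Review bot: The new `describe '#default_for_inbound_job_token_scope_enabled'` names a method that nothing in this series defines — the `default_value_for` hook it replaces is removed from the model in this same patch and no method of that name appears anywhere here — so the label points readers at code that does not exist. Suggest `describe 'inbound_job_token_scope_enabled default' do`. The single example also only pins the default; a companion example that assigns `false` and reads it back would cover the path the GraphQL mutation now exposes unconditionally.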
--- a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb
+++ b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb
@@ -101,21 +101,6 @@
 expect(response).to have_gitlab_http_status(:success)
 expect(project.ci_inbound_job_token_scope_enabled).to eq(true)
 end
-
- context 'when ci_inbound_job_token_scope disabled' do
- before do
- stub_feature_flags(ci_inbound_job_token_scope: false)
- end
-
- it 'does not update inbound_job_token_scope_enabled' do
- post_graphql_mutation(mutation, current_user: user)
-
- project.reload
-
- expect(response).to have_gitlab_http_status(:success)
- expect(project.ci_inbound_job_token_scope_enabled).to eq(true)
- end
- end
 end
 it 'updates ci_opt_in_jwt' do
-- GitLab From 8e8e4b6fa78e329fe7476fe1fb795c361ff27a5d Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Fri, 10 Feb 2023 11:44:48 -0500 Subject: [PATCH 2/4] Fix rubocop violation --- app/graphql/mutations/ci/project_ci_cd_settings_update.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb
index 87a5a0558d2c96..fcba729d460161 100644
--- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb
+++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb
@@ -38,7 +38,7 @@ class ProjectCiCdSettingsUpdate < BaseMutation
 def resolve(full_path:, **args)
 project = authorized_find!(full_path)
-
+
 settings = project.ci_cd_settings
 settings.update(args)
-- GitLab From 8b8b82320dbd50637035ac2034bd70f54d561bf4 Mon Sep 17 00:00:00 2001 From: Payton Burdette Date: Mon, 13 Feb 2023 14:21:30 -0500 Subject: [PATCH 3/4] Remove ff from frontend --- .../token_access/components/token_access_app.vue | 9 +-------- .../projects/settings/ci_cd_controller.rb | 4 ---- .../frontend/token_access/token_access_app_spec.js | 14 ++------------ 3 files changed, 3 insertions(+), 24 deletions(-)
diff --git a/app/assets/javascripts/token_access/components/token_access_app.vue b/app/assets/javascripts/token_access/components/token_access_app.vue
index 59d5975773561c..089159ac87b763 100644
--- a/app/assets/javascripts/token_access/components/token_access_app.vue
+++ b/app/assets/javascripts/token_access/components/token_access_app.vue
@@ -1,5 +1,4 @@