diff --git a/app/controllers/concerns/access_tokens_actions.rb b/app/controllers/concerns/access_tokens_actions.rb index de53fd4d835828de2b1abc4bb9201603739e51aa..84cbdda1581318f4cf37d6e1d9d19a1cc2523949 100644 --- a/app/controllers/concerns/access_tokens_actions.rb +++ b/app/controllers/concerns/access_tokens_actions.rb @@ -69,7 +69,6 @@ def set_index_vars resource.members.load @scopes = Gitlab::Auth.available_scopes_for(resource) - @scopes.delete(Gitlab::Auth::K8S_PROXY_SCOPE) unless Feature.enabled?(:k8s_proxy_pat, current_user) @active_access_tokens = active_access_tokens end # rubocop:enable Gitlab/ModuleWithInstanceVariables diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb index 0e4d9f3c1544a0ce401010ee80ae7318cee50de3..4b6e2f768fadbf8de2a1332c893803c3330daed3 100644 --- a/app/controllers/profiles/personal_access_tokens_controller.rb +++ b/app/controllers/profiles/personal_access_tokens_controller.rb @@ -61,7 +61,6 @@ def personal_access_token_params def set_index_vars @scopes = Gitlab::Auth.available_scopes_for(current_user) - @scopes.delete(Gitlab::Auth::K8S_PROXY_SCOPE) unless Feature.enabled?(:k8s_proxy_pat, current_user) @active_access_tokens = active_access_tokens end diff --git a/config/feature_flags/development/k8s_proxy_pat.yml b/config/feature_flags/development/k8s_proxy_pat.yml deleted file mode 100644 index ef9101b93545f8ff3485283234879141417b5e81..0000000000000000000000000000000000000000 --- a/config/feature_flags/development/k8s_proxy_pat.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: k8s_proxy_pat -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129661 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/422961 -milestone: '16.4' -type: development -group: group::environments -default_enabled: true 
diff --git a/doc/integration/oauth_provider.md b/doc/integration/oauth_provider.md index af525cc8770e32c9cfafb9696d23a873b01cfe65..a7320b282bb05b9e32073965487ebbdb3fa2cdb1 100644 --- a/doc/integration/oauth_provider.md +++ b/doc/integration/oauth_provider.md @@ -85,7 +85,8 @@ The user authorization step is automatically skipped for this application. ## View all authorized applications -> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. To see all the application you've authorized with your GitLab credentials: diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md index 795967e9f9174c4a34f9811b7c528b63e3032ad3..4b8de7d3dec4148c23d7e8d9325287e79ab027cb 100644 --- a/doc/user/group/settings/group_access_tokens.md +++ b/doc/user/group/settings/group_access_tokens.md @@ -138,7 +138,8 @@ token.revoke! ## Scopes for a group access token -> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. The scope determines the actions you can perform when you authenticate with a group access token. 
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md index c3361040a005bdc4cfd8c50a1c8fca2118bf3473..64b2387a9c9fde5202a186a92b5e939c5b5f96e2 100644 --- a/doc/user/profile/personal_access_tokens.md +++ b/doc/user/profile/personal_access_tokens.md @@ -106,6 +106,7 @@ To view the last time a token was used: > - Personal access tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0. > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. A personal access token can perform actions based on the assigned scopes. diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md index 29d573285323a90c0c3a2c7cd1fe330de3dffafa..91251349467b43ed66a1efe49feab4b2a1aa2137 100644 --- a/doc/user/project/settings/project_access_tokens.md +++ b/doc/user/project/settings/project_access_tokens.md @@ -79,7 +79,8 @@ To revoke a project access token: ## Scopes for a project access token -> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. +> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. The scope determines the actions you can perform when you authenticate with a project access token. 
diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb index a88c8b69b813af250e9ee5394a207c350d6632c0..b8a2fde4e36da008e2a79e499c8e829d21ae595d 100644 --- a/lib/api/internal/kubernetes.rb +++ b/lib/api/internal/kubernetes.rb @@ -97,9 +97,7 @@ class Kubernetes < ::API::Base user = if params[:access_type] == 'session_cookie' retrieve_user_from_session_cookie elsif params[:access_type] == 'personal_access_token' - u = retrieve_user_from_personal_access_token - bad_request!('PAT authentication is not enabled') unless Feature.enabled?(:k8s_proxy_pat, u) - u + retrieve_user_from_personal_access_token end bad_request!('Unable to get user from request data') if user.nil? diff --git a/spec/controllers/profiles/personal_access_tokens_controller_spec.rb b/spec/controllers/profiles/personal_access_tokens_controller_spec.rb index 14f3f5c23cda131a06e24229708e621255c5c778..9c9a9a28879567e1aaf931f3b733f6f90209dd20 100644 --- a/spec/controllers/profiles/personal_access_tokens_controller_spec.rb +++ b/spec/controllers/profiles/personal_access_tokens_controller_spec.rb 
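Review bot: With the `Feature.enabled?(:k8s_proxy_pat, u)` guard removed from the `personal_access_token` branch in lib/api/internal/kubernetes.rb, `retrieve_user_from_personal_access_token` is the only check left in this branch, and its body is not visible in this hunk. Presumably it rejects revoked or expired tokens and tokens without the `k8s_proxy` scope; please confirm that and record it at the call site, e.g. `# PAT must be active and carry the k8s_proxy scope; enforced in retrieve_user_from_personal_access_token`. If spec/requests/api/internal/kubernetes_spec.rb does not already have one, add a request spec that sends an otherwise valid PAT lacking the `k8s_proxy` scope and expects rejection, so the scope check stays pinned now that the flag can no longer act as a kill switch. The enclosing route block starts and ends outside the hunk.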
@@ -109,53 +109,5 @@ def created_token it 'sets available scopes' do expect(assigns(:scopes)).to eq(Gitlab::Auth.available_scopes_for(access_token_user)) end - - context 'with feature flag k8s_proxy_pat disabled' do - before do - stub_feature_flags(k8s_proxy_pat: false) - # Impersonation and inactive personal tokens are ignored - create(:personal_access_token, :impersonation, user: access_token_user) - create(:personal_access_token, :revoked, user: access_token_user) - get :index - end - - it "only includes details of active personal access tokens" do - active_personal_access_tokens_detail = - ::PersonalAccessTokenSerializer.new.represent([active_personal_access_token]) - - expect(assigns(:active_access_tokens).to_json).to eq(active_personal_access_tokens_detail.to_json) - end - - it "builds a PAT with name and scopes from params" do - name = 'My PAT' - scopes = 'api,read_user' - - get :index, params: { name: name, scopes: scopes } - - expect(assigns(:personal_access_token)).to have_attributes( - name: eq(name), - scopes: contain_exactly(:api, :read_user) - ) - end - - it 'returns 404 when personal access tokens are disabled' do - allow(::Gitlab::CurrentSettings).to receive_messages(personal_access_tokens_disabled?: true) - - get :index - - expect(response).to have_gitlab_http_status(:not_found) - end - - it 'returns tokens for json format' do - get :index, params: { format: :json } - - expect(json_response.count).to eq(1) - end - - it 'sets available scopes' do - expect(assigns(:scopes)) - .to eq(Gitlab::Auth.available_scopes_for(access_token_user) - [Gitlab::Auth::K8S_PROXY_SCOPE]) - end - end end end diff --git a/spec/requests/api/internal/kubernetes_spec.rb b/spec/requests/api/internal/kubernetes_spec.rb index 1e8397773be73df2ce2309d8102ba25c7fc003d6..551ed0babf18952efd3ab506e9ac3006dd4c9321 100644 --- a/spec/requests/api/internal/kubernetes_spec.rb +++ b/spec/requests/api/internal/kubernetes_spec.rb 
@@ -507,15 +507,6 @@ def new_token expect(response).to have_gitlab_http_status(:success) end - it 'returns 400 when the feature flag is disabled' do - deployment_project.add_member(user, :developer) - stub_feature_flags(k8s_proxy_pat: false) - - send_request(params: { agent_id: agent.id, access_type: 'personal_access_token', access_key: personal_access_token.token }) - - expect(response).to have_gitlab_http_status(:bad_request) - end - it 'returns 403 when user has no access' do send_request(params: { agent_id: agent.id, access_type: 'personal_access_token', access_key: personal_access_token.token }) diff --git a/spec/requests/groups/settings/access_tokens_controller_spec.rb b/spec/requests/groups/settings/access_tokens_controller_spec.rb index 8d386d8c1b747efe3b103b17cc1c010ba164b028..a09feeea7865de6f15dc22a37f0bc6e034b50266 100644 --- a/spec/requests/groups/settings/access_tokens_controller_spec.rb +++ b/spec/requests/groups/settings/access_tokens_controller_spec.rb @@ -116,23 +116,5 @@ it 'sets available scopes' do expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE) end - - context 'with feature flag k8s_proxy_pat disabled' do - before do - stub_feature_flags(k8s_proxy_pat: false) - get group_settings_access_tokens_path(resource) - end - - it 'includes details of the active group access tokens' do - active_access_tokens = - ::GroupAccessTokenSerializer.new.represent(resource_access_tokens.reverse, group: resource) - - expect(assigns(:active_access_tokens).to_json).to eq(active_access_tokens.to_json) - end - - it 'sets available scopes' do - expect(assigns(:scopes)).not_to include(Gitlab::Auth::K8S_PROXY_SCOPE) - end - end end end diff --git a/spec/requests/projects/settings/access_tokens_controller_spec.rb b/spec/requests/projects/settings/access_tokens_controller_spec.rb index b4cfa964ac8e03f341a74693e3da66df93a9f2df..8e0d3fed3d353ce074789baabcbeef72d736234d 100644 --- a/spec/requests/projects/settings/access_tokens_controller_spec.rb 
+++ b/spec/requests/projects/settings/access_tokens_controller_spec.rb @@ -117,23 +117,5 @@ it 'sets available scopes' do expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE) end - - context 'with feature flag k8s_proxy_pat disabled' do - before do - stub_feature_flags(k8s_proxy_pat: false) - get project_settings_access_tokens_path(resource) - end - - it 'includes details of the active project access tokens' do - active_access_tokens = - ::ProjectAccessTokenSerializer.new.represent(resource_access_tokens.reverse, project: resource) - - expect(assigns(:active_access_tokens).to_json).to eq(active_access_tokens.to_json) - end - - it 'sets available scopes' do - expect(assigns(:scopes)).not_to include(Gitlab::Auth::K8S_PROXY_SCOPE) - end - end end end