From 25038187c8d58d3da2350201cd385abf7b64257b Mon Sep 17 00:00:00 2001
From: Timo Furrer
Date: Tue, 12 Sep 2023 14:16:43 +0200
Subject: [PATCH 1/3] Remove k8s_proxy_pat FF
Remove the `k8s_proxy_pat` feature flag. This FF has been introduced in 16.4 and the `k8s_proxy` PAT scope has been deemed stable.
Changelog: removed
---
 .../concerns/access_tokens_actions.rb | 1 -
 .../personal_access_tokens_controller.rb | 1 -
 .../development/k8s_proxy_pat.yml | 8 ----
 lib/api/internal/kubernetes.rb | 4 +-
 .../personal_access_tokens_controller_spec.rb | 48 -------------------
 spec/requests/api/internal/kubernetes_spec.rb | 9 ----
 .../settings/access_tokens_controller_spec.rb | 18 -------
 .../settings/access_tokens_controller_spec.rb | 18 -------
 8 files changed, 1 insertion(+), 106 deletions(-)
 delete mode 100644 config/feature_flags/development/k8s_proxy_pat.yml
diff --git a/app/controllers/concerns/access_tokens_actions.rb b/app/controllers/concerns/access_tokens_actions.rb
index de53fd4d835828..84cbdda1581318 100644
--- a/app/controllers/concerns/access_tokens_actions.rb
+++ b/app/controllers/concerns/access_tokens_actions.rb
@@ -69,7 +69,6 @@ def set_index_vars
 resource.members.load
 @scopes = Gitlab::Auth.available_scopes_for(resource)
- @scopes.delete(Gitlab::Auth::K8S_PROXY_SCOPE) unless Feature.enabled?(:k8s_proxy_pat, current_user)
 @active_access_tokens = active_access_tokens
 end
 # rubocop:enable Gitlab/ModuleWithInstanceVariables
diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index 0e4d9f3c1544a0..4b6e2f768fadbf 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -61,7 +61,6 @@ def personal_access_token_params
 def set_index_vars
 @scopes = Gitlab::Auth.available_scopes_for(current_user)
- @scopes.delete(Gitlab::Auth::K8S_PROXY_SCOPE) unless Feature.enabled?(:k8s_proxy_pat, current_user)
 @active_access_tokens = active_access_tokens
 end
diff --git a/config/feature_flags/development/k8s_proxy_pat.yml b/config/feature_flags/development/k8s_proxy_pat.yml
deleted file mode 100644
index ef9101b93545f8..00000000000000
--- a/config/feature_flags/development/k8s_proxy_pat.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: k8s_proxy_pat
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129661
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/422961
-milestone: '16.4'
-type: development
-group: group::environments
-default_enabled: true
diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb
index a88c8b69b813af..b8a2fde4e36da0 100644
--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -97,9 +97,7 @@ class Kubernetes < ::API::Base
 user = if params[:access_type] == 'session_cookie'
 retrieve_user_from_session_cookie
 elsif params[:access_type] == 'personal_access_token'
- u = retrieve_user_from_personal_access_token
- bad_request!('PAT authentication is not enabled') unless Feature.enabled?(:k8s_proxy_pat, u)
- u
+ retrieve_user_from_personal_access_token
 end
 bad_request!('Unable to get user from request data') if user.nil?
diff --git a/spec/controllers/profiles/personal_access_tokens_controller_spec.rb b/spec/controllers/profiles/personal_access_tokens_controller_spec.rb
index 14f3f5c23cda13..9c9a9a28879567 100644
--- a/spec/controllers/profiles/personal_access_tokens_controller_spec.rb
+++ b/spec/controllers/profiles/personal_access_tokens_controller_spec.rb
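Review bot: In lib/api/internal/kubernetes.rb the `personal_access_token` branch now hands back whatever `retrieve_user_from_personal_access_token` returns with no further gate, so that helper is the only control on PAT access through the agent proxy, and the hunk does not show whether it rejects tokens lacking the `k8s_proxy` scope. The helper is defined outside the hunk and presumably does this already; a call-site comment such as `# sole gate for PAT access: helper must reject tokens without the k8s_proxy scope` would record the dependency, and the request spec should keep a case for a valid PAT that lacks that scope. An unrecognised `access_type` still falls through both branches to `nil` and is reported with the generic 'Unable to get user from request data' message, so a `case params[:access_type]` with an explicit `else` would make that path easier to tell apart in logs. The enclosing block starts and ends outside the hunk.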
@@ -109,53 +109,5 @@ def created_token
 it 'sets available scopes' do
 expect(assigns(:scopes)).to eq(Gitlab::Auth.available_scopes_for(access_token_user))
 end
-
- context 'with feature flag k8s_proxy_pat disabled' do
- before do
- stub_feature_flags(k8s_proxy_pat: false)
- # Impersonation and inactive personal tokens are ignored
- create(:personal_access_token, :impersonation, user: access_token_user)
- create(:personal_access_token, :revoked, user: access_token_user)
- get :index
- end
-
- it "only includes details of active personal access tokens" do
- active_personal_access_tokens_detail =
- ::PersonalAccessTokenSerializer.new.represent([active_personal_access_token])
-
- expect(assigns(:active_access_tokens).to_json).to eq(active_personal_access_tokens_detail.to_json)
- end
-
- it "builds a PAT with name and scopes from params" do
- name = 'My PAT'
- scopes = 'api,read_user'
-
- get :index, params: { name: name, scopes: scopes }
-
- expect(assigns(:personal_access_token)).to have_attributes(
- name: eq(name),
- scopes: contain_exactly(:api, :read_user)
- )
- end
-
- it 'returns 404 when personal access tokens are disabled' do
- allow(::Gitlab::CurrentSettings).to receive_messages(personal_access_tokens_disabled?: true)
-
- get :index
-
- expect(response).to have_gitlab_http_status(:not_found)
- end
-
- it 'returns tokens for json format' do
- get :index, params: { format: :json }
-
- expect(json_response.count).to eq(1)
- end
-
- it 'sets available scopes' do
- expect(assigns(:scopes))
- .to eq(Gitlab::Auth.available_scopes_for(access_token_user) - [Gitlab::Auth::K8S_PROXY_SCOPE])
- end
- end
 end
 end
diff --git a/spec/requests/api/internal/kubernetes_spec.rb b/spec/requests/api/internal/kubernetes_spec.rb
index 1e8397773be73d..551ed0babf1895 100644
--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -507,15 +507,6 @@ def new_token
 expect(response).to have_gitlab_http_status(:success)
 end
- it 'returns 400 when the feature flag is disabled' do
- deployment_project.add_member(user, :developer)
- stub_feature_flags(k8s_proxy_pat: false)
-
- send_request(params: { agent_id: agent.id, access_type: 'personal_access_token', access_key: personal_access_token.token })
-
- expect(response).to have_gitlab_http_status(:bad_request)
- end
-
 it 'returns 403 when user has no access' do
 send_request(params: { agent_id: agent.id, access_type: 'personal_access_token', access_key: personal_access_token.token })
diff --git a/spec/requests/groups/settings/access_tokens_controller_spec.rb b/spec/requests/groups/settings/access_tokens_controller_spec.rb
index 8d386d8c1b747e..a09feeea7865de 100644
--- a/spec/requests/groups/settings/access_tokens_controller_spec.rb
+++ b/spec/requests/groups/settings/access_tokens_controller_spec.rb
@@ -116,23 +116,5 @@
 it 'sets available scopes' do
 expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE)
 end
-
- context 'with feature flag k8s_proxy_pat disabled' do
- before do
- stub_feature_flags(k8s_proxy_pat: false)
- get group_settings_access_tokens_path(resource)
- end
-
- it 'includes details of the active group access tokens' do
- active_access_tokens =
- ::GroupAccessTokenSerializer.new.represent(resource_access_tokens.reverse, group: resource)
-
- expect(assigns(:active_access_tokens).to_json).to eq(active_access_tokens.to_json)
- end
-
- it 'sets available scopes' do
- expect(assigns(:scopes)).not_to include(Gitlab::Auth::K8S_PROXY_SCOPE)
- end
- end
 end
 end
diff --git a/spec/requests/projects/settings/access_tokens_controller_spec.rb b/spec/requests/projects/settings/access_tokens_controller_spec.rb
index b4cfa964ac8e03..8e0d3fed3d353c 100644
--- a/spec/requests/projects/settings/access_tokens_controller_spec.rb
+++ b/spec/requests/projects/settings/access_tokens_controller_spec.rb
@@ -117,23 +117,5 @@
 it 'sets available scopes' do
 expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE)
 end
-
- context 'with feature flag k8s_proxy_pat disabled' do
- before do
- stub_feature_flags(k8s_proxy_pat: false)
- get project_settings_access_tokens_path(resource)
- end
-
- it 'includes details of the active project access tokens' do
- active_access_tokens =
- ::ProjectAccessTokenSerializer.new.represent(resource_access_tokens.reverse, project: resource)
-
- expect(assigns(:active_access_tokens).to_json).to eq(active_access_tokens.to_json)
- end
-
- it 'sets available scopes' do
- expect(assigns(:scopes)).not_to include(Gitlab::Auth::K8S_PROXY_SCOPE)
- end
- end
 end
 end
--
GitLab
From fa93f501ca8de7871a74bdd64007233331948995 Mon Sep 17 00:00:00 2001
From: phillipwells
Date: Mon, 2 Oct 2023 13:56:56 -0600
Subject: [PATCH 2/3] Update FF documentation
---
 doc/integration/oauth_provider.md | 4 +++-
 doc/user/group/settings/group_access_tokens.md | 4 +++-
 doc/user/profile/personal_access_tokens.md | 1 +
 doc/user/project/settings/project_access_tokens.md | 3 ++-
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/doc/integration/oauth_provider.md b/doc/integration/oauth_provider.md
index af525cc8770e32..9e1c86ce5f02e0 100644
--- a/doc/integration/oauth_provider.md
+++ b/doc/integration/oauth_provider.md
@@ -85,7 +85,9 @@ The user authorization step is automatically skipped for this application.
 ## View all authorized applications
-> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5.
+
 To see all the application you've authorized with your GitLab credentials:
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index 795967e9f9174c..68e1a34b422dc0 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -138,7 +138,9 @@ token.revoke!
 ## Scopes for a group access token
-> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5.
+
 The scope determines the actions you can perform when you authenticate with a group access token.
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index c3361040a005bd..64b2387a9c9fde 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -106,6 +106,7 @@ To view the last time a token was used:
 > - Personal access tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0.
 > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5.
 A personal access token can perform actions based on the assigned scopes.
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index 29d573285323a9..91251349467b43 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -79,7 +79,8 @@ To revoke a project access token:
 ## Scopes for a project access token
-> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+> - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5.
 The scope determines the actions you can perform when you authenticate with a project access token.
--
GitLab
From a904cab56cfbc997fecb11c7143061407e1b17a5 Mon Sep 17 00:00:00 2001
From: Phillip Wells
Date: Mon, 2 Oct 2023 19:57:55 +0000
Subject: [PATCH 3/3] Remove extra line
---
 doc/integration/oauth_provider.md | 1 -
 doc/user/group/settings/group_access_tokens.md | 1 -
 2 files changed, 2 deletions(-)
diff --git a/doc/integration/oauth_provider.md b/doc/integration/oauth_provider.md
index 9e1c86ce5f02e0..a7320b282bb05b 100644
--- a/doc/integration/oauth_provider.md
+++ b/doc/integration/oauth_provider.md
@@ -88,7 +88,6 @@ The user authorization step is automatically skipped for this application.
 > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
 > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5.
-
 To see all the application you've authorized with your GitLab credentials:
 1. On the left sidebar, select your avatar.
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index 68e1a34b422dc0..4b8de7d3dec414 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -141,7 +141,6 @@ token.revoke!
 > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
 > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5.
-
 The scope determines the actions you can perform when you authenticate with a group access token.
 | Scope | Description |
--
GitLab