From 815f1fd4570afb7f15e619f84b310f9bdcbac22d Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Fri, 26 Apr 2024 16:11:16 +0200 Subject: [PATCH 01/18] Allow push to the own repo using CI_JOB_TOKEN Add schema migration Delegate push from project to settings, add project specs Update git access specs Add ci_ prefix Prepare git access check around ci job token push Add push_repository_for_job_token_allowed to ci_cd_settings Replace migration with enable_lock_retries, add a test with a push to another project Changelog: added --- app/models/project.rb | 7 ---- app/policies/project_policy.rb | 4 +++ lib/api/entities/project.rb | 1 + lib/api/helpers/projects_helpers.rb | 2 ++ spec/lib/gitlab/git_access_spec.rb | 8 +++++ spec/models/project_ci_cd_setting_spec.rb | 6 ++++ spec/policies/project_policy_spec.rb | 42 +++++++++++++---------- spec/requests/api/project_attributes.yml | 1 + spec/requests/api/projects_spec.rb | 3 +- 9 files changed, 47 insertions(+), 27 deletions(-) diff --git a/app/models/project.rb b/app/models/project.rb index 626e67af608132..d8f0aa8b646946 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -542,7 +542,6 @@ def self.integration_association_name(name) delegate :job_token_scope_enabled, :job_token_scope_enabled=, prefix: :ci_outbound with_options prefix: :ci do - delegate :pipeline_variables_minimum_override_role, :pipeline_variables_minimum_override_role= delegate :push_repository_for_job_token_allowed, :push_repository_for_job_token_allowed= delegate :default_git_depth, :default_git_depth= delegate :forward_deployment_enabled, :forward_deployment_enabled= @@ -3103,12 +3102,6 @@ def restrict_user_defined_variables? ci_cd_settings.restrict_user_defined_variables? end - def override_pipeline_variables_allowed?(access_level) - return false unless ci_cd_settings - - ci_cd_settings.override_pipeline_variables_allowed?(access_level) - end - def ci_push_repository_for_job_token_allowed? return false unless ci_cd_settings 
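Review bot: The first hunk removes the `pipeline_variables_minimum_override_role` delegate and the second removes `override_pipeline_variables_allowed?`, neither of which the subject describes, while the projects_helpers hunk in this same patch still declares `optional :ci_pipeline_variables_minimum_override_role`, so an update through that API param would presumably call a `ci_pipeline_variables_minimum_override_role=` that no longer exists. Both deletions read as rebase fallout — 02/18 restores them line for line — so they should be dropped from this patch rather than undone in a later commit of the series. The `ci_push_repository_for_job_token_allowed?` method at the end of the second hunk continues outside it.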
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index bb6f917d426916..121551de7a2bce 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -254,6 +254,10 @@ class ProjectPolicy < BasePolicy @user&.from_ci_job_token? && project.ci_push_repository_for_job_token_allowed? && @user.ci_job_token_scope.self_referential?(project) end + condition(:push_repository_for_job_token_allowed) do + @user&.from_ci_job_token? && @subject.ci_push_repository_for_job_token_allowed? && @user.ci_job_token_scope.self_referential?(project) + end + condition(:packages_disabled, scope: :subject) { !@subject.packages_enabled } condition(:runner_registration_token_enabled, scope: :subject) { @subject.namespace.allow_runner_registration_token? } diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb index fcb7dee20b4bba..d54be30a120cce 100644 --- a/lib/api/entities/project.rb +++ b/lib/api/entities/project.rb @@ -134,6 +134,7 @@ class Project < BasicProjectDetails expose :auto_devops_deploy_strategy, documentation: { type: 'string', example: 'continuous' } do |project, options| project.auto_devops.nil? ? 'continuous' : project.auto_devops.deploy_strategy end + expose :ci_push_repository_for_job_token_allowed, documentation: { type: 'boolean' } end expose :ci_config_path, documentation: { type: 'string', example: '' }, if: ->(project, options) { Ability.allowed?(options[:current_user], :read_code, project) } diff --git a/lib/api/helpers/projects_helpers.rb b/lib/api/helpers/projects_helpers.rb index 4567335757123b..2e9841f6f98ba8 100644 --- a/lib/api/helpers/projects_helpers.rb +++ b/lib/api/helpers/projects_helpers.rb 
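Review bot: The added `push_repository_for_job_token_allowed` condition repeats the three-part check of the block just above it and refers to the project as both `@subject` and `project` within one expression; nothing in the hunk uses the new condition in a rule, and 02/18 deletes it again. If a separately named condition is really needed, give it a distinct name and write it with `@subject` throughout; otherwise drop it from this patch. The enclosing `ProjectPolicy` class continues on both sides of the hunk.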
@@ -117,6 +117,7 @@ module ProjectsHelpers optional :ci_separated_caches, type: Boolean, desc: 'Enable or disable separated caches based on branch protection.' optional :restrict_user_defined_variables, type: Boolean, desc: 'Restrict use of user-defined variables when triggering a pipeline' optional :ci_pipeline_variables_minimum_override_role, values: %w[no_one_allowed developer maintainer owner], type: String, desc: 'Limit ability to override CI/CD variables when triggering a pipeline to only users with at least the set minimum role' + optional :ci_push_repository_for_job_token_allowed, type: Boolean, desc: 'Allow pushing to your own repository via a job token.' end params :optional_update_params_ee do @@ -210,6 +211,7 @@ def self.update_params_at_least_one_of :model_registry_access_level, :warn_about_potentially_unwanted_characters, :ci_pipeline_variables_minimum_override_role, + :ci_push_repository_for_job_token_allowed, # TODO: remove in API v5, replaced by *_access_level :issues_enabled, diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb index e2feda95b7754f..1016776ff03055 100644 --- a/spec/lib/gitlab/git_access_spec.rb +++ b/spec/lib/gitlab/git_access_spec.rb @@ -1347,6 +1347,14 @@ def push_access_check_build(access_project, changes) .check('git-receive-pack', changes) end + def push_access_check_build(access_project, changes) + access_class.new(actor, access_project, protocol, + authentication_abilities: build_authentication_abilities_allowed_push, + repository_path: "#{access_project.full_path}.git", + redirected_path: redirected_path, auth_result_type: auth_result_type) + .check('git-receive-pack', changes) + end + def push_changes(changes) access.check('git-receive-pack', changes) end diff --git a/spec/models/project_ci_cd_setting_spec.rb b/spec/models/project_ci_cd_setting_spec.rb index 93c26afadbecd6..00ec396caf929d 100644 --- a/spec/models/project_ci_cd_setting_spec.rb +++ b/spec/models/project_ci_cd_setting_spec.rb 
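Review bot: The added `push_access_check_build(access_project, changes)` in the git_access_spec hunk redefines a helper that already exists — the hunk header and the `.check('git-receive-pack', changes)` / `end` context directly above are the original definition — so Ruby silently replaces the first definition with an identical copy (RuboCop's `Lint/DuplicateMethods` would flag it). Remove the added block, as 02/18 does. The enclosing describe/context block is outside the hunk.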
@@ -27,6 +27,12 @@ end end + describe '#push_repository_for_job_token_allowed' do + it 'is false by default' do + expect(described_class.new.push_repository_for_job_token_allowed).to be_falsey + end + end + describe '#separated_caches' do it 'is true by default' do expect(described_class.new.separated_caches).to be_truthy diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 428648e3bed891..a9d1ae9a10d8c0 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb 
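Review bot: `be_falsey` in the new example also passes when `push_repository_for_job_token_allowed` is nil, i.e. when the column default is absent, so it does not really pin the "is false by default" claim; `expect(described_class.new.push_repository_for_job_token_allowed).to be(false)` would. The migration the commit message refers to is not in this patch's diffstat, so the default cannot be confirmed from here. The enclosing describe block continues outside the hunk.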
@@ -3785,24 +3785,28 @@ def permissions_abilities(role) let(:policy) { :build_push_code } - where(:user_role, :project_visibility, :push_repository_for_job_token_allowed, :self_referential_project, :allowed) do - :maintainer | :public | true | true | true - :owner | :public | true | true | true - :maintainer | :private | true | true | true - :developer | :public | true | true | true - :reporter | :public | true | true | false - :guest | :public | true | true | false - :guest | :private | true | true | false - :guest | :internal | true | true | false - :anonymous | :public | true | true | false - :maintainer | :public | false | true | false - :maintainer | :public | true | false | false - :maintainer | :public | false | false | false + where(:user_role, :project_visibility, :token_scope_enabled, :push_repository_for_job_token_allowed, :self_referential_project, :allowed) do + :maintainer | :public | true | true | true | true + :owner | :public | true | true | true | true + :maintainer | :private | true | true | true | true + :developer | :public | true | true | true | true + :reporter | :public | true | true | true | false + :guest | :public | true | true | true | false + :guest | :private | true | true | true | false + :guest | :internal | true | true | true | false + :anonymous | :public | true | true | true | false + :maintainer | :public | true | false | true | false + :maintainer | :public | true | true | false | false + :maintainer | :public | true | false | false | false end with_them do let(:current_user) do - public_send(user_role) + if user_role == :anonymous + anonymous + else + public_send(user_role) + end end let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) } 
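Review bot: `token_scope_enabled` is true in every row of the new `where` table, so the added column never influences an outcome and the table gives no more coverage than before; either add rows with it set to false together with the expected `allowed` value, or leave the column out. The `if user_role == :anonymous` branch in `current_user` is redundant, since `public_send(:anonymous)` invokes the same `anonymous` helper, so `public_send(user_role)` alone suffices (02/18 restores exactly that). The `with_them` block continues outside the hunk.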
@@ -3817,14 +3821,14 @@ def permissions_abilities(role) project.add_maintainer(maintainer) project.add_maintainer(owner) - project.ci_inbound_job_token_scope_enabled = true + project.ci_inbound_job_token_scope_enabled = token_scope_enabled project.save! - ci_cd_settings = project.ci_cd_settings - ci_cd_settings.push_repository_for_job_token_allowed = push_repository_for_job_token_allowed - ci_cd_settings.save! - if user_role != :anonymous + ci_cd_settings = project.ci_cd_settings + ci_cd_settings.push_repository_for_job_token_allowed = push_repository_for_job_token_allowed + ci_cd_settings.save! + if self_referential_project allow(current_user).to receive(:ci_job_token_scope).and_return(current_user.set_ci_job_token_scope!(self_referential_job)) else diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml index c5d798f004f11d..5f7597e841eefd 100644 --- a/spec/requests/api/project_attributes.yml +++ b/spec/requests/api/project_attributes.yml @@ -103,6 +103,7 @@ ci_cd_settings: - push_repository_for_job_token_allowed remapped_attributes: pipeline_variables_minimum_override_role: ci_pipeline_variables_minimum_override_role + push_repository_for_job_token_allowed: ci_push_repository_for_job_token_allowed default_git_depth: ci_default_git_depth forward_deployment_enabled: ci_forward_deployment_enabled forward_deployment_rollback_allowed: ci_forward_deployment_rollback_allowed diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index 1fe8de1f048719..b39c4320558e4c 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -3306,7 +3306,8 @@ def failure_message(diff) 'build_timeout', 'auto_devops_enabled', 'auto_devops_deploy_strategy', - 'import_error' + 'import_error', + 'ci_push_repository_for_job_token_allowed' ) end end -- GitLab From bf0db74c995bdad0c60b88ac27d2a3076b3acc05 Mon Sep 17 00:00:00 2001 
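Review bot: Moving the `ci_cd_settings.push_repository_for_job_token_allowed = …` and `ci_cd_settings.save!` lines under `if user_role != :anonymous` means the `:anonymous` row now runs with the setting never applied, so that row passes without exercising the setting at all. Nothing about the setting depends on the user, so keep the three assignment/save lines before the guard and leave only the `ci_job_token_scope` stubbing inside it (02/18 moves them back). The before block continues outside the hunk.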
From: Dmytro Biryukov Date: Tue, 4 Jun 2024 13:30:07 +0200 Subject: [PATCH 02/18] Adjust rebased conflicts --- app/models/project.rb | 7 +++++ app/policies/project_policy.rb | 4 --- spec/lib/gitlab/git_access_spec.rb | 8 ------ spec/policies/project_policy_spec.rb | 42 +++++++++++++--------------- 4 files changed, 26 insertions(+), 35 deletions(-) diff --git a/app/models/project.rb b/app/models/project.rb index d8f0aa8b646946..626e67af608132 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -542,6 +542,7 @@ def self.integration_association_name(name) delegate :job_token_scope_enabled, :job_token_scope_enabled=, prefix: :ci_outbound with_options prefix: :ci do + delegate :pipeline_variables_minimum_override_role, :pipeline_variables_minimum_override_role= delegate :push_repository_for_job_token_allowed, :push_repository_for_job_token_allowed= delegate :default_git_depth, :default_git_depth= delegate :forward_deployment_enabled, :forward_deployment_enabled= @@ -3102,6 +3103,12 @@ def restrict_user_defined_variables? ci_cd_settings.restrict_user_defined_variables? end + def override_pipeline_variables_allowed?(access_level) + return false unless ci_cd_settings + + ci_cd_settings.override_pipeline_variables_allowed?(access_level) + end + def ci_push_repository_for_job_token_allowed? return false unless ci_cd_settings diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 121551de7a2bce..bb6f917d426916 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb 
@@ -254,10 +254,6 @@ class ProjectPolicy < BasePolicy @user&.from_ci_job_token? && project.ci_push_repository_for_job_token_allowed? && @user.ci_job_token_scope.self_referential?(project) end - condition(:push_repository_for_job_token_allowed) do - @user&.from_ci_job_token? && @subject.ci_push_repository_for_job_token_allowed? && @user.ci_job_token_scope.self_referential?(project) - end - condition(:packages_disabled, scope: :subject) { !@subject.packages_enabled } condition(:runner_registration_token_enabled, scope: :subject) { @subject.namespace.allow_runner_registration_token? } diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb index 1016776ff03055..e2feda95b7754f 100644 --- a/spec/lib/gitlab/git_access_spec.rb +++ b/spec/lib/gitlab/git_access_spec.rb @@ -1347,14 +1347,6 @@ def push_access_check_build(access_project, changes) .check('git-receive-pack', changes) end - def push_access_check_build(access_project, changes) - access_class.new(actor, access_project, protocol, - authentication_abilities: build_authentication_abilities_allowed_push, - repository_path: "#{access_project.full_path}.git", - redirected_path: redirected_path, auth_result_type: auth_result_type) - .check('git-receive-pack', changes) - end - def push_changes(changes) access.check('git-receive-pack', changes) end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index a9d1ae9a10d8c0..428648e3bed891 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb 
@@ -3785,28 +3785,24 @@ def permissions_abilities(role) let(:policy) { :build_push_code } - where(:user_role, :project_visibility, :token_scope_enabled, :push_repository_for_job_token_allowed, :self_referential_project, :allowed) do - :maintainer | :public | true | true | true | true - :owner | :public | true | true | true | true - :maintainer | :private | true | true | true | true - :developer | :public | true | true | true | true - :reporter | :public | true | true | true | false - :guest | :public | true | true | true | false - :guest | :private | true | true | true | false - :guest | :internal | true | true | true | false - :anonymous | :public | true | true | true | false - :maintainer | :public | true | false | true | false - :maintainer | :public | true | true | false | false - :maintainer | :public | true | false | false | false + where(:user_role, :project_visibility, :push_repository_for_job_token_allowed, :self_referential_project, :allowed) do + :maintainer | :public | true | true | true + :owner | :public | true | true | true + :maintainer | :private | true | true | true + :developer | :public | true | true | true + :reporter | :public | true | true | false + :guest | :public | true | true | false + :guest | :private | true | true | false + :guest | :internal | true | true | false + :anonymous | :public | true | true | false + :maintainer | :public | false | true | false + :maintainer | :public | true | false | false + :maintainer | :public | false | false | false end with_them do let(:current_user) do - if user_role == :anonymous - anonymous - else - public_send(user_role) - end + public_send(user_role) end let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) } 
@@ -3821,14 +3817,14 @@ def permissions_abilities(role) project.add_maintainer(maintainer) project.add_maintainer(owner) - project.ci_inbound_job_token_scope_enabled = token_scope_enabled + project.ci_inbound_job_token_scope_enabled = true project.save! - if user_role != :anonymous - ci_cd_settings = project.ci_cd_settings - ci_cd_settings.push_repository_for_job_token_allowed = push_repository_for_job_token_allowed - ci_cd_settings.save! + ci_cd_settings = project.ci_cd_settings + ci_cd_settings.push_repository_for_job_token_allowed = push_repository_for_job_token_allowed + ci_cd_settings.save! + if user_role != :anonymous if self_referential_project allow(current_user).to receive(:ci_job_token_scope).and_return(current_user.set_ci_job_token_scope!(self_referential_job)) else -- GitLab From 2f9bb971fcba9b7907fa58a287263ea0e07d5408 Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Wed, 5 Jun 2024 19:47:26 +0200 Subject: [PATCH 03/18] Add GraphQL request and mutation for push repository settings --- .../ci/project_ci_cd_settings_update.rb | 5 +++++ app/graphql/types/ci/ci_cd_setting_type.rb | 7 +++++++ .../api/graphql/ci/ci_cd_setting_spec.rb | 2 ++ .../ci/project_ci_cd_settings_update_spec.rb | 20 ++++++++++++++++++- 4 files changed, 33 insertions(+), 1 deletion(-) diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb index 7df277641bf32e..8875bbacee6c38 100644 --- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb +++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb 
@@ -32,6 +32,11 @@ class ProjectCiCdSettingsUpdate < BaseMutation description: 'Indicates CI/CD job tokens generated in other projects ' \ 'have restricted access to this project.' + argument :push_repository_for_job_token_allowed, GraphQL::Types::Boolean, + required: false, + description: 'Indicates the ability to push to the original project ' \ + 'repository using a job token' + field :ci_cd_settings, Types::Ci::CiCdSettingType, null: false, diff --git a/app/graphql/types/ci/ci_cd_setting_type.rb b/app/graphql/types/ci/ci_cd_setting_type.rb index f6f2fe0ef9d0d4..3ce1e65d28f954 100644 --- a/app/graphql/types/ci/ci_cd_setting_type.rb +++ b/app/graphql/types/ci/ci_cd_setting_type.rb @@ -37,6 +37,13 @@ class CiCdSettingType < BaseObject null: true, description: 'Project the CI/CD settings belong to.', authorize: :admin_project + field :push_repository_for_job_token_allowed, + GraphQL::Types::Boolean, + null: true, + description: 'Indicates the ability to push to the original project ' \ + 'repository using a job token', + method: :push_repository_for_job_token_allowed?, + authorize: :admin_project end end end diff --git a/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb b/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb index db9b6bfbf5c2fc..2600c818391b75 100644 --- a/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb +++ b/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb @@ -49,6 +49,8 @@ expect(settings_data['jobTokenScopeEnabled']).to eql project.ci_cd_settings.job_token_scope_enabled? expect(settings_data['inboundJobTokenScopeEnabled']).to eql( project.ci_cd_settings.inbound_job_token_scope_enabled?) + expect(settings_data['pushRepositoryForJobTokenAllowed']).to eql( + project.ci_cd_settings.push_repository_for_job_token_allowed?) if Gitlab.ee? expect(settings_data['mergeTrainsEnabled']).to eql project.ci_cd_settings.merge_trains_enabled? 
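Review bot: The description for the new `push_repository_for_job_token_allowed` argument (and the matching field in the ci_cd_setting_type hunk below) lacks the trailing period that the sibling description in the hunk ('…have restricted access to this project.') has, and "the original project repository" does not say which project is meant; the docs added in 06/18 state that a job may only push to the repository of the project it runs in, so say that directly, e.g. `description: 'Indicates whether a job token can push to the repository of the project the job belongs to.'`. GitLab's `Graphql/Descriptions` cop, if enabled for these paths, checks the terminating period. The enclosing mutation class continues outside the hunk.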
diff --git a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb index 6e101d07b9f20b..8e07416a8f5f61 100644 --- a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb @@ -18,7 +18,8 @@ full_path: project.full_path, keep_latest_artifact: false, job_token_scope_enabled: false, - inbound_job_token_scope_enabled: false + inbound_job_token_scope_enabled: false, + push_repository_for_job_token_allowed: false } end @@ -69,6 +70,23 @@ expect(project.ci_outbound_job_token_scope_enabled).to eq(false) end + context 'when push_repository_for_job_token_allowed requested to be true' do + let(:variables) do + { + full_path: project.full_path, + push_repository_for_job_token_allowed: true + } + end + + it 'updates push_repository_for_job_token_allowed' do + post_graphql_mutation(mutation, current_user: user) + project.reload + + expect(response).to have_gitlab_http_status(:success) + expect(project.ci_cd_settings.push_repository_for_job_token_allowed).to eq(true) + end + end + context 'when job_token_scope_enabled: true' do let(:variables) do { -- GitLab From c87ca04bfd24f52271f4edff88b3e00a9c503d5e Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Wed, 5 Jun 2024 19:49:02 +0200 Subject: [PATCH 04/18] Update graphql docs --- doc/api/graphql/reference/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index a98d44929ad09b..c05557590113ed 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
@@ -7328,6 +7328,7 @@ Input type: `ProjectCiCdSettingsUpdateInput` | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merged results pipelines are enabled for the project. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. | | `mergeTrainsSkipTrainAllowed` | [`Boolean`](#boolean) | Indicates whether an option is allowed to merge without refreshing the merge train. Ignored unless the `merge_trains_skip_train` feature flag is also enabled. | +| `pushRepositoryForJobTokenAllowed` | [`Boolean`](#boolean) | Indicates the ability to push to the original project repository using a job token. | #### Fields @@ -29014,6 +29015,7 @@ four standard [pagination arguments](#pagination-arguments): | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Whether merge trains are enabled. | | `mergeTrainsSkipTrainAllowed` | [`Boolean!`](#boolean) | Whether merge immediately is allowed for merge trains. | | `project` | [`Project`](#project) | Project the CI/CD settings belong to. | +| `pushRepositoryForJobTokenAllowed` | [`Boolean`](#boolean) | Indicates the ability to push to the original project repository using a job token. | ### `ProjectDataTransfer` -- GitLab From 59f5ac3b9da1f781fd499b31817cb48622844349 Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Wed, 5 Jun 2024 20:18:47 +0200 Subject: [PATCH 05/18] Extend ci_cd_setting_type spec with push repository --- spec/graphql/types/ci/ci_cd_setting_type_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/spec/graphql/types/ci/ci_cd_setting_type_spec.rb b/spec/graphql/types/ci/ci_cd_setting_type_spec.rb index 5fdfb405e239f8..cac4a062a731f9 100644 --- a/spec/graphql/types/ci/ci_cd_setting_type_spec.rb +++ b/spec/graphql/types/ci/ci_cd_setting_type_spec.rb @@ -9,6 +9,7 @@ expected_fields = %w[ inbound_job_token_scope_enabled job_token_scope_enabled keep_latest_artifact merge_pipelines_enabled project + push_repository_for_job_token_allowed ] if Gitlab.ee? -- GitLab 
From 4a547fdbd2917d7dc2a4ab32205d0c3b1a22ac9a Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Thu, 6 Jun 2024 12:17:24 +0200 Subject: [PATCH 06/18] Add, update docs --- doc/api/projects.md | 7 +++++++ doc/ci/jobs/ci_job_token.md | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/doc/api/projects.md b/doc/api/projects.md index 1426544408f08e..337e1ad7dc2352 100644 --- a/doc/api/projects.md +++ b/doc/api/projects.md @@ -245,6 +245,8 @@ When the user is authenticated and `simple` is not set this returns something li "ci_job_token_scope_enabled": false, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "maintainer", + "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "build_timeout": 3600, "auto_cancel_pending_pipelines": "enabled", @@ -421,6 +423,7 @@ GET /users/:user_id/projects "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [], "only_allow_merge_if_pipeline_succeeds": false, @@ -542,6 +545,7 @@ GET /users/:user_id/projects "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [], "only_allow_merge_if_pipeline_succeeds": false, @@ -1214,6 +1218,7 @@ GET /projects/:id "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [ { 
@@ -1756,6 +1761,8 @@ General project attributes:
 | `ci_allow_fork_pipelines_to_run_in_parent_project` | boolean | No | Enable or disable [running pipelines in the parent project for merge requests from forks](../ci/pipelines/merge_request_pipelines.md#run-pipelines-in-the-parent-project). _([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325189) in GitLab 15.3.)_ |
 | `ci_separated_caches` | boolean | No | Set whether or not caches should be [separated](../ci/caching/index.md#cache-key-names) by branch protection status. |
 | `ci_restrict_pipeline_cancellation_role` | string | No | Set the [role required to cancel a pipeline or job](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). One of `developer`, `maintainer`, or `no_one`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/429921) in GitLab 16.8. Premium and Ultimate only. |
+| `ci_pipeline_variables_minimum_override_role` | string | No | When `restrict_user_defined_variables` you can specify which role can override variables. One of `owner`, `developer`, `owner` or `no_one_allowed`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/440338) in GitLab 17.1. |
+| `ci_push_repository_for_job_token_allowed` | boolean | No | Enable or disable pushing to the project repository using job token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1. |
 | `container_expiration_policy_attributes` | hash | No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). |
 | `container_registry_enabled` | boolean | No | _(Deprecated)_ Enable container registry for this project. Use `container_registry_access_level` instead. |
 | `default_branch` | string | No | The [default branch](../user/project/repository/branches/default.md) name. |
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 20914b0d828ce0..743cfb3cd6ddf0 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -278,3 +278,14 @@ While troubleshooting CI/CD job token authentication issues, be aware that: - To remove project access. - The CI job token becomes invalid if the job is no longer running, has been erased, or if the project is in the process of being deleted. + +### Allow push to the project's repository using job token + +WARNING: +Enabling pushing via job token poses a performance risk. It's crucial to thoroughly test and implement validation measures to prevent infinite loops. + +By default, pushing to the repository using a job token is disabled. + +You can enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`pushRepositoryForJobTokenAllowed`) and [REST](../../api/projects#edit-project) API (`ci_push_repository_for_job_token_allowed`). + +You are only permitted to push to the repository of the project where the job is running. \ No newline at end of file -- GitLab From 9ff6e9ea639f064f55f8a20acf0b758c41a1ac0e Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Thu, 6 Jun 2024 12:18:07 +0200 Subject: [PATCH 07/18] Add trailing line --- doc/ci/jobs/ci_job_token.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 743cfb3cd6ddf0..1248f8a511b8b9 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md 
@@ -288,4 +288,4 @@ By default, pushing to the repository using a job token is disabled. You can enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`pushRepositoryForJobTokenAllowed`) and [REST](../../api/projects#edit-project) API (`ci_push_repository_for_job_token_allowed`). -You are only permitted to push to the repository of the project where the job is running. \ No newline at end of file +You are only permitted to push to the repository of the project where the job is running. -- GitLab From 059a1f0a3acadec086f735d0721e4ef60696115a Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Thu, 6 Jun 2024 12:22:45 +0200 Subject: [PATCH 08/18] Extend more examples with new attributes --- doc/api/projects.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/api/projects.md b/doc/api/projects.md index 337e1ad7dc2352..2c7a195fa75ca4 100644 --- a/doc/api/projects.md +++ b/doc/api/projects.md @@ -423,6 +423,7 @@ GET /users/:user_id/projects "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "maintainer", "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [], @@ -545,6 +546,7 @@ GET /users/:user_id/projects "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "maintainer", "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [], 
@@ -1218,6 +1220,7 @@ GET /projects/:id "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "maintainer", "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [ @@ -2382,6 +2385,8 @@ Example response: "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "maintainer", + "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [], "only_allow_merge_if_pipeline_succeeds": false, @@ -2514,6 +2519,8 @@ Example response: "ci_allow_fork_pipelines_to_run_in_parent_project": true, "ci_separated_caches": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "maintainer", + "ci_push_repository_for_job_token_allowed": false, "public_jobs": true, "shared_with_groups": [], "only_allow_merge_if_pipeline_succeeds": false, -- GitLab From 99b3379339febbd7aec04c65be6f1300edc8efeb Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Thu, 6 Jun 2024 12:27:14 +0200 Subject: [PATCH 09/18] Fix reference link --- doc/ci/jobs/ci_job_token.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 1248f8a511b8b9..ce0146189fb0de 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md 
@@ -286,6 +286,6 @@ Enabling pushing via job token poses a performance risk. It's crucial to thoroug By default, pushing to the repository using a job token is disabled. -You can enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`pushRepositoryForJobTokenAllowed`) and [REST](../../api/projects#edit-project) API (`ci_push_repository_for_job_token_allowed`). +You can enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`pushRepositoryForJobTokenAllowed`) and [REST](../../api/projects.md#edit-project) API (`ci_push_repository_for_job_token_allowed`). You are only permitted to push to the repository of the project where the job is running. -- GitLab From 019cd472a399c1ba316d00820d19e343237f177d Mon Sep 17 00:00:00 2001 From: Dmytro Biryukov Date: Thu, 6 Jun 2024 12:53:15 +0200 Subject: [PATCH 10/18] Adjust roles list on min override role --- doc/api/projects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/projects.md b/doc/api/projects.md index 2c7a195fa75ca4..20efe81111abd5 100644 --- a/doc/api/projects.md +++ b/doc/api/projects.md 
@@ -1764,7 +1764,7 @@ General project attributes:
 | `ci_allow_fork_pipelines_to_run_in_parent_project` | boolean | No | Enable or disable [running pipelines in the parent project for merge requests from forks](../ci/pipelines/merge_request_pipelines.md#run-pipelines-in-the-parent-project). _([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325189) in GitLab 15.3.)_ |
 | `ci_separated_caches` | boolean | No | Set whether or not caches should be [separated](../ci/caching/index.md#cache-key-names) by branch protection status. |
 | `ci_restrict_pipeline_cancellation_role` | string | No | Set the [role required to cancel a pipeline or job](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). One of `developer`, `maintainer`, or `no_one`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/429921) in GitLab 16.8. Premium and Ultimate only. |
-| `ci_pipeline_variables_minimum_override_role` | string | No | When `restrict_user_defined_variables` you can specify which role can override variables. One of `owner`, `developer`, `owner` or `no_one_allowed`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/440338) in GitLab 17.1. |
+| `ci_pipeline_variables_minimum_override_role` | string | No | When `restrict_user_defined_variables` is enabled, you can specify which role can override variables. One of `owner`, `maintainer`, `developer` or `no_one_allowed`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/440338) in GitLab 17.1. |
 | `ci_push_repository_for_job_token_allowed` | boolean | No | Enable or disable pushing to the project repository using job token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1. |
 | `container_expiration_policy_attributes` | hash | No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). |
 | `container_registry_enabled` | boolean | No | _(Deprecated)_ Enable container registry for this project. Use `container_registry_access_level` instead. |
--
GitLab
From 6cc7f1bf59623cfd05e5a7587b895f18d65f3931 Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Fri, 7 Jun 2024 12:41:27 +0200
Subject: [PATCH 11/18] Add an rspec for REST API
---
 spec/requests/api/projects_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index b39c4320558e4c..856f8de9780ace 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -4058,6 +4058,20 @@ def failure_message(diff)
 let(:failed_status_code) { :not_found }
 end
+ describe 'updating ci_push_repository_for_job_token_allowed attribute' do
+ it 'is disabled by default' do
+ expect(project.ci_push_repository_for_job_token_allowed).to be_falsey
+ end
+
+ it 'enables push to repository using job token' do
+ put(api(path, user), params: { ci_push_repository_for_job_token_allowed: true })
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(project.reload.ci_push_repository_for_job_token_allowed).to be_truthy
+ expect(json_response['ci_push_repository_for_job_token_allowed']).to eq(true)
+ end
+ end
+
 describe 'updating packages_enabled attribute' do
 it 'is enabled by default' do
 expect(project.packages_enabled).to be true
--
GitLab
From 7294ced2cf96c2244a49d51eb5b0005430f7ce9b Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Tue, 11 Jun 2024 18:16:07 +0000
Subject: [PATCH 12/18] Thanks for the great suggestions - applied
---
 doc/api/projects.md | 2 +-
 doc/ci/jobs/ci_job_token.md | 13 +++++++++----
 lib/api/helpers/projects_helpers.rb | 2 +-
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/doc/api/projects.md b/doc/api/projects.md
index 20efe81111abd5..950ae249c65c87 100644
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
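Review bot: The new examples in the `updating ci_push_repository_for_job_token_allowed attribute` block assert with `be_falsey` and `be_truthy`, while the neighbouring `packages_enabled` example in the same hunk uses `be true`; the loose matchers also accept any non-nil value, so an attribute that started returning a string or integer would still pass. Pin the boolean with `expect(project.ci_push_repository_for_job_token_allowed).to be false` and `expect(project.reload.ci_push_repository_for_job_token_allowed).to be true`. The 'is disabled by default' example only inspects the model; reading `json_response['ci_push_repository_for_job_token_allowed']` from a GET on the same path would additionally cover the entity exposure added earlier in this series. The enclosing describe block starts before this hunk.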
@@ -1765,7 +1765,7 @@ General project attributes:
 | `ci_separated_caches` | boolean | No | Set whether or not caches should be [separated](../ci/caching/index.md#cache-key-names) by branch protection status. |
 | `ci_restrict_pipeline_cancellation_role` | string | No | Set the [role required to cancel a pipeline or job](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). One of `developer`, `maintainer`, or `no_one`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/429921) in GitLab 16.8. Premium and Ultimate only. |
 | `ci_pipeline_variables_minimum_override_role` | string | No | When `restrict_user_defined_variables` is enabled, you can specify which role can override variables. One of `owner`, `maintainer`, `developer` or `no_one_allowed`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/440338) in GitLab 17.1. |
-| `ci_push_repository_for_job_token_allowed` | boolean | No | Enable or disable pushing to the project repository using job token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1. |
+| `ci_push_repository_for_job_token_allowed` | boolean | No | Enable or disable the ability to push to the project repository using job token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1. |
 | `container_expiration_policy_attributes` | hash | No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). |
 | `container_registry_enabled` | boolean | No | _(Deprecated)_ Enable container registry for this project. Use `container_registry_access_level` instead. |
 | `default_branch` | string | No | The [default branch](../user/project/repository/branches/default.md) name. |
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index ce0146189fb0de..37bd7ee07be5d4 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -279,13 +279,18 @@ While troubleshooting CI/CD job token authentication issues, be aware that:
 - The CI job token becomes invalid if the job is no longer running, has been erased,
 or if the project is in the process of being deleted.
-### Allow push to the project's repository using job token
+### Push to a project repository using a job token
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1.
 WARNING:
-Enabling pushing via job token poses a performance risk. It's crucial to thoroughly test and implement validation measures to prevent infinite loops.
+Pushing via job token is still in development and is not yet optimized for performance.
+If you enable this feature for testing, you must thoroughly test and implement validation measures
+to prevent infinite loops of "push" pipelines triggering more pipelines.
-By default, pushing to the repository using a job token is disabled.
+By default, pushing to a project repository by authenticating with a job token is disabled.
+To enable this ability, you can:
-You can enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`pushRepositoryForJobTokenAllowed`) and [REST](../../api/projects.md#edit-project) API (`ci_push_repository_for_job_token_allowed`).
+- Enable the [`pushRepositoryForJobTokenAllowed`](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) GraphQL endpoint.
+- Enable the [`ci_push_repository_for_job_token_allowed`](../../api/projects.md#edit-project) REST API endpoint.
 You are only permitted to push to the repository of the project where the job is running.
diff --git a/lib/api/helpers/projects_helpers.rb b/lib/api/helpers/projects_helpers.rb
index 2e9841f6f98ba8..d15579d478c63a 100644
--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
@@ -117,7 +117,7 @@ module ProjectsHelpers
 optional :ci_separated_caches, type: Boolean, desc: 'Enable or disable separated caches based on branch protection.'
 optional :restrict_user_defined_variables, type: Boolean, desc: 'Restrict use of user-defined variables when triggering a pipeline'
 optional :ci_pipeline_variables_minimum_override_role, values: %w[no_one_allowed developer maintainer owner], type: String, desc: 'Limit ability to override CI/CD variables when triggering a pipeline to only users with at least the set minimum role'
- optional :ci_push_repository_for_job_token_allowed, type: Boolean, desc: 'Allow pushing to your own repository via a job token.'
+ optional :ci_push_repository_for_job_token_allowed, type: Boolean, desc: 'Allow pushing to this project's repository by authenticating with a CI/CD job token generated in this project.'
 end
 params :optional_update_params_ee do
--
GitLab
From 9de3731970090d58553303f3180e159863201c72 Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Tue, 11 Jun 2024 20:37:16 +0200
Subject: [PATCH 13/18] Update graphQl
--
GitLab
From 64932eac9cd3ef9e1fef2f84a3ad53c0880f2d34 Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Tue, 11 Jun 2024 20:39:40 +0200
Subject: [PATCH 14/18] Corrected apostrophe syntax
---
 lib/api/helpers/projects_helpers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/api/helpers/projects_helpers.rb b/lib/api/helpers/projects_helpers.rb
index d15579d478c63a..562af336d57b68 100644
--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
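Review bot: The replacement `desc:` is a single-quoted literal containing an apostrophe (`'Allow pushing to this project's repository …'`), so the string ends after `project` and the rest of the line does not parse; at this commit `lib/api/helpers/projects_helpers.rb` will not load. PATCH 14/18 later in the series switches it to a double-quoted string, `desc: "Allow pushing to this project's repository by authenticating with a CI/CD job token generated in this project."`, so squashing that fix into this commit keeps every commit in the series loadable for bisecting. The `params` block continues outside the hunk.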
@@ -117,7 +117,7 @@ module ProjectsHelpers
 optional :ci_separated_caches, type: Boolean, desc: 'Enable or disable separated caches based on branch protection.'
 optional :restrict_user_defined_variables, type: Boolean, desc: 'Restrict use of user-defined variables when triggering a pipeline'
 optional :ci_pipeline_variables_minimum_override_role, values: %w[no_one_allowed developer maintainer owner], type: String, desc: 'Limit ability to override CI/CD variables when triggering a pipeline to only users with at least the set minimum role'
- optional :ci_push_repository_for_job_token_allowed, type: Boolean, desc: 'Allow pushing to this project's repository by authenticating with a CI/CD job token generated in this project.'
+ optional :ci_push_repository_for_job_token_allowed, type: Boolean, desc: "Allow pushing to this project's repository by authenticating with a CI/CD job token generated in this project."
 end
 params :optional_update_params_ee do
--
GitLab
From 78c8221c9634e25d0e65ec382f94f31109207e81 Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Tue, 11 Jun 2024 20:41:01 +0200
Subject: [PATCH 15/18] Fix title syntex in the doc
---
 doc/ci/jobs/ci_job_token.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 37bd7ee07be5d4..99412fb96ac39e 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -280,6 +280,7 @@ While troubleshooting CI/CD job token authentication issues, be aware that:
 or if the project is in the process of being deleted.
 ### Push to a project repository using a job token
+
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1.
 WARNING:
--
GitLab
From e2f07c9f88b1ed66eeaabbcf0f10b52175ec7f70 Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Wed, 19 Jun 2024 08:18:53 +0200
Subject: [PATCH 16/18] Change milestone to 17.2
---
 doc/api/projects.md | 2 +-
 doc/ci/jobs/ci_job_token.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/api/projects.md b/doc/api/projects.md
index 950ae249c65c87..cc663d93d98f16 100644
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -1765,7 +1765,7 @@ General project attributes:
 | `ci_separated_caches` | boolean | No | Set whether or not caches should be [separated](../ci/caching/index.md#cache-key-names) by branch protection status. |
 | `ci_restrict_pipeline_cancellation_role` | string | No | Set the [role required to cancel a pipeline or job](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). One of `developer`, `maintainer`, or `no_one`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/429921) in GitLab 16.8. Premium and Ultimate only. |
 | `ci_pipeline_variables_minimum_override_role` | string | No | When `restrict_user_defined_variables` is enabled, you can specify which role can override variables. One of `owner`, `maintainer`, `developer` or `no_one_allowed`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/440338) in GitLab 17.1. |
-| `ci_push_repository_for_job_token_allowed` | boolean | No | Enable or disable the ability to push to the project repository using job token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1. |
+| `ci_push_repository_for_job_token_allowed` | boolean | No | Enable or disable the ability to push to the project repository using job token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.2. |
 | `container_expiration_policy_attributes` | hash | No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). |
 | `container_registry_enabled` | boolean | No | _(Deprecated)_ Enable container registry for this project. Use `container_registry_access_level` instead. |
 | `default_branch` | string | No | The [default branch](../user/project/repository/branches/default.md) name. |
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 99412fb96ac39e..6b878900527172 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -281,7 +281,7 @@ While troubleshooting CI/CD job token authentication issues, be aware that:
 ### Push to a project repository using a job token
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.1.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.2.
 WARNING:
 Pushing via job token is still in development and is not yet optimized for performance.
--
GitLab
From bd84df7874b2216330b3c96faff63dca6db8296e Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Thu, 20 Jun 2024 16:15:52 +0200
Subject: [PATCH 17/18] Add a feature flag allow_push_repository_for_job_token and update docs
---
 app/policies/project_policy.rb | 6 ++++-
 doc/ci/jobs/ci_job_token.md | 3 ++-
 spec/policies/project_policy_spec.rb | 33 +++++++++++++++++-----------
 3 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index bb6f917d426916..03f740b1e44b1e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -251,7 +251,11 @@ class ProjectPolicy < BasePolicy
 end
 condition(:push_repository_for_job_token_allowed) do
- @user&.from_ci_job_token? && project.ci_push_repository_for_job_token_allowed? && @user.ci_job_token_scope.self_referential?(project)
+ if ::Feature.enabled?(:allow_push_repository_for_job_token, @subject)
+ @user&.from_ci_job_token? && project.ci_push_repository_for_job_token_allowed? && @user.ci_job_token_scope.self_referential?(project)
+ else
+ false
+ end
 end
 condition(:packages_disabled, scope: :subject) { !@subject.packages_enabled }
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 6b878900527172..4c85bb8754c895 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
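Review bot: The new body of `condition(:push_repository_for_job_token_allowed)` mixes `@subject` in the feature-flag check with `project` in the setting and `self_referential?` checks on adjacent lines; in `ProjectPolicy` `project` is presumably an alias for `@subject`, but two names for the same actor inside one predicate obscures that the flag, the per-project setting and the token-scope check are all evaluated against the same project. The `if … else false end` wrapper can also collapse into the boolean chain: `::Feature.enabled?(:allow_push_repository_for_job_token, @subject) &&`, `@user&.from_ci_job_token? && @subject.ci_push_repository_for_job_token_allowed? &&`, `@user.ci_job_token_scope.self_referential?(@subject)`. Evaluating the flag first is the right order, since it keeps the ability denied for a project until the flag is enabled for it regardless of how the setting is configured. The `ProjectPolicy` class continues outside the hunk.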
@@ -281,7 +281,7 @@ While troubleshooting CI/CD job token authentication issues, be aware that:
 ### Push to a project repository using a job token
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.2.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/389060) in GitLab 17.2. [with a flag](../../administration/feature_flags.md) named `allow_push_repository_for_job_token`. Disabled by default.
 WARNING:
 Pushing via job token is still in development and is not yet optimized for performance.
@@ -291,6 +291,7 @@ to prevent infinite loops of "push" pipelines triggering more pipelines.
 By default, pushing to a project repository by authenticating with a job token is disabled.
 To enable this ability, you can:
+- Feature flag named `allow_push_repository_for_job_token` should be enabled.
 - Enable the [`pushRepositoryForJobTokenAllowed`](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) GraphQL endpoint.
 - Enable the [`ci_push_repository_for_job_token_allowed`](../../api/projects.md#edit-project) REST API endpoint.
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 428648e3bed891..a78d0afba67840 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -3785,19 +3785,24 @@ def permissions_abilities(role)
 let(:policy) { :build_push_code }
- where(:user_role, :project_visibility, :push_repository_for_job_token_allowed, :self_referential_project, :allowed) do
- :maintainer | :public | true | true | true
- :owner | :public | true | true | true
- :maintainer | :private | true | true | true
- :developer | :public | true | true | true
- :reporter | :public | true | true | false
- :guest | :public | true | true | false
- :guest | :private | true | true | false
- :guest | :internal | true | true | false
- :anonymous | :public | true | true | false
- :maintainer | :public | false | true | false
- :maintainer | :public | true | false | false
- :maintainer | :public | false | false | false
+ where(:user_role, :project_visibility, :push_repository_for_job_token_allowed, :self_referential_project, :allowed, :ff_disabled) do
+ :maintainer | :public | true | true | true | false
+ :owner | :public | true | true | true | false
+ :maintainer | :private | true | true | true | false
+ :developer | :public | true | true | true | false
+ :reporter | :public | true | true | false | false
+ :guest | :public | true | true | false | false
+ :guest | :private | true | true | false | false
+ :guest | :internal | true | true | false | false
+ :anonymous | :public | true | true | false | false
+ :maintainer | :public | false | true | false | false
+ :maintainer | :public | true | false | false | false
+ :maintainer | :public | false | false | false | false
+ :maintainer | :public | true | true | false | true
+ :owner | :public | true | true | false | true
+ :maintainer | :private | true | true | false | true
+ :developer | :public | true | true | false | true
+ :reporter | :public | true | true | false | true
 end
 with_them do
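Review bot: The new `:ff_disabled` column is a negated boolean, so rows such as `:maintainer | :public | true | true | false | true` read as a double negative (`allowed` is false because `ff_disabled` is true), and it forces the conditional stub `stub_feature_flags(allow_push_repository_for_job_token: false) if ff_disabled` in the next hunk of this file. Naming the column positively, `:feature_flag_enabled`, with `true` on the twelve existing rows and `false` on the five new ones, lets the `before` block call `stub_feature_flags(allow_push_repository_for_job_token: feature_flag_enabled)` unconditionally and makes every row state the flag's actual value. The flag-disabled rows re-run only the roles that were previously allowed plus `:reporter`, which is enough to show the flag gates the positive path. The enclosing `with_them` and `before` blocks continue past the hunk.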
@@ -3811,6 +3816,8 @@ def permissions_abilities(role)
 let(:scope_project) { public_send(:private_project) }
 before do
+ stub_feature_flags(allow_push_repository_for_job_token: false) if ff_disabled
+
 project.add_guest(guest)
 project.add_reporter(reporter)
 project.add_developer(developer)
--
GitLab
From a1bdb352d83785a33891266483d451a2fcb43d87 Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov
Date: Thu, 20 Jun 2024 18:14:04 +0200
Subject: [PATCH 18/18] Add a ff definition
---
 .../development/allow_push_repository_for_job_token.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 config/feature_flags/development/allow_push_repository_for_job_token.yml
diff --git a/config/feature_flags/development/allow_push_repository_for_job_token.yml b/config/feature_flags/development/allow_push_repository_for_job_token.yml
new file mode 100644
index 00000000000000..5c0e1013e7b2c7
--- /dev/null
+++ b/config/feature_flags/development/allow_push_repository_for_job_token.yml
@@ -0,0 +1,8 @@
+---
+name: allow_push_repository_for_job_token
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154111
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/468320
+milestone: "17.2"
+type: development
+group: group::pipeline security
+default_enabled: false
--
GitLab