From 3f96a14a1a5346656a10fec6113462339e4383cd Mon Sep 17 00:00:00 2001
From: Furkan Ayhan
Date: Thu, 26 May 2022 23:20:25 +0300
Subject: [PATCH 1/4] Support group gitlab-deploy-token for CI_DEPLOY_ variables
When you define gitlab-deploy-token on a group, CI pipeline jobs of projects under the group do not have CI_DEPLOY_* variables. This change will provide this. It's behind a feature flag ci_variable_for_group_gitlab_deploy_token
---
 app/models/group.rb | 6 +++
 app/models/project.rb | 8 +++-
 ...variable_for_group_gitlab_deploy_token.yml | 8 ++++
 doc/user/project/deploy_tokens/index.md | 6 +--
 spec/models/ci/build_spec.rb | 25 +++++++++++-
 spec/models/group_spec.rb | 39 +++++++++++++++++++
 spec/models/project_spec.rb | 20 +++++++++-
 7 files changed, 104 insertions(+), 8 deletions(-)
 create mode 100644 config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml
diff --git a/app/models/group.rb b/app/models/group.rb
index 86f4b14cb6cfdb..5369e873d17f35 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -863,6 +863,12 @@ def feature_available?(feature, user = nil)
 end
 end
+ def gitlab_deploy_token
+ strong_memoize(:gitlab_deploy_token) do
+ deploy_tokens.gitlab_deploy_token
+ end
+ end
+
 private
 def feature_flag_enabled_for_self_or_ancestor?(feature_flag)
diff --git a/app/models/project.rb b/app/models/project.rb
index a215ff2a8781c6..f1dfd27f41ad8e 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2509,7 +2509,13 @@ def toggle_ci_cd_settings!(settings_attribute)
 end
 def gitlab_deploy_token
- @gitlab_deploy_token ||= deploy_tokens.gitlab_deploy_token
+ strong_memoize(:gitlab_deploy_token) do
+ if Feature.enabled?(:ci_variable_for_group_gitlab_deploy_token, self)
+ deploy_tokens.gitlab_deploy_token || group&.gitlab_deploy_token
+ else
+ deploy_tokens.gitlab_deploy_token
+ end
+ end
 end
 def any_lfs_file_locks?
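Review bot: `Group#gitlab_deploy_token` is added as a public method with no comment, although the object it returns carries a credential that `Project#gitlab_deploy_token` later hands to CI jobs. A short comment would help the next reader, for example `# Active deploy token named gitlab-deploy-token for this group, or nil. Used as the CI_DEPLOY_* fallback for projects in the group.` The specs in this patch expect nil for revoked and expired tokens, so that filtering presumably lives in the `deploy_tokens.gitlab_deploy_token` scope, which is outside the hunk and worth confirming. The enclosing class starts and ends outside the hunk.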
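Review bot: The `group&.gitlab_deploy_token` fallback in `Project#gitlab_deploy_token` puts a group-level credential into the job variables of every project directly under that group, so anyone who can run a pipeline in one of those projects can read a token whose access presumably covers the whole group. Nothing in the hunk states that widening; a comment above the method such as `# Falls back to the parent group's gitlab-deploy-token; its secret is then exposed as CI_DEPLOY_PASSWORD to this project's jobs.` would make the trust boundary visible. Only the immediate `group` is consulted, so a token defined on an ancestor group is not picked up; if that is intended it deserves a spec, and if not the lookup needs to walk the ancestors. The enclosing class starts and ends outside the hunk.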
diff --git a/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml b/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml
new file mode 100644
index 00000000000000..aa10a201186bd2
--- /dev/null
+++ b/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml
@@ -0,0 +1,8 @@
+---
+name: ci_variable_for_group_gitlab_deploy_token
+introduced_by_url:
+rollout_issue_url:
+milestone: '15.1'
+type: development
+group: group::pipeline authoring
+default_enabled: false
diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md
index 64c18ab6f3b8f0..14c95bd9744639 100644
--- a/doc/user/project/deploy_tokens/index.md
+++ b/doc/user/project/deploy_tokens/index.md
@@ -203,9 +203,9 @@ docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
 ```
 NOTE:
-The special handling for the `gitlab-deploy-token` deploy token is not
-implemented for group deploy tokens. To make the group-level deploy token available for
-CI/CD jobs, the `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` variables should be set under **Settings** to the name and token of the group deploy token respectively.
+Before 15.1, the special handling for the `gitlab-deploy-token` deploy token did not
+work for group deploy tokens. To make the group-level deploy token available for CI/CD jobs,
+the `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` variables needed to be set under **Settings** to the name and token of the group deploy token respectively.
 ## Troubleshooting
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index bdad18fa65901c..d0027747904962 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -3538,7 +3538,7 @@
 ]
 end
- context 'when gitlab-deploy-token exists' do
+ context 'when gitlab-deploy-token exists for project' do
 before do
 project.deploy_tokens << deploy_token
 end
@@ -3548,11 +3548,32 @@
 end
 end
- context 'when gitlab-deploy-token does not exist' do
+ context 'when gitlab-deploy-token does not exist for project' do
 it 'does not include deploy token variables' do
 expect(subject.find { |v| v[:key] == 'CI_DEPLOY_USER'}).to be_nil
 expect(subject.find { |v| v[:key] == 'CI_DEPLOY_PASSWORD'}).to be_nil
 end
+
+ context 'when gitlab-deploy-token exists for group' do
+ before do
+ group.deploy_tokens << deploy_token
+ end
+
+ it 'includes deploy token variables' do
+ is_expected.to include(*deploy_token_variables)
+ end
+
+ context 'when the FF ci_variable_for_group_gitlab_deploy_token is disabled' do
+ before do
+ stub_feature_flags(ci_variable_for_group_gitlab_deploy_token: false)
+ end
+
+ it 'does not include deploy token variables' do
+ expect(subject.find { |v| v[:key] == 'CI_DEPLOY_USER'}).to be_nil
+ expect(subject.find { |v| v[:key] == 'CI_DEPLOY_PASSWORD'}).to be_nil
+ end
+ end
+ end
 end
 end
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index e7c830ce5e7986..b48a95225270ee 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -3396,4 +3396,43 @@ def define_cache_expectations(cache_key)
 end
 end
 end
+
+ describe '#gitlab_deploy_token' do
+ subject(:gitlab_deploy_token) { group.gitlab_deploy_token }
+
+ context 'when there is a gitlab deploy token associated' do
+ let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, groups: [group]) }
+
+ it { is_expected.to eq(deploy_token) }
+ end
+
+ context 'when there is no a gitlab deploy token associated' do
+ it { is_expected.to be_nil }
+ end
+
+ context 'when there is a gitlab deploy token associated but is has been revoked' do
+ let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, :revoked, groups: [group]) }
+
+ it { is_expected.to be_nil }
+ end
+
+ context 'when there is a gitlab deploy token associated but it is expired' do
+ let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, :expired, groups: [group]) }
+
+ it { is_expected.to be_nil }
+ end
+
+ context 'when there is a deploy token associated with a different name' do
+ let!(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
+
+ it { is_expected.to be_nil }
+ end
+
+ context 'when there is a gitlab deploy token associated to a different group' do
+ let(:group_2) { create(:group) }
+ let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, groups: [group_2]) }
+
+ it { is_expected.to be_nil }
+ end
+ end
 end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 44d4b99bc3640c..2686a5ddd8b0ca 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -6220,7 +6220,7 @@ def has_external_wiki
 describe '#gitlab_deploy_token' do
 let(:project) { create(:project) }
- subject { project.gitlab_deploy_token }
+ subject(:gitlab_deploy_token) { project.gitlab_deploy_token }
 context 'when there is a gitlab deploy token associated' do
 let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
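Review bot: Two context descriptions in the new `describe '#gitlab_deploy_token'` block of group_spec.rb contain typos that will show up verbatim in spec output: `'when there is no a gitlab deploy token associated'` and `'when there is a gitlab deploy token associated but is has been revoked'`. They should read `'when there is no gitlab deploy token associated'` and `'when there is a gitlab deploy token associated but it has been revoked'`. The revoked and expired examples are the ones that document the security-relevant behaviour, so their wording is worth getting right.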
@@ -6252,10 +6252,26 @@ def has_external_wiki
 context 'when there is a deploy token associated to a different project' do
 let(:project_2) { create(:project) }
- let!(:deploy_token) { create(:deploy_token, projects: [project_2]) }
+ let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project_2]) }
 it { is_expected.to be_nil }
 end
+
+ context 'when the project group has a gitlab deploy token associated' do
+ let(:group) { create(:group) }
+ let(:project) { create(:project, group: group) }
+ let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :group, groups: [group]) }
+
+ it { is_expected.to eq(deploy_token) }
+
+ context 'when the FF ci_variable_for_group_gitlab_deploy_token is disabled' do
+ before do
+ stub_feature_flags(ci_variable_for_group_gitlab_deploy_token: false)
+ end
+
+ it { is_expected.to be_nil }
+ end
+ end
 end
 context 'with uploads' do
-- GitLab
From 6acadb796b533138e0e0841a9fa8c194f3a2f337 Mon Sep 17 00:00:00 2001
From: Furkan Ayhan
Date: Thu, 26 May 2022 20:35:47 +0000
Subject: [PATCH 2/4] Apply 1 suggestion(s) to 1 file(s)
---
 .../development/ci_variable_for_group_gitlab_deploy_token.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml b/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml
index aa10a201186bd2..6474e8aa85e5cf 100644
--- a/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml
+++ b/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml
@@ -1,7 +1,7 @@
 ---
 name: ci_variable_for_group_gitlab_deploy_token
-introduced_by_url:
-rollout_issue_url:
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88696
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/363621
 milestone: '15.1'
 type: development
 group: group::pipeline authoring
-- GitLab
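Review bot: The new context `'when the project group has a gitlab deploy token associated'` only exercises an active group token, so nothing at the project level pins that a revoked or expired group `gitlab-deploy-token` is never returned by `Project#gitlab_deploy_token`. Because the result ends up in job variables, I would add a sibling context with `let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :group, :revoked, groups: [group]) }` and `it { is_expected.to be_nil }`, and the same with `:expired`. The surrounding `describe '#gitlab_deploy_token'` block starts outside the hunk.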
From c868968c874b20ba0e259080fc106ca18c2b80a3 Mon Sep 17 00:00:00 2001
From: Marcel Amirault
Date: Mon, 30 May 2022 10:20:28 +0000
Subject: [PATCH 3/4] Apply 2 suggestion(s) to 1 file(s)
---
 doc/user/project/deploy_tokens/index.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md
index 14c95bd9744639..0854b95275ab18 100644
--- a/doc/user/project/deploy_tokens/index.md
+++ b/doc/user/project/deploy_tokens/index.md
@@ -190,6 +190,8 @@ To pull images from the Dependency Proxy, you must:
 ### GitLab deploy token
+> Support for `gitlab-deploy-token` at the group level [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214014) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `ci_variable_for_group_gitlab_deploy_token`. Disabled by default.
+
 There's a special case when it comes to deploy tokens. If a user creates one named `gitlab-deploy-token`, the username and token of the deploy token is automatically exposed to the CI/CD jobs as CI/CD variables: `CI_DEPLOY_USER`
@@ -203,9 +205,10 @@ docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
 ```
 NOTE:
-Before 15.1, the special handling for the `gitlab-deploy-token` deploy token did not
-work for group deploy tokens. To make the group-level deploy token available for CI/CD jobs,
-the `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` variables needed to be set under **Settings** to the name and token of the group deploy token respectively.
+In GitLab 15.0 and earlier, the special handling for the `gitlab-deploy-token` deploy token
+does not work for group deploy tokens. To make the group-level deploy token available
+for CI/CD jobs, the `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` CI/CD variables must be
+set in **Settings > CI/CD > Variables** to the name and token of the group deploy token.
 ## Troubleshooting
-- GitLab
From 70a637a545241eb05401e030724f8d58fa23aaf4 Mon Sep 17 00:00:00 2001
From: Furkan Ayhan
Date: Tue, 31 May 2022 21:16:26 +0300
Subject: [PATCH 4/4] Apply review feedback
---
 spec/models/group_spec.rb | 3 +--
 spec/models/project_spec.rb | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index b48a95225270ee..ab92606e6fcee0 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -3429,8 +3429,7 @@ def define_cache_expectations(cache_key)
 end
 context 'when there is a gitlab deploy token associated to a different group' do
- let(:group_2) { create(:group) }
- let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, groups: [group_2]) }
+ let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, groups: [create(:group)]) }
 it { is_expected.to be_nil }
 end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 2686a5ddd8b0ca..21978321a0f30a 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -6272,6 +6272,23 @@ def has_external_wiki
 it { is_expected.to be_nil }
 end
 end
+
+ context 'when the project and its group has a gitlab deploy token associated' do
+ let(:group) { create(:group) }
+ let(:project) { create(:project, group: group) }
+ let!(:project_deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
+ let!(:group_deploy_token) { create(:deploy_token, :gitlab_deploy_token, :group, groups: [group]) }
+
+ it { is_expected.to eq(project_deploy_token) }
+
+ context 'when the FF ci_variable_for_group_gitlab_deploy_token is disabled' do
+ before do
+ stub_feature_flags(ci_variable_for_group_gitlab_deploy_token: false)
+ end
+
+ it { is_expected.to eq(project_deploy_token) }
+ end
+ end
 end
 context 'with uploads' do
-- GitLab