From b2b8a0732f19df07ff1fb16d9438a62d717cfa05 Mon Sep 17 00:00:00 2001
From: Allison Browne
Date: Tue, 27 Sep 2022 11:56:06 -0400
Subject: [PATCH 1/5] Generate empty migration
---
...ob_token_scope_enabled_to_ci_cd_setting.rb | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb
diff --git a/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb b/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb
new file mode 100644
index 00000000000000..d6268274dd4213
--- /dev/null
+++ b/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+# See https://docs.gitlab.com/ee/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddColumnInboundJobTokenScopeEnabledToCiCdSetting < Gitlab::Database::Migration[2.0]
+ # When using the methods "add_concurrent_index" or "remove_concurrent_index"
+ # you must disable the use of transactions
+ # as these methods can not run in an existing transaction.
+ # When using "add_concurrent_index" or "remove_concurrent_index" methods make sure
+ # that either of them is the _only_ method called in the migration,
+ # any other changes should go in a separate migration.
+ # This ensures that upon failure _only_ the index creation or removing fails
+ # and can be retried or reverted easily.
+ #
+ # To disable transactions uncomment the following line and remove these
+ # comments:
+ # disable_ddl_transaction!
+ #
+ # Configure the `gitlab_schema` to perform data manipulation (DML).
+ # Visit: https://docs.gitlab.com/ee/development/database/migrations_for_multiple_databases.html
+ # restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+ def change
+ end
+end
-- GitLab
From 3af764f71307a91e28de7d3c3f39194af0a6fdbf Mon Sep 17 00:00:00 2001
From: Allison Browne
Date: Wed, 28 Sep 2022 16:05:00 -0400
Subject: [PATCH 2/5] Add inbound_job_token_scope to ci cd settings
* Add a column to keep track if the inbound job token scope is enabled
Changelog: added
---
...ob_token_scope_enabled_to_ci_cd_setting.rb | 27 +++++--------------
db/schema_migrations/20220927155407 | 1 +
db/structure.sql | 3 ++-
3 files changed, 10 insertions(+), 21 deletions(-)
create mode 100644 db/schema_migrations/20220927155407
diff --git a/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb b/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb
index d6268274dd4213..811138cd2f200f 100644
--- a/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb
+++ b/db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb
@@ -1,26 +1,13 @@ # frozen_string_literal: true -# See https://docs.gitlab.com/ee/development/migration_style_guide.html -# for more information on how to write migrations for GitLab. - class AddColumnInboundJobTokenScopeEnabledToCiCdSetting < Gitlab::Database::Migration[2.0] - # When using the methods "add_concurrent_index" or "remove_concurrent_index" - # you must disable the use of transactions - # as these methods can not run in an existing transaction. - # When using "add_concurrent_index" or "remove_concurrent_index" methods make sure - # that either of them is the _only_ method called in the migration, - # any other changes should go in a separate migration. - # This ensures that upon failure _only_ the index creation or removing fails - # and can be retried or reverted easily. - # - # To disable transactions uncomment the following line and remove these - # comments: - # disable_ddl_transaction! - # - # Configure the `gitlab_schema` to perform data manipulation (DML). - # Visit: https://docs.gitlab.com/ee/development/database/migrations_for_multiple_databases.html - # restrict_gitlab_migration gitlab_schema: :gitlab_main + enable_lock_retries! + + def up + add_column :project_ci_cd_settings, :inbound_job_token_scope_enabled, :boolean, default: false, null: false + end - def change + def down + remove_column :project_ci_cd_settings, :inbound_job_token_scope_enabled end end diff --git a/db/schema_migrations/20220927155407 b/db/schema_migrations/20220927155407 new file mode 100644 index 00000000000000..a704ba7cb4167a --- /dev/null +++ b/db/schema_migrations/20220927155407 @@ -0,0 +1 @@ +97bdc9d31ed93897f3133459779207b3b750530b615e243a625681d433090e94 \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index d6665c0999dc03..f0eb61ab21ca28 100644 --- a/db/structure.sql +++ b/db/structure.sql 
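Review bot: The `add_column` call in `up` of db/migrate/20220927155407_add_column_inbound_job_token_scope_enabled_to_ci_cd_setting.rb creates `inbound_job_token_scope_enabled` with `default: false, null: false`, and the migration carries no comment explaining why "off" is the right starting value for every existing `project_ci_cd_settings` row. If the flag gates a restriction on CI job token access (the name suggests so, but the enforcing code is not on this page), off-by-default is the permissive state and the choice should be recorded where the next reader of the schema will find it. I would add a comment above the call, for example `# Defaults to false while the feature is unreleased; revisit the default before enforcement ships.`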
@@ -19645,7 +19645,8 @@ CREATE TABLE project_ci_cd_settings ( runner_token_expiration_interval integer, separated_caches boolean DEFAULT true NOT NULL, opt_in_jwt boolean DEFAULT false NOT NULL, - allow_fork_pipelines_to_run_in_parent_project boolean DEFAULT true NOT NULL + allow_fork_pipelines_to_run_in_parent_project boolean DEFAULT true NOT NULL, + inbound_job_token_scope_enabled boolean DEFAULT false NOT NULL ); CREATE SEQUENCE project_ci_cd_settings_id_seq -- GitLab From c97d6acda69c54fcee7fb0a9cffeaed8bbc0ffdf Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Thu, 29 Sep 2022 12:08:55 -0400 Subject: [PATCH 3/5] Fix specs by adding to project_attributes.yml --- app/models/project.rb | 7 +++++++ spec/factories/projects.rb | 2 ++ spec/requests/api/project_attributes.yml | 1 + 3 files changed, 10 insertions(+) diff --git a/app/models/project.rb b/app/models/project.rb index 3387a55f20d917..e0235e8815171e 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -474,6 +474,7 @@ def self.integration_association_name(name) delegate :default_git_depth, :default_git_depth=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :forward_deployment_enabled, :forward_deployment_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true + delegate :inbound_job_token_scope_enabled, :inbound_job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true delegate :opt_in_jwt, :opt_in_jwt=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :allow_fork_pipelines_to_run_in_parent_project, :allow_fork_pipelines_to_run_in_parent_project=, to: :ci_cd_settings, prefix: :ci, allow_nil: true 
@@ -2889,6 +2890,12 @@ def ci_job_token_scope_enabled? ci_cd_settings.job_token_scope_enabled? end + def ci_inbound_job_token_scope_enabled? + return false unless ci_cd_settings + + ci_cd_settings.inbound_job_token_scope_enabled? + end + def restrict_user_defined_variables? return false unless ci_cd_settings diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb index 871917a725ec83..0ee834a5eef5e9 100644 --- a/spec/factories/projects.rb +++ b/spec/factories/projects.rb @@ -55,6 +55,7 @@ forward_deployment_enabled { nil } restrict_user_defined_variables { nil } ci_job_token_scope_enabled { nil } + ci_inbound_job_token_scope_enabled { nil } runner_token_expiration_interval { nil } runner_token_expiration_interval_human_readable { nil } end @@ -113,6 +114,7 @@ project.keep_latest_artifact = evaluator.keep_latest_artifact unless evaluator.keep_latest_artifact.nil? project.restrict_user_defined_variables = evaluator.restrict_user_defined_variables unless evaluator.restrict_user_defined_variables.nil? project.ci_job_token_scope_enabled = evaluator.ci_job_token_scope_enabled unless evaluator.ci_job_token_scope_enabled.nil? + project.ci_inbound_job_token_scope_enabled = evaluator.ci_inbound_job_token_scope_enabled unless evaluator.ci_inbound_job_token_scope_enabled.nil? project.runner_token_expiration_interval = evaluator.runner_token_expiration_interval unless evaluator.runner_token_expiration_interval.nil? project.runner_token_expiration_interval_human_readable = evaluator.runner_token_expiration_interval_human_readable unless evaluator.runner_token_expiration_interval_human_readable.nil? diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml index 73b23e8b701b7e..04b03fdd95dc7e 100644 --- a/spec/requests/api/project_attributes.yml +++ b/spec/requests/api/project_attributes.yml 
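Review bot: `ci_inbound_job_token_scope_enabled?` in app/models/project.rb returns `false` when the project has no `ci_cd_settings` record, which for a setting that presumably restricts job-token access is the permissive answer, and the method has no comment saying this is intended. The writer has the same gap: in the later "Allow nil with delegation" hunk, `ci_inbound_job_token_scope_enabled=` is delegated with `allow_nil: true`, so an assignment on a project without settings is dropped without an error. Both follow the neighbouring `restrict_user_defined_variables?` pattern visible in this hunk's context, so I would keep the code and document the contract, e.g. `# Returns false when ci_cd_settings is missing; callers enforcing the scope must treat that as "not restricted".` Whether enforcement should instead fail closed is a decision for the calling code, which is not on this page.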
@@ -99,6 +99,7 @@ ci_cd_settings: default_git_depth: ci_default_git_depth forward_deployment_enabled: ci_forward_deployment_enabled job_token_scope_enabled: ci_job_token_scope_enabled + inbound_job_token_scope_enabled: ci_inbound_job_token_scope_enabled separated_caches: ci_separated_caches opt_in_jwt: ci_opt_in_jwt allow_fork_pipelines_to_run_in_parent_project: ci_allow_fork_pipelines_to_run_in_parent_project -- GitLab From 675c25c7eb59e08be5a0602339394d798e867c7b Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Thu, 29 Sep 2022 14:56:29 -0400 Subject: [PATCH 4/5] Allow nil with delegation --- app/models/project.rb | 2 +- spec/models/project_spec.rb | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/app/models/project.rb b/app/models/project.rb index e0235e8815171e..ffb5879b9775f3 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -474,7 +474,7 @@ def self.integration_association_name(name) delegate :default_git_depth, :default_git_depth=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :forward_deployment_enabled, :forward_deployment_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :job_token_scope_enabled, :job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true - delegate :inbound_job_token_scope_enabled, :inbound_job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci + delegate :inbound_job_token_scope_enabled, :inbound_job_token_scope_enabled=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :keep_latest_artifact, :keep_latest_artifact=, to: :ci_cd_settings, allow_nil: true delegate :opt_in_jwt, :opt_in_jwt=, to: :ci_cd_settings, prefix: :ci, allow_nil: true delegate :allow_fork_pipelines_to_run_in_parent_project, :allow_fork_pipelines_to_run_in_parent_project=, to: :ci_cd_settings, prefix: :ci, allow_nil: true diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index aef665bb585f24..f2a72db70a0de3 100644 
--- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -912,6 +912,12 @@ end end + describe '#ci_inbound_job_token_scope_enabled?' do + it_behaves_like 'a ci_cd_settings predicate method', prefix: 'ci_' do + let(:delegated_method) { :inbound_job_token_scope_enabled? } + end + end + describe '#restrict_user_defined_variables?' do it_behaves_like 'a ci_cd_settings predicate method' do let(:delegated_method) { :restrict_user_defined_variables? } -- GitLab From 063e0ff5eeda0f70d479b82b3fa57cfa90d9ae66 Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Fri, 30 Sep 2022 10:46:00 -0400 Subject: [PATCH 5/5] Add to ignored columns for now Later we will add this column to the project api but we will mark it as unexposed for now since the feature is not released and we have not implemented reads --- spec/requests/api/project_attributes.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml index 04b03fdd95dc7e..eef6dfe9422fcb 100644 --- a/spec/requests/api/project_attributes.yml +++ b/spec/requests/api/project_attributes.yml @@ -90,16 +90,14 @@ ci_cd_settings: - id - project_id - group_runners_enabled - - merge_pipelines_enabled - merge_trains_enabled - merge_pipelines_enabled - - merge_trains_enabled - auto_rollback_enabled + - inbound_job_token_scope_enabled remapped_attributes: default_git_depth: ci_default_git_depth forward_deployment_enabled: ci_forward_deployment_enabled job_token_scope_enabled: ci_job_token_scope_enabled - inbound_job_token_scope_enabled: ci_inbound_job_token_scope_enabled separated_caches: ci_separated_caches opt_in_jwt: ci_opt_in_jwt allow_fork_pipelines_to_run_in_parent_project: ci_allow_fork_pipelines_to_run_in_parent_project -- GitLab