From d279399c0e00a248612685f7c068919b4345cb35 Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Tue, 4 Oct 2022 08:04:13 -0400 Subject: [PATCH 1/3] Allow to toggle inbound job token Allow toggling the inbound job token scope setting via a graphql mutation Changelog: changed --- .../ci/project_ci_cd_settings_update.rb | 9 +++- app/graphql/types/ci/ci_cd_setting_type.rb | 9 +++- .../ci_inbound_job_token_scope.yml | 8 ++++ doc/api/graphql/reference/index.md | 9 ++-- .../api/graphql/ci/ci_cd_setting_spec.rb | 2 + .../ci/project_ci_cd_settings_update_spec.rb | 47 +++++++++++++++++-- 6 files changed, 76 insertions(+), 8 deletions(-) create mode 100644 config/feature_flags/development/ci_inbound_job_token_scope.yml diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb index b0cffa2c088ee4..d23e206912bafe 100644 --- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb +++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb @@ -19,7 +19,11 @@ class ProjectCiCdSettingsUpdate < BaseMutation argument :job_token_scope_enabled, GraphQL::Types::Boolean, required: false, - description: 'Indicates CI job tokens generated in this project have restricted access to resources.' + description: 'Indicates CI job tokens generated in this project have restricted access to other projects.' + + argument :inbound_job_token_scope_enabled, GraphQL::Types::Boolean, + required: false, + description: 'Indicates CI job tokens generated in other projects have restricted access to this project.' field :ci_cd_settings, Types::Ci::CiCdSettingType, @@ -28,6 +32,9 @@ class ProjectCiCdSettingsUpdate < BaseMutation def resolve(full_path:, **args) project = authorized_find!(full_path) + + args.delete(:inbound_job_token_scope_enabled) unless Feature.enabled?(:ci_inbound_job_token_scope, project) + settings = project.ci_cd_settings settings.update(args) 
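Review bot: In `resolve`, `args.delete(:inbound_job_token_scope_enabled) unless Feature.enabled?(:ci_inbound_job_token_scope, project)` silently discards the argument, so with the flag off a caller who asks to restrict inbound job-token access gets a successful response while the project stays unchanged. For a setting that narrows which projects' job tokens can reach this one, a silent no-op is easy to mistake for an applied control; I would reject the request explicitly instead, e.g. `raise Gitlab::Graphql::Errors::ArgumentError, 'inbound_job_token_scope_enabled is not available for this project' if args.key?(:inbound_job_token_scope_enabled) && Feature.disabled?(:ci_inbound_job_token_scope, project)`. The result of `settings.update(args)` and the rest of `resolve` are outside the hunk, so how validation errors are returned cannot be confirmed from here. The argument added in the first hunk is part of the schema regardless of the flag, which is worth stating in its description while the flag is default-off.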
diff --git a/app/graphql/types/ci/ci_cd_setting_type.rb b/app/graphql/types/ci/ci_cd_setting_type.rb index bec8c72e783262..4f2eb9bb37a529 100644 --- a/app/graphql/types/ci/ci_cd_setting_type.rb +++ b/app/graphql/types/ci/ci_cd_setting_type.rb @@ -10,8 +10,15 @@ class CiCdSettingType < BaseObject field :job_token_scope_enabled, GraphQL::Types::Boolean, null: true, - description: 'Indicates CI job tokens generated in this project have restricted access to resources.', + description: 'Indicates CI job tokens generated in this project have restricted access to other projects.', method: :job_token_scope_enabled? + + field :inbound_job_token_scope_enabled, + GraphQL::Types::Boolean, + null: true, + description: 'Indicates CI job tokens generated in other projects have restricted access to this project.', + method: :inbound_job_token_scope_enabled? + field :keep_latest_artifact, GraphQL::Types::Boolean, null: true, description: 'Whether to keep the latest builds artifacts.', method: :keep_latest_artifacts_available? diff --git a/config/feature_flags/development/ci_inbound_job_token_scope.yml b/config/feature_flags/development/ci_inbound_job_token_scope.yml new file mode 100644 index 00000000000000..0a7a618531cd33 --- /dev/null +++ b/config/feature_flags/development/ci_inbound_job_token_scope.yml @@ -0,0 +1,8 @@ +--- +name: ci_inbound_job_token_scope +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/99165 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/376063 +milestone: '15.5' +type: development +group: group::pipeline execution +default_enabled: false diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index b9a0be19fa1431..ea9c0da6249168 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
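Review bot: The new `inbound_job_token_scope_enabled` field in `CiCdSettingType` is exposed unconditionally, while the mutation in this same patch only accepts writes when `ci_inbound_job_token_scope` is enabled for the project. A reader of the API can therefore see `true` on a project where the flag is off; whether the restriction is enforced in that state is not visible in this patch, so the field may report a control that is not in effect. Consider returning `nil` when the flag is disabled (the field is already `null: true`), or say in the description that the value is only meaningful once the flag is enabled. The class body continues outside the hunk, so the type's authorization declaration cannot be checked from here.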
@@ -1028,7 +1028,8 @@ Input type: `CiCdSettingsUpdateInput`
 | ---- | ---- | ----------- |
 | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | `fullPath` | [`ID!`](#id) | Full Path of the project the settings belong to. |
-| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to resources. |
+| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in other projects have restricted access to this project. |
+| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to other projects. |
 | `keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for this project. |
 | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. |
 | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. |
@@ -4168,7 +4169,8 @@ Input type: `ProjectCiCdSettingsUpdateInput` | ---- | ---- | ----------- | | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | | `fullPath` | [`ID!`](#id) | Full Path of the project the settings belong to. | -| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to resources. | +| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in other projects have restricted access to this project. | +| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to other projects. | | `keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for this project. | | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. | @@ -17248,7 +17250,8 @@ four standard [pagination arguments](#connection-pagination-arguments): | Name | Type | Description | | ---- | ---- | ----------- | -| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to resources. | +| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in other projects have restricted access to this project. | +| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to other projects. | | `keepLatestArtifact` | [`Boolean`](#boolean) | Whether to keep the latest builds artifacts. | | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Whether merge pipelines are enabled. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Whether merge trains are enabled. | 
diff --git a/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb b/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb index c19defa37e8a74..2dc7b9764fe979 100644 --- a/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb +++ b/spec/requests/api/graphql/ci/ci_cd_setting_spec.rb @@ -48,6 +48,8 @@ expect(settings_data['mergeTrainsEnabled']).to eql project.ci_cd_settings.merge_trains_enabled? expect(settings_data['keepLatestArtifact']).to eql project.keep_latest_artifacts_available? expect(settings_data['jobTokenScopeEnabled']).to eql project.ci_cd_settings.job_token_scope_enabled? + expect(settings_data['inboundJobTokenScopeEnabled']).to eql( + project.ci_cd_settings.inbound_job_token_scope_enabled?) end end end diff --git a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb index 394d9ff53d12fb..6cca618726bd4a 100644 --- a/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb +++ b/spec/requests/api/graphql/mutations/ci/project_ci_cd_settings_update_spec.rb @@ -6,15 +6,19 @@ include GraphqlHelpers let_it_be(:project) do - create(:project, keep_latest_artifact: true, ci_job_token_scope_enabled: true) - .tap(&:save!) + create(:project, + keep_latest_artifact: true, + ci_job_token_scope_enabled: true, + ci_inbound_job_token_scope_enabled: true + ).tap(&:save!) end let(:variables) do { full_path: project.full_path, keep_latest_artifact: false, - job_token_scope_enabled: false + job_token_scope_enabled: false, + inbound_job_token_scope_enabled: false } end 
@@ -76,6 +80,43 @@ expect(project.ci_job_token_scope_enabled).to eq(true) end + describe 'inbound_job_token_scope_enabled' do + it 'updates inbound_job_token_scope_enabled' do + post_graphql_mutation(mutation, current_user: user) + + project.reload + + expect(response).to have_gitlab_http_status(:success) + expect(project.ci_inbound_job_token_scope_enabled).to eq(false) + end + + it 'does not update inbound_job_token_scope_enabled if not specified' do + variables.except!(:inbound_job_token_scope_enabled) + + post_graphql_mutation(mutation, current_user: user) + + project.reload + + expect(response).to have_gitlab_http_status(:success) + expect(project.ci_inbound_job_token_scope_enabled).to eq(true) + end + + context 'when ci_inbound_job_token_scope disabled' do + before do + stub_feature_flags(ci_inbound_job_token_scope: false) + end + + it 'does not update inbound_job_token_scope_enabled' do + post_graphql_mutation(mutation, current_user: user) + + project.reload + + expect(response).to have_gitlab_http_status(:success) + expect(project.ci_inbound_job_token_scope_enabled).to eq(true) + end + end + end + context 'when bad arguments are provided' do let(:variables) { { full_path: '', keep_latest_artifact: false } } -- GitLab From 21d1c68419889fc98aea858a10ee128cd51d5bc2 Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Wed, 5 Oct 2022 09:14:59 -0400 Subject: [PATCH 2/3] Use CI/CD in documentation --- .../mutations/ci/project_ci_cd_settings_update.rb | 4 ++-- app/graphql/types/ci/ci_cd_setting_type.rb | 4 ++-- doc/api/graphql/reference/index.md | 12 ++++++------ 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb index d23e206912bafe..f5bd2e88cba29b 100644 --- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb +++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb 
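Review bot: The `when ci_inbound_job_token_scope disabled` context only tries to set `inbound_job_token_scope_enabled` to `false` on a project created with `true`, and asserts only the HTTP status and that the stored value is unchanged. The opposite direction, a project with the setting `false` and a request for `true` while the flag is off, is not covered, and neither is the response body, so a client being told "success" for an ignored hardening request is not pinned by any example. I would add an example for that direction and assert on the mutation's errors in both, for instance `expect(graphql_errors).to be_present` if the mutation is changed to reject the argument, or an explicit empty-errors expectation if the silent drop is intended. Examples for callers without permission to change the setting may exist above the hunk; they are not visible here.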
@@ -19,11 +19,11 @@ class ProjectCiCdSettingsUpdate < BaseMutation argument :job_token_scope_enabled, GraphQL::Types::Boolean, required: false, - description: 'Indicates CI job tokens generated in this project have restricted access to other projects.' + description: 'Indicates CI/CD job tokens generated in this project have restricted access to other projects.' argument :inbound_job_token_scope_enabled, GraphQL::Types::Boolean, required: false, - description: 'Indicates CI job tokens generated in other projects have restricted access to this project.' + description: 'Indicates CI/CD job tokens generated in other projects have restricted access to this project.' field :ci_cd_settings, Types::Ci::CiCdSettingType, diff --git a/app/graphql/types/ci/ci_cd_setting_type.rb b/app/graphql/types/ci/ci_cd_setting_type.rb index 4f2eb9bb37a529..a1dbc2220a32e5 100644 --- a/app/graphql/types/ci/ci_cd_setting_type.rb +++ b/app/graphql/types/ci/ci_cd_setting_type.rb @@ -10,13 +10,13 @@ class CiCdSettingType < BaseObject field :job_token_scope_enabled, GraphQL::Types::Boolean, null: true, - description: 'Indicates CI job tokens generated in this project have restricted access to other projects.', + description: 'Indicates CI/CD job tokens generated in this project have restricted access to other projects.', method: :job_token_scope_enabled? field :inbound_job_token_scope_enabled, GraphQL::Types::Boolean, null: true, - description: 'Indicates CI job tokens generated in other projects have restricted access to this project.', + description: 'Indicates CI/CD job tokens generated in other projects have restricted access to this project.', method: :inbound_job_token_scope_enabled? field :keep_latest_artifact, GraphQL::Types::Boolean, null: true, diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index ea9c0da6249168..54946719380999 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
@@ -1028,8 +1028,8 @@ Input type: `CiCdSettingsUpdateInput`
 | ---- | ---- | ----------- |
 | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | `fullPath` | [`ID!`](#id) | Full Path of the project the settings belong to. |
-| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in other projects have restricted access to this project. |
-| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to other projects. |
+| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI/CD job tokens generated in other projects have restricted access to this project. |
+| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI/CD job tokens generated in this project have restricted access to other projects. |
 | `keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for this project. |
 | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. |
 | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. |
@@ -4169,8 +4169,8 @@ Input type: `ProjectCiCdSettingsUpdateInput`
 | ---- | ---- | ----------- |
 | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | `fullPath` | [`ID!`](#id) | Full Path of the project the settings belong to. |
-| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in other projects have restricted access to this project. |
-| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to other projects. |
+| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI/CD job tokens generated in other projects have restricted access to this project. |
+| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI/CD job tokens generated in this project have restricted access to other projects. |
 | `keepLatestArtifact` | [`Boolean`](#boolean) | Indicates if the latest artifact should be kept for this project. |
 | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Indicates if merge pipelines are enabled for the project. |
 | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Indicates if merge trains are enabled for the project. |
@@ -17250,8 +17250,8 @@ four standard [pagination arguments](#connection-pagination-arguments): | Name | Type | Description | | ---- | ---- | ----------- | -| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in other projects have restricted access to this project. | -| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI job tokens generated in this project have restricted access to other projects. | +| `inboundJobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI/CD job tokens generated in other projects have restricted access to this project. | +| `jobTokenScopeEnabled` | [`Boolean`](#boolean) | Indicates CI/CD job tokens generated in this project have restricted access to other projects. | | `keepLatestArtifact` | [`Boolean`](#boolean) | Whether to keep the latest builds artifacts. | | `mergePipelinesEnabled` | [`Boolean`](#boolean) | Whether merge pipelines are enabled. | | `mergeTrainsEnabled` | [`Boolean`](#boolean) | Whether merge trains are enabled. | -- GitLab From 6a61512cb33402a25710d62b52aebda3d6419c8d Mon Sep 17 00:00:00 2001 From: Allison Browne Date: Wed, 5 Oct 2022 09:52:03 -0400 Subject: [PATCH 3/3] Use CI/CD in documentation --- app/graphql/mutations/ci/project_ci_cd_settings_update.rb | 6 ++++-- app/graphql/types/ci/ci_cd_setting_type.rb | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb index f5bd2e88cba29b..27b066ffcf6f6a 100644 --- a/app/graphql/mutations/ci/project_ci_cd_settings_update.rb +++ b/app/graphql/mutations/ci/project_ci_cd_settings_update.rb 
@@ -19,11 +19,13 @@ class ProjectCiCdSettingsUpdate < BaseMutation argument :job_token_scope_enabled, GraphQL::Types::Boolean, required: false, - description: 'Indicates CI/CD job tokens generated in this project have restricted access to other projects.' + description: 'Indicates CI/CD job tokens generated in this project ' \ + 'have restricted access to other projects.' argument :inbound_job_token_scope_enabled, GraphQL::Types::Boolean, required: false, - description: 'Indicates CI/CD job tokens generated in other projects have restricted access to this project.' + description: 'Indicates CI/CD job tokens generated in other projects ' \ + 'have restricted access to this project.' field :ci_cd_settings, Types::Ci::CiCdSettingType, diff --git a/app/graphql/types/ci/ci_cd_setting_type.rb b/app/graphql/types/ci/ci_cd_setting_type.rb index a1dbc2220a32e5..574791b79e6b7f 100644 --- a/app/graphql/types/ci/ci_cd_setting_type.rb +++ b/app/graphql/types/ci/ci_cd_setting_type.rb @@ -10,13 +10,15 @@ class CiCdSettingType < BaseObject field :job_token_scope_enabled, GraphQL::Types::Boolean, null: true, - description: 'Indicates CI/CD job tokens generated in this project have restricted access to other projects.', + description: 'Indicates CI/CD job tokens generated in this project ' \ + 'have restricted access to other projects.', method: :job_token_scope_enabled? field :inbound_job_token_scope_enabled, GraphQL::Types::Boolean, null: true, - description: 'Indicates CI/CD job tokens generated in other projects have restricted access to this project.', + description: 'Indicates CI/CD job tokens generated in other projects ' \ + 'have restricted access to this project.', method: :inbound_job_token_scope_enabled? field :keep_latest_artifact, GraphQL::Types::Boolean, null: true, -- GitLab