Add latest changes from gitlab-org/gitlab@master

2021-07-16 12:10:21 +00:00 · 2021-07-16 12:10:21 +00:00 · d8bc65941a
parent d27c7afb79
commit d8bc65941a
9 changed files with 85 additions and 25 deletions
--- a/config/feature_flags/development/ci_scoped_job_token.yml
+++ b/config/feature_flags/development/ci_scoped_job_token.yml
@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
 milestone: '14.0'
 type: development
 group: group::pipeline execution
-default_enabled: true
+default_enabled: false
--- a/db/migrate/20210716074555_revert_default_job_token_scope.rb
+++ b/db/migrate/20210716074555_revert_default_job_token_scope.rb
@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class RevertDefaultJobTokenScope < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+
+  def up
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+    end
+  end
+
+  def down
+    with_lock_retries do
+      change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+    end
+  end
+end
--- a/db/schema_migrations/20210716074555
+++ b/db/schema_migrations/20210716074555
@ -0,0 +1 @@
+5cf415013b50c46fde5f12702c3f5bae808848a82eb57bfa38764947fc672ad9
--- a/db/structure.sql
+++ b/db/structure.sql
@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings (
    auto_rollback_enabled boolean DEFAULT false NOT NULL,
    keep_latest_artifact boolean DEFAULT true NOT NULL,
    restrict_user_defined_variables boolean DEFAULT false NOT NULL,
-    job_token_scope_enabled boolean DEFAULT true NOT NULL
+    job_token_scope_enabled boolean DEFAULT false NOT NULL
 );

 CREATE SEQUENCE project_ci_cd_settings_id_seq
--- a/doc/api/index.md
+++ b/doc/api/index.md
@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
 #### Limit GitLab CI/CD job token access

 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
-> - [Deployed behind a feature flag](../user/feature_flags.md), enabled by default.
-> - Enabled on GitLab.com.
-> - Recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
+> - [Deployed behind a feature flag](../user/feature_flags.md), disabled by default.
+> - Disabled on GitLab.com.
+> - Not recommended for production use.
+> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**

-There can be
-[risks when disabling released features](../user/feature_flags.md#risks-when-disabling-released-features).
+This in-development feature might not be available for your use. There can be
+[risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development).
 Refer to this feature's version history for more details.

 You can limit the access scope of a project's CI/CD job token to increase the
@ -292,16 +292,10 @@ the feature with more strategic control of the access permissions.

 ##### Enable or disable CI job token scope limit **(FREE SELF)**

-The GitLab CI/CD job token access scope limit is under development but ready for production
-use. It is deployed behind a feature flag that is **enabled by default**.
+The GitLab CI/CD job token access scope limit is under development and not ready for production
+use. It is deployed behind a feature flag that is **disabled by default**.
 [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
-can disable the feature.
-
-To disable it:
-
-```ruby
-Feature.disable(:ci_scoped_job_token)
-```
+can enable it.

 To enable it:

@ -309,6 +303,12 @@ To enable it:
 Feature.enable(:ci_scoped_job_token)
 ```

+To disable it:
+
+```ruby
+Feature.disable(:ci_scoped_job_token)
+```
+
 ### Impersonation tokens

 Impersonation tokens are a type of [personal access token](../user/profile/personal_access_tokens.md).
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@ -7027,15 +7027,24 @@ msgstr ""
 msgid "ClusterAgents|Access tokens"
 msgstr ""

+msgid "ClusterAgents|Alternative installation methods"
+msgstr ""
+
 msgid "ClusterAgents|An error occurred while loading your GitLab Agents"
 msgstr ""

 msgid "ClusterAgents|An error occurred while loading your agent"
 msgstr ""

+msgid "ClusterAgents|An unknown error occurred. Please try again."
+msgstr ""
+
 msgid "ClusterAgents|Configuration"
 msgstr ""

+msgid "ClusterAgents|Copy token"
+msgstr ""
+
 msgid "ClusterAgents|Created by"
 msgstr ""

@ -7048,9 +7057,15 @@ msgstr ""
 msgid "ClusterAgents|Description"
 msgstr ""

+msgid "ClusterAgents|For alternative installation methods %{linkStart}go to the documentation%{linkEnd}."
+msgstr ""
+
 msgid "ClusterAgents|Go to the repository"
 msgstr ""

+msgid "ClusterAgents|Install new Agent"
+msgstr ""
+
 msgid "ClusterAgents|Integrate Kubernetes with a GitLab Agent"
 msgstr ""

@ -7075,18 +7090,39 @@ msgstr ""
 msgid "ClusterAgents|Read more about getting started"
 msgstr ""

+msgid "ClusterAgents|Recommended installation method"
+msgstr ""
+
 msgid "ClusterAgents|Registering Agent"
 msgstr ""

+msgid "ClusterAgents|Registration token"
+msgstr ""
+
 msgid "ClusterAgents|Select an Agent"
 msgstr ""

+msgid "ClusterAgents|Select the Agent you want to register with GitLab and install on your cluster. To learn more about the Kubernetes Agent registration process %{linkStart}go to the documentation%{linkEnd}."
+msgstr ""
+
+msgid "ClusterAgents|Select which Agent you want to install"
+msgstr ""
+
 msgid "ClusterAgents|The GitLab Agent also requires %{linkStart}enabling the Agent Server%{linkEnd}"
 msgstr ""

 msgid "ClusterAgents|The GitLab Kubernetes Agent allows an Infrastructure as Code, GitOps approach to integrating Kubernetes clusters with GitLab. %{linkStart}Learn more.%{linkEnd}"
 msgstr ""

+msgid "ClusterAgents|The recommended installation method provided below includes the token. If you want to follow the alternative installation method provided in the docs make sure you save the token value before you close the window."
+msgstr ""
+
+msgid "ClusterAgents|The registration token will be used to connect the Agent on your cluster to GitLab. To learn more about the registration tokens and how they are used %{linkStart}go to the documentation%{linkEnd}."
+msgstr ""
+
+msgid "ClusterAgents|The token value will not be shown again after you close this window."
+msgstr ""
+
 msgid "ClusterAgents|This agent has no tokens"
 msgstr ""

@ -13626,6 +13662,9 @@ msgstr ""
 msgid "Failed to publish issue on status page."
 msgstr ""

+msgid "Failed to register Agent"
+msgstr ""
+
 msgid "Failed to remove a Zoom meeting"
 msgstr ""

@ -23123,6 +23162,9 @@ msgstr ""
 msgid "Open Selection"
 msgstr ""

+msgid "Open a CLI and connect to the cluster you want to install the Agent in. Use this installation method to minimise any manual steps.The token is already included in the command."
+msgstr ""
+
 msgid "Open comment type dropdown"
 msgstr ""

--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
  end

  describe '#job_token_scope_enabled' do
-    it 'is true by default' do
-      expect(described_class.new.job_token_scope_enabled).to be_truthy
+    it 'is false by default' do
+      expect(described_class.new.job_token_scope_enabled).to be_falsey
    end
  end

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'

-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token

-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end

@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is enabled', :enable_admin_mode do
                it_behaves_like 'can download code only'

-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token

-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end

--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
                  let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }

                  # I'm not sure what this tests that is different from the previous test
-                  it_behaves_like 'LFS http 404 response'
+                  it_behaves_like 'LFS http 403 response'
                end
              end

@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
                let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }

                # I'm not sure what this tests that is different from the previous test
-                it_behaves_like 'LFS http 404 response'
+                it_behaves_like 'LFS http 403 response'
              end
            end
				`@ -0,0 +1 @@`
				`5cf415013b50c46fde5f12702c3f5bae808848a82eb57bfa38764947fc672ad9`