diff --git a/config/feature_flags/development/ci_scoped_job_token.yml b/config/feature_flags/development/ci_scoped_job_token.yml
index a885a1e6391..a7fa0244839 100644
--- a/config/feature_flags/development/ci_scoped_job_token.yml
+++ b/config/feature_flags/development/ci_scoped_job_token.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/332272
 milestone: '14.0'
 type: development
 group: group::pipeline execution
-default_enabled: true
+default_enabled: false
diff --git a/db/migrate/20210716074555_revert_default_job_token_scope.rb b/db/migrate/20210716074555_revert_default_job_token_scope.rb
new file mode 100644
index 00000000000..d28f75605e4
--- /dev/null
+++ b/db/migrate/20210716074555_revert_default_job_token_scope.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class RevertDefaultJobTokenScope < ActiveRecord::Migration[6.1]
+ include Gitlab::Database::MigrationHelpers
+
+ def up
+ with_lock_retries do
+ change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: true, to: false
+ end
+ end
+
+ def down
+ with_lock_retries do
+ change_column_default :project_ci_cd_settings, :job_token_scope_enabled, from: false, to: true
+ end
+ end
+end
diff --git a/db/schema_migrations/20210716074555 b/db/schema_migrations/20210716074555
new file mode 100644
index 00000000000..f079b199ca5
--- /dev/null
+++ b/db/schema_migrations/20210716074555
@@ -0,0 +1 @@
+5cf415013b50c46fde5f12702c3f5bae808848a82eb57bfa38764947fc672ad9
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 0a1b53400d8..07cbad0f69d 100644
--- a/db/structure.sql
+++ b/db/structure.sql
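Review bot: `change_column_default` in `up` changes only the default applied to rows inserted after the migration runs; rows of `project_ci_cd_settings` created while the previous default was `true` keep `job_token_scope_enabled = true`, so after this commit the stored setting diverges between existing projects and projects created later. Nothing in the commit says whether that split is intended or whether existing rows should be aligned, and whether the `ci_scoped_job_token` flag flipped in the same change gates both populations is not visible from here. A comment in `up` would record the decision, e.g. `# Only the column default changes; rows created under the old default keep job_token_scope_enabled = true.`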
@@ -16753,7 +16753,7 @@ CREATE TABLE project_ci_cd_settings (
 auto_rollback_enabled boolean DEFAULT false NOT NULL,
 keep_latest_artifact boolean DEFAULT true NOT NULL,
 restrict_user_defined_variables boolean DEFAULT false NOT NULL,
- job_token_scope_enabled boolean DEFAULT true NOT NULL
+ job_token_scope_enabled boolean DEFAULT false NOT NULL
 );
 CREATE SEQUENCE project_ci_cd_settings_id_seq
diff --git a/doc/api/index.md b/doc/api/index.md
index d80f4ecf19b..f1059904ac3 100644
--- a/doc/api/index.md
+++ b/doc/api/index.md
@@ -248,13 +248,13 @@ tries to steal tokens from other jobs.
 #### Limit GitLab CI/CD job token access
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1.
-> - [Deployed behind a feature flag](../user/feature_flags.md), enabled by default.
-> - Enabled on GitLab.com.
-> - Recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
+> - [Deployed behind a feature flag](../user/feature_flags.md), disabled by default.
+> - Disabled on GitLab.com.
+> - Not recommended for production use.
+> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ci-job-token-scope-limit). **(FREE SELF)**
-There can be
-[risks when disabling released features](../user/feature_flags.md#risks-when-disabling-released-features).
+This in-development feature might not be available for your use. There can be
+[risks when enabling features still in development](../user/feature_flags.md#risks-when-enabling-features-still-in-development).
 Refer to this feature's version history for more details.
 You can limit the access scope of a project's CI/CD job token to increase the
@@ -292,16 +292,10 @@ the feature with more strategic control of the access permissions.
 ##### Enable or disable CI job token scope limit **(FREE SELF)**
-The GitLab CI/CD job token access scope limit is under development but ready for production
-use. It is deployed behind a feature flag that is **enabled by default**.
+The GitLab CI/CD job token access scope limit is under development and not ready for production
+use. It is deployed behind a feature flag that is **disabled by default**.
 [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
-can disable the feature.
-
-To disable it:
-
-```ruby
-Feature.disable(:ci_scoped_job_token)
-```
+can enable it.
 To enable it:
@@ -309,6 +303,12 @@ To enable it:
 Feature.enable(:ci_scoped_job_token)
 ```
+To disable it:
+
+```ruby
+Feature.disable(:ci_scoped_job_token)
+```
+
 ### Impersonation tokens
 Impersonation tokens are a type of [personal access token](../user/profile/personal_access_tokens.md).
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index c21a50dc9d3..607e37be54b 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -7027,15 +7027,24 @@ msgstr ""
 msgid "ClusterAgents|Access tokens"
 msgstr ""
+msgid "ClusterAgents|Alternative installation methods"
+msgstr ""
+
 msgid "ClusterAgents|An error occurred while loading your GitLab Agents"
 msgstr ""
 msgid "ClusterAgents|An error occurred while loading your agent"
 msgstr ""
+msgid "ClusterAgents|An unknown error occurred. Please try again."
+msgstr ""
+
 msgid "ClusterAgents|Configuration"
 msgstr ""
+msgid "ClusterAgents|Copy token"
+msgstr ""
+
 msgid "ClusterAgents|Created by"
 msgstr ""
@@ -7048,9 +7057,15 @@ msgstr ""
 msgid "ClusterAgents|Description"
 msgstr ""
+msgid "ClusterAgents|For alternative installation methods %{linkStart}go to the documentation%{linkEnd}."
+msgstr ""
+
 msgid "ClusterAgents|Go to the repository"
 msgstr ""
+msgid "ClusterAgents|Install new Agent"
+msgstr ""
+
 msgid "ClusterAgents|Integrate Kubernetes with a GitLab Agent"
 msgstr ""
@@ -7075,18 +7090,39 @@ msgstr ""
 msgid "ClusterAgents|Read more about getting started"
 msgstr ""
+msgid "ClusterAgents|Recommended installation method"
+msgstr ""
+
 msgid "ClusterAgents|Registering Agent"
 msgstr ""
+msgid "ClusterAgents|Registration token"
+msgstr ""
+
 msgid "ClusterAgents|Select an Agent"
 msgstr ""
+msgid "ClusterAgents|Select the Agent you want to register with GitLab and install on your cluster. To learn more about the Kubernetes Agent registration process %{linkStart}go to the documentation%{linkEnd}."
+msgstr ""
+
+msgid "ClusterAgents|Select which Agent you want to install"
+msgstr ""
+
 msgid "ClusterAgents|The GitLab Agent also requires %{linkStart}enabling the Agent Server%{linkEnd}"
 msgstr ""
 msgid "ClusterAgents|The GitLab Kubernetes Agent allows an Infrastructure as Code, GitOps approach to integrating Kubernetes clusters with GitLab. %{linkStart}Learn more.%{linkEnd}"
 msgstr ""
+msgid "ClusterAgents|The recommended installation method provided below includes the token. If you want to follow the alternative installation method provided in the docs make sure you save the token value before you close the window."
+msgstr ""
+
+msgid "ClusterAgents|The registration token will be used to connect the Agent on your cluster to GitLab. To learn more about the registration tokens and how they are used %{linkStart}go to the documentation%{linkEnd}."
+msgstr ""
+
+msgid "ClusterAgents|The token value will not be shown again after you close this window."
+msgstr ""
+
 msgid "ClusterAgents|This agent has no tokens"
 msgstr ""
@@ -13626,6 +13662,9 @@ msgstr ""
 msgid "Failed to publish issue on status page."
 msgstr ""
+msgid "Failed to register Agent"
+msgstr ""
+
 msgid "Failed to remove a Zoom meeting"
 msgstr ""
@@ -23123,6 +23162,9 @@ msgstr ""
 msgid "Open Selection"
 msgstr ""
+msgid "Open a CLI and connect to the cluster you want to install the Agent in. Use this installation method to minimise any manual steps.The token is already included in the command."
+msgstr ""
+
 msgid "Open comment type dropdown"
 msgstr ""
diff --git a/spec/models/project_ci_cd_setting_spec.rb b/spec/models/project_ci_cd_setting_spec.rb
index c206ba27ec1..caab182cda8 100644
--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -22,8 +22,8 @@ RSpec.describe ProjectCiCdSetting do
 end
 describe '#job_token_scope_enabled' do
- it 'is true by default' do
- expect(described_class.new.job_token_scope_enabled).to be_truthy
+ it 'is false by default' do
+ expect(described_class.new.job_token_scope_enabled).to be_falsey
 end
 end
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index b80b3f4e159..3fb683ea0fa 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -889,10 +889,10 @@ RSpec.describe 'Git HTTP requests' do
 context 'when admin mode is enabled', :enable_admin_mode do
 it_behaves_like 'can download code only'
- it 'downloads from other project get status 404' do
+ it 'downloads from other project get status 403' do
 clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
- expect(response).to have_gitlab_http_status(:not_found)
+ expect(response).to have_gitlab_http_status(:forbidden)
 end
 end
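Review bot: The new `it 'downloads from other project get status 403'` example pins `:forbidden` where a clone of `other_project` with a job token issued for a different project previously answered `:not_found`; a 403 confirms to that token holder that the repository exists, which the 404 did not, so this should be confirmed as intended behaviour rather than a side effect of the default change. The same flip is made in the second `git_http_spec` hunk at line 1490 and in both `lfs_http_spec` hunks (`'LFS http 404 response'` → `'LFS http 403 response'`). A short comment above the example would record the intent, e.g. `# With the job token scope limit disabled, a cross-project clone is rejected with 403 rather than 404.` The enclosing `context` blocks open and close outside these hunks.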
@@ -1490,10 +1490,10 @@ RSpec.describe 'Git HTTP requests' do
 context 'when admin mode is enabled', :enable_admin_mode do
 it_behaves_like 'can download code only'
- it 'downloads from other project get status 404' do
+ it 'downloads from other project get status 403' do
 clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
- expect(response).to have_gitlab_http_status(:not_found)
+ expect(response).to have_gitlab_http_status(:forbidden)
 end
 end
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 833889431e9..02eb4262690 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -574,7 +574,7 @@ RSpec.describe 'Git LFS API and storage' do
 let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
 # I'm not sure what this tests that is different from the previous test
- it_behaves_like 'LFS http 404 response'
+ it_behaves_like 'LFS http 403 response'
 end
 end
@@ -1049,7 +1049,7 @@ RSpec.describe 'Git LFS API and storage' do
 let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
 # I'm not sure what this tests that is different from the previous test
- it_behaves_like 'LFS http 404 response'
+ it_behaves_like 'LFS http 403 response'
 end
 end