
Show warning when adding auth logs exceeds the allowlist limit

What does this MR do and why?

Implements fourth part of #498125 (closed).

Feature is developed under the authentication_logs_migration_for_allowlist feature flag. This shows a warning to the user if they choose to add entries from the auth log to the job token allowlist, and if doing so will exceed the allowlist limit.

The allowlist limit can be found in PROJECT_LINK_DIRECTIONAL_LIMIT in app/models/ci/job_token/project_scope_link.rb and GROUP_LINK_LIMIT in app/models/ci/job_token/group_scope_link.rb. Currently these are set to 200.

Note: There is currently a bug where the user is unable to open the modal again after it's closed. This is being fixed in !179212 (comment 2338051370).



Screenshots or screen recordings

Screenshots: no_limit (when the limit is NOT exceeded), limit_reached (when the limit is exceeded). A demo recording is also attached.

How to set up and validate locally

  1. Enable the feature flag in the rails console:

    Feature.enable(:authentication_logs_migration_for_allowlist)

  2. Create sample authorization log records in the rails console:

    # One accessed project and two origin projects that will appear in its auth log
    project = Project.first
    project2 = Project.second
    project3 = Project.third

    Ci::JobToken::Authorization.create(accessed_project: project, origin_project: project2, last_authorized_at: 1.day.ago)
    Ci::JobToken::Authorization.create(accessed_project: project, origin_project: project3, last_authorized_at: 1.day.ago)

    # Confirm the log records exist and inspect the project's current allowlist links
    Ci::JobToken::Authorization.all
    Ci::JobToken::ProjectScopeLink.where(source_project: project)
  3. Visit the Job token permissions section of the CI/CD settings (<path-to-project>/-/settings/ci_cd#js-token-access).

  4. In CI/CD job token allowlist click Add > Group or project and add a couple of groups and projects to the allowlist (that are different from the projects we just created for the auth logs).

  5. Edit PROJECT_LINK_DIRECTIONAL_LIMIT in app/models/ci/job_token/project_scope_link.rb and GROUP_LINK_LIMIT in app/models/ci/job_token/group_scope_link.rb to a lower number such that adding the 2 new entries we created for the authentication logs will exceed the allowlist limit.

  6. Refresh the page. In CI/CD job token allowlist click Add > All projects in authentication log.

  7. This will open the modal. Click on the Add entries button.

  8. A toast message will show up and the allowlist will refresh with the new entries included.
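The check the validation steps above exercise, as an added illustration that is not code from this MR or from GitLab: auth-log origins already present in the allowlist are not counted again, the projected allowlist size is compared with the limit, and a warning is produced only when the limit would be exceeded. The sample ids and the helper names are constructed for the example; the limit value of 200 is the one stated in the MR description.

```ruby
# Added illustration (not GitLab's code): the allowlist-limit check behind
# the "exceeds limit" warning shown in the add-from-auth-log modal.
PROJECT_LINK_DIRECTIONAL_LIMIT = 200 # value stated in the MR description

# Constructed sample data: ids of projects already in the job token allowlist
# and origin-project ids taken from authentication log entries.
SAMPLE_ALLOWLIST = [11, 12, 13].freeze
SAMPLE_AUTH_LOG_ORIGINS = [12, 21, 22, 22].freeze

# Entries that would actually be added: auth-log origins not already
# allowlisted (an origin repeated in the log is counted once).
def pending_additions(allowlist, auth_log_origins)
  auth_log_origins.uniq - allowlist
end

# Describes the outcome: number of new entries, projected allowlist size,
# whether the limit would be exceeded, and by how many entries.
def allowlist_limit_check(allowlist, auth_log_origins, limit: PROJECT_LINK_DIRECTIONAL_LIMIT)
  additions = pending_additions(allowlist, auth_log_origins)
  projected = allowlist.uniq.size + additions.size
  overflow = [projected - limit, 0].max
  {
    additions: additions.size,
    projected_total: projected,
    exceeds_limit: overflow.positive?,
    over_by: overflow
  }
end

# Warning text for the modal when the limit would be exceeded; nil otherwise.
def limit_warning(check, limit: PROJECT_LINK_DIRECTIONAL_LIMIT)
  return nil unless check[:exceeds_limit]

  "Adding #{check[:additions]} entries would bring the allowlist to " \
    "#{check[:projected_total]}, exceeding the limit of #{limit} by #{check[:over_by]}."
end

if __FILE__ == $PROGRAM_NAME
  # A lowered limit, as in step 5 above, so that the two new entries overflow it
  check = allowlist_limit_check(SAMPLE_ALLOWLIST, SAMPLE_AUTH_LOG_ORIGINS, limit: 4)
  puts(limit_warning(check, limit: 4) || "Within limit")
end
```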

Edited by Mireya Andres
