DB Migration: Add direction to ci_job_token_project_scope_links
What does this MR do and why?
Issue Context
As part of the work for:
- Issue: #346298 (closed)
We want to be able to add projects to the job token scope but enforce the restriction on project access in the inverse direction.
- For Inbound in the UI we create a list of projects that the source project can access.
- For Outbound in the UI we create a list of projects that can access the source project.
MR | MR description |
---|---|
!98673 (merged) | Add a column to ci_job_token_project_scope_links with the outbound and inbound direction |
You are here | Add a column to project_ci_cd_settings to toggle the setting inbound inbound_job_token_scope_enabled |
!99165 (merged) | Backend: Allow toggling the inbound job token scope |
!99166 (merged) | Backend: Add project to inbound scope (Graphql and REST) |
TODO | Backend: Remove project from scope (Graphql and REST) |
TODO | Backend: Read the inbound scope allow list |
TODO | Backend: Core logic to restrict access based on the allow list |
TODO | Flag removal & documentation (will require frontend complete) |
Please also see the feature documentation for the existing feature:
And the design for the additional feature:
MR context
This MR is part of the work for the database task:
See the conversation on the issue about this database design implemented here: #346298 (comment 1106005663)
We want to record the `direction` of allowed access between the projects via CI jobs.
This adds a column called `direction` to `ci_job_token_project_scope_links` as part of that work.
This also adds the enum data in the model with `inbound` and `outbound` directions.
The default is `0` or `outbound`, which refers to the existing direction.
How to set up and validate locally
- Run the migration `rake db:migrate`
- Log into postgres `psql -h <gdk_location>/postgresql -d gitlabhq_development_ci -p 5432`
- Select the table

```
gitlabhq_development_ci=# select * from ci_job_token_project_scope_links;
 id | source_project_id | target_project_id | added_by_id |          created_at           | direction
----+-------------------+-------------------+-------------+-------------------------------+-----------
  1 |                20 |                21 |           1 | 2022-08-01 19:00:45.468278+00 |         0
  2 |                20 |                22 |           1 | 2022-08-01 19:00:53.151662+00 |         0
(2 rows)
```

- View the schema

```
Column | Type | Collation | Nullable | Default | Storage | Stats target | Description
-------------------+--------------------------+-----------+----------+--------------------------------------------------------------+---------+--------------+-------------
id | bigint | | not null | nextval('ci_job_token_project_scope_links_id_seq'::regclass) | plain | |
source_project_id | bigint | | not null | | plain | |
target_project_id | bigint | | not null | | plain | |
added_by_id | bigint | | | | plain | |
created_at | timestamp with time zone | | not null | | plain | |
direction | integer | | | 0 | plain | |
Indexes:
    "ci_job_token_project_scope_links_pkey" PRIMARY KEY, btree (id)
    "i_ci_job_token_project_scope_links_on_source_and_target_project" UNIQUE, btree (source_project_id, target_project_id)
    "index_ci_job_token_project_scope_links_on_added_by_id" btree (added_by_id)
    "index_ci_job_token_project_scope_links_on_target_project_id" btree (target_project_id)
Access method: heap
```

- Start irb with `rails c`. Create a job token scope link.

```
# added_by is the association behind added_by_id; keep the record in `link` for the next step
link = FactoryBot.create(:ci_job_token_project_scope_link, source_project: Project.first, target_project: Project.second, added_by: User.last)
=> #<Ci::JobToken::ProjectScopeLink:0x000000011f6c96a0
 id: 4,
 source_project_id: 1,
 target_project_id: 2,
 added_by_id: 51,
 created_at: Tue, 27 Sep 2022 15:17:43.119838000 UTC +00:00,
 direction: "outbound">
```

- Ensure the default is correct

```
[14] pry(main)> link.direction
=> "outbound"
```

MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.