
Backend: Allow toggling the inbound job token scope

What does this MR do and why?

Issue Context

As part of the work for:

We want to be able to add projects to the job token scope but enforce the restriction on project access in the inverse direction.


Backend MR context

This MR adds the ability to toggle the new setting on and off that controls whether access is restricted to the project from the other projects' CI_JOB_TOKENs. If the setting is off there are no additional restrictions on project access beyond the permissions inherited from the build.user.

MR                  MR description
!98673 (merged)     Add a column to ci_job_token_project_scope_links with the outbound and inbound direction
!99032 (merged)     Add a column to project_ci_cd_settings to toggle the setting inbound inbound_job_token_scope_enabled
You are here        Allow toggling the inbound job token scope
!100303 (merged)    Rename project.ci_job_token_scope_enabled to project.ci_outbound_job_token_scope_enabled
!100136 (closed)    Ensure existing module Ci::JobToken::Scope only uses outbound direction
!99166 (merged)     Add project to inbound scope (Graphql and REST)
TODO                Remove project from scope (Graphql and REST)
TODO                Backend: Read the inbound scope allow list
TODO                Core logic to restrict access based on the allow list
TODO                Flag removal & documentation (will require frontend complete)

Please also see the feature documentation for the existing feature:

And the design for the additional feature:

Screenshots or screen recordings

[Screenshot: graphql explorer (Screen_Shot_2022-09-28_at_4.57.12_PM)]

How to set up and validate locally

  1. Enable the flag
    Feature.enable(:ci_inbound_job_token_scope)
  2. Go to the GraphQL explorer
    http://localhost:3000/-/graphql-explorer
  3. Run the query
    mutation {
      projectCiCdSettingsUpdate(
        input: {
          fullPath: "gnuwget/Flight1234",
          inboundJobTokenScopeEnabled: false,
          jobTokenScopeEnabled: true
        }
      ) {
        ciCdSettings {
          jobTokenScopeEnabled,
          inboundJobTokenScopeEnabled
        }
      }
    }
  4. See the response
    {
      "data": {
        "projectCiCdSettingsUpdate": {
          "ciCdSettings": {
            "jobTokenScopeEnabled": true,
            "inboundJobTokenScopeEnabled": false
          }
        }
      }
    }

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Allison Browne
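
The two scope directions and the effect of the toggle, as an added sketch that is not code from this MR or from GitLab: the `Project` struct, `project` helper, `job_token_allowed?` and the `demo/...` paths are hypothetical, and the outbound check and the own-project rule are assumptions based on the existing job token scope feature.

```ruby
# Added illustration: hypothetical names, not GitLab's classes or its real logic.
require "set"

Project = Struct.new(:path, :inbound_enabled, :outbound_enabled,
                     :inbound_allow, :outbound_allow)

# Build a project record; both scope settings default to off (constructed data).
def project(path, inbound_enabled: false, outbound_enabled: false,
            inbound_allow: [], outbound_allow: [])
  Project.new(path, inbound_enabled, outbound_enabled,
              Set.new(inbound_allow), Set.new(outbound_allow))
end

# May a CI_JOB_TOKEN from a job in `source` access `target`?
# `user_can_access` stands in for the permissions inherited from build.user.
def job_token_allowed?(source:, target:, user_can_access:)
  return false unless user_can_access          # the scopes never widen user access
  return true if source.path == target.path    # assumption: own project always in scope

  # Outbound: the source project limits where its own tokens may go.
  return false if source.outbound_enabled && !source.outbound_allow.include?(target.path)

  # Inbound: the target project limits which projects' tokens may come in.
  return false if target.inbound_enabled && !target.inbound_allow.include?(source.path)

  true
end

if __FILE__ == $PROGRAM_NAME
  lib   = project("demo/lib", inbound_enabled: true, inbound_allow: ["demo/app"])
  app   = project("demo/app")
  other = project("demo/other")
  [app, other].each do |src|
    ok = job_token_allowed?(source: src, target: lib, user_can_access: true)
    puts "#{src.path} -> #{lib.path}: #{ok ? 'allowed' : 'denied'}"
  end
end
```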
