Backend: Allow toggling the inbound job token scope
What does this MR do and why?
Issue Context
As part of the work for:
- Issue: #346298 (closed)
We want to be able to add projects to the job token scope but enforce the restriction on project access in the inverse direction.
Backend MR context
This MR adds the ability to toggle the new setting on and off that controls whether access is restricted to the project from the other projects' CI_JOB_TOKENS. If the setting is off, there are no additional restrictions on project access beyond the permissions inherited from the build.user.
MR | MR description |
---|---|
!98673 (merged) | Add a column to ci_job_token_project_scope_links with the outbound and inbound direction |
!99032 (merged) | Add a column to project_ci_cd_settings to toggle the setting inbound inbound_job_token_scope_enabled |
You are here | Allow toggling the inbound job token scope |
!100303 (merged) | Rename project.ci_job_token_scope_enabled to project.ci_outbound_job_token_scope_enabled |
!100136 (closed) | Ensure existing module Ci::JobToken::Scope only uses outbound direction |
!99166 (merged) | Add project to inbound scope (Graphql and REST) |
TODO | Remove project from scope (Graphql and REST) |
TODO | Backend: Read the inbound scope allow list |
TODO | Core logic to restrict access based on the allow list |
TODO | Flag removal & documentation (will require frontend complete) |
Please also see the feature documentation for the existing feature:
And the design for the additional feature:
How to set up and validate locally
- Enable the flag

```ruby
Feature.enable(:ci_inbound_job_token_scope)
```

- Go to the graphql explorer: http://localhost:3000/-/graphql-explorer
- Run the query

```graphql
mutation {
  projectCiCdSettingsUpdate(
    input: {
      fullPath: "gnuwget/Flight1234",
      inboundJobTokenScopeEnabled: false,
      jobTokenScopeEnabled: true
    }
  ) {
    ciCdSettings {
      jobTokenScopeEnabled,
      inboundJobTokenScopeEnabled
    }
  }
}
```

- See the response

```json
{
  "data": {
    "projectCiCdSettingsUpdate": {
      "ciCdSettings": {
        "jobTokenScopeEnabled": true,
        "inboundJobTokenScopeEnabled": false
      }
    }
  }
}
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Allison Browne