Disable limit CI_JOB_TOKEN scope
Problem
We want to retire the outbound job token scope since customers preferred the inbound scoping during customer validation.
However, simply removing the functionality entirely would abruptly make customers who use the feature less secure: their projects could access a larger scope of projects via the CI_JOB_TOKEN than they wanted to allow.
Solution
In this issue we can:
- disable the ability to add new projects to the "limit CI_JOB_TOKEN scope" (outbound) in the backend
- disable the ability to toggle the scope on in the frontend
- The UI should not be removed, but rather grayed out to show if the toggle is on or off.
- We should add a help text that includes "Limit CI_JOB_TOKEN scope is deprecated and will be removed in a future milestone. Configure the CI_JOB_TOKEN allowlist. For more information, see our documentation"
We will still:
- enforce permissions based on the existing projects in the inbound allowlist.
This will keep customers from adding more data this way, reducing the scope of data that needs to be migrated or manually changed in or around the %17.0 milestone, when the feature will be completely removed.
UI changes
- Warning that Limit CI_JOB_TOKEN access is deprecated and adding CI_JOB_TOKEN project allowlist scopes is disabled and cannot be or be enabled.
- Disable the toggle if it's currently off.
- Add warnings that turning off Limit CI_JOB_TOKEN access is a permanent change
- Disable the input and button for adding a project but still show the project list.
- UI should still be visible but "grayed out"
Implementation
Backend
Mutations::Ci::JobTokenScope::AddProject
- We can add a feature flag that removes the :outbound parameter when it's specified as direction.
- We can make the default parameter :inbound if none is specified.
- We can deprecate the :direction argument entirely but not yet remove it.
Mutations::Ci::ProjectCiCdSettingsUpdate
- We can add a feature flag that removes the job_token_scope_enabled argument if it's being set to true.
- We can deprecate but not remove the job_token_scope_enabled argument.
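The argument handling described above, modeled as plain Ruby. This is an added example, not GitLab source code: the module, method and key names are hypothetical, and it assumes the literal reading of the bullets (a removed :outbound direction falls through to the new :inbound default).

```ruby
# Added illustration; not GitLab source code. All names are hypothetical.
module JobTokenScopeDeprecation
  # AddProject: with the flag on, an explicit :outbound direction is removed
  # and a missing direction defaults to :inbound. With the flag off, the
  # previous default (:outbound) applies.
  def self.normalize_add_project(args, flag_enabled:)
    args = args.dup
    args.delete(:direction) if flag_enabled && args[:direction] == :outbound
    args[:direction] ||= flag_enabled ? :inbound : :outbound
    args
  end

  # ProjectCiCdSettingsUpdate: with the flag on, job_token_scope_enabled: true
  # is removed, so the outbound scope cannot be switched on. false still passes.
  def self.normalize_settings_update(args, flag_enabled:)
    args = args.dup
    if flag_enabled && args[:job_token_scope_enabled] == true
      args.delete(:job_token_scope_enabled)
    end
    args
  end

  # Applies a sequence of settings updates to a project's current settings
  # and returns the resulting settings Hash.
  def self.apply_settings(current, updates, flag_enabled:)
    updates.reduce(current) do |state, args|
      state.merge(normalize_settings_update(args, flag_enabled: flag_enabled))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  req = { target_project: "group/tool", direction: :outbound }
  p JobTokenScopeDeprecation.normalize_add_project(req, flag_enabled: true)

  # Turning the scope off and then trying to turn it back on.
  settings = { job_token_scope_enabled: true }
  updates  = [{ job_token_scope_enabled: false }, { job_token_scope_enabled: true }]
  p JobTokenScopeDeprecation.apply_settings(settings, updates, flag_enabled: true)
end
```

Under this reading, a client that still sends :outbound ends up modifying the inbound allowlist, so existing API callers are worth auditing before the flag is enabled.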
Breaking User impact
Users who were using the GraphQL API to add a project to the Limit CI_JOB_TOKEN access allowlist will no longer be able to.
If the direction parameter is left out of the CiJobTokenScopeAddProject mutation then the project will be added to the Allow access to this project with a CI_JOB_TOKEN allowlist. Previously it would have been added to the Limit CI_JOB_TOKEN access allowlist.
Users will no longer be able to turn on the setting that enforces Limit CI_JOB_TOKEN access.
Once users turn off the Limit CI_JOB_TOKEN access scope they cannot go back to using it and must instead configure the same permissions using the Allow access to your project with a job token scope.
Once users remove a project from the Limit CI_JOB_TOKEN access allowlist they cannot re-add it and must instead configure the same permissions using the Allow access to your project with a job token allowlist.
What's not changing
Users' projects will still be secured as documented by the Limit CI_JOB_TOKEN access scope documentation.