Add instance level job token application settings (!166952) · Merge requests · GitLab.org / GitLab

Dmytro Biryukov requested to merge dbiryukov_add_instance_settings_job_token_scope_mr-440697 into master Sep 23, 2024

What does this MR do and why?

Introduces instance settings for job token scope to toggle enforcement of allowlist for all projects.

When on (default on %18.0): all projects will enforce their job token scope allowlist even if the scope is disabled at instance setting. If allowlist is empty, only job tokens from the current project are allowed.
When off: only projects that have the scope enabled in the project settings will enforce the allowlist. Other projects will allow authentications from CI_JOB_TOKENs from other projects.

FE-related changes will be done in follow-ups MRs, issues

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Switch to this branch

Run migrations: bin/rails db:migrate

In the Rails console, check that accessing the field does not throw an error:

[1] pry(main)> ::Gitlab::CurrentSettings.enforce_ci_inbound_job_token_scope_enabled = true
=> true

Edited Sep 30, 2024 by Dmytro Biryukov

Add instance level job token application settings

What does this MR do and why?

MR acceptance checklist

Screenshots or screen recordings

How to set up and validate locally

Merge request reports