Merge branch 'add-default-permissions-argument-to-job-token-policies-mutations' into 'master'

Add default permissions argument to job token policies mutations

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175382



Merged-by: Max Fan <mfan@gitlab.com>
Approved-by: Alex Buijs <abuijs@gitlab.com>
Approved-by: Max Fan <mfan@gitlab.com>
Reviewed-by: Alex Buijs <abuijs@gitlab.com>
Reviewed-by: Hinam Mehra <hmehra@gitlab.com>
Reviewed-by: Max Fan <mfan@gitlab.com>
Co-authored-by: Daniel Tian <dtian@gitlab.com>

app/graphql/mutations/ci/job_token_scope/add_group_or_project.rb

@@ -18,6 +18,13 @@ class AddGroupOrProject < BaseMutation
           required: true,
           description: 'Group or project to be added to the CI job token scope.'
 
+        argument :default_permissions, GraphQL::Types::Boolean,
+          required: false,
+          default_value: true,
+          experiment: { milestone: '17.8' },
+          description: 'Indicates whether default permissions are enabled (true) or fine-grained permissions are ' \
+            'enabled (false).'
+
         argument :job_token_policies, [Types::Ci::JobTokenScope::PoliciesEnum],
           required: false,
           default_value: [],
@@ -36,16 +43,16 @@ class AddGroupOrProject < BaseMutation
           null: true,
           description: "CI job token's access scope."
 
-        def resolve(args)
-          project = authorized_find!(args[:project_path])
-
-          target = find_target_path(args[:target_path])
-
-          args.delete(:job_token_policies) unless Feature.enabled?(:add_policies_to_ci_job_token, project)
+        def resolve(project_path:, target_path:, default_permissions:, job_token_policies:)
+          project = authorized_find!(project_path)
+          target = find_target_path(target_path)
+          policies_enabled = Feature.enabled?(:add_policies_to_ci_job_token, project)
+          # Use default permissions if policies feature isn't enabled.
+          default = policies_enabled ? default_permissions : true
 
           result = ::Ci::JobTokenScope::AddGroupOrProjectService
             .new(project, current_user)
-            .execute(target, policies: args[:job_token_policies])
+            .execute(target, default_permissions: default, policies: job_token_policies)
 
           if result.success?
             {

app/graphql/mutations/ci/job_token_scope/update_job_token_policies.rb

@@ -18,6 +18,11 @@ class UpdateJobTokenPolicies < BaseMutation
           required: true,
           description: 'Group or project that the CI job token targets.'
 
+        argument :default_permissions, GraphQL::Types::Boolean,
+          required: true,
+          description: 'Indicates whether default permissions are enabled (true) or fine-grained permissions are ' \
+            'enabled (false).'
+
         argument :job_token_policies, [Types::Ci::JobTokenScope::PoliciesEnum],
           required: true,
           description: 'List of policies added to the CI job token scope.'
@@ -28,7 +33,7 @@ class UpdateJobTokenPolicies < BaseMutation
           experiment: { milestone: '17.6' },
           description: "Allowlist entry for the CI job token's access scope."
 
-        def resolve(project_path:, target_path:, job_token_policies:)
+        def resolve(project_path:, target_path:, default_permissions:, job_token_policies:)
           project = authorized_find!(project_path)
           target = find_target_using_path(target_path)
 
@@ -38,7 +43,7 @@ def resolve(project_path:, target_path:, job_token_policies:)
 
           result = ::Ci::JobTokenScope::UpdatePoliciesService
             .new(project, current_user)
-            .execute(target, job_token_policies)
+            .execute(target, default_permissions, job_token_policies)
 
           if result.success?
             {

app/graphql/types/ci/job_token_scope/allowlist_entry_type.rb

@@ -25,6 +25,11 @@ class AllowlistEntryType < BaseObject
           null: true,
           description: 'Direction of access. Defaults to INBOUND.'
 
+        field :default_permissions,
+          GraphQL::Types::Boolean,
+          description: 'Indicates whether default permissions are enabled (true) or fine-grained permissions are ' \
+            'enabled (false).'
+
         field :job_token_policies,
           [Types::Ci::JobTokenScope::PoliciesEnum],
           null: true,
@@ -63,6 +68,10 @@ def direction
           end
         end
 
+        def default_permissions
+          Feature.enabled?(:add_policies_to_ci_job_token, object.source_project) ? object.default_permissions : true
+        end
+
         def job_token_policies
           return unless Feature.enabled?(:add_policies_to_ci_job_token, object.source_project)
 

app/models/ci/job_token/allowlist.rb

@@ -30,25 +30,29 @@ def groups
         ::Group.id_in(group_links.pluck(:target_group_id))
       end
 
-      def add!(target_project, user:, policies: [])
+      def add!(target_project, user:, default_permissions: true, policies: [])
         job_token_policies = add_policies_to_ci_job_token_enabled ? policies : []
+        default_permissions = add_policies_to_ci_job_token_enabled ? default_permissions : true
 
         Ci::JobToken::ProjectScopeLink.create!(
           source_project: @source_project,
           direction: @direction,
           target_project: target_project,
           added_by: user,
+          default_permissions: default_permissions,
           job_token_policies: job_token_policies
         )
       end
 
-      def add_group!(target_group, user:, policies: [])
+      def add_group!(target_group, user:, default_permissions: true, policies: [])
         job_token_policies = add_policies_to_ci_job_token_enabled ? policies : []
+        default_permissions = add_policies_to_ci_job_token_enabled ? default_permissions : true
 
         Ci::JobToken::GroupScopeLink.create!(
           source_project: @source_project,
           target_group: target_group,
           added_by: user,
+          default_permissions: default_permissions,
           job_token_policies: job_token_policies
         )
       end

app/services/ci/job_token_scope/add_group_or_project_service.rb

@@ -5,13 +5,15 @@ module JobTokenScope
     class AddGroupOrProjectService < ::BaseService
       include EditScopeValidations
 
-      def execute(target, policies: [])
+      def execute(target, default_permissions: true, policies: [])
         validate_target_exists!(target)
 
         if target.is_a?(::Group)
-          ::Ci::JobTokenScope::AddGroupService.new(project, current_user).execute(target, policies: policies)
+          ::Ci::JobTokenScope::AddGroupService.new(project, current_user).execute(target,
+            default_permissions: default_permissions, policies: policies)
         else
-          ::Ci::JobTokenScope::AddProjectService.new(project, current_user).execute(target, policies: policies)
+          ::Ci::JobTokenScope::AddProjectService.new(project, current_user).execute(target,
+            default_permissions: default_permissions, policies: policies)
         end
 
       rescue EditScopeValidations::NotFoundError => e

app/services/ci/job_token_scope/add_group_service.rb

@@ -5,11 +5,11 @@ module JobTokenScope
     class AddGroupService < ::BaseService
       include EditScopeValidations
 
-      def execute(target_group, policies: [])
+      def execute(target_group, default_permissions: true, policies: [])
         validate_source_project_and_target_group_access!(project, target_group, current_user)
 
         link = allowlist
-          .add_group!(target_group, policies: policies, user: current_user)
+          .add_group!(target_group, default_permissions: default_permissions, policies: policies, user: current_user)
 
         ServiceResponse.success(payload: { group_link: link })
 

app/services/ci/job_token_scope/add_project_service.rb

@@ -5,11 +5,11 @@ module JobTokenScope
     class AddProjectService < ::BaseService
       include EditScopeValidations
 
-      def execute(target_project, policies: [], direction: :inbound)
+      def execute(target_project, default_permissions: true, policies: [], direction: :inbound)
         validate_source_project_and_target_project_access!(project, target_project, current_user)
 
         link = allowlist(direction)
-          .add!(target_project, policies: policies, user: current_user)
+          .add!(target_project, default_permissions: default_permissions, policies: policies, user: current_user)
 
         ServiceResponse.success(payload: { project_link: link })
 

app/services/ci/job_token_scope/update_policies_service.rb

@@ -5,7 +5,7 @@ module JobTokenScope
     class UpdatePoliciesService < ::BaseService
       include EditScopeValidations
 
-      def execute(target, policies)
+      def execute(target, default_permissions, policies)
         return unless Feature.enabled?(:add_policies_to_ci_job_token, project)
 
         validate_target_exists!(target)
@@ -15,7 +15,7 @@ def execute(target, policies)
 
         return error_link_not_found unless link
 
-        if link.update(job_token_policies: policies)
+        if link.update(default_permissions: default_permissions, job_token_policies: policies)
           ServiceResponse.success(payload: link)
         else
           error_updating(link)

doc/api/graphql/reference/index.md

@@ -3134,6 +3134,7 @@ Input type: `CiJobTokenScopeAddGroupOrProjectInput`
 | Name | Type | Description |
 | ---- | ---- | ----------- |
 | <a id="mutationcijobtokenscopeaddgrouporprojectclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationcijobtokenscopeaddgrouporprojectdefaultpermissions"></a>`defaultPermissions` **{warning-solid}** | [`Boolean`](#boolean) | **Deprecated:** **Status**: Experiment. Introduced in GitLab 17.8. |
 | <a id="mutationcijobtokenscopeaddgrouporprojectjobtokenpolicies"></a>`jobTokenPolicies` **{warning-solid}** | [`[CiJobTokenScopePolicies!]`](#cijobtokenscopepolicies) | **Deprecated:** **Status**: Experiment. Introduced in GitLab 17.5. |
 | <a id="mutationcijobtokenscopeaddgrouporprojectprojectpath"></a>`projectPath` | [`ID!`](#id) | Project that the CI job token scope belongs to. |
 | <a id="mutationcijobtokenscopeaddgrouporprojecttargetpath"></a>`targetPath` | [`ID!`](#id) | Group or project to be added to the CI job token scope. |
@@ -3225,6 +3226,7 @@ Input type: `CiJobTokenScopeUpdatePoliciesInput`
 | Name | Type | Description |
 | ---- | ---- | ----------- |
 | <a id="mutationcijobtokenscopeupdatepoliciesclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationcijobtokenscopeupdatepoliciesdefaultpermissions"></a>`defaultPermissions` | [`Boolean!`](#boolean) | Indicates whether default permissions are enabled (true) or fine-grained permissions are enabled (false). |
 | <a id="mutationcijobtokenscopeupdatepoliciesjobtokenpolicies"></a>`jobTokenPolicies` | [`[CiJobTokenScopePolicies!]!`](#cijobtokenscopepolicies) | List of policies added to the CI job token scope. |
 | <a id="mutationcijobtokenscopeupdatepoliciesprojectpath"></a>`projectPath` | [`ID!`](#id) | Project that the CI job token scope belongs to. |
 | <a id="mutationcijobtokenscopeupdatepoliciestargetpath"></a>`targetPath` | [`ID!`](#id) | Group or project that the CI job token targets. |
@@ -20496,6 +20498,7 @@ Represents an allowlist entry for the CI_JOB_TOKEN.
 | ---- | ---- | ----------- |
 | <a id="cijobtokenscopeallowlistentryaddedby"></a>`addedBy` | [`UserCore`](#usercore) | User that added the entry. |
 | <a id="cijobtokenscopeallowlistentrycreatedat"></a>`createdAt` | [`Time!`](#time) | When the entry was created. |
+| <a id="cijobtokenscopeallowlistentrydefaultpermissions"></a>`defaultPermissions` | [`Boolean`](#boolean) | Indicates whether default permissions are enabled (true) or fine-grained permissions are enabled (false). |
 | <a id="cijobtokenscopeallowlistentrydirection"></a>`direction` | [`String`](#string) | Direction of access. Defaults to INBOUND. |
 | <a id="cijobtokenscopeallowlistentryjobtokenpolicies"></a>`jobTokenPolicies` **{warning-solid}** | [`[CiJobTokenScopePolicies!]`](#cijobtokenscopepolicies) | **Introduced** in GitLab 17.5. **Status**: Experiment. List of policies for the entry. |
 | <a id="cijobtokenscopeallowlistentrysourceproject"></a>`sourceProject` | [`Project!`](#project) | Project that owns the allowlist entry. |

ee/app/services/ee/ci/job_token_scope/add_group_service.rb

@@ -7,21 +7,22 @@ module AddGroupService
         extend ::Gitlab::Utils::Override
 
         override :execute
-        def execute(target_group, policies: [])
+        def execute(target_group, default_permissions: true, policies: [])
           super.tap do |response|
-            audit(project, target_group, current_user, policies) if response.success?
+            audit(project, target_group, current_user, default_permissions, policies) if response.success?
           end
         end
 
         private
 
-        def audit(scope, target, author, policies)
+        def audit(scope, target, author, default_permissions, policies)
           audit_message =
             "Group #{target.full_path} was added to list of allowed groups for #{scope.full_path}"
           event_name = 'secure_ci_job_token_group_added'
 
           if ::Feature.enabled?(:add_policies_to_ci_job_token, scope) && policies.present?
-            audit_message += ", with job token permissions: #{policies.join(', ')}"
+            audit_message += ", with default permissions: #{default_permissions}, " \
+              "job token policies: #{policies.join(', ')}"
           end
 
           audit_context = {

ee/app/services/ee/ci/job_token_scope/add_project_service.rb

@@ -7,21 +7,25 @@ module AddProjectService
         extend ::Gitlab::Utils::Override
 
         override :execute
-        def execute(target_project, policies: [], direction: :inbound)
+        def execute(target_project, default_permissions: true, policies: [], direction: :inbound)
           super.tap do |response|
-            audit(project, target_project, current_user, policies) if direction == :inbound && response.success?
+            if direction == :inbound && response.success?
+              audit(project, target_project, current_user, default_permissions,
+                policies)
+            end
           end
         end
 
         private
 
-        def audit(scope, target, author, policies)
+        def audit(scope, target, author, default_permissions, policies)
           audit_message =
             "Project #{target.full_path} was added to inbound list of allowed projects for #{scope.full_path}"
           event_name = 'secure_ci_job_token_project_added'
 
           if ::Feature.enabled?(:add_policies_to_ci_job_token, scope) && policies.present?
-            audit_message += ", with job token permissions: #{policies.join(', ')}"
+            audit_message += ", with default permissions: #{default_permissions}, " \
+              "job token policies: #{policies.join(', ')}"
           end
 
           audit_context = {

ee/app/services/ee/ci/job_token_scope/remove_group_service.rb

@@ -21,7 +21,7 @@ def audit(scope, target, author, policies)
           event_name = 'secure_ci_job_token_group_removed'
 
           if ::Feature.enabled?(:add_policies_to_ci_job_token, scope) && policies.present?
-            audit_message += ", with job token permissions: #{policies.join(', ')}"
+            audit_message += ", with job token policies: #{policies.join(', ')}"
           end
 
           audit_context = {

ee/app/services/ee/ci/job_token_scope/remove_project_service.rb

@@ -23,7 +23,7 @@ def audit(scope, target, author, policies)
           event_name = 'secure_ci_job_token_project_removed'
 
           if ::Feature.enabled?(:add_policies_to_ci_job_token, scope) && policies.present?
-            audit_message += ", with job token permissions: #{policies.join(', ')}"
+            audit_message += ", with job token policies: #{policies.join(', ')}"
           end
 
           audit_context = {

ee/app/services/ee/ci/job_token_scope/update_policies_service.rb

@@ -7,17 +7,17 @@ module UpdatePoliciesService
         extend ::Gitlab::Utils::Override
 
         override :execute
-        def execute(target, policies)
+        def execute(target, default_permissions, policies)
           super.tap do |response|
-            audit(project, target, current_user, policies) if response.success?
+            audit(project, target, current_user, default_permissions, policies) if response.success?
           end
         end
 
         private
 
-        def audit(scope, target, author, policies)
+        def audit(scope, target, author, default_permissions, policies)
           audit_message =
-            "CI job token policies updated to: #{policies.join(', ')}"
+            "CI job token updated to default permissions: #{default_permissions}, policies: #{policies.join(', ')}"
 
           event_name = 'secure_ci_job_token_policies_updated'
 

ee/spec/graphql/ee/mutations/ci/job_token_scope/add_group_or_project_spec.rb

@@ -33,8 +33,8 @@
       {
         project_path: project.full_path,
         target_path: target.full_path,
-        job_token_policies: policies,
-        direction: :inbound
+        default_permissions: false,
+        job_token_policies: policies
       }
     end
 
@@ -51,7 +51,7 @@
 
       let(:expected_audit_message) do
         "Group #{target_group_path} was added to list of allowed groups for #{project_path}, " \
-          "with job token permissions: read_containers, read_packages"
+          "with default permissions: false, job token policies: read_containers, read_packages"
       end
 
       let(:event_name) { 'secure_ci_job_token_group_added' }
@@ -104,7 +104,7 @@
 
       let(:expected_audit_message) do
         "Project #{target_project_path} was added to inbound list of allowed projects for #{project_path}, " \
-          "with job token permissions: read_containers, read_packages"
+          "with default permissions: false, job token policies: read_containers, read_packages"
       end
 
       let(:event_name) { 'secure_ci_job_token_project_added' }

ee/spec/graphql/ee/mutations/ci/job_token_scope/remove_group_spec.rb

@@ -51,7 +51,7 @@
       context 'when user removes target group to the job token scope' do
         let(:expected_audit_message) do
           "Group #{target_group_path} was removed from list of allowed groups for #{project_path}, " \
-            "with job token permissions: read_containers, read_packages"
+            "with job token policies: read_containers, read_packages"
         end
 
         let(:event_name) { 'secure_ci_job_token_group_removed' }

ee/spec/graphql/ee/mutations/ci/job_token_scope/remove_project_spec.rb

@@ -59,7 +59,7 @@
 
       let(:expected_audit_message) do
         "Project #{target_project_path} was removed from inbound list of allowed projects for #{project_path}, " \
-          "with job token permissions: read_containers, read_packages"
+          "with job token policies: read_containers, read_packages"
       end
 
       let(:event_name) { 'secure_ci_job_token_project_removed' }

ee/spec/services/ee/ci/job_token_scope/add_group_service_spec.rb

@@ -10,12 +10,14 @@
 
   let_it_be(:policies) { %w[read_containers read_packages] }
 
-  subject(:service_result) { described_class.new(project, current_user).execute(target_group, policies: policies) }
+  subject(:service_result) do
+    described_class.new(project, current_user).execute(target_group, default_permissions: false, policies: policies)
+  end
 
   describe '#execute' do
     let(:expected_audit_message) do
       "Group #{target_group.full_path} was added to list of allowed groups for #{project.full_path}, " \
-        "with job token permissions: read_containers, read_packages"
+        "with default permissions: false, job token policies: read_containers, read_packages"
     end
 
     let(:audit_event) do

ee/spec/services/ee/ci/job_token_scope/add_project_service_spec.rb

@@ -13,14 +13,15 @@
   let_it_be(:direction) { :inbound }
 
   subject(:service_result) do
-    described_class.new(project, current_user).execute(target_project, policies: policies, direction: direction)
+    described_class.new(project, current_user).execute(target_project, default_permissions: false, policies: policies,
+      direction: direction)
   end
 
   describe '#execute' do
     context 'when the direction is inbound' do
       let(:expected_audit_message) do
         "Project #{target_project.full_path} was added to inbound list of allowed projects for #{project.full_path}, " \
-          "with job token permissions: read_containers, read_packages"
+          "with default permissions: false, job token policies: read_containers, read_packages"
       end
 
       let(:audit_event) do

ee/spec/services/ee/ci/job_token_scope/remove_group_service_spec.rb

@@ -23,7 +23,7 @@
   describe '#execute' do
     let(:expected_audit_message) do
       "Group #{target_group.full_path} was removed from list of allowed groups for #{project.full_path}, " \
-        "with job token permissions: read_containers, read_packages"
+        "with job token policies: read_containers, read_packages"
     end
 
     let(:audit_event) do