authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-05 17:59:16 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-05 17:59:16 +0000
commit72d5f1f9f81e71a50bed15a960a830be46bbf02f (patch)
tree17493245e8a8c4ac0ed219c248da35b276ef3a94
parent8f841f78f46d462f87aa13fc161f14db8e9b9bc1 (diff)
Add latest changes from gitlab-org/gitlab@15-6-stable-ee
-rw-r--r--app/controllers/profiles/personal_access_tokens_controller.rb6
-rw-r--r--app/models/application_setting.rb4
-rw-r--r--app/policies/project_policy.rb2
-rw-r--r--app/views/layouts/nav/sidebar/_profile.html.haml23
-rw-r--r--doc/user/group/settings/group_access_tokens.md3
-rw-r--r--doc/user/profile/personal_access_tokens.md3
-rw-r--r--doc/user/project/settings/project_access_tokens.md3
-rw-r--r--spec/controllers/profiles/personal_access_tokens_controller_spec.rb16
-rw-r--r--spec/lib/gitlab/auth/auth_finders_spec.rb2
-rw-r--r--spec/models/application_setting_spec.rb6
-rw-r--r--spec/requests/admin/impersonation_tokens_controller_spec.rb12
-rw-r--r--spec/views/layouts/nav/sidebar/_profile.html.haml_spec.rb16
12 files changed, 13 insertions, 83 deletions
diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index 1663aa61f62..a7c6137f33a 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -5,8 +5,6 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
feature_category :authentication_and_authorization
- before_action :check_personal_access_tokens_enabled
-
def index
set_index_vars
scopes = params[:scopes].split(',').map(&:squish).select(&:present?).map(&:to_sym) unless params[:scopes].nil?
@@ -64,8 +62,4 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
def represent(tokens)
::PersonalAccessTokenSerializer.new.represent(tokens)
end
-
- def check_personal_access_tokens_enabled
- render_404 if Gitlab::CurrentSettings.personal_access_tokens_disabled?
- end
end
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index adbbddd635c..b111df97fec 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -807,10 +807,6 @@ class ApplicationSetting < ApplicationRecord
::AsciidoctorExtensions::Kroki::SUPPORTED_DIAGRAM_NAMES.include?(diagram_type)
end
- def personal_access_tokens_disabled?
- false
- end
-
private
def parsed_grafana_url
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index bfeb1a602ab..6701eb4f429 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -805,7 +805,7 @@ class ProjectPolicy < BasePolicy
rule { project_bot }.enable :project_bot_access
- rule { can?(:read_all_resources) & resource_access_token_feature_available }.enable :read_resource_access_tokens
+ rule { can?(:read_all_resources) }.enable :read_resource_access_tokens
rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
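Review bot: The rewritten rule `rule { can?(:read_all_resources) }.enable :read_resource_access_tokens` grants read access to resource access tokens without the `resource_access_token_feature_available` condition, while the `can?(:admin_project)` rule directly below still requires it, and nothing in the hunk explains why the two paths differ. If the difference is intended, a comment above the rule would record it, for example `# read_all_resources holders may read resource access tokens regardless of feature availability`. The commit's file list contains no policy spec, so unless one exists elsewhere, a case asserting `:read_resource_access_tokens` for such a user while the feature condition is false would pin this authorization change. The `.policy do` block of the following rule continues outside the hunk.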
diff --git a/app/views/layouts/nav/sidebar/_profile.html.haml b/app/views/layouts/nav/sidebar/_profile.html.haml
index 0e3327935ca..a1393615e69 100644
--- a/app/views/layouts/nav/sidebar/_profile.html.haml
+++ b/app/views/layouts/nav/sidebar/_profile.html.haml
@@ -51,18 +51,17 @@
= link_to profile_chat_names_path do
%strong.fly-out-top-item-name
= _('Chat')
- - unless Gitlab::CurrentSettings.personal_access_tokens_disabled?
- = nav_link(controller: :personal_access_tokens) do
- = link_to profile_personal_access_tokens_path do
- .nav-icon-container
- = sprite_icon('token')
- %span.nav-item-name
- = _('Access Tokens')
- %ul.sidebar-sub-level-items.is-fly-out-only
- = nav_link(controller: :personal_access_tokens, html_options: { class: "fly-out-top-item" } ) do
- = link_to profile_personal_access_tokens_path do
- %strong.fly-out-top-item-name
- = _('Access Tokens')
+ = nav_link(controller: :personal_access_tokens) do
+ = link_to profile_personal_access_tokens_path do
+ .nav-icon-container
+ = sprite_icon('token')
+ %span.nav-item-name
+ = _('Access Tokens')
+ %ul.sidebar-sub-level-items.is-fly-out-only
+ = nav_link(controller: :personal_access_tokens, html_options: { class: "fly-out-top-item" } ) do
+ = link_to profile_personal_access_tokens_path do
+ %strong.fly-out-top-item-name
+ = _('Access Tokens')
= nav_link(controller: :emails) do
= link_to profile_emails_path, data: { qa_selector: 'profile_emails_link' } do
.nav-icon-container
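Review bot: The Access Tokens entry is now rendered unconditionally, but the same commit deletes the positive view spec `it 'has a link to access tokens'` from `spec/views/layouts/nav/sidebar/_profile.html.haml_spec.rb` together with the disabled-case context, so nothing visible on this page still asserts that the link is present. Only the disabled-case context depended on the removed `personal_access_tokens_disabled?` setting; I would keep `expect(rendered).to have_link(_('Access Tokens'), href: profile_personal_access_tokens_path)` in that spec. The page has lost the template's indentation, so the nesting of the de-indented block could not be checked here. The `nav_link(controller: :emails)` block continues outside the hunk.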
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index 158e1654c6e..4806fcec4da 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -48,9 +48,6 @@ You cannot use group access tokens to create other group, project, or personal a
Group access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
configured for personal access tokens.
-NOTE:
-Group access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
-
## Create a group access token using UI
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214045) in GitLab 14.7.
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index 507ad6378bc..71a7cc91fab 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -45,9 +45,6 @@ For examples of how you can use a personal access token to authenticate with the
Alternately, GitLab administrators can use the API to create [impersonation tokens](../../api/index.md#impersonation-tokens).
Use impersonation tokens to automate authentication as a specific user.
-NOTE:
-Personal access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../development/fips_compliance.md) is enabled.
-
## Create a personal access token
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/348660) in GitLab 15.3, default expiration of 30 days is populated in the UI.
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index f27672a1b07..6e312a448c4 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -48,9 +48,6 @@ You cannot use project access tokens to create other group, project, or personal
Project access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
configured for personal access tokens.
-NOTE:
-Project access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
-
## Create a project access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89114) in GitLab 15.1, Owners can select Owner role for project access tokens.
diff --git a/spec/controllers/profiles/personal_access_tokens_controller_spec.rb b/spec/controllers/profiles/personal_access_tokens_controller_spec.rb
index 044ce8f397a..179e657cb8f 100644
--- a/spec/controllers/profiles/personal_access_tokens_controller_spec.rb
+++ b/spec/controllers/profiles/personal_access_tokens_controller_spec.rb
@@ -36,14 +36,6 @@ RSpec.describe Profiles::PersonalAccessTokensController do
expect(created_token.expires_at).to eq(expires_at)
end
- it 'does not allow creation when personal access tokens are disabled' do
- allow(::Gitlab::CurrentSettings).to receive_messages(personal_access_tokens_disabled?: true)
-
- post :create, params: { personal_access_token: token_attributes }
-
- expect(response).to have_gitlab_http_status(:not_found)
- end
-
it_behaves_like "#create access token" do
let(:url) { :create }
end
@@ -92,14 +84,6 @@ RSpec.describe Profiles::PersonalAccessTokensController do
)
end
- it 'returns 404 when personal access tokens are disabled' do
- allow(::Gitlab::CurrentSettings).to receive_messages(personal_access_tokens_disabled?: true)
-
- get :index
-
- expect(response).to have_gitlab_http_status(:not_found)
- end
-
it 'returns tokens for json format' do
get :index, params: { format: :json }
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 9283c31a207..64328d15fd4 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -189,7 +189,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
end
it 'returns nil if valid feed_token and disabled' do
- allow(Gitlab::CurrentSettings).to receive_messages(disable_feed_token: true)
+ stub_application_setting(disable_feed_token: true)
set_param(:feed_token, user.feed_token)
expect(find_user_from_feed_token(:rss)).to be_nil
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index fd86a784b2d..a46d75d6837 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -1483,10 +1483,4 @@ RSpec.describe ApplicationSetting do
expect(setting.personal_access_token_prefix).to eql('glpat-')
end
end
-
- describe '.personal_access_tokens_disabled?' do
- it 'is false' do
- expect(setting.personal_access_tokens_disabled?).to eq(false)
- end
- end
end
diff --git a/spec/requests/admin/impersonation_tokens_controller_spec.rb b/spec/requests/admin/impersonation_tokens_controller_spec.rb
index ee0e12ad0c0..2017a512bce 100644
--- a/spec/requests/admin/impersonation_tokens_controller_spec.rb
+++ b/spec/requests/admin/impersonation_tokens_controller_spec.rb
@@ -10,18 +10,6 @@ RSpec.describe Admin::ImpersonationTokensController, :enable_admin_mode do
sign_in(admin)
end
- context 'when impersonation is enabled' do
- before do
- stub_config_setting(impersonation_enabled: true)
- end
-
- it 'responds ok' do
- get admin_user_impersonation_tokens_path(user_id: user.username)
-
- expect(response).to have_gitlab_http_status(:ok)
- end
- end
-
context "when impersonation is disabled" do
before do
stub_config_setting(impersonation_enabled: false)
diff --git a/spec/views/layouts/nav/sidebar/_profile.html.haml_spec.rb b/spec/views/layouts/nav/sidebar/_profile.html.haml_spec.rb
index f5a0a7a935c..3d28be68b25 100644
--- a/spec/views/layouts/nav/sidebar/_profile.html.haml_spec.rb
+++ b/spec/views/layouts/nav/sidebar/_profile.html.haml_spec.rb
@@ -11,20 +11,4 @@ RSpec.describe 'layouts/nav/sidebar/_profile' do
it_behaves_like 'has nav sidebar'
it_behaves_like 'sidebar includes snowplow attributes', 'render', 'user_side_navigation', 'user_side_navigation'
-
- it 'has a link to access tokens' do
- render
-
- expect(rendered).to have_link(_('Access Tokens'), href: profile_personal_access_tokens_path)
- end
-
- context 'when personal access tokens are disabled' do
- it 'does not have a link to access tokens' do
- allow(::Gitlab::CurrentSettings).to receive_messages(personal_access_tokens_disabled?: true)
-
- render
-
- expect(rendered).not_to have_link(_('Access Tokens'), href: profile_personal_access_tokens_path)
- end
- end
end