authorGitLab Bot <gitlab-bot@gitlab.com>2021-06-14 09:10:15 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-06-14 09:10:15 +0000
commit0e0ec3ddd5528b1d2114606158344226debabdc9 (patch)
treee20a3a21304d33479e85e6dc26b365ea139eeceb
parent54a8c42f35399da6e259baef16b9cc9be287d59e (diff)
downloadgitlab-ce-0e0ec3ddd5528b1d2114606158344226debabdc9.tar.gz
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/models/ci/job_token/scope.rb3
-rw-r--r--app/models/project.rb1
-rw-r--r--app/models/project_ci_cd_setting.rb1
-rw-r--r--db/migrate/20210607154719_add_job_token_scope_enabled_to_ci_cd_settings.rb17
-rw-r--r--db/schema_migrations/202106071547191
-rw-r--r--db/structure.sql3
-rw-r--r--doc/api/dora/metrics.md35
-rw-r--r--doc/install/next_steps.md1
-rw-r--r--lib/api/entities/project.rb1
-rw-r--r--spec/models/ci/job_token/scope_spec.rb10
-rw-r--r--spec/models/project_ci_cd_setting_spec.rb6
-rw-r--r--spec/requests/api/project_attributes.yml1
12 files changed, 62 insertions, 18 deletions
diff --git a/app/models/ci/job_token/scope.rb b/app/models/ci/job_token/scope.rb
index fb1d5952a4c..42cfdc21d66 100644
--- a/app/models/ci/job_token/scope.rb
+++ b/app/models/ci/job_token/scope.rb
@@ -22,6 +22,9 @@ module Ci
end
def includes?(target_project)
+ # if the setting is disabled any project is considered to be in scope.
+ return true unless source_project.ci_job_token_scope_enabled?
+
target_project.id == source_project.id ||
Ci::JobToken::ProjectScopeLink.from_project(source_project).to_project(target_project).exists?
end
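Review bot: The new guard in `includes?` fails open: whenever `ci_job_token_scope_enabled?` is false, the method returns true for every `target_project`, so any caller that uses it as an access check gets no restriction at all. The comment does not say that this is deliberate. I would spell it out, for example `# Scope enforcement is opt-in: with the setting off the job token is not limited to linked projects, so every project counts as in scope.` The call also goes through the `delegate ... to: :ci_cd_settings` line added in app/models/project.rb, which has no `allow_nil`. If a project can exist without a settings row (not visible in this diff), the check would raise instead of deciding, and that case deserves a spec.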
diff --git a/app/models/project.rb b/app/models/project.rb
index 460bb1c8be9..f7eba76849d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -423,6 +423,7 @@ class Project < ApplicationRecord
delegate :dashboard_timezone, to: :metrics_setting, allow_nil: true, prefix: true
delegate :default_git_depth, :default_git_depth=, to: :ci_cd_settings, prefix: :ci
delegate :forward_deployment_enabled, :forward_deployment_enabled=, :forward_deployment_enabled?, to: :ci_cd_settings, prefix: :ci
+ delegate :job_token_scope_enabled, :job_token_scope_enabled=, :job_token_scope_enabled?, to: :ci_cd_settings, prefix: :ci
delegate :keep_latest_artifact, :keep_latest_artifact=, :keep_latest_artifact?, :keep_latest_artifacts_available?, to: :ci_cd_settings
delegate :restrict_user_defined_variables, :restrict_user_defined_variables=, :restrict_user_defined_variables?,
to: :ci_cd_settings
diff --git a/app/models/project_ci_cd_setting.rb b/app/models/project_ci_cd_setting.rb
index c0c2ea42d46..b025326c6f8 100644
--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -16,6 +16,7 @@ class ProjectCiCdSetting < ApplicationRecord
allow_nil: true
default_value_for :forward_deployment_enabled, true
+ default_value_for :job_token_scope_enabled, true
def forward_deployment_enabled?
super && ::Feature.enabled?(:forward_deployment_enabled, project, default_enabled: true)
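Review bot: The model default added here (`default_value_for :job_token_scope_enabled, true`) disagrees with the column default in the migration and in db/structure.sql (`default: false, null: false`), and nothing in the code explains the split. Rows that exist before the migration, and any row written without going through this model, end up with `false`, which `Ci::JobToken::Scope#includes?` treats as "every project is in scope". If that is the intended compatibility behaviour, say so next to the default, e.g. `# Column default is false so existing projects keep unrestricted job tokens; records built through the model opt in.` The new spec in spec/models/project_ci_cd_setting_spec.rb only checks `described_class.new`, so the persisted-default path is not pinned by a test. The `forward_deployment_enabled?` method that follows continues outside the hunk.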
diff --git a/db/migrate/20210607154719_add_job_token_scope_enabled_to_ci_cd_settings.rb b/db/migrate/20210607154719_add_job_token_scope_enabled_to_ci_cd_settings.rb
new file mode 100644
index 00000000000..20b9e8d95ee
--- /dev/null
+++ b/db/migrate/20210607154719_add_job_token_scope_enabled_to_ci_cd_settings.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddJobTokenScopeEnabledToCiCdSettings < ActiveRecord::Migration[6.0]
+ include Gitlab::Database::MigrationHelpers
+
+ def up
+ with_lock_retries do
+ add_column :project_ci_cd_settings, :job_token_scope_enabled, :boolean, default: false, null: false
+ end
+ end
+
+ def down
+ with_lock_retries do
+ remove_column :project_ci_cd_settings, :job_token_scope_enabled
+ end
+ end
+end
diff --git a/db/schema_migrations/20210607154719 b/db/schema_migrations/20210607154719
new file mode 100644
index 00000000000..0f7aab0fc39
--- /dev/null
+++ b/db/schema_migrations/20210607154719
@@ -0,0 +1 @@
+dd6bf6ae4988e8e07247388554992d5100dedb2bd66e92c42a6bb144dc6b1937 \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 56b6dcd0a24..05cbb357513 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16564,7 +16564,8 @@ CREATE TABLE project_ci_cd_settings (
merge_trains_enabled boolean DEFAULT false,
auto_rollback_enabled boolean DEFAULT false NOT NULL,
keep_latest_artifact boolean DEFAULT true NOT NULL,
- restrict_user_defined_variables boolean DEFAULT false NOT NULL
+ restrict_user_defined_variables boolean DEFAULT false NOT NULL,
+ job_token_scope_enabled boolean DEFAULT false NOT NULL
);
CREATE SEQUENCE project_ci_cd_settings_id_seq
diff --git a/doc/api/dora/metrics.md b/doc/api/dora/metrics.md
index 31e6fee66ca..99826550b61 100644
--- a/doc/api/dora/metrics.md
+++ b/doc/api/dora/metrics.md
@@ -7,7 +7,8 @@ type: reference, api
# DevOps Research and Assessment (DORA) key metrics API **(ULTIMATE)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/279039) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/279039) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10.
+> - The legacy key/value pair `{ "<date>" => "<value>" }` was removed from the payload in GitLab 14.0.
All methods require [reporter permissions and above](../../user/permissions.md).
@@ -38,14 +39,14 @@ Example response:
```json
[
- { "2021-03-01": 3, "date": "2021-03-01", "value": 3 },
- { "2021-03-02": 6, "date": "2021-03-02", "value": 6 },
- { "2021-03-03": 0, "date": "2021-03-03", "value": 0 },
- { "2021-03-04": 0, "date": "2021-03-04", "value": 0 },
- { "2021-03-05": 0, "date": "2021-03-05", "value": 0 },
- { "2021-03-06": 0, "date": "2021-03-06", "value": 0 },
- { "2021-03-07": 0, "date": "2021-03-07", "value": 0 },
- { "2021-03-08": 4, "date": "2021-03-08", "value": 4 }
+ { "date": "2021-03-01", "value": 3 },
+ { "date": "2021-03-02", "value": 6 },
+ { "date": "2021-03-03", "value": 0 },
+ { "date": "2021-03-04", "value": 0 },
+ { "date": "2021-03-05", "value": 0 },
+ { "date": "2021-03-06", "value": 0 },
+ { "date": "2021-03-07", "value": 0 },
+ { "date": "2021-03-08", "value": 4 }
]
```
@@ -78,14 +79,14 @@ Example response:
```json
[
- { "2021-03-01": 3, "date": "2021-03-01", "value": 3 },
- { "2021-03-02": 6, "date": "2021-03-02", "value": 6 },
- { "2021-03-03": 0, "date": "2021-03-03", "value": 0 },
- { "2021-03-04": 0, "date": "2021-03-04", "value": 0 },
- { "2021-03-05": 0, "date": "2021-03-05", "value": 0 },
- { "2021-03-06": 0, "date": "2021-03-06", "value": 0 },
- { "2021-03-07": 0, "date": "2021-03-07", "value": 0 },
- { "2021-03-08": 4, "date": "2021-03-08", "value": 4 }
+ { "date": "2021-03-01", "value": 3 },
+ { "date": "2021-03-02", "value": 6 },
+ { "date": "2021-03-03", "value": 0 },
+ { "date": "2021-03-04", "value": 0 },
+ { "date": "2021-03-05", "value": 0 },
+ { "date": "2021-03-06", "value": 0 },
+ { "date": "2021-03-07", "value": 0 },
+ { "date": "2021-03-08", "value": 4 }
]
```
diff --git a/doc/install/next_steps.md b/doc/install/next_steps.md
index 0a2a1c250d6..4e4f1f01a08 100644
--- a/doc/install/next_steps.md
+++ b/doc/install/next_steps.md
@@ -28,6 +28,7 @@ installation.
- [Secure GitLab](../security/README.md#securing-your-gitlab-installation):
Recommended practices to secure your GitLab instance.
+- Sign up for the GitLab [Security Newsletter](https://about.gitlab.com/company/preference-center/) to get notified for security updates upon release.
## Authentication
diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb
index 3af33eb9886..7280945d814 100644
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -95,6 +95,7 @@ module API
expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] }
expose :ci_default_git_depth
expose :ci_forward_deployment_enabled
+ expose :ci_job_token_scope_enabled
expose :public_builds, as: :public_jobs
expose :build_git_strategy, if: lambda { |project, options| options[:user_can_admin_project] } do |project, options|
project.build_allow_git_fetch ? 'fetch' : 'clone'
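Review bot: The new `expose :ci_job_token_scope_enabled` carries no `if:` condition, while `runners_token` and `build_git_strategy` in the same hunk are gated on `options[:user_can_admin_project]`. The flag tells an API reader whether a project's job tokens are restricted to linked projects, which is security configuration rather than general metadata. Unless an enclosing condition outside the hunk already limits who sees it, I would gate it the same way: `expose :ci_job_token_scope_enabled, if: lambda { |_project, options| options[:user_can_admin_project] }`. The surrounding entity block starts and ends outside the hunk, so the effective visibility needs checking against the full file.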
diff --git a/spec/models/ci/job_token/scope_spec.rb b/spec/models/ci/job_token/scope_spec.rb
index 2fbfbac64f8..c731a2634f5 100644
--- a/spec/models/ci/job_token/scope_spec.rb
+++ b/spec/models/ci/job_token/scope_spec.rb
@@ -50,6 +50,16 @@ RSpec.describe Ci::JobToken::Scope do
let(:target_project) { scope_link.target_project }
it { is_expected.to be_falsey }
+
+ context 'when project scope setting is disabled' do
+ before do
+ project.ci_job_token_scope_enabled = false
+ end
+
+ it 'considers any project to be part of the scope' do
+ expect(subject).to be_truthy
+ end
+ end
end
end
end
diff --git a/spec/models/project_ci_cd_setting_spec.rb b/spec/models/project_ci_cd_setting_spec.rb
index 406485d8cc8..c206ba27ec1 100644
--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -21,6 +21,12 @@ RSpec.describe ProjectCiCdSetting do
end
end
+ describe '#job_token_scope_enabled' do
+ it 'is true by default' do
+ expect(described_class.new.job_token_scope_enabled).to be_truthy
+ end
+ end
+
describe '#default_git_depth' do
let(:default_value) { described_class::DEFAULT_GIT_DEPTH }
diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml
index ea0ecfc6032..fad7492f310 100644
--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -94,6 +94,7 @@ ci_cd_settings:
remapped_attributes:
default_git_depth: ci_default_git_depth
forward_deployment_enabled: ci_forward_deployment_enabled
+ job_token_scope_enabled: ci_job_token_scope_enabled
build_import_state: # import_state
unexposed_attributes: