Add latest changes from gitlab-org/gitlab@master

5 files changed, 90 insertions, 0 deletions

diff --git a/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb
index 21052f03cb8..cf27d185103 100644
--- a/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb
@@ -3,8 +3,20 @@
 require 'spec_helper'
 
 RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
+  include Ci::TemplateHelpers
+
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
 
+  describe 'AUTO_BUILD_IMAGE_VERSION' do
+    it 'corresponds to a published image in the registry' do
+      registry = "https://#{template_registry_host}"
+      repository = "gitlab-org/cluster-integration/auto-build-image"
+      reference = YAML.safe_load(template.content).dig('variables', 'AUTO_BUILD_IMAGE_VERSION')
+
+      expect(public_image_exist?(registry, repository, reference)).to be true
+    end
+  end
+
   describe 'the created pipeline' do
     let_it_be(:project) { create(:project, :repository) }
     let_it_be(:user) { project.first_owner }
diff --git a/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
index b657f73fa77..5b9e1a0d18d 100644
--- a/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
+  include Ci::TemplateHelpers
+
   subject(:template) do
     <<~YAML
       stages:
@@ -26,6 +28,17 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
     YAML
   end
 
+  describe 'AUTO_DEPLOY_IMAGE_VERSION' do
+    it 'corresponds to a published image in the registry' do
+      template = Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Deploy')
+      registry = "https://#{template_registry_host}"
+      repository = "gitlab-org/cluster-integration/auto-deploy-image"
+      reference = YAML.safe_load(template.content, aliases: true).dig('variables', 'AUTO_DEPLOY_IMAGE_VERSION')
+
+      expect(public_image_exist?(registry, repository, reference)).to be true
+    end
+  end
+
   describe 'the created pipeline' do
     let_it_be(:project, refind: true) { create(:project, :repository) }
 
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index c65933c5208..60acacac814 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -258,6 +258,19 @@ RSpec.describe GroupPolicy do
     it_behaves_like 'deploy token does not get confused with user' do
       let(:user_id) { migration_bot.id }
     end
+
+    context 'with no user' do
+      let(:current_user) { nil }
+
+      it :aggregate_failures do
+        expect_disallowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
+        expect_disallowed(*guest_permissions)
+        expect_disallowed(*reporter_permissions)
+        expect_disallowed(*developer_permissions)
+        expect_disallowed(*maintainer_permissions)
+        expect_disallowed(*owner_permissions)
+      end
+    end
   end
 
   describe 'private nested group use the highest access level from the group and inherited permissions' do
diff --git a/spec/support/helpers/ci/template_helpers.rb b/spec/support/helpers/ci/template_helpers.rb
index 2e9b6f748cd..2cdd242ac22 100644
--- a/spec/support/helpers/ci/template_helpers.rb
+++ b/spec/support/helpers/ci/template_helpers.rb
@@ -5,6 +5,51 @@ module Ci
     def template_registry_host
       'registry.gitlab.com'
     end
+
+    def public_image_exist?(registry, repository, image)
+      public_image_manifest(registry, repository, image).present?
+    end
+
+    def public_image_manifest(registry, repository, reference)
+      token = public_image_repository_token(registry, repository)
+
+      response = with_net_connect_allowed do
+        Gitlab::HTTP.get(image_manifest_url(registry, repository, reference),
+                         headers: { 'Authorization' => "Bearer #{token}" })
+      end
+
+      return unless response.success?
+
+      Gitlab::Json.parse(response.body)
+    end
+
+    def public_image_repository_token(registry, repository)
+      @public_image_repository_tokens ||= {}
+      @public_image_repository_tokens[[registry, repository]] ||=
+        begin
+          response = with_net_connect_allowed do
+            Gitlab::HTTP.get(image_manifest_url(registry, repository, 'latest'))
+          end
+
+          return unless response.unauthorized?
+
+          www_authenticate = response.headers['www-authenticate']
+          return unless www_authenticate
+
+          realm, service, scope = www_authenticate.split(',').map { |s| s[/\w+="(.*)"/, 1] }
+          token_response = with_net_connect_allowed do
+            Gitlab::HTTP.get(realm, query: { service: service, scope: scope })
+          end
+
+          return unless token_response.success?
+
+          token_response['token']
+        end
+    end
+
+    def image_manifest_url(registry, repository, reference)
+      "#{registry}/v2/#{repository}/manifests/#{reference}"
+    end
   end
 end
 
diff --git a/spec/support/webmock.rb b/spec/support/webmock.rb
index f952f7f0985..b9bd3f82f65 100644
--- a/spec/support/webmock.rb
+++ b/spec/support/webmock.rb
@@ -15,6 +15,13 @@ def webmock_allowed_hosts
   end.compact.uniq
 end
 
+def with_net_connect_allowed
+  WebMock.allow_net_connect!
+  yield
+ensure
+  webmock_enable!
+end
+
 # This prevents Selenium/WebMock from spawning thousands of connections
 # while waiting for an element to appear via Capybara's find:
 # https://github.com/teamcapybara/capybara/issues/2322#issuecomment-619321520