diff options
Diffstat (limited to 'spec/lib/integrations/google_cloud_platform')
| -rw-r--r-- | spec/lib/integrations/google_cloud_platform/artifact_registry/client_spec.rb | 98 | ||||
| -rw-r--r-- | spec/lib/integrations/google_cloud_platform/jwt_spec.rb | 86 |
2 files changed, 184 insertions, 0 deletions
diff --git a/spec/lib/integrations/google_cloud_platform/artifact_registry/client_spec.rb b/spec/lib/integrations/google_cloud_platform/artifact_registry/client_spec.rb new file mode 100644 index 00000000000..36fa350e46f --- /dev/null +++ b/spec/lib/integrations/google_cloud_platform/artifact_registry/client_spec.rb @@ -0,0 +1,98 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Integrations::GoogleCloudPlatform::ArtifactRegistry::Client, feature_category: :container_registry do + let_it_be(:project) { create(:project) } + let_it_be(:rsa_key) { OpenSSL::PKey::RSA.generate(3072) } + let_it_be(:rsa_key_data) { rsa_key.to_s } + + let(:gcp_project_id) { 'gcp_project_id' } + let(:gcp_location) { 'gcp_location' } + let(:gcp_repository) { 'gcp_repository' } + let(:gcp_wlif) { 'https://wlif.test' } + + let(:user) { project.owner } + let(:client) do + described_class.new( + project: project, + user: user, + gcp_project_id: gcp_project_id, + gcp_location: gcp_location, + gcp_repository: gcp_repository, + gcp_wlif: gcp_wlif + ) + end + + describe '#list_docker_images' do + let(:page_token) { nil } + + subject(:list) { client.list_docker_images(page_token: page_token) } + + before do + stub_application_setting(ci_jwt_signing_key: rsa_key_data) + end + + it 'calls glgo list docker images API endpoint' do + stub_list_docker_image(body: dummy_list_body) + expect(client).to receive(:encoded_jwt).with(wlif: gcp_wlif) + + expect(list).to include(images: an_instance_of(Array), next_page_token: an_instance_of(String)) + end + + context 'with a page token set' do + let(:page_token) { 'token' } + + it 'calls glgo list docker images API endpoint with a page token' do + stub_list_docker_image(body: dummy_list_body, page_token: page_token) + + expect(list).to include(images: an_instance_of(Array), next_page_token: an_instance_of(String)) + end + end + + context 'with an erroneous response' do + it 'returns an empty hash' do + stub_list_docker_image(body: dummy_list_body, status_code: 400) + + expect(list).to eq({}) + end + end + + private + + def stub_list_docker_image(body:, page_token: nil, status_code: 200) + url = "#{described_class::GLGO_BASE_URL}/gcp/ar" + url << "/projects/#{gcp_project_id}" + url << "/locations/#{gcp_location}" + url << "/repositories/#{gcp_repository}/docker" + url << "?page_size=#{described_class::PAGE_SIZE}" + url << "&page_token=#{page_token}" if page_token.present? + + stub_request(:get, url) + .to_return(status: status_code, body: body) + end + + def dummy_list_body + <<-BODY + { + "images": [ + { + "built_at": "2023-11-30T23:23:11.980068941Z", + "media_type": "application/vnd.docker.distribution.manifest.v2+json", + "name": "projects/project/locations/location/repositories/repo/dockerImages/image@sha256:6a0657acfef760bd9e293361c9b558e98e7d740ed0dffca823d17098a4ffddf5", + "size_bytes": 2827903, + "tags": [ + "tag1", + "tag2" + ], + "updated_at": "2023-12-07T11:48:50.840751Z", + "uploaded_at": "2023-12-07T11:48:47.598511Z", + "uri": "location.pkg.dev/project/repo/image@sha256:6a0657acfef760bd9e293361c9b558e98e7d740ed0dffca823d17098a4ffddf5" + } + ], + "next_page_token": "next_page_token" + } + BODY + end + end +end diff --git a/spec/lib/integrations/google_cloud_platform/jwt_spec.rb b/spec/lib/integrations/google_cloud_platform/jwt_spec.rb new file mode 100644 index 00000000000..51707c26a3a --- /dev/null +++ b/spec/lib/integrations/google_cloud_platform/jwt_spec.rb @@ -0,0 +1,86 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Integrations::GoogleCloudPlatform::Jwt, feature_category: :shared do + let_it_be(:project) { create(:project) } + let_it_be(:user) { create(:user) } + + let(:claims) { { audience: 'http://sandbox.test', wlif: 'http://wlif.test' } } + let(:jwt) { described_class.new(project: project, user: user, claims: claims) } + + describe '#encoded' do + let_it_be(:rsa_key) { OpenSSL::PKey::RSA.generate(3072) } + let_it_be(:rsa_key_data) { rsa_key.to_s } + + subject(:encoded) { jwt.encoded } + + before do + stub_application_setting(ci_jwt_signing_key: rsa_key_data) + end + + it 'creates a valid jwt' do + payload, headers = JWT.decode(encoded, rsa_key.public_key, true, { algorithm: 'RS256' }) + + expect(payload).to include( + 'root_namespace_path' => project.root_namespace.full_path, + 'root_namespace_id' => project.root_namespace.id.to_s, + 'wlif' => claims[:wlif], + 'aud' => claims[:audience], + 'project_id' => project.id.to_s, + 'project_path' => project.full_path, + 'user_id' => user.id.to_s, + 'user_email' => user.email, + 'sub' => "project_#{project.id}_user_#{user.id}", + 'iss' => Gitlab.config.gitlab.url + ) + + expect(headers).to include( + 'kid' => rsa_key.public_key.to_jwk[:kid] + ) + end + + context 'with missing jwt audience' do + let(:claims) { { wlif: 'http://wlif.test' } } + + it 'raises an ArgumentError' do + expect { encoded }.to raise_error(ArgumentError, described_class::JWT_OPTIONS_ERROR) + end + end + + context 'with missing jwt wlif' do + let(:claims) { { audience: 'http://sandbox.test' } } + + it 'raises an ArgumentError' do + expect { encoded }.to raise_error(ArgumentError, described_class::JWT_OPTIONS_ERROR) + end + end + + context 'with no ci signing key' do + before do + stub_application_setting(ci_jwt_signing_key: nil) + end + + it 'raises a NoSigningKeyError' do + expect { encoded }.to raise_error(described_class::NoSigningKeyError) + end + end + + context 'with oidc_issuer_url feature flag disabled' do + before do + stub_feature_flags(oidc_issuer_url: false) + # Settings.gitlab.base_url and Gitlab.config.gitlab.url are the + # same for test. Changing that to assert the proper behavior here. + allow(Settings.gitlab).to receive(:base_url).and_return('test.dev') + end + + it 'uses a different issuer' do + payload, _ = JWT.decode(encoded, rsa_key.public_key, true, { algorithm: 'RS256' }) + + expect(payload).to include( + 'iss' => Settings.gitlab.base_url + ) + end + end + end +end |