1 files changed, 35 insertions, 1 deletions

diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb
index 69127a7526e..965bead4068 100644
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe JwtController, feature_category: :system_access do
     end
   end
 
-  context 'authenticating against container registry' do
+  shared_examples 'container registry authenticator' do
     context 'existing service' do
       subject! { get '/jwt/auth', params: parameters }
 
@@ -254,6 +254,40 @@ RSpec.describe JwtController, feature_category: :system_access do
     end
   end
 
+  shared_examples 'parses a space-delimited list of scopes' do |output|
+    let(:user) { create(:user) }
+    let(:headers) { { authorization: credentials(user.username, user.password) } }
+
+    subject! { get '/jwt/auth', params: parameters, headers: headers }
+
+    let(:parameters) do
+      {
+        service: service_name,
+        scope: 'scope1 scope2'
+      }
+    end
+
+    let(:service_parameters) do
+      ActionController::Parameters.new({ service: service_name, scopes: output }).permit!
+    end
+
+    it { expect(service_class).to have_received(:new).with(nil, user, service_parameters.merge(auth_type: :gitlab_or_ldap)) }
+  end
+
+  context 'authenticating against container registry' do
+    it_behaves_like 'container registry authenticator'
+    it_behaves_like 'parses a space-delimited list of scopes', %w(scope1 scope2)
+
+    context 'when jwt_auth_space_delimited_scopes feature flag is disabled' do
+      before do
+        stub_feature_flags(jwt_auth_space_delimited_scopes: false)
+      end
+
+      it_behaves_like 'container registry authenticator'
+      it_behaves_like 'parses a space-delimited list of scopes', ['scope1 scope2']
+    end
+  end
+
   context 'authenticating against dependency proxy' do
     let_it_be(:user) { create(:user) }
     let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }