Diffstat (limited to 'spec/services/clusters/aws')
3 files changed, 70 insertions, 7 deletions
diff --git a/spec/services/clusters/aws/authorize_role_service_spec.rb b/spec/services/clusters/aws/authorize_role_service_spec.rb
index 302bae6e3ff..17bbc372675 100644
--- a/spec/services/clusters/aws/authorize_role_service_spec.rb
+++ b/spec/services/clusters/aws/authorize_role_service_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do
     shared_examples 'bad request' do
       it 'returns an empty hash' do
         expect(subject.status).to eq(:unprocessable_entity)
-        expect(subject.body).to eq({})
+        expect(subject.body).to eq({ message: message })
       end
 
       it 'logs the error' do
@@ -52,12 +52,14 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do
     context 'role does not exist' do
       let(:user) { create(:user) }
+      let(:message) { 'Error: Unable to find AWS role for current user' }
 
       include_examples 'bad request'
     end
 
     context 'supplied ARN is invalid' do
       let(:role_arn) { 'invalid' }
+      let(:message) { 'Validation failed: Role arn must be a valid Amazon Resource Name' }
 
       include_examples 'bad request'
     end
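Review bot: The shared example in the first hunk is still titled `it 'returns an empty hash' do` while its assertion now expects `{ message: message }`, so a failure will be reported under a description that states the opposite of what is checked; rename it to `it 'returns the error message in the body' do`. The shared example now depends on every including context defining `message`, but nothing says so; a one-line comment above `shared_examples 'bad request' do`, such as `# including contexts must define let(:message) with the expected body message`, would make that contract visible before someone includes it without one and gets a NameError. The enclosing describe block starts and ends outside the hunk.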
@@ -69,18 +71,29 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do
     context 'error fetching credentials' do
       let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
+      let(:message) { 'AWS service error: error message' }
+
+      include_examples 'bad request'
+    end
+
+    context 'error in assuming role' do
+      let(:raw_message) { "User foo is not authorized to perform: sts:AssumeRole on resource bar" }
+      let(:error) { Aws::STS::Errors::AccessDenied.new(nil, raw_message) }
+      let(:message) { "Access denied: #{raw_message}" }
 
       include_examples 'bad request'
     end
 
     context 'credentials not configured' do
       let(:error) { Aws::Errors::MissingCredentialsError.new('error message') }
+      let(:message) { "Error: No AWS credentials were supplied" }
 
       include_examples 'bad request'
     end
 
     context 'role not configured' do
       let(:error) { Clusters::Aws::FetchCredentialsService::MissingRoleError.new('error message') }
+      let(:message) { "Error: No AWS provision role found for user" }
 
       include_examples 'bad request'
     end
diff --git a/spec/services/clusters/aws/fetch_credentials_service_spec.rb b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
index 361a947f634..0358ca1f535 100644
--- a/spec/services/clusters/aws/fetch_credentials_service_spec.rb
+++ b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
@@ -60,9 +60,7 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
     subject { described_class.new(provision_role, provider: provider).execute }
 
     before do
-      allow(File).to receive(:read)
-        .with(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json'))
-        .and_return(session_policy)
+      stub_file_read(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json'), content: session_policy)
     end
 
     it { is_expected.to eq assumed_role_credentials }
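Review bot: The new `error in assuming role` and `error fetching credentials` contexts pin a response body that echoes the raw STS error text (`"Access denied: #{raw_message}"`, `'AWS service error: error message'`) into an `:unprocessable_entity` result, and a real AccessDenied message from STS carries the calling principal's ARN (account ID plus IAM user or role name) as well as the target role ARN. If that body is returned to the API client, any user who can submit a role ARN learns the instance's provisioning identity; the existing `'logs the error'` example already covers the operator-facing detail, so the client-facing assertion could pin a fixed string instead, e.g. `let(:message) { 'Access denied: unable to assume the provided role' }`, with the raw message asserted only in the log expectation. Whether the body reaches the client is not visible from this spec, so confirm against the controller before changing the service. The enclosing describe block continues outside the hunk.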
@@ -83,5 +81,59 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
         expect { subject }.to raise_error(described_class::MissingRoleError, 'AWS provisioning role not configured')
       end
     end
+
+    context 'with an instance profile attached to an IAM role' do
+      let(:sts_client) { Aws::STS::Client.new(region: region, stub_responses: true) }
+      let(:provision_role) { create(:aws_role, user: user, region: 'custom-region') }
+
+      before do
+        stub_application_setting(eks_access_key_id: nil)
+        stub_application_setting(eks_secret_access_key: nil)
+
+        expect(Aws::STS::Client).to receive(:new)
+          .with(region: region)
+          .and_return(sts_client)
+
+        expect(Aws::AssumeRoleCredentials).to receive(:new)
+          .with(
+            client: sts_client,
+            role_arn: provision_role.role_arn,
+            role_session_name: session_name,
+            external_id: provision_role.role_external_id,
+            policy: session_policy
+          ).and_call_original
+      end
+
+      context 'provider is specified' do
+        let(:region) { provider.region }
+        let(:session_name) { "gitlab-eks-cluster-#{provider.cluster_id}-user-#{user.id}" }
+        let(:session_policy) { nil }
+
+        it 'returns credentials', :aggregate_failures do
+          expect(subject.access_key_id).to be_present
+          expect(subject.secret_access_key).to be_present
+          expect(subject.session_token).to be_present
+        end
+      end
+
+      context 'provider is not specifed' do
+        let(:provider) { nil }
+        let(:region) { provision_role.region }
+        let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" }
+        let(:session_policy) { 'policy-document' }
+
+        before do
+          stub_file_read(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json'), content: session_policy)
+        end
+
+        subject { described_class.new(provision_role, provider: provider).execute }
+
+        it 'returns credentials', :aggregate_failures do
+          expect(subject.access_key_id).to be_present
+          expect(subject.secret_access_key).to be_present
+          expect(subject.session_token).to be_present
+        end
+      end
+    end
   end
 end
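Review bot: The `before` block of the new `with an instance profile attached to an IAM role` context puts message expectations in a hook (`expect(Aws::STS::Client).to receive(:new)` and `expect(Aws::AssumeRoleCredentials).to receive(:new)`), so a mismatch is reported as a hook error rather than as the example's own failure and RuboCop's RSpec/ExpectInHook flags it; use `allow(...)` in the hook and assert `expect(Aws::AssumeRoleCredentials).to have_received(:new).with(...)` inside each `it`, keeping the `.with(region: region)` constraint on the STS client so the test still proves no static `access_key_id`/`secret_access_key` were passed once the application settings are nil. The inner `provider is not specifed` context re-declares `subject { described_class.new(provision_role, provider: provider).execute }`, which looks identical to the subject at line 60 of this file and can be dropped, and its name has a typo (`specified`). The three `be_present` checks only show that the `stub_responses: true` client returned something; a short comment such as `# stub_responses returns canned STS credentials; the point of this context is that the client is built from the instance profile, not from application settings` would tell the next reader what is actually under test.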
diff --git a/spec/services/clusters/aws/provision_service_spec.rb b/spec/services/clusters/aws/provision_service_spec.rb
index 52612e5ac40..5efac29ec1e 100644
--- a/spec/services/clusters/aws/provision_service_spec.rb
+++ b/spec/services/clusters/aws/provision_service_spec.rb
@@ -42,9 +42,7 @@ RSpec.describe Clusters::Aws::ProvisionService do
       allow(provider).to receive(:api_client)
         .and_return(client)
-      allow(File).to receive(:read)
-        .with(Rails.root.join('vendor', 'aws', 'cloudformation', 'eks_cluster.yaml'))
-        .and_return(cloudformation_template)
+      stub_file_read(Rails.root.join('vendor', 'aws', 'cloudformation', 'eks_cluster.yaml'), content: cloudformation_template)
     end
 
     it 'updates the provider status to :creating and configures the provider with credentials' do