spec/services/auth/container_registry_authentication_service_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Auth::ContainerRegistryAuthenticationService do
  include AdminModeHelper

  it_behaves_like 'a container registry auth service'

  context 'when in migration mode' do
    include_context 'container registry auth service context'

    let_it_be(:current_user) { create(:user) }
    let_it_be(:project) { create(:project) }

    before do
      project.add_developer(current_user)
    end

    shared_examples 'a modified token with migration eligibility' do |eligible|
      it_behaves_like 'a valid token'
      it { expect(payload['access']).to include(include('migration_eligible' => eligible)) }
    end

    shared_examples 'a modified token' do
      context 'with a non eligible root ancestor and project' do
        before do
          stub_feature_flags(container_registry_migration_phase1_deny: project.root_ancestor)
          stub_feature_flags(container_registry_migration_phase1_allow: false)
        end

        it_behaves_like 'a modified token with migration eligibility', false
      end

      context 'with a non eligible root ancestor and eligible project' do
        before do
          stub_feature_flags(container_registry_migration_phase1_deny: false)
          stub_feature_flags(container_registry_migration_phase1_deny: project.root_ancestor)
          stub_feature_flags(container_registry_migration_phase1_allow: project)
        end

        it_behaves_like 'a modified token with migration eligibility', false
      end

      context 'with an eligible root ancestor and non eligible project' do
        before do
          stub_feature_flags(container_registry_migration_phase1_deny: false)
          stub_feature_flags(container_registry_migration_phase1_allow: false)
        end

        it_behaves_like 'a modified token with migration eligibility', false
      end

      context 'with an eligible root ancestor and project' do
        before do
          stub_feature_flags(container_registry_migration_phase1_deny: false)
          stub_feature_flags(container_registry_migration_phase1_allow: project)
        end

        it_behaves_like 'a modified token with migration eligibility', true
      end
    end

    context 'with pull action' do
      let(:current_params) do
        { scopes: ["repository:#{project.full_path}:pull"] }
      end

      it_behaves_like 'a modified token'
    end

    context 'with push action' do
      let(:current_params) do
        { scopes: ["repository:#{project.full_path}:push"] }
      end

      it_behaves_like 'a modified token'
    end

    context 'with multiple actions' do
      let(:current_params) do
        { scopes: ["repository:#{project.full_path}:pull,push,delete"] }
      end

      it_behaves_like 'a modified token'
    end

    describe '#access_token' do
      let(:token) { described_class.access_token(%w[push], [project.full_path]) }

      subject { { token: token } }

      it_behaves_like 'a modified token'
    end

    context 'with a project with a path with trailing underscore' do
      let(:bad_project) { create(:project) }

      before do
        bad_project.update!(path: bad_project.path + '_')
        bad_project.add_developer(current_user)
      end

      describe '#full_access_token' do
        let(:token) { described_class.full_access_token(bad_project.full_path) }
        let(:access) do
          [{ 'type' => 'repository',
             'name' => bad_project.full_path,
             'actions' => ['*'],
             'migration_eligible' => false }]
        end

        subject { { token: token } }

        it 'logs an exception and returns a valid access token' do
          expect(Gitlab::ErrorTracking).to receive(:track_and_raise_for_dev_exception)

          expect(token).to be_present
          expect(payload).to be_a(Hash)
          expect(payload).to include('access' => access)
        end
      end
    end
  end

  context 'when not in migration mode' do
    include_context 'container registry auth service context'

    let_it_be(:project) { create(:project) }

    before do
      stub_feature_flags(container_registry_migration_phase1: false)
    end

    shared_examples 'an unmodified token' do
      it_behaves_like 'a valid token'
      it { expect(payload['access']).not_to include(have_key('migration_eligible')) }
    end

    describe '#access_token' do
      let(:token) { described_class.access_token(%w[push], [project.full_path]) }

      subject { { token: token } }

      it_behaves_like 'an unmodified token'
    end
  end
end