# frozen_string_literal: true

require 'spec_helper'

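RSpec.describe Clusters::Aws::FetchCredentialsService do
  describe '#execute' do
    let(:user) { create(:user) }
    let(:provider) { create(:cluster_provider_aws, region: 'ap-southeast-2') }

    # GitLab-wide EKS access keys, sourced from the application settings
    # (see the stub_application_setting calls below). In this spec they are
    # only ever used to construct the STS client.
    let(:gitlab_access_key_id) { 'gitlab-access-key-id' }
    let(:gitlab_secret_access_key) { 'gitlab-secret-access-key' }

    let(:gitlab_credentials) { Aws::Credentials.new(gitlab_access_key_id, gitlab_secret_access_key) }
    let(:sts_client) { Aws::STS::Client.new(credentials: gitlab_credentials, region: region) }
    let(:assumed_role) { instance_double(Aws::AssumeRoleCredentials, credentials: assumed_role_credentials) }

    # Opaque stand-in for the temporary credentials produced by AssumeRole;
    # the service is expected to return them unchanged.
    let(:assumed_role_credentials) { double }

    subject { described_class.new(provision_role, provider: provider).execute }

    context 'provision role is configured' do
      let(:provision_role) { create(:aws_role, user: user, region: 'custom-region') }

      before do
        stub_application_setting(eks_access_key_id: gitlab_access_key_id)
        stub_application_setting(eks_secret_access_key: gitlab_secret_access_key)

        expect(Aws::Credentials).to receive(:new)
          .with(gitlab_access_key_id, gitlab_secret_access_key)
          .and_return(gitlab_credentials)

        expect(Aws::STS::Client).to receive(:new)
          .with(credentials: gitlab_credentials, region: region)
          .and_return(sts_client)

        # Pin the exact AssumeRole arguments: the role's external_id must be
        # forwarded (it is what the customer's trust policy uses to restrict
        # who may assume the role), and `policy` is the optional session
        # policy that narrows the permissions of the resulting session.
        expect(Aws::AssumeRoleCredentials).to receive(:new)
          .with(
            client: sts_client,
            role_arn: provision_role.role_arn,
            role_session_name: session_name,
            external_id: provision_role.role_external_id,
            policy: session_policy
          ).and_return(assumed_role)
      end

      context 'provider is specified' do
        let(:region) { provider.region }
        let(:session_name) { "gitlab-eks-cluster-#{provider.cluster_id}-user-#{user.id}" }
        # NOTE(review): no session policy is applied on this path, so the
        # session carries the provision role's full permissions — confirm
        # that is intended for cluster provisioning.
        let(:session_policy) { nil }

        it { is_expected.to eq assumed_role_credentials }
      end

      context 'provider is not specified' do
        let(:provider) { nil }
        let(:region) { provision_role.region }
        let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" }
        let(:session_policy) { 'policy-document' }

        before do
          # Without a provider the service reads the read-only policy document
          # shipped under vendor/aws/iam and attaches it as the session policy.
          allow(File).to receive(:read)
            .with(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json'))
            .and_return(session_policy)
        end

        it { is_expected.to eq assumed_role_credentials }

        context 'region is not specified' do
          # Falls back to Clusters::Providers::Aws::DEFAULT_REGION when the
          # role itself carries no region.
          let(:region) { Clusters::Providers::Aws::DEFAULT_REGION }
          let(:provision_role) { create(:aws_role, user: user, region: nil) }

          it { is_expected.to eq assumed_role_credentials }
        end
      end
    end

    context 'provision role is not configured' do
      let(:provision_role) { nil }

      it 'raises an error' do
        expect { subject }.to raise_error(described_class::MissingRoleError, 'AWS provisioning role not configured')
      end
    end
  end
end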