Commit 645608ac authored by David Fernandez's avatar David Fernandez

Merge branch 'container-registry-migration-phase1' into 'master'

Drive container registry migration phase 1 with Rails FFs [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!63907
parents af098b51 29cf01b5
...@@ -115,7 +115,25 @@ module Auth ...@@ -115,7 +115,25 @@ module Auth
# #
ensure_container_repository!(path, authorized_actions) ensure_container_repository!(path, authorized_actions)
{ type: type, name: path.to_s, actions: authorized_actions } {
type: type,
name: path.to_s,
actions: authorized_actions,
migration_eligible: migration_eligible(requested_project, authorized_actions)
}.compact
end
def migration_eligible(project, actions)
return unless actions.include?('push')
return unless Feature.enabled?(:container_registry_migration_phase1)
# The migration process will start by allowing only specific test and gitlab-org projects using the
# `container_registry_migration_phase1_allow` FF. We'll then move on to a percentage rollout using this same FF.
# To remove the risk of impacting enterprise customers that rely heavily on the registry during the percentage
# rollout, we'll add their top-level group/namespace to the `container_registry_migration_phase1_deny` FF. Later,
# we'll remove them manually from this deny list, and their new repositories will become eligible.
Feature.disabled?(:container_registry_migration_phase1_deny, project.root_ancestor) &&
Feature.enabled?(:container_registry_migration_phase1_allow, project)
end end
## ##
......
---
name: container_registry_migration_phase1
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63907
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/335703
milestone: '14.1'
type: development
group: group::package
default_enabled: false
---
name: container_registry_migration_phase1_allow
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63907
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/335705
milestone: '14.1'
type: development
group: group::package
default_enabled: false
---
name: container_registry_migration_phase1_deny
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63907
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/335706
milestone: '14.1'
type: development
group: group::package
default_enabled: false
...@@ -6,4 +6,96 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do ...@@ -6,4 +6,96 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
include AdminModeHelper include AdminModeHelper
it_behaves_like 'a container registry auth service' it_behaves_like 'a container registry auth service'
context 'when in migration mode' do
include_context 'container registry auth service context'
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project) }
before do
project.add_developer(current_user)
end
shared_examples 'an unmodified token' do
it_behaves_like 'a valid token'
it { expect(payload['access']).not_to include(have_key('migration_eligible')) }
end
shared_examples 'a modified token with migration eligibility' do |eligible|
it_behaves_like 'a valid token'
it { expect(payload['access']).to include(include('migration_eligible' => eligible)) }
end
shared_examples 'a modified token' do
context 'with a non eligible root ancestor and project' do
before do
stub_feature_flags(container_registry_migration_phase1_deny: project.root_ancestor)
stub_feature_flags(container_registry_migration_phase1_allow: false)
end
it_behaves_like 'a modified token with migration eligibility', false
end
context 'with a non eligible root ancestor and eligible project' do
before do
stub_feature_flags(container_registry_migration_phase1_deny: false)
stub_feature_flags(container_registry_migration_phase1_deny: project.root_ancestor)
stub_feature_flags(container_registry_migration_phase1_allow: project)
end
it_behaves_like 'a modified token with migration eligibility', false
end
context 'with an eligible root ancestor and non eligible project' do
before do
stub_feature_flags(container_registry_migration_phase1_deny: false)
stub_feature_flags(container_registry_migration_phase1_allow: false)
end
it_behaves_like 'a modified token with migration eligibility', false
end
context 'with an eligible root ancestor and project' do
before do
stub_feature_flags(container_registry_migration_phase1_deny: false)
stub_feature_flags(container_registry_migration_phase1_allow: project)
end
it_behaves_like 'a modified token with migration eligibility', true
end
end
context 'with pull action' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull"] }
end
it_behaves_like 'an unmodified token'
end
context 'with push action' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:push"] }
end
it_behaves_like 'a modified token'
end
context 'with multiple actions including push' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull,push,delete"] }
end
it_behaves_like 'a modified token'
end
context 'with multiple actions excluding push' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull,delete"] }
end
it_behaves_like 'an unmodified token'
end
end
end end
...@@ -157,6 +157,10 @@ end ...@@ -157,6 +157,10 @@ end
RSpec.shared_examples 'a container registry auth service' do RSpec.shared_examples 'a container registry auth service' do
include_context 'container registry auth service context' include_context 'container registry auth service context'
before do
stub_feature_flags(container_registry_migration_phase1: false)
end
describe '#full_access_token' do describe '#full_access_token' do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment