Add registry migration eligibility flag to tokens for internal use

Previously this was only being added to tokens for external use obtained through the /jwt/auth API endpoint.

Add registry migration eligibility flag to tokens for internal use
Previously this was only being added to tokens for external use obtained through the /jwt/auth API endpoint.
7be745d2 · João Pereira · 064e9079 · 7be745d2 · 7be745d2
Commit 7be745d2 authored Aug 17, 2021 by João Pereira
2 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -45,7 +45,12 @@ module Auth
      token.expire_time = token_expire_at

      token[:access] = names.map do |name|
-        { type: 'repository', name: name, actions: actions }
+        {
+          type: 'repository',
+          name: name,
+          actions: actions,
+          migration_eligible: migration_eligible(repository_path: name)
+        }.compact
      end

      token.encoded
@@ -119,13 +124,20 @@ module Auth
        type: type,
        name: path.to_s,
        actions: authorized_actions,
-        migration_eligible: migration_eligible(requested_project, authorized_actions)
+        migration_eligible: self.class.migration_eligible(project: requested_project)
      }.compact
    end

-    def migration_eligible(project, actions)
+    def self.migration_eligible(project: nil, repository_path: nil)
      return unless Feature.enabled?(:container_registry_migration_phase1)

+      # project has precedence over repository_path. If only the latter is provided, we find the corresponding Project.
+      unless project
+        return unless repository_path
+
+        project = ContainerRegistry::Path.new(repository_path).repository_project
+      end
+
      # The migration process will start by allowing only specific test and gitlab-org projects using the
      # `container_registry_migration_phase1_allow` FF. We'll then move on to a percentage rollout using this same FF.
      # To remove the risk of impacting enterprise customers that rely heavily on the registry during the percentage

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -84,5 +84,36 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do

      it_behaves_like 'a modified token'
    end
+
+    describe '#access_token' do
+      let(:token) { described_class.access_token(%w[push], [project.full_path]) }
+
+      subject { { token: token } }
+
+      it_behaves_like 'a modified token'
+    end
+  end
+
+  context 'when not in migration mode' do
+    include_context 'container registry auth service context'
+
+    let_it_be(:project) { create(:project) }
+
+    before do
+      stub_feature_flags(container_registry_migration_phase1: false)
+    end
+
+    shared_examples 'an unmodified token' do
+      it_behaves_like 'a valid token'
+      it { expect(payload['access']).not_to include(have_key('migration_eligible')) }
+    end
+
+    describe '#access_token' do
+      let(:token) { described_class.access_token(%w[push], [project.full_path]) }
+
+      subject { { token: token } }
+
+      it_behaves_like 'an unmodified token'
+    end
  end
 end