Commit 9a6cee64 authored by Steve Abrams's avatar Steve Abrams

Deploy token access for the Dependency Proxy

Remove the feature flag to enable group deploy token
access for the Dependency Proxy.

Changelog: added
parent 32613a4b
...@@ -18,23 +18,14 @@ module Groups ...@@ -18,23 +18,14 @@ module Groups
def authenticate_user_from_jwt_token! def authenticate_user_from_jwt_token!
return unless dependency_proxy_for_private_groups? return unless dependency_proxy_for_private_groups?
if Feature.enabled?(:dependency_proxy_deploy_tokens) authenticate_with_http_token do |token, _|
authenticate_with_http_token do |token, _| @authentication_result = EMPTY_AUTH_RESULT
@authentication_result = EMPTY_AUTH_RESULT
found_user = user_from_token(token)
found_user = user_from_token(token) sign_in(found_user) if found_user.is_a?(User)
sign_in(found_user) if found_user.is_a?(User)
end
request_bearer_token! unless authenticated_user
else
authenticate_with_http_token do |token, _|
user = user_from_token(token)
sign_in(user) if user
end
request_bearer_token! unless current_user
end end
request_bearer_token! unless authenticated_user
end end
private private
...@@ -51,7 +42,6 @@ module Groups ...@@ -51,7 +42,6 @@ module Groups
def user_from_token(token) def user_from_token(token)
token_payload = ::DependencyProxy::AuthTokenService.decoded_token_payload(token) token_payload = ::DependencyProxy::AuthTokenService.decoded_token_payload(token)
return User.find(token_payload['user_id']) unless Feature.enabled?(:dependency_proxy_deploy_tokens)
if token_payload['user_id'] if token_payload['user_id']
token_user = User.find(token_payload['user_id']) token_user = User.find(token_payload['user_id'])
......
---
name: dependency_proxy_deploy_tokens
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/64363
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/334565
milestone: '14.2'
type: development
group: group::package
default_enabled: false
...@@ -65,82 +65,39 @@ RSpec.describe Groups::DependencyProxyForContainersController do ...@@ -65,82 +65,39 @@ RSpec.describe Groups::DependencyProxyForContainersController do
it { is_expected.to have_gitlab_http_status(:not_found) } it { is_expected.to have_gitlab_http_status(:not_found) }
end end
context 'deploy tokens with dependency_proxy_deploy_tokens disabled' do context 'with deploy token from a different group,' do
before do let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
stub_feature_flags(dependency_proxy_deploy_tokens: false)
end
context 'with deploy token from a different group,' do
let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
it { is_expected.to have_gitlab_http_status(:not_found) }
end
context 'with revoked deploy token' do
let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:not_found) }
end
context 'with expired deploy token' do
let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:not_found) }
end
context 'with deploy token with insufficient scopes' do
let_it_be(:user) { create(:deploy_token, :group) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:not_found) }
end
context 'when a group is not found' do it { is_expected.to have_gitlab_http_status(:not_found) }
before do
expect(Group).to receive(:find_by_full_path).and_return(nil)
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end
end end
context 'deploy tokens with dependency_proxy_deploy_tokens enabled' do context 'with revoked deploy token' do
context 'with deploy token from a different group,' do let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) } let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:not_found) }
end
context 'with revoked deploy token' do it { is_expected.to have_gitlab_http_status(:unauthorized) }
let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) } end
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:unauthorized) } context 'with expired deploy token' do
end let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
context 'with expired deploy token' do it { is_expected.to have_gitlab_http_status(:unauthorized) }
let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) } end
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:unauthorized) } context 'with deploy token with insufficient scopes' do
end let_it_be(:user) { create(:deploy_token, :group) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
context 'with deploy token with insufficient scopes' do it { is_expected.to have_gitlab_http_status(:not_found) }
let_it_be(:user) { create(:deploy_token, :group) } end
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
it { is_expected.to have_gitlab_http_status(:not_found) } context 'when a group is not found' do
before do
expect(Group).to receive(:find_by_full_path).and_return(nil)
end end
context 'when a group is not found' do it { is_expected.to have_gitlab_http_status(:not_found) }
before do
expect(Group).to receive(:find_by_full_path).and_return(nil)
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end
end end
context 'when user is not found' do context 'when user is not found' do
...@@ -274,25 +231,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do ...@@ -274,25 +231,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do
it_behaves_like 'returning response status', :success it_behaves_like 'returning response status', :success
it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest_from_cache' it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest_from_cache'
end end
context 'with dependency_proxy_deploy_tokens feature flag disabled' do
before do
stub_feature_flags(dependency_proxy_deploy_tokens: false)
end
it_behaves_like 'a successful manifest pull'
end
end
context 'a valid deploy token with dependency_proxy_deploy_tokens feature flag disabled' do
let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
before do
stub_feature_flags(dependency_proxy_deploy_tokens: false)
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end end
context 'a valid deploy token' do context 'a valid deploy token' do
...@@ -395,25 +333,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do ...@@ -395,25 +333,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do
it_behaves_like 'returning response status', :success it_behaves_like 'returning response status', :success
it_behaves_like 'a package tracking event', described_class.name, 'pull_blob_from_cache' it_behaves_like 'a package tracking event', described_class.name, 'pull_blob_from_cache'
end end
context 'with dependency_proxy_deploy_tokens feature flag disabled' do
before do
stub_feature_flags(dependency_proxy_deploy_tokens: false)
end
it_behaves_like 'a successful blob pull'
end
end
context 'a valid deploy token with dependency_proxy_deploy_tokens feature flag disabled' do
let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
before do
stub_feature_flags(dependency_proxy_deploy_tokens: false)
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end end
context 'a valid deploy token' do context 'a valid deploy token' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment