debian-mirror-gitlab/spec/requests/api/internal/kubernetes_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe API::Internal::Kubernetes do
  let(:jwt_auth_headers) do
    jwt_token = JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')

    { Gitlab::Kas::INTERNAL_API_REQUEST_HEADER => jwt_token }
  end

  let(:jwt_secret) { SecureRandom.random_bytes(Gitlab::Kas::SECRET_LENGTH) }

  before do
    allow(Gitlab::Kas).to receive(:secret).and_return(jwt_secret)
  end

  shared_examples 'authorization' do
    context 'not authenticated' do
      it 'returns 401' do
        send_request(headers: { Gitlab::Kas::INTERNAL_API_REQUEST_HEADER => '' })

        expect(response).to have_gitlab_http_status(:unauthorized)
      end
    end

    context 'kubernetes_agent_internal_api feature flag disabled' do
      before do
        stub_feature_flags(kubernetes_agent_internal_api: false)
      end

      it 'returns 404' do
        send_request

        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
  end

  shared_examples 'agent authentication' do
    it 'returns 401 if Authorization header not sent' do
      send_request

      expect(response).to have_gitlab_http_status(:unauthorized)
    end

    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })

      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end

  shared_examples 'agent token tracking' do
    it 'tracks token usage' do
      expect { response }.to change { agent_token.reload.read_attribute(:last_used_at) }
    end
  end

  describe 'POST /internal/kubernetes/usage_metrics' do
    def send_request(headers: {}, params: {})
      post api('/internal/kubernetes/usage_metrics'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
    end

    include_examples 'authorization'

    context 'is authenticated for an agent' do
      let!(:agent_token) { create(:cluster_agent_token) }

      it 'returns no_content for valid gitops_sync_count' do
        send_request(params: { gitops_sync_count: 10 })

        expect(response).to have_gitlab_http_status(:no_content)
      end

      it 'returns no_content 0 gitops_sync_count' do
        send_request(params: { gitops_sync_count: 0 })

        expect(response).to have_gitlab_http_status(:no_content)
      end

      it 'returns 400 for non number' do
        send_request(params: { gitops_sync_count: 'string' })

        expect(response).to have_gitlab_http_status(:bad_request)
      end

      it 'returns 400 for negative number' do
        send_request(params: { gitops_sync_count: '-1' })

        expect(response).to have_gitlab_http_status(:bad_request)
      end
    end
  end

  describe 'GET /internal/kubernetes/agent_info' do
    def send_request(headers: {}, params: {})
      get api('/internal/kubernetes/agent_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
    end

    include_examples 'authorization'
    include_examples 'agent authentication'

    context 'an agent is found' do
      let!(:agent_token) { create(:cluster_agent_token) }

      let(:agent) { agent_token.agent }
      let(:project) { agent.project }

      shared_examples 'agent token tracking'

      it 'returns expected data', :aggregate_failures do
        send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })

        expect(response).to have_gitlab_http_status(:success)

        expect(json_response).to match(
          a_hash_including(
            'project_id' => project.id,
            'agent_id' => agent.id,
            'agent_name' => agent.name,
            'gitaly_info' => a_hash_including(
              'address' => match(/\.socket$/),
              'token' => 'secret',
              'features' => {}
            ),
            'gitaly_repository' => a_hash_including(
              'storage_name' => project.repository_storage,
              'relative_path' => project.disk_path + '.git',
              'gl_repository' => "project-#{project.id}",
              'gl_project_path' => project.full_path
            )
          )
        )
      end

      context 'on GitLab.com' do
        before do
          allow(::Gitlab).to receive(:com?).and_return(true)
        end

        context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
          before do
            stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
          end

          it 'returns 403' do
            send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })

            expect(response).to have_gitlab_http_status(:forbidden)
          end
        end

        context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
          before do
            stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)
          end

          it 'returns success' do
            send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })

            expect(response).to have_gitlab_http_status(:success)
          end
        end
      end
    end
  end

  describe 'GET /internal/kubernetes/project_info' do
    def send_request(headers: {}, params: {})
      get api('/internal/kubernetes/project_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
    end

    include_examples 'authorization'
    include_examples 'agent authentication'

    context 'an agent is found' do
      let_it_be(:agent_token) { create(:cluster_agent_token) }

      shared_examples 'agent token tracking'

      context 'project is public' do
        let(:project) { create(:project, :public) }

        it 'returns expected data', :aggregate_failures do
          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

          expect(response).to have_gitlab_http_status(:success)

          expect(json_response).to match(
            a_hash_including(
              'project_id' => project.id,
              'gitaly_info' => a_hash_including(
                'address' => match(/\.socket$/),
                'token' => 'secret',
                'features' => {}
              ),
              'gitaly_repository' => a_hash_including(
                'storage_name' => project.repository_storage,
                'relative_path' => project.disk_path + '.git',
                'gl_repository' => "project-#{project.id}",
                'gl_project_path' => project.full_path
              )
            )
          )
        end

        context 'repository is for project members only' do
          let(:project) { create(:project, :public, :repository_private) }

          it 'returns 404' do
            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

            expect(response).to have_gitlab_http_status(:not_found)
          end
        end

        context 'on GitLab.com' do
          before do
            allow(::Gitlab).to receive(:com?).and_return(true)
          end

          context 'kubernetes_agent_on_gitlab_com feature flag disabled' do
            before do
              stub_feature_flags(kubernetes_agent_on_gitlab_com: false)
            end

            it 'returns 403' do
              send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

              expect(response).to have_gitlab_http_status(:forbidden)
            end
          end

          context 'kubernetes_agent_on_gitlab_com feature flag enabled' do
            before do
              stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)
            end

            it 'returns success' do
              send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

              expect(response).to have_gitlab_http_status(:success)
            end
          end
        end
      end

      context 'project is private' do
        let(:project) { create(:project, :private) }

        it 'returns 404' do
          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

          expect(response).to have_gitlab_http_status(:not_found)
        end

        context 'and agent belongs to project' do
          let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }

          it 'returns 200' do
            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

            expect(response).to have_gitlab_http_status(:success)
          end
        end
      end

      context 'project is internal' do
        let(:project) { create(:project, :internal) }

        it 'returns 404' do
          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

          expect(response).to have_gitlab_http_status(:not_found)
        end
      end

      context 'project does not exist' do
        it 'returns 404' do
          send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })

          expect(response).to have_gitlab_http_status(:not_found)
        end
      end
    end
  end
end
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`# frozen_string_literal: true`

			`require 'spec_helper'`

			`RSpec.describe API::Internal::Kubernetes do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`let(:jwt_auth_headers) do`
			`jwt_token = JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')`

			`{ Gitlab::Kas::INTERNAL_API_REQUEST_HEADER => jwt_token }`
			`end`

			`let(:jwt_secret) { SecureRandom.random_bytes(Gitlab::Kas::SECRET_LENGTH) }`

			`before do`
			`allow(Gitlab::Kas).to receive(:secret).and_return(jwt_secret)`
			`end`

			`shared_examples 'authorization' do`
			`context 'not authenticated' do`
			`it 'returns 401' do`
			`send_request(headers: { Gitlab::Kas::INTERNAL_API_REQUEST_HEADER => '' })`

			`expect(response).to have_gitlab_http_status(:unauthorized)`
			`end`
			`end`

New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`context 'kubernetes_agent_internal_api feature flag disabled' do`
			`before do`
			`stub_feature_flags(kubernetes_agent_internal_api: false)`
			`end`

			`it 'returns 404' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`expect(response).to have_gitlab_http_status(:not_found)`
			`end`
			`end`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`end`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`shared_examples 'agent authentication' do`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`it 'returns 401 if Authorization header not sent' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`expect(response).to have_gitlab_http_status(:unauthorized)`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`end`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`it 'returns 401 if Authorization is for non-existent agent' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`expect(response).to have_gitlab_http_status(:unauthorized)`
			`end`
			`end`

			`shared_examples 'agent token tracking' do`
			`it 'tracks token usage' do`
			`expect { response }.to change { agent_token.reload.read_attribute(:last_used_at) }`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`end`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`end`

			`describe 'POST /internal/kubernetes/usage_metrics' do`
			`def send_request(headers: {}, params: {})`
			`post api('/internal/kubernetes/usage_metrics'), params: params, headers: headers.reverse_merge(jwt_auth_headers)`
			`end`

			`include_examples 'authorization'`

			`context 'is authenticated for an agent' do`
			`let!(:agent_token) { create(:cluster_agent_token) }`

			`it 'returns no_content for valid gitops_sync_count' do`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`send_request(params: { gitops_sync_count: 10 })`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30
			`expect(response).to have_gitlab_http_status(:no_content)`
			`end`

			`it 'returns no_content 0 gitops_sync_count' do`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`send_request(params: { gitops_sync_count: 0 })`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30
			`expect(response).to have_gitlab_http_status(:no_content)`
			`end`

			`it 'returns 400 for non number' do`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`send_request(params: { gitops_sync_count: 'string' })`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30
			`expect(response).to have_gitlab_http_status(:bad_request)`
			`end`

			`it 'returns 400 for negative number' do`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`send_request(params: { gitops_sync_count: '-1' })`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30
			`expect(response).to have_gitlab_http_status(:bad_request)`
			`end`
			`end`
			`end`

New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`describe 'GET /internal/kubernetes/agent_info' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`def send_request(headers: {}, params: {})`
			`get api('/internal/kubernetes/agent_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)`
			`end`

			`include_examples 'authorization'`
			`include_examples 'agent authentication'`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`context 'an agent is found' do`
			`let!(:agent_token) { create(:cluster_agent_token) }`

			`let(:agent) { agent_token.agent }`
			`let(:project) { agent.project }`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`shared_examples 'agent token tracking'`

New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`it 'returns expected data', :aggregate_failures do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`expect(response).to have_gitlab_http_status(:success)`

			`expect(json_response).to match(`
			`a_hash_including(`
			`'project_id' => project.id,`
			`'agent_id' => agent.id,`
			`'agent_name' => agent.name,`
			`'gitaly_info' => a_hash_including(`
			`'address' => match(/\.socket$/),`
			`'token' => 'secret',`
			`'features' => {}`
			`),`
			`'gitaly_repository' => a_hash_including(`
			`'storage_name' => project.repository_storage,`
			`'relative_path' => project.disk_path + '.git',`
			`'gl_repository' => "project-#{project.id}",`
			`'gl_project_path' => project.full_path`
			`)`
			`)`
			`)`
			`end`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30
			`context 'on GitLab.com' do`
			`before do`
			`allow(::Gitlab).to receive(:com?).and_return(true)`
			`end`

			`context 'kubernetes_agent_on_gitlab_com feature flag disabled' do`
			`before do`
			`stub_feature_flags(kubernetes_agent_on_gitlab_com: false)`
			`end`

			`it 'returns 403' do`
			`send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })`

			`expect(response).to have_gitlab_http_status(:forbidden)`
			`end`
			`end`

			`context 'kubernetes_agent_on_gitlab_com feature flag enabled' do`
			`before do`
			`stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)`
			`end`

			`it 'returns success' do`
			`send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })`

			`expect(response).to have_gitlab_http_status(:success)`
			`end`
			`end`
			`end`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`end`
			`end`

			`describe 'GET /internal/kubernetes/project_info' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`def send_request(headers: {}, params: {})`
			`get api('/internal/kubernetes/project_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`end`

New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`include_examples 'authorization'`
			`include_examples 'agent authentication'`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`context 'an agent is found' do`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`let_it_be(:agent_token) { create(:cluster_agent_token) }`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`shared_examples 'agent token tracking'`

New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`context 'project is public' do`
			`let(:project) { create(:project, :public) }`

			`it 'returns expected data', :aggregate_failures do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`expect(response).to have_gitlab_http_status(:success)`

			`expect(json_response).to match(`
			`a_hash_including(`
			`'project_id' => project.id,`
			`'gitaly_info' => a_hash_including(`
			`'address' => match(/\.socket$/),`
			`'token' => 'secret',`
			`'features' => {}`
			`),`
			`'gitaly_repository' => a_hash_including(`
			`'storage_name' => project.repository_storage,`
			`'relative_path' => project.disk_path + '.git',`
			`'gl_repository' => "project-#{project.id}",`
			`'gl_project_path' => project.full_path`
			`)`
			`)`
			`)`
			`end`
New upstream version 13.3.9 2020-11-05 12:06:23 +05:30
			`context 'repository is for project members only' do`
			`let(:project) { create(:project, :public, :repository_private) }`

			`it 'returns 404' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`
New upstream version 13.3.9 2020-11-05 12:06:23 +05:30
			`expect(response).to have_gitlab_http_status(:not_found)`
			`end`
			`end`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30
			`context 'on GitLab.com' do`
			`before do`
			`allow(::Gitlab).to receive(:com?).and_return(true)`
			`end`

			`context 'kubernetes_agent_on_gitlab_com feature flag disabled' do`
			`before do`
			`stub_feature_flags(kubernetes_agent_on_gitlab_com: false)`
			`end`

			`it 'returns 403' do`
			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`

			`expect(response).to have_gitlab_http_status(:forbidden)`
			`end`
			`end`

			`context 'kubernetes_agent_on_gitlab_com feature flag enabled' do`
			`before do`
			`stub_feature_flags(kubernetes_agent_on_gitlab_com: agent_token.agent.project)`
			`end`

			`it 'returns success' do`
			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`

			`expect(response).to have_gitlab_http_status(:success)`
			`end`
			`end`
			`end`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`end`

			`context 'project is private' do`
			`let(:project) { create(:project, :private) }`

			`it 'returns 404' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`expect(response).to have_gitlab_http_status(:not_found)`
			`end`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30
			`context 'and agent belongs to project' do`
			`let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }`

			`it 'returns 200' do`
			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`

			`expect(response).to have_gitlab_http_status(:success)`
			`end`
			`end`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`end`

			`context 'project is internal' do`
			`let(:project) { create(:project, :internal) }`

			`it 'returns 404' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`expect(response).to have_gitlab_http_status(:not_found)`
			`end`
			`end`

			`context 'project does not exist' do`
			`it 'returns 404' do`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30
			`expect(response).to have_gitlab_http_status(:not_found)`
			`end`
			`end`
			`end`
			`end`
			`end`