Merge branch 'registry-with-auth-tokens' into 'master'

Add container registry with multiple auth tokens test

See merge request gitlab-org/gitlab!71912

app/views/shared/deploy_tokens/_form.html.haml

@@ -36,7 +36,7 @@
         .text-secondary= s_('DeployTokens|Allows read-only access to registry images.')
 
       %fieldset.form-group.form-check
-        = f.check_box :write_registry, class: 'form-check-input'
+        = f.check_box :write_registry, class: 'form-check-input', data: { qa_selector: 'deploy_token_write_registry_checkbox' }
         = f.label :write_registry, 'write_registry', class: 'label-bold form-check-label'
         .text-secondary= s_('DeployTokens|Allows read and write access to registry images.')
 

qa/qa/page/project/settings/deploy_tokens.rb

@@ -12,6 +12,7 @@ module QA
             element :deploy_token_read_package_registry_checkbox
             element :deploy_token_write_package_registry_checkbox
             element :deploy_token_read_registry_checkbox
+            element :deploy_token_write_registry_checkbox
             element :create_deploy_token_button
           end
 
@@ -29,11 +30,12 @@ module QA
             fill_element(:deploy_token_expires_at_field, expires_at.to_s + "\n")
           end
 
-          def fill_scopes(read_repository: false, read_registry: false, read_package_registry: false, write_package_registry: false)
-            check_element(:deploy_token_read_repository_checkbox) if read_repository
-            check_element(:deploy_token_read_package_registry_checkbox) if read_package_registry
-            check_element(:deploy_token_write_package_registry_checkbox) if write_package_registry
-            check_element(:deploy_token_read_registry_checkbox) if read_registry
+          def fill_scopes(scopes)
+            check_element(:deploy_token_read_repository_checkbox) if scopes.include? :read_repository
+            check_element(:deploy_token_read_package_registry_checkbox) if scopes.include? :read_package_registry
+            check_element(:deploy_token_write_package_registry_checkbox) if scopes.include? :write_package_registry
+            check_element(:deploy_token_read_registry_checkbox) if scopes.include? :read_registry
+            check_element(:deploy_token_write_registry_checkbox) if scopes.include? :write_registry
           end
 
           def add_token

qa/qa/resource/deploy_token.rb

@@ -4,6 +4,7 @@ module QA
   module Resource
     class DeployToken < Base
       attr_accessor :name, :expires_at
+      attr_writer :scopes
 
       attribute :username do
         Page::Project::Settings::Repository.perform do |repository_page|
@@ -37,7 +38,7 @@ module QA
           setting.expand_deploy_tokens do |page|
             page.fill_token_name(name)
             page.fill_token_expires_at(expires_at)
-            page.fill_scopes(read_repository: true, read_package_registry: true, write_package_registry: true)
+            page.fill_scopes(@scopes)
 
             page.add_token
           end

qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb

@@ -3,10 +3,27 @@
 module QA
   RSpec.describe 'Package', :orchestrated, only: { pipeline: :main } do
     describe 'Self-managed Container Registry' do
+      using RSpec::Parameterized::TableSyntax
+
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
           project.name = 'project-with-registry'
           project.template_name = 'express'
+          project.visibility = :private
+        end
+      end
+
+      let(:project_deploy_token) do
+        Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
+          deploy_token.name = 'registry-deploy-token'
+          deploy_token.project = project
+          deploy_token.scopes = [
+            :read_repository,
+            :read_package_registry,
+            :write_package_registry,
+            :read_registry,
+            :write_registry
+          ]
         end
       end
 
@@ -19,6 +36,8 @@ module QA
         end
       end
 
+      let(:personal_access_token) { Runtime::Env.personal_access_token }
+
       before do
         Flow::Login.sign_in
         project.visit!
@@ -26,68 +45,92 @@ module QA
 
       after do
         runner.remove_via_api!
+        project.remove_via_api!
       end
 
-      context 'when tls is enabled' do
-        it "pushes image and deletes tag", :registry_tls, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/1911' do
-          Resource::Repository::Commit.fabricate_via_api! do |commit|
-            commit.project = project
-            commit.commit_message = 'Add .gitlab-ci.yml'
-            commit.add_files([{
-                                file_path: '.gitlab-ci.yml',
-                                content:
-                                <<~YAML
-                                  build:
-                                    image: docker:19.03.12
-                                    stage: build
-                                    services:
-                                    - name: docker:19.03.12-dind
-                                      command:
-                                      - /bin/sh
-                                      - -c
-                                      - |
-                                        apk add --no-cache openssl
-                                        true | openssl s_client -showcerts -connect gitlab.test:5050 > /usr/local/share/ca-certificates/gitlab.test.crt
-                                        update-ca-certificates
-                                        dockerd-entrypoint.sh || exit                                
-                                    variables:
-                                      IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
-                                    script:
-                                      - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD gitlab.test:5050
-                                      - docker build -t $IMAGE_TAG .
-                                      - docker push $IMAGE_TAG
-                                    tags:
-                                      - "runner-for-#{project.name}"
-                                YAML
-                            }])
-          end
-
-          Flow::Pipeline.visit_latest_pipeline
+      where(:authentication_token_type, :token_name) do
+        :personal_access_token | 'Personal Access Token'
+        :project_deploy_token  | 'Deploy Token'
+        :ci_job_token          | 'Job Token'
+      end
 
-          Page::Project::Pipeline::Show.perform do |pipeline|
-            pipeline.click_job('build')
+      with_them do
+        let(:auth_token) do
+          case authentication_token_type
+          when :personal_access_token
+            "\"#{personal_access_token}\""
+          when :project_deploy_token
+            "\"#{project_deploy_token.password}\""
+          when :ci_job_token
+            '$CI_JOB_TOKEN'
           end
+        end
 
-          Page::Project::Job::Show.perform do |job|
-            expect(job).to be_successful(timeout: 800)
+        let(:auth_user) do
+          case authentication_token_type
+          when :personal_access_token
+            "$CI_REGISTRY_USER"
+          when :project_deploy_token
+            "\"#{project_deploy_token.username}\""
+          when :ci_job_token
+            'gitlab-ci-token'
           end
+        end
 
-          Page::Project::Menu.perform(&:go_to_container_registry)
-
-          Page::Project::Registry::Show.perform do |registry|
-            expect(registry).to have_registry_repository(project.path_with_namespace)
-
-            registry.click_on_image(project.path_with_namespace)
-            expect(registry).to have_tag('master')
-
-            registry.click_delete
-            expect(registry).not_to have_tag('master')
+        context "when tls is disabled" do
+          it "using a #{params[:token_name]}, pushes image and deletes tag", :registry do
+            Resource::Repository::Commit.fabricate_via_api! do |commit|
+              commit.project = project
+              commit.commit_message = 'Add .gitlab-ci.yml'
+              commit.add_files([{
+                                  file_path: '.gitlab-ci.yml',
+                                  content:
+                                      <<~YAML
+                                        build:
+                                          image: docker:19.03.12
+                                          stage: build
+                                          services:
+                                          - name: docker:19.03.12-dind
+                                            command: ["--insecure-registry=gitlab.test:5050"]                                
+                                          variables:
+                                            IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+                                          script:
+                                            - docker login -u #{auth_user} -p #{auth_token} gitlab.test:5050
+                                            - docker build -t $IMAGE_TAG .
+                                            - docker push $IMAGE_TAG
+                                          tags:
+                                            - "runner-for-#{project.name}"
+                                      YAML
+                              }])
+            end
+
+            Flow::Pipeline.visit_latest_pipeline
+
+            Page::Project::Pipeline::Show.perform do |pipeline|
+              pipeline.click_job('build')
+            end
+
+            Page::Project::Job::Show.perform do |job|
+              expect(job).to be_successful(timeout: 800)
+            end
+
+            Page::Project::Menu.perform(&:go_to_container_registry)
+
+            Page::Project::Registry::Show.perform do |registry|
+              expect(registry).to have_registry_repository(project.path_with_namespace)
+
+              registry.click_on_image(project.path_with_namespace)
+              expect(registry).to have_tag('master')
+
+              registry.click_delete
+              expect(registry).not_to have_tag('master')
+            end
           end
         end
       end
 
-      context "when tls is disabled" do
-        it "pushes image and deletes tag", :registry, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/2378' do
+      context "when tls is enabled" do
+        it "pushes image and deletes tag", :registry_tls, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/2378' do
           Resource::Repository::Commit.fabricate_via_api! do |commit|
             commit.project = project
             commit.commit_message = 'Add .gitlab-ci.yml'
@@ -100,7 +143,14 @@ module QA
                                         stage: build
                                         services:
                                         - name: docker:19.03.12-dind
-                                          command: ["--insecure-registry=gitlab.test:5050"]                                
+                                          command:
+                                          - /bin/sh
+                                          - -c
+                                          - |
+                                            apk add --no-cache openssl
+                                            true | openssl s_client -showcerts -connect gitlab.test:5050 > /usr/local/share/ca-certificates/gitlab.test.crt
+                                            update-ca-certificates
+                                            dockerd-entrypoint.sh || exit                                
                                         variables:
                                           IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
                                         script:
@@ -119,8 +169,8 @@ module QA
             pipeline.click_job('build')
           end
 
-          Page::Project::Job::Show.perform do |job|
-            expect(job).to be_successful(timeout: 800)
+          Support::Retrier.retry_until(max_duration: 800, sleep_interval: 10) do
+            project.pipelines.last[:status] == 'success'
           end
 
           Page::Project::Menu.perform(&:go_to_container_registry)

qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_instance_level_spec.rb

@@ -19,6 +19,11 @@ module QA
         Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
           deploy_token.name = 'npm-deploy-token'
           deploy_token.project = project
+          deploy_token.scopes = [
+            :read_repository,
+            :read_package_registry,
+            :write_package_registry
+          ]
         end
       end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_project_level_spec.rb

@@ -19,6 +19,11 @@ module QA
         Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
           deploy_token.name = 'npm-deploy-token'
           deploy_token.project = project
+          deploy_token.scopes = [
+            :read_repository,
+            :read_package_registry,
+            :write_package_registry
+          ]
         end
       end
 

qa/qa/specs/features/browser_ui/6_release/deploy_token/add_deploy_token_spec.rb

@@ -12,6 +12,7 @@ module QA
         deploy_token = Resource::DeployToken.fabricate_via_browser_ui! do |resource|
           resource.name = deploy_token_name
           resource.expires_at = one_week_from_now
+          resource.scopes = [:read_repository]
         end
 
         expect(deploy_token.username.length).to be > 0

qa/spec/support/shared_contexts/packages_registry_shared_context.rb

@@ -45,6 +45,11 @@ module QA
       Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
         deploy_token.name = 'package-deploy-token'
         deploy_token.project = package_project
+        deploy_token.scopes = [
+          :read_repository,
+          :read_package_registry,
+          :write_package_registry
+        ]
       end
     end