Add container registry with multiple auth tokens test

app/views/shared/deploy_tokens/_form.html.haml

@@ -36,7 +36,7 @@
         .text-secondary= s_('DeployTokens|Allows read-only access to registry images.')
 
       %fieldset.form-group.form-check
-        = f.check_box :write_registry, class: 'form-check-input'
+        = f.check_box :write_registry, class: 'form-check-input', data: { qa_selector: 'deploy_token_write_registry_checkbox' }
         = f.label :write_registry, 'write_registry', class: 'label-bold form-check-label'
         .text-secondary= s_('DeployTokens|Allows read and write access to registry images.')
 

qa/qa/page/project/settings/deploy_tokens.rb

@@ -12,6 +12,7 @@ module QA
             element :deploy_token_read_package_registry_checkbox
             element :deploy_token_write_package_registry_checkbox
             element :deploy_token_read_registry_checkbox
+            element :deploy_token_write_registry_checkbox
             element :create_deploy_token_button
           end
 
@@ -29,11 +30,12 @@ module QA
             fill_element(:deploy_token_expires_at_field, expires_at.to_s + "\n")
           end
 
-          def fill_scopes(read_repository: false, read_registry: false, read_package_registry: false, write_package_registry: false)
-            check_element(:deploy_token_read_repository_checkbox) if read_repository
-            check_element(:deploy_token_read_package_registry_checkbox) if read_package_registry
-            check_element(:deploy_token_write_package_registry_checkbox) if write_package_registry
-            check_element(:deploy_token_read_registry_checkbox) if read_registry
+          def fill_scopes(scopes)
+            check_element(:deploy_token_read_repository_checkbox) if scopes.include? :read_repository
+            check_element(:deploy_token_read_package_registry_checkbox) if scopes.include? :read_package_registry
+            check_element(:deploy_token_write_package_registry_checkbox) if scopes.include? :write_package_registry
+            check_element(:deploy_token_read_registry_checkbox) if scopes.include? :read_registry
+            check_element(:deploy_token_write_registry_checkbox) if scopes.include? :write_registry
           end
 
           def add_token

qa/qa/resource/deploy_token.rb

@@ -4,6 +4,7 @@ module QA
   module Resource
     class DeployToken < Base
       attr_accessor :name, :expires_at
+      attr_writer :scopes
 
       attribute :username do
         Page::Project::Settings::Repository.perform do |repository_page|
@@ -37,7 +38,7 @@ module QA
           setting.expand_deploy_tokens do |page|
             page.fill_token_name(name)
             page.fill_token_expires_at(expires_at)
-            page.fill_scopes(read_repository: true, read_package_registry: true, write_package_registry: true)
+            page.fill_scopes(@scopes)
 
             page.add_token
           end

qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb

@@ -3,10 +3,27 @@
 module QA
   RSpec.describe 'Package', :orchestrated, only: { pipeline: :main } do
     describe 'Self-managed Container Registry' do
+      using RSpec::Parameterized::TableSyntax
+
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
           project.name = 'project-with-registry'
           project.template_name = 'express'
+          project.visibility = :private
+        end
+      end
+
+      let(:project_deploy_token) do
+        Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
+          deploy_token.name = 'registry-deploy-token'
+          deploy_token.project = project
+          deploy_token.scopes = [
+            :read_repository,
+            :read_package_registry,
+            :write_package_registry,
+            :read_registry,
+            :write_registry
+          ]
         end
       end
 
@@ -19,6 +36,8 @@ module QA
         end
       end
 
+      let(:personal_access_token) { Runtime::Env.personal_access_token }
+
       before do
         Flow::Login.sign_in
         project.visit!
@@ -26,10 +45,40 @@ module QA
 
       after do
         runner.remove_via_api!
+        project.remove_via_api!
+      end
+
+      where(:authentication_token_type, :token_name) do
+        :personal_access_token | 'Personal Access Token'
+        :project_deploy_token  | 'Deploy Token'
+        :ci_job_token          | 'Job Token'
+      end
+
+      with_them do
+        let(:auth_token) do
+          case authentication_token_type
+          when :personal_access_token
+            "\"#{personal_access_token}\""
+          when :project_deploy_token
+            "\"#{project_deploy_token.password}\""
+          when :ci_job_token
+            '$CI_JOB_TOKEN'
+          end
         end
 
-      context 'when tls is enabled' do
-        it "pushes image and deletes tag", :registry_tls, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/1911' do
+        let(:auth_user) do
+          case authentication_token_type
+          when :personal_access_token
+            "$CI_REGISTRY_USER"
+          when :project_deploy_token
+            "\"#{project_deploy_token.username}\""
+          when :ci_job_token
+            'gitlab-ci-token'
+          end
+        end
+
+        context "when tls is disabled" do
+          it "using a #{params[:token_name]}, pushes image and deletes tag", :registry do
             Resource::Repository::Commit.fabricate_via_api! do |commit|
               commit.project = project
               commit.commit_message = 'Add .gitlab-ci.yml'
@@ -42,18 +91,11 @@ module QA
                                           stage: build
                                           services:
                                           - name: docker:19.03.12-dind
-                                      command:
-                                      - /bin/sh
-                                      - -c
-                                      - |
-                                        apk add --no-cache openssl
-                                        true | openssl s_client -showcerts -connect gitlab.test:5050 > /usr/local/share/ca-certificates/gitlab.test.crt
-                                        update-ca-certificates
-                                        dockerd-entrypoint.sh || exit                                
+                                            command: ["--insecure-registry=gitlab.test:5050"]                                
                                           variables:
                                             IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
                                           script:
-                                      - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD gitlab.test:5050
+                                            - docker login -u #{auth_user} -p #{auth_token} gitlab.test:5050
                                             - docker build -t $IMAGE_TAG .
                                             - docker push $IMAGE_TAG
                                           tags:
@@ -85,9 +127,10 @@ module QA
             end
           end
         end
+      end
 
-      context "when tls is disabled" do
-        it "pushes image and deletes tag", :registry, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/2378' do
+      context "when tls is enabled" do
+        it "pushes image and deletes tag", :registry_tls, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/2378' do
           Resource::Repository::Commit.fabricate_via_api! do |commit|
             commit.project = project
             commit.commit_message = 'Add .gitlab-ci.yml'
@@ -100,7 +143,14 @@ module QA
                                         stage: build
                                         services:
                                         - name: docker:19.03.12-dind
-                                          command: ["--insecure-registry=gitlab.test:5050"]                                
+                                          command:
+                                          - /bin/sh
+                                          - -c
+                                          - |
+                                            apk add --no-cache openssl
+                                            true | openssl s_client -showcerts -connect gitlab.test:5050 > /usr/local/share/ca-certificates/gitlab.test.crt
+                                            update-ca-certificates
+                                            dockerd-entrypoint.sh || exit                                
                                         variables:
                                           IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
                                         script:
@@ -119,8 +169,8 @@ module QA
             pipeline.click_job('build')
           end
 
-          Page::Project::Job::Show.perform do |job|
-            expect(job).to be_successful(timeout: 800)
+          Support::Retrier.retry_until(max_duration: 800, sleep_interval: 10) do
+            project.pipelines.last[:status] == 'success'
           end
 
           Page::Project::Menu.perform(&:go_to_container_registry)

qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_instance_level_spec.rb

@@ -19,6 +19,11 @@ module QA
         Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
           deploy_token.name = 'npm-deploy-token'
           deploy_token.project = project
+          deploy_token.scopes = [
+            :read_repository,
+            :read_package_registry,
+            :write_package_registry
+          ]
         end
       end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_project_level_spec.rb

@@ -19,6 +19,11 @@ module QA
         Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
           deploy_token.name = 'npm-deploy-token'
           deploy_token.project = project
+          deploy_token.scopes = [
+            :read_repository,
+            :read_package_registry,
+            :write_package_registry
+          ]
         end
       end
 

qa/qa/specs/features/browser_ui/6_release/deploy_token/add_deploy_token_spec.rb

@@ -12,6 +12,7 @@ module QA
         deploy_token = Resource::DeployToken.fabricate_via_browser_ui! do |resource|
           resource.name = deploy_token_name
           resource.expires_at = one_week_from_now
+          resource.scopes = [:read_repository]
         end
 
         expect(deploy_token.username.length).to be > 0

qa/spec/support/shared_contexts/packages_registry_shared_context.rb

@@ -45,6 +45,11 @@ module QA
       Resource::DeployToken.fabricate_via_browser_ui! do |deploy_token|
         deploy_token.name = 'package-deploy-token'
         deploy_token.project = package_project
+        deploy_token.scopes = [
+          :read_repository,
+          :read_package_registry,
+          :write_package_registry
+        ]
       end
     end