Deploy token access for the Dependency Proxy

Remove the feature flag to enable group deploy token access for the Dependency Proxy. Changelog: added

Deploy token access for the Dependency Proxy
Remove the feature flag to enable group deploy token access for the Dependency Proxy. Changelog: added
9a6cee64 · Steve Abrams · 32613a4b · 9a6cee64 · 32613a4b · 9a6cee64
Commit 9a6cee64 authored Aug 04, 2021 by Steve Abrams
3 changed files
--- a/app/controllers/groups/dependency_proxy/application_controller.rb
+++ b/app/controllers/groups/dependency_proxy/application_controller.rb
@@ -18,23 +18,14 @@ module Groups
      def authenticate_user_from_jwt_token!
        return unless dependency_proxy_for_private_groups?

-        if Feature.enabled?(:dependency_proxy_deploy_tokens)
-          authenticate_with_http_token do |token, _|
-            @authentication_result = EMPTY_AUTH_RESULT
-
-            found_user = user_from_token(token)
-            sign_in(found_user) if found_user.is_a?(User)
-          end
-
-          request_bearer_token! unless authenticated_user
-        else
-          authenticate_with_http_token do |token, _|
-            user = user_from_token(token)
-            sign_in(user) if user
-          end
-
-          request_bearer_token! unless current_user
+        authenticate_with_http_token do |token, _|
+          @authentication_result = EMPTY_AUTH_RESULT
+
+          found_user = user_from_token(token)
+          sign_in(found_user) if found_user.is_a?(User)
        end
+
+        request_bearer_token! unless authenticated_user
      end

      private
@@ -51,7 +42,6 @@ module Groups

      def user_from_token(token)
        token_payload = ::DependencyProxy::AuthTokenService.decoded_token_payload(token)
-        return User.find(token_payload['user_id']) unless Feature.enabled?(:dependency_proxy_deploy_tokens)

        if token_payload['user_id']
          token_user = User.find(token_payload['user_id'])

--- a/config/feature_flags/development/dependency_proxy_deploy_tokens.yml
+++ b/config/feature_flags/development/dependency_proxy_deploy_tokens.yml
---
-name: dependency_proxy_deploy_tokens
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/64363
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/334565
-milestone: '14.2'
-type: development
-group: group::package
-default_enabled: false
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
@@ -65,82 +65,39 @@ RSpec.describe Groups::DependencyProxyForContainersController do
      it { is_expected.to have_gitlab_http_status(:not_found) }
    end

-    context 'deploy tokens with dependency_proxy_deploy_tokens disabled' do
-      before do
-        stub_feature_flags(dependency_proxy_deploy_tokens: false)
-      end
-
-      context 'with deploy token from a different group,' do
-        let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
-
-      context 'with revoked deploy token' do
-        let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
-
-      context 'with expired deploy token' do
-        let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
-
-      context 'with deploy token with insufficient scopes' do
-        let_it_be(:user) { create(:deploy_token, :group) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
+    context 'with deploy token from a different group,' do
+      let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }

-      context 'when a group is not found' do
-        before do
-          expect(Group).to receive(:find_by_full_path).and_return(nil)
-        end
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
+      it { is_expected.to have_gitlab_http_status(:not_found) }
    end

-    context 'deploy tokens with dependency_proxy_deploy_tokens enabled' do
-      context 'with deploy token from a different group,' do
-        let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
+    context 'with revoked deploy token' do
+      let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
+      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }

-      context 'with revoked deploy token' do
-        let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      it { is_expected.to have_gitlab_http_status(:unauthorized) }
+    end

-        it { is_expected.to have_gitlab_http_status(:unauthorized) }
-      end
+    context 'with expired deploy token' do
+      let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
+      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }

-      context 'with expired deploy token' do
-        let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      it { is_expected.to have_gitlab_http_status(:unauthorized) }
+    end

-        it { is_expected.to have_gitlab_http_status(:unauthorized) }
-      end
+    context 'with deploy token with insufficient scopes' do
+      let_it_be(:user) { create(:deploy_token, :group) }
+      let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }

-      context 'with deploy token with insufficient scopes' do
-        let_it_be(:user) { create(:deploy_token, :group) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+      it { is_expected.to have_gitlab_http_status(:not_found) }
+    end

-        it { is_expected.to have_gitlab_http_status(:not_found) }
+    context 'when a group is not found' do
+      before do
+        expect(Group).to receive(:find_by_full_path).and_return(nil)
      end

-      context 'when a group is not found' do
-        before do
-          expect(Group).to receive(:find_by_full_path).and_return(nil)
-        end
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
-      end
+      it { is_expected.to have_gitlab_http_status(:not_found) }
    end

    context 'when user is not found' do
@@ -274,25 +231,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do
          it_behaves_like 'returning response status', :success
          it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest_from_cache'
        end
-
-        context 'with dependency_proxy_deploy_tokens feature flag disabled' do
-          before do
-            stub_feature_flags(dependency_proxy_deploy_tokens: false)
-          end
-
-          it_behaves_like 'a successful manifest pull'
-        end
-      end
-
-      context 'a valid deploy token with dependency_proxy_deploy_tokens feature flag disabled' do
-        let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
-
-        before do
-          stub_feature_flags(dependency_proxy_deploy_tokens: false)
-        end
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
      end

      context 'a valid deploy token' do
@@ -395,25 +333,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do
          it_behaves_like 'returning response status', :success
          it_behaves_like 'a package tracking event', described_class.name, 'pull_blob_from_cache'
        end
-
-        context 'with dependency_proxy_deploy_tokens feature flag disabled' do
-          before do
-            stub_feature_flags(dependency_proxy_deploy_tokens: false)
-          end
-
-          it_behaves_like 'a successful blob pull'
-        end
-      end
-
-      context 'a valid deploy token with dependency_proxy_deploy_tokens feature flag disabled' do
-        let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
-        let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
-
-        before do
-          stub_feature_flags(dependency_proxy_deploy_tokens: false)
-        end
-
-        it { is_expected.to have_gitlab_http_status(:not_found) }
      end

      context 'a valid deploy token' do