Merge branch '340359-add-license-check-to-agent-project-info-endpoint' into 'master'

Add licensed feature for internal/kubernetes/project_info endpoint See merge request gitlab-org/gitlab!71438

Merge branch '340359-add-license-check-to-agent-project-info-endpoint' into 'master'
Add licensed feature for internal/kubernetes/project_info endpoint See merge request gitlab-org/gitlab!71438
9a931232 · Michael Kozono · cd05aef4 · c135ea52 · 9a931232 · 9a931232
Commit 9a931232 authored Sep 30, 2021 by Michael Kozono
5 changed files
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -68,6 +68,7 @@ class License < ApplicationRecord
    ci_cd_projects
    ci_secrets_management
    cluster_agents
+    cluster_agents_gitops
    cluster_deployments
    code_owner_approval_required
    commit_committer_check

--- a/ee/lib/ee/api/internal/kubernetes.rb
+++ b/ee/lib/ee/api/internal/kubernetes.rb
@@ -9,6 +9,30 @@ module EE
            namespace 'kubernetes' do
              before { check_agent_token }

+              helpers do
+                def agent_has_access_to_project?(project)
+                  project&.licensed_feature_available?(:cluster_agents_gitops) &&
+                    (Guest.can?(:download_code, project) || agent.has_access_to?(project))
+                end
+              end
+
+              desc 'Gets project info' do
+                detail 'Retrieves project info (if authorized)'
+              end
+              route_setting :authentication, cluster_agent_token_allowed: true
+              get '/project_info' do
+                project = find_project(params[:id])
+
+                not_found! unless agent_has_access_to_project?(project)
+
+                status 200
+                {
+                  project_id: project.id,
+                  gitaly_info: gitaly_info(project),
+                  gitaly_repository: gitaly_repository(project)
+                }
+              end
+
              namespace 'modules/cilium_alert' do
                desc 'POST network alerts' do
                  detail 'Creates network alert'

--- a/ee/spec/requests/api/internal/kubernetes_spec.rb
+++ b/ee/spec/requests/api/internal/kubernetes_spec.rb
@@ -64,6 +64,112 @@ RSpec.describe API::Internal::Kubernetes do
    end
  end

+  describe 'GET /internal/kubernetes/project_info' do
+    def send_request(headers: {}, params: {})
+      get api('/internal/kubernetes/project_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
+    end
+
+    before do
+      stub_licensed_features(cluster_agents_gitops: true)
+    end
+
+    include_examples 'authorization'
+    include_examples 'agent authentication'
+
+    context 'an agent is found' do
+      let_it_be(:agent_token) { create(:cluster_agent_token) }
+
+      shared_examples 'agent token tracking'
+
+      context 'project is public' do
+        let(:project) { create(:project, :public) }
+
+        it 'returns expected data', :aggregate_failures do
+          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+          expect(response).to have_gitlab_http_status(:success)
+
+          expect(json_response).to match(
+            a_hash_including(
+              'project_id' => project.id,
+              'gitaly_info' => a_hash_including(
+                'address' => match(/\.socket$/),
+                'token' => 'secret',
+                'features' => {}
+              ),
+              'gitaly_repository' => a_hash_including(
+                'storage_name' => project.repository_storage,
+                'relative_path' => project.disk_path + '.git',
+                'gl_repository' => "project-#{project.id}",
+                'gl_project_path' => project.full_path
+              )
+            )
+          )
+        end
+
+        context 'repository is for project members only' do
+          let(:project) { create(:project, :public, :repository_private) }
+
+          it 'returns 404' do
+            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
+
+      context 'project is private' do
+        let(:project) { create(:project, :private) }
+
+        it 'returns 404' do
+          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+
+        context 'and agent belongs to project' do
+          let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
+
+          it 'returns 200' do
+            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:success)
+          end
+        end
+      end
+
+      context 'project is internal' do
+        let(:project) { create(:project, :internal) }
+
+        it 'returns 404' do
+          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'project does not exist' do
+        it 'returns 404' do
+          send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'project does not have access to the feature' do
+        before do
+          stub_licensed_features(cluster_agents_gitops: false)
+        end
+
+        it 'returns 404' do
+          send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
+
  describe 'POST /internal/kubernetes/modules/cilium_alert' do
    let(:method) { :post }
    let(:api_url) { '/internal/kubernetes/modules/cilium_alert' }

--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -79,25 +79,6 @@ module API
              gitaly_repository: gitaly_repository(project)
            }
          end
-
-          desc 'Gets project info' do
-            detail 'Retrieves project info (if authorized)'
-          end
-          route_setting :authentication, cluster_agent_token_allowed: true
-          get '/project_info' do
-            project = find_project(params[:id])
-
-            unless Guest.can?(:download_code, project) || agent.has_access_to?(project)
-              not_found!
-            end
-
-            status 200
-            {
-              project_id: project.id,
-              gitaly_info: gitaly_info(project),
-              gitaly_repository: gitaly_repository(project)
-            }
-          end
        end

        namespace 'kubernetes/agent_configuration' do

--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -177,94 +177,4 @@ RSpec.describe API::Internal::Kubernetes do
      end
    end
  end
-
-  describe 'GET /internal/kubernetes/project_info' do
-    def send_request(headers: {}, params: {})
-      get api('/internal/kubernetes/project_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
-    end
-
-    include_examples 'authorization'
-    include_examples 'agent authentication'
-
-    context 'an agent is found' do
-      let_it_be(:agent_token) { create(:cluster_agent_token) }
-
-      shared_examples 'agent token tracking'
-
-      context 'project is public' do
-        let(:project) { create(:project, :public) }
-
-        it 'returns expected data', :aggregate_failures do
-          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
-
-          expect(response).to have_gitlab_http_status(:success)
-
-          expect(json_response).to match(
-            a_hash_including(
-              'project_id' => project.id,
-              'gitaly_info' => a_hash_including(
-                'address' => match(/\.socket$/),
-                'token' => 'secret',
-                'features' => {}
-              ),
-              'gitaly_repository' => a_hash_including(
-                'storage_name' => project.repository_storage,
-                'relative_path' => project.disk_path + '.git',
-                'gl_repository' => "project-#{project.id}",
-                'gl_project_path' => project.full_path
-              )
-            )
-          )
-        end
-
-        context 'repository is for project members only' do
-          let(:project) { create(:project, :public, :repository_private) }
-
-          it 'returns 404' do
-            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
-
-            expect(response).to have_gitlab_http_status(:not_found)
-          end
-        end
-      end
-
-      context 'project is private' do
-        let(:project) { create(:project, :private) }
-
-        it 'returns 404' do
-          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
-
-          expect(response).to have_gitlab_http_status(:not_found)
-        end
-
-        context 'and agent belongs to project' do
-          let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
-
-          it 'returns 200' do
-            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
-
-            expect(response).to have_gitlab_http_status(:success)
-          end
-        end
-      end
-
-      context 'project is internal' do
-        let(:project) { create(:project, :internal) }
-
-        it 'returns 404' do
-          send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
-
-          expect(response).to have_gitlab_http_status(:not_found)
-        end
-      end
-
-      context 'project does not exist' do
-        it 'returns 404' do
-          send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
-
-          expect(response).to have_gitlab_http_status(:not_found)
-        end
-      end
-    end
-  end
 end