Merge branch '37789-followup-for-read-registry-change' into 'master'

Clean up read_registry scope changes

Closes #37789

See merge request gitlab-org/gitlab-ce!14307

app/controllers/profiles/personal_access_tokens_controller.rb

@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
   end
 
   def set_index_vars
-    @scopes = Gitlab::Auth::AVAILABLE_SCOPES
+    @scopes = Gitlab::Auth.available_scopes
 
     @personal_access_token = finder.build
     @inactive_personal_access_tokens = finder(state: 'inactive').execute

app/models/personal_access_token.rb

@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
   protected
 
   def validate_scopes
-    unless revoked || scopes.all? { |scope| Gitlab::Auth::AVAILABLE_SCOPES.include?(scope.to_sym) }
+    unless revoked || scopes.all? { |scope| Gitlab::Auth.available_scopes.include?(scope.to_sym) }
       errors.add :scopes, "can only contain available scopes"
     end
   end

config/initializers/doorkeeper.rb

@@ -58,7 +58,7 @@ Doorkeeper.configure do
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
   default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
-  optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES)
+  optional_scopes(*Gitlab::Auth.optional_scopes)
 
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then

lib/gitlab/auth.rb

@@ -2,7 +2,7 @@ module Gitlab
   module Auth
     MissingPersonalTokenError = Class.new(StandardError)
 
-    REGISTRY_SCOPES = Gitlab.config.registry.enabled ? [:read_registry].freeze : [].freeze
+    REGISTRY_SCOPES = [:read_registry].freeze
 
     # Scopes used for GitLab API access
     API_SCOPES = [:api, :read_user].freeze
@@ -13,11 +13,6 @@ module Gitlab
     # Default scopes for OAuth applications that don't define their own
     DEFAULT_SCOPES = [:api].freeze
 
-    AVAILABLE_SCOPES = (API_SCOPES + REGISTRY_SCOPES).freeze
-
-    # Other available scopes
-    OPTIONAL_SCOPES = (AVAILABLE_SCOPES + OPENID_SCOPES - DEFAULT_SCOPES).freeze
-
     class << self
       include Gitlab::CurrentSettings
 
@@ -132,7 +127,7 @@ module Gitlab
 
         token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
 
-        if token && valid_scoped_token?(token, AVAILABLE_SCOPES)
+        if token && valid_scoped_token?(token, available_scopes)
           Gitlab::Auth::Result.new(token.user, nil, :personal_token, abilities_for_scope(token.scopes))
         end
       end
@@ -230,6 +225,21 @@ module Gitlab
       def read_user_scope_authentication_abilities
         []
       end
+
+      def available_scopes
+        API_SCOPES + registry_scopes
+      end
+
+      # Other available scopes
+      def optional_scopes
+        available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
+      end
+
+      def registry_scopes
+        return [] unless Gitlab.config.registry.enabled
+
+        REGISTRY_SCOPES
+      end
     end
   end
 end

spec/initializers/doorkeeper_spec.rb

@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
   end
 
   describe '#optional_scopes' do
-    it 'matches Gitlab::Auth::OPTIONAL_SCOPES' do
+    it 'matches Gitlab::Auth.optional_scopes' do
-      expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES - Gitlab::Auth::REGISTRY_SCOPES
+      expect(subject.optional_scopes).to eq Gitlab::Auth.optional_scopes - Gitlab::Auth::REGISTRY_SCOPES
     end
   end
 

spec/lib/gitlab/auth_spec.rb

@@ -16,20 +16,20 @@ describe Gitlab::Auth do
       expect(subject::DEFAULT_SCOPES).to eq [:api]
     end
 
-    it 'OPTIONAL_SCOPES contains all non-default scopes' do
+    it 'optional_scopes contains all non-default scopes' do
       stub_container_registry_config(enabled: true)
 
-      expect(subject::OPTIONAL_SCOPES).to eq %i[read_user read_registry openid]
+      expect(subject.optional_scopes).to eq %i[read_user read_registry openid]
     end
 
-    context 'REGISTRY_SCOPES' do
+    context 'registry_scopes' do
       context 'when registry is disabled' do
         before do
           stub_container_registry_config(enabled: false)
         end
 
         it 'is empty' do
-          expect(subject::REGISTRY_SCOPES).to eq []
+          expect(subject.registry_scopes).to eq []
         end
       end
 
@@ -39,7 +39,7 @@ describe Gitlab::Auth do
         end
 
         it 'contains all registry related scopes' do
-          expect(subject::REGISTRY_SCOPES).to eq %i[read_registry]
+          expect(subject.registry_scopes).to eq %i[read_registry]
         end
       end
     end

spec/support/stub_gitlab_calls.rb

@@ -26,11 +26,9 @@ module StubGitlabCalls
   end
 
   def stub_container_registry_config(registry_settings)
+    allow(Gitlab.config.registry).to receive_messages(registry_settings)
     allow(Auth::ContainerRegistryAuthenticationService)
       .to receive(:full_access_token).and_return('token')
-
-    allow(Gitlab.config.registry).to receive_messages(registry_settings)
-    load 'lib/gitlab/auth.rb'
   end
 
   def stub_container_registry_tags(repository: :any, tags:)