gitlab-org--gitlab-foss/spec/requests/api/internal/kubernetes_spec.rb

347 lines
12 KiB
Ruby

# frozen_string_literal: true
require 'spec_helper'
RSpec.describe API::Internal::Kubernetes do
let(:jwt_auth_headers) do
jwt_token = JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
{ Gitlab::Kas::INTERNAL_API_REQUEST_HEADER => jwt_token }
end
let(:jwt_secret) { SecureRandom.random_bytes(Gitlab::Kas::SECRET_LENGTH) }
before do
allow(Gitlab::Kas).to receive(:secret).and_return(jwt_secret)
end
shared_examples 'authorization' do
context 'not authenticated' do
it 'returns 401' do
send_request(headers: { Gitlab::Kas::INTERNAL_API_REQUEST_HEADER => '' })
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
context 'kubernetes_agent_internal_api feature flag disabled' do
before do
stub_feature_flags(kubernetes_agent_internal_api: false)
end
it 'returns 404' do
send_request
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
shared_examples 'agent authentication' do
it 'returns 401 if Authorization header not sent' do
send_request
expect(response).to have_gitlab_http_status(:unauthorized)
end
it 'returns 401 if Authorization is for non-existent agent' do
send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
shared_examples 'agent token tracking' do
it 'tracks token usage' do
expect do
send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })
end.to change { agent_token.reload.read_attribute(:last_used_at) }
end
end
describe 'POST /internal/kubernetes/usage_metrics', :clean_gitlab_redis_shared_state do
def send_request(headers: {}, params: {})
post api('/internal/kubernetes/usage_metrics'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
end
include_examples 'authorization'
context 'is authenticated for an agent' do
let!(:agent_token) { create(:cluster_agent_token) }
# Todo: Remove gitops_sync_count and k8s_api_proxy_request_count in the next milestone
# https://gitlab.com/gitlab-org/gitlab/-/issues/369489
# We're only keeping it for backwards compatibility until KAS is released
# using `counts:` instead
context 'deprecated events' do
it 'returns no_content for valid events' do
send_request(params: { gitops_sync_count: 10, k8s_api_proxy_request_count: 5 })
expect(response).to have_gitlab_http_status(:no_content)
end
it 'returns no_content for counts of zero' do
send_request(params: { gitops_sync_count: 0, k8s_api_proxy_request_count: 0 })
expect(response).to have_gitlab_http_status(:no_content)
end
it 'returns 400 for non number' do
send_request(params: { gitops_sync_count: 'string', k8s_api_proxy_request_count: 1 })
expect(response).to have_gitlab_http_status(:bad_request)
end
it 'returns 400 for negative number' do
send_request(params: { gitops_sync_count: -1, k8s_api_proxy_request_count: 1 })
expect(response).to have_gitlab_http_status(:bad_request)
end
it 'tracks events' do
counters = { gitops_sync_count: 10, k8s_api_proxy_request_count: 5 }
expected_counters = {
kubernetes_agent_gitops_sync: counters[:gitops_sync_count],
kubernetes_agent_k8s_api_proxy_request: counters[:k8s_api_proxy_request_count]
}
send_request(params: counters)
expect(Gitlab::UsageDataCounters::KubernetesAgentCounter.totals).to eq(expected_counters)
end
end
it 'returns no_content for valid events' do
counters = { gitops_sync: 10, k8s_api_proxy_request: 5 }
unique_counters = { agent_users_using_ci_tunnel: [10] }
send_request(params: { counters: counters, unique_counters: unique_counters })
expect(response).to have_gitlab_http_status(:no_content)
end
it 'returns no_content for counts of zero' do
counters = { gitops_sync: 0, k8s_api_proxy_request: 0 }
unique_counters = { agent_users_using_ci_tunnel: [] }
send_request(params: { counters: counters, unique_counters: unique_counters })
expect(response).to have_gitlab_http_status(:no_content)
end
it 'returns 400 for non counter number' do
counters = { gitops_sync: 'string', k8s_api_proxy_request: 0 }
send_request(params: { counters: counters })
expect(response).to have_gitlab_http_status(:bad_request)
end
it 'returns 400 for non unique_counter set' do
unique_counters = { agent_users_using_ci_tunnel: 1 }
send_request(params: { unique_counters: unique_counters })
expect(response).to have_gitlab_http_status(:bad_request)
end
it 'tracks events' do
counters = { gitops_sync: 10, k8s_api_proxy_request: 5 }
unique_counters = { agent_users_using_ci_tunnel: [10] }
expected_counters = {
kubernetes_agent_gitops_sync: counters[:gitops_sync],
kubernetes_agent_k8s_api_proxy_request: counters[:k8s_api_proxy_request]
}
send_request(params: { counters: counters, unique_counters: unique_counters })
expect(Gitlab::UsageDataCounters::KubernetesAgentCounter.totals).to eq(expected_counters)
expect(
Gitlab::UsageDataCounters::HLLRedisCounter
.unique_events(
event_names: 'agent_users_using_ci_tunnel',
start_date: Date.current, end_date: Date.current + 10
)
).to eq(1)
end
end
end
describe 'POST /internal/kubernetes/agent_configuration' do
def send_request(headers: {}, params: {})
post api('/internal/kubernetes/agent_configuration'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
end
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, namespace: group) }
let_it_be(:agent) { create(:cluster_agent, project: project) }
let_it_be(:config) do
{
ci_access: {
groups: [
{ id: group.full_path, default_namespace: 'production' }
],
projects: [
{ id: project.full_path, default_namespace: 'staging' }
]
}
}
end
include_examples 'authorization'
context 'agent exists' do
it 'configures the agent and returns a 204' do
send_request(params: { agent_id: agent.id, agent_config: config })
expect(response).to have_gitlab_http_status(:no_content)
expect(agent.authorized_groups).to contain_exactly(group)
expect(agent.authorized_projects).to contain_exactly(project)
end
end
context 'agent does not exist' do
it 'returns a 404' do
send_request(params: { agent_id: -1, agent_config: config })
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
describe 'GET /internal/kubernetes/agent_info' do
def send_request(headers: {}, params: {})
get api('/internal/kubernetes/agent_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
end
include_examples 'authorization'
include_examples 'agent authentication'
context 'an agent is found' do
let!(:agent_token) { create(:cluster_agent_token) }
let(:agent) { agent_token.agent }
let(:project) { agent.project }
include_examples 'agent token tracking'
it 'returns expected data', :aggregate_failures do
send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:success)
expect(json_response).to match(
a_hash_including(
'project_id' => project.id,
'agent_id' => agent.id,
'agent_name' => agent.name,
'gitaly_info' => a_hash_including(
'address' => match(/\.socket$/),
'token' => 'secret',
'features' => {}
),
'gitaly_repository' => a_hash_including(
'storage_name' => project.repository_storage,
'relative_path' => project.disk_path + '.git',
'gl_repository' => "project-#{project.id}",
'gl_project_path' => project.full_path
),
'default_branch' => project.default_branch_or_main
)
)
end
end
end
describe 'GET /internal/kubernetes/project_info' do
def send_request(headers: {}, params: {})
get api('/internal/kubernetes/project_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
end
include_examples 'authorization'
include_examples 'agent authentication'
context 'an agent is found' do
let_it_be(:agent_token) { create(:cluster_agent_token) }
shared_examples 'agent token tracking'
context 'project is public' do
let(:project) { create(:project, :public) }
it 'returns expected data', :aggregate_failures do
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:success)
expect(json_response).to match(
a_hash_including(
'project_id' => project.id,
'gitaly_info' => a_hash_including(
'address' => match(/\.socket$/),
'token' => 'secret',
'features' => {}
),
'gitaly_repository' => a_hash_including(
'storage_name' => project.repository_storage,
'relative_path' => project.disk_path + '.git',
'gl_repository' => "project-#{project.id}",
'gl_project_path' => project.full_path
),
'default_branch' => project.default_branch_or_main
)
)
end
context 'repository is for project members only' do
let(:project) { create(:project, :public, :repository_private) }
it 'returns 404' do
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'project is private' do
let(:project) { create(:project, :private) }
it 'returns 404' do
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:not_found)
end
context 'and agent belongs to project' do
let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
it 'returns 200' do
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:success)
end
end
end
context 'project is internal' do
let(:project) { create(:project, :internal) }
it 'returns 404' do
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'project does not exist' do
it 'returns 404' do
send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
end