Merge branch '336800-ff-for-new-vr-scopes' into 'master'

Hide the new virtual registry scopes behind a feature flag See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180333 Merged-by: Drew Blessing <drew@gitlab.com> Approved-by: David Fernandez <dfernandez@gitlab.com> Approved-by: Jarka Košanová <jarka@gitlab.com> Approved-by: Drew Blessing <drew@gitlab.com> Reviewed-by: David Fernandez <dfernandez@gitlab.com> Reviewed-by: Radamanthus Batnag <rbatnag@gitlab.com> Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Merge branch '336800-ff-for-new-vr-scopes' into 'master'
f97c6eb5 · Drew Blessing · GitLab · 7f5f1f92 · 81283400 · f97c6eb5
--- a/app/controllers/admin/impersonation_tokens_controller.rb
+++ b/app/controllers/admin/impersonation_tokens_controller.rb
@@ -84,6 +84,8 @@ def impersonation_token_params
  def set_index_vars
    @scopes = Gitlab::Auth.available_scopes_for(current_user)

+    @scopes = ::VirtualRegistries.filter_token_scopes(@scopes, current_user)
+
    @impersonation_token ||= finder.build
    @active_impersonation_tokens = active_impersonation_tokens
  end

--- a/app/controllers/concerns/access_tokens_actions.rb
+++ b/app/controllers/concerns/access_tokens_actions.rb
@@ -98,6 +98,9 @@ def set_index_vars
    resource.members.load

    @scopes = Gitlab::Auth.available_scopes_for(resource)
+
+    @scopes = ::VirtualRegistries.filter_token_scopes(@scopes, current_user)
+
    @active_access_tokens, @active_access_tokens_size = active_access_tokens
    @inactive_access_tokens_size = inactive_access_tokens.size
  end

--- a/app/controllers/user_settings/personal_access_tokens_controller.rb
+++ b/app/controllers/user_settings/personal_access_tokens_controller.rb
@@ -106,6 +106,9 @@ def personal_access_token_params

    def set_index_vars
      @scopes = Gitlab::Auth.available_scopes_for(current_user)
+
+      @scopes = ::VirtualRegistries.filter_token_scopes(@scopes, current_user)
+
      @active_access_tokens, @active_access_tokens_size = active_access_tokens
    end


--- a/app/models/virtual_registries.rb
+++ b/app/models/virtual_registries.rb
+# frozen_string_literal: true
+
+# Remove this file when virtual_registry_maven *and* dependency_proxy_read_write_scopes are removed
+module VirtualRegistries
+  def self.filter_token_scopes(scopes, current_user)
+    return scopes if Feature.enabled?(:virtual_registry_maven, current_user) ||
+      Feature.enabled?(:dependency_proxy_read_write_scopes, current_user)
+
+    scopes - ::Gitlab::Auth.virtual_registry_scopes
+  end
+end
--- a/config/feature_flags/wip/dependency_proxy_read_write_scopes.yml
+++ b/config/feature_flags/wip/dependency_proxy_read_write_scopes.yml
+---
+name: dependency_proxy_read_write_scopes
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/336800
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180333
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517249
+milestone: '17.9'
+group: group::container registry
+type: wip
+default_enabled: false
--- a/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
+++ b/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
@@ -141,5 +141,32 @@ def created_token
    it 'sets available scopes' do
      expect(assigns(:scopes)).to eq(Gitlab::Auth.available_scopes_for(access_token_user))
    end
+
+    context 'with feature flags virtual_registry_maven and dependency_proxy_read_write_scopes disabled' do
+      before do
+        stub_feature_flags(virtual_registry_maven: false, dependency_proxy_read_write_scopes: false)
+        stub_config(dependency_proxy: { enabled: true })
+
+        get :index
+      end
+
+      it 'does not include the virtual registry scopes' do
+        expect(assigns(:scopes)).not_to include(Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+        expect(assigns(:scopes)).not_to include(Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+      end
+
+      %i[virtual_registry_maven dependency_proxy_read_write_scopes].each do |feature_flag|
+        context "with feature flag #{feature_flag} enabled" do
+          before do
+            stub_feature_flags(feature_flag => true)
+          end
+
+          it 'includes the virtual registry scopes' do
+            expect(assigns(:scopes)).not_to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+            expect(assigns(:scopes)).not_to include(::Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+          end
+        end
+      end
+    end
  end
 end
--- a/spec/requests/admin/impersonation_tokens_controller_spec.rb
+++ b/spec/requests/admin/impersonation_tokens_controller_spec.rb
@@ -62,4 +62,39 @@
      let(:token_attributes) { attributes_for(:personal_access_token, impersonation: true) }
    end
  end
+
+  describe '#index', :with_current_organization do
+    it 'sets available scopes' do
+      get admin_user_impersonation_tokens_path(user_id: user.username)
+
+      expect(assigns(:scopes)).to include(::Gitlab::Auth::API_SCOPE)
+    end
+
+    context 'with feature flags virtual_registry_maven and dependency_proxy_read_write_scopes disabled' do
+      before do
+        stub_feature_flags(virtual_registry_maven: false, dependency_proxy_read_write_scopes: false)
+        stub_config(dependency_proxy: { enabled: true })
+
+        get admin_user_impersonation_tokens_path(user_id: user.username)
+      end
+
+      it 'does not include the virtual registry scopes' do
+        expect(assigns(:scopes)).not_to include(Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+        expect(assigns(:scopes)).not_to include(Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+      end
+
+      %i[virtual_registry_maven dependency_proxy_read_write_scopes].each do |feature_flag|
+        context "with feature flag #{feature_flag} enabled" do
+          before do
+            stub_feature_flags(feature_flag => true)
+          end
+
+          it 'includes the virtual registry scopes' do
+            expect(assigns(:scopes)).not_to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+            expect(assigns(:scopes)).not_to include(::Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+          end
+        end
+      end
+    end
+  end
 end
--- a/spec/requests/projects/settings/access_tokens_controller_spec.rb
+++ b/spec/requests/projects/settings/access_tokens_controller_spec.rb
@@ -123,5 +123,32 @@
      expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE)
      expect(assigns(:scopes)).to include(Gitlab::Auth::SELF_ROTATE_SCOPE)
    end
+
+    context 'with feature flags virtual_registry_maven and dependency_proxy_read_write_scopes disabled' do
+      before do
+        stub_feature_flags(virtual_registry_maven: false, dependency_proxy_read_write_scopes: false)
+        stub_config(dependency_proxy: { enabled: true })
+
+        get project_settings_access_tokens_path(resource)
+      end
+
+      it 'does not include the virtual registry scopes' do
+        expect(assigns(:scopes)).not_to include(Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+        expect(assigns(:scopes)).not_to include(Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+      end
+
+      %i[virtual_registry_maven dependency_proxy_read_write_scopes].each do |feature_flag|
+        context "with feature flag #{feature_flag} enabled" do
+          before do
+            stub_feature_flags(feature_flag => true)
+          end
+
+          it 'includes the virtual registry scopes' do
+            expect(assigns(:scopes)).not_to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+            expect(assigns(:scopes)).not_to include(::Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+          end
+        end
+      end
+    end
  end
 end