diff --git a/app/controllers/admin/impersonation_tokens_controller.rb b/app/controllers/admin/impersonation_tokens_controller.rb index ecacb81b8d46e78b75fea23134228d990bdde746..0ba04a3416aaf8b3ea15e21158d8893153e30e0f 100644 --- a/app/controllers/admin/impersonation_tokens_controller.rb +++ b/app/controllers/admin/impersonation_tokens_controller.rb @@ -84,6 +84,8 @@ def impersonation_token_params def set_index_vars @scopes = Gitlab::Auth.available_scopes_for(current_user) + @scopes = ::VirtualRegistries.filter_token_scopes(@scopes, current_user) + @impersonation_token ||= finder.build @active_impersonation_tokens = active_impersonation_tokens end diff --git a/app/controllers/concerns/access_tokens_actions.rb b/app/controllers/concerns/access_tokens_actions.rb index 7fcb3210ed401a3f6df639d96c65ce0eb61600aa..c9eb45424cbbb50f5318f0c7901f06004ad365b7 100644 --- a/app/controllers/concerns/access_tokens_actions.rb +++ b/app/controllers/concerns/access_tokens_actions.rb @@ -98,6 +98,9 @@ def set_index_vars resource.members.load @scopes = Gitlab::Auth.available_scopes_for(resource) + + @scopes = ::VirtualRegistries.filter_token_scopes(@scopes, current_user) + @active_access_tokens, @active_access_tokens_size = active_access_tokens @inactive_access_tokens_size = inactive_access_tokens.size end diff --git a/app/controllers/user_settings/personal_access_tokens_controller.rb b/app/controllers/user_settings/personal_access_tokens_controller.rb index d8f0975145cef89b25cbf8f50fc7395f951cba66..825e6878009f1b370552a2766d27f4ecd6d34c85 100644 --- a/app/controllers/user_settings/personal_access_tokens_controller.rb +++ b/app/controllers/user_settings/personal_access_tokens_controller.rb @@ -106,6 +106,9 @@ def personal_access_token_params def set_index_vars @scopes = Gitlab::Auth.available_scopes_for(current_user) + + @scopes = ::VirtualRegistries.filter_token_scopes(@scopes, current_user) + @active_access_tokens, @active_access_tokens_size = active_access_tokens end 
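Review bot: The new `::VirtualRegistries.filter_token_scopes` call is added only to `set_index_vars`, which builds the scope list shown on the index page, so in all three controllers it limits what the form offers and not what a token can be created with. The create actions and the token's scope validation are outside these hunks. If they do not also reject `READ_VIRTUAL_REGISTRY_SCOPE` and `WRITE_VIRTUAL_REGISTRY_SCOPE` while both flags are off, hiding the checkboxes does not gate the scopes. I would confirm that the server-side check exists and add a comment above each call, for example `# Display-only: scope validation on create enforces the flags separately`.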
diff --git a/app/models/virtual_registries.rb b/app/models/virtual_registries.rb
new file mode 100644
index 0000000000000000000000000000000000000000..ab4cafc4feb6726e80ba1e872b52e15b736c9642
--- /dev/null
+++ b/app/models/virtual_registries.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# Remove this file when virtual_registry_maven *and* dependency_proxy_read_write_scopes are removed
+module VirtualRegistries
+ def self.filter_token_scopes(scopes, current_user)
+ return scopes if Feature.enabled?(:virtual_registry_maven, current_user) ||
+ Feature.enabled?(:dependency_proxy_read_write_scopes, current_user)
+
+ scopes - ::Gitlab::Auth.virtual_registry_scopes
+ end
+end
diff --git a/config/feature_flags/wip/dependency_proxy_read_write_scopes.yml b/config/feature_flags/wip/dependency_proxy_read_write_scopes.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c00229cc4007cf7cb42f1a1fa8089fc830590fa8
--- /dev/null
+++ b/config/feature_flags/wip/dependency_proxy_read_write_scopes.yml
@@ -0,0 +1,9 @@
+---
+name: dependency_proxy_read_write_scopes
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/336800
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180333
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517249
+milestone: '17.9'
+group: group::container registry
+type: wip
+default_enabled: false
diff --git a/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb b/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
index 5354585129ac5426c39422f5e53d25c591163aff..4997243b2a72f44296fcbd917fea2e55fd82eea7 100644
--- a/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
+++ b/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
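Review bot: `VirtualRegistries.filter_token_scopes` has no doc comment apart from the removal reminder, although it alone decides whether the virtual registry scopes are offered. I would add something like `# Returns scopes minus Gitlab::Auth.virtual_registry_scopes unless either flag is enabled for current_user`. The comment should also say that both flags are evaluated for the acting user, not for the resource or the user who will own the token. On the impersonation page that is the admin, and in `access_tokens_actions.rb` the scopes themselves are computed for `resource`. If a per-group or per-project rollout is intended, the caller probably needs to pass the actor in explicitly.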
@@ -141,5 +141,32 @@ def created_token
 it 'sets available scopes' do
 expect(assigns(:scopes)).to eq(Gitlab::Auth.available_scopes_for(access_token_user))
 end
+
+ context 'with feature flags virtual_registry_maven and dependency_proxy_read_write_scopes disabled' do
+ before do
+ stub_feature_flags(virtual_registry_maven: false, dependency_proxy_read_write_scopes: false)
+ stub_config(dependency_proxy: { enabled: true })
+
+ get :index
+ end
+
+ it 'does not include the virtual registry scopes' do
+ expect(assigns(:scopes)).not_to include(Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+ expect(assigns(:scopes)).not_to include(Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+ end
+
+ %i[virtual_registry_maven dependency_proxy_read_write_scopes].each do |feature_flag|
+ context "with feature flag #{feature_flag} enabled" do
+ before do
+ stub_feature_flags(feature_flag => true)
+ end
+
+ it 'includes the virtual registry scopes' do
+ expect(assigns(:scopes)).not_to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+ expect(assigns(:scopes)).not_to include(::Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+ end
+ end
+ end
+ end
 end
 end
diff --git a/spec/requests/admin/impersonation_tokens_controller_spec.rb b/spec/requests/admin/impersonation_tokens_controller_spec.rb
index 51f17ad725afc8d9827d801c196f982c533b9d3c..9074ab3dc0664719d0f5ad8bfb577c8a5319d756 100644
--- a/spec/requests/admin/impersonation_tokens_controller_spec.rb
+++ b/spec/requests/admin/impersonation_tokens_controller_spec.rb
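Review bot: The 'includes the virtual registry scopes' examples assert `not_to include`, so they pass whether or not enabling a flag restores the scopes. They should read `expect(assigns(:scopes)).to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)`, and likewise for the write scope. The inner `before` that enables the flag also runs after the outer `before` has already issued `get :index`, so the request is made with both flags off. The `get` needs to move into a hook or example that runs after the stub. The hunks for spec/requests/admin/impersonation_tokens_controller_spec.rb and spec/requests/projects/settings/access_tokens_controller_spec.rb have the same two problems, which leaves the flag-enabled path of this token-scope gate untested.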
@@ -62,4 +62,39 @@
 let(:token_attributes) { attributes_for(:personal_access_token, impersonation: true) }
 end
 end
+
+ describe '#index', :with_current_organization do
+ it 'sets available scopes' do
+ get admin_user_impersonation_tokens_path(user_id: user.username)
+
+ expect(assigns(:scopes)).to include(::Gitlab::Auth::API_SCOPE)
+ end
+
+ context 'with feature flags virtual_registry_maven and dependency_proxy_read_write_scopes disabled' do
+ before do
+ stub_feature_flags(virtual_registry_maven: false, dependency_proxy_read_write_scopes: false)
+ stub_config(dependency_proxy: { enabled: true })
+
+ get admin_user_impersonation_tokens_path(user_id: user.username)
+ end
+
+ it 'does not include the virtual registry scopes' do
+ expect(assigns(:scopes)).not_to include(Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+ expect(assigns(:scopes)).not_to include(Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+ end
+
+ %i[virtual_registry_maven dependency_proxy_read_write_scopes].each do |feature_flag|
+ context "with feature flag #{feature_flag} enabled" do
+ before do
+ stub_feature_flags(feature_flag => true)
+ end
+
+ it 'includes the virtual registry scopes' do
+ expect(assigns(:scopes)).not_to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+ expect(assigns(:scopes)).not_to include(::Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+ end
+ end
+ end
+ end
+ end
 end
diff --git a/spec/requests/projects/settings/access_tokens_controller_spec.rb b/spec/requests/projects/settings/access_tokens_controller_spec.rb
index d91e356167cbaf9022371e718284e6bc9fc507ec..de66d99b3d9e06dab2667b372706501f555e7b61 100644
--- a/spec/requests/projects/settings/access_tokens_controller_spec.rb
+++ b/spec/requests/projects/settings/access_tokens_controller_spec.rb
@@ -123,5 +123,32 @@
 expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE)
 expect(assigns(:scopes)).to include(Gitlab::Auth::SELF_ROTATE_SCOPE)
 end
+
+ context 'with feature flags virtual_registry_maven and dependency_proxy_read_write_scopes disabled' do
+ before do
+ stub_feature_flags(virtual_registry_maven: false, dependency_proxy_read_write_scopes: false)
+ stub_config(dependency_proxy: { enabled: true })
+
+ get project_settings_access_tokens_path(resource)
+ end
+
+ it 'does not include the virtual registry scopes' do
+ expect(assigns(:scopes)).not_to include(Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+ expect(assigns(:scopes)).not_to include(Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+ end
+
+ %i[virtual_registry_maven dependency_proxy_read_write_scopes].each do |feature_flag|
+ context "with feature flag #{feature_flag} enabled" do
+ before do
+ stub_feature_flags(feature_flag => true)
+ end
+
+ it 'includes the virtual registry scopes' do
+ expect(assigns(:scopes)).not_to include(::Gitlab::Auth::READ_VIRTUAL_REGISTRY_SCOPE)
+ expect(assigns(:scopes)).not_to include(::Gitlab::Auth::WRITE_VIRTUAL_REGISTRY_SCOPE)
+ end
+ end
+ end
+ end
 end
 end