Clean up read_registry scope changes

Closes #37789

7 files changed, 28 insertions, 20 deletions

diff --git a/app/controllers/profiles/personal_access_tokens_controller.rb b/app/controllers/profiles/personal_access_tokens_controller.rb
index f748d191ef4..c1cc509a748 100644
--- a/app/controllers/profiles/personal_access_tokens_controller.rb
+++ b/app/controllers/profiles/personal_access_tokens_controller.rb
@@ -38,7 +38,7 @@ class Profiles::PersonalAccessTokensController < Profiles::ApplicationController
   end
 
   def set_index_vars
-    @scopes = Gitlab::Auth::AVAILABLE_SCOPES
+    @scopes = Gitlab::Auth.available_scopes
 
     @personal_access_token = finder.build
     @inactive_personal_access_tokens = finder(state: 'inactive').execute
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb
index ec0ebe4d353..1f9d712ef84 100644
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -28,7 +28,7 @@ class PersonalAccessToken < ActiveRecord::Base
   protected
 
   def validate_scopes
-    unless revoked || scopes.all? { |scope| Gitlab::Auth::AVAILABLE_SCOPES.include?(scope.to_sym) }
+    unless revoked || scopes.all? { |scope| Gitlab::Auth.available_scopes.include?(scope.to_sym) }
       errors.add :scopes, "can only contain available scopes"
     end
   end
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 40e635bf2cf..b89f0419b91 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -58,7 +58,7 @@ Doorkeeper.configure do
   # For more information go to
   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
   default_scopes(*Gitlab::Auth::DEFAULT_SCOPES)
-  optional_scopes(*Gitlab::Auth::OPTIONAL_SCOPES)
+  optional_scopes(*Gitlab::Auth.optional_scopes)
 
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 11ace83c15c..87aeb76b66a 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -2,7 +2,7 @@ module Gitlab
   module Auth
     MissingPersonalTokenError = Class.new(StandardError)
 
-    REGISTRY_SCOPES = Gitlab.config.registry.enabled ? [:read_registry].freeze : [].freeze
+    REGISTRY_SCOPES = [:read_registry].freeze
 
     # Scopes used for GitLab API access
     API_SCOPES = [:api, :read_user].freeze
@@ -13,11 +13,6 @@ module Gitlab
     # Default scopes for OAuth applications that don't define their own
     DEFAULT_SCOPES = [:api].freeze
 
-    AVAILABLE_SCOPES = (API_SCOPES + REGISTRY_SCOPES).freeze
-
-    # Other available scopes
-    OPTIONAL_SCOPES = (AVAILABLE_SCOPES + OPENID_SCOPES - DEFAULT_SCOPES).freeze
-
     class << self
       include Gitlab::CurrentSettings
 
@@ -132,7 +127,7 @@ module Gitlab
 
         token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
 
-        if token && valid_scoped_token?(token, AVAILABLE_SCOPES)
+        if token && valid_scoped_token?(token, available_scopes)
           Gitlab::Auth::Result.new(token.user, nil, :personal_token, abilities_for_scope(token.scopes))
         end
       end
@@ -230,6 +225,21 @@ module Gitlab
       def read_user_scope_authentication_abilities
         []
       end
+
+      def available_scopes
+        API_SCOPES + registry_scopes
+      end
+
+      # Other available scopes
+      def optional_scopes
+        available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
+      end
+
+      def registry_scopes
+        return [] unless Gitlab.config.registry.enabled
+
+        REGISTRY_SCOPES
+      end
     end
   end
 end
diff --git a/spec/initializers/doorkeeper_spec.rb b/spec/initializers/doorkeeper_spec.rb
index 37cc08b3038..1a78196e33d 100644
--- a/spec/initializers/doorkeeper_spec.rb
+++ b/spec/initializers/doorkeeper_spec.rb
@@ -9,8 +9,8 @@ describe Doorkeeper.configuration do
   end
 
   describe '#optional_scopes' do
-    it 'matches Gitlab::Auth::OPTIONAL_SCOPES' do
-      expect(subject.optional_scopes).to eq Gitlab::Auth::OPTIONAL_SCOPES - Gitlab::Auth::REGISTRY_SCOPES
+    it 'matches Gitlab::Auth.optional_scopes' do
+      expect(subject.optional_scopes).to eq Gitlab::Auth.optional_scopes - Gitlab::Auth::REGISTRY_SCOPES
     end
   end
 
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 4f4a27e4c41..af1db2c3455 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -16,20 +16,20 @@ describe Gitlab::Auth do
       expect(subject::DEFAULT_SCOPES).to eq [:api]
     end
 
-    it 'OPTIONAL_SCOPES contains all non-default scopes' do
+    it 'optional_scopes contains all non-default scopes' do
       stub_container_registry_config(enabled: true)
 
-      expect(subject::OPTIONAL_SCOPES).to eq %i[read_user read_registry openid]
+      expect(subject.optional_scopes).to eq %i[read_user read_registry openid]
     end
 
-    context 'REGISTRY_SCOPES' do
+    context 'registry_scopes' do
       context 'when registry is disabled' do
         before do
           stub_container_registry_config(enabled: false)
         end
 
         it 'is empty' do
-          expect(subject::REGISTRY_SCOPES).to eq []
+          expect(subject.registry_scopes).to eq []
         end
       end
 
@@ -39,7 +39,7 @@ describe Gitlab::Auth do
         end
 
         it 'contains all registry related scopes' do
-          expect(subject::REGISTRY_SCOPES).to eq %i[read_registry]
+          expect(subject.registry_scopes).to eq %i[read_registry]
         end
       end
     end
diff --git a/spec/support/stub_gitlab_calls.rb b/spec/support/stub_gitlab_calls.rb
index 9695f35bd25..78a2ff73746 100644
--- a/spec/support/stub_gitlab_calls.rb
+++ b/spec/support/stub_gitlab_calls.rb
@@ -26,11 +26,9 @@ module StubGitlabCalls
   end
 
   def stub_container_registry_config(registry_settings)
+    allow(Gitlab.config.registry).to receive_messages(registry_settings)
     allow(Auth::ContainerRegistryAuthenticationService)
       .to receive(:full_access_token).and_return('token')
-
-    allow(Gitlab.config.registry).to receive_messages(registry_settings)
-    load 'lib/gitlab/auth.rb'
   end
 
   def stub_container_registry_tags(repository: :any, tags:)