author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-12 00:07:43 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-12 00:07:43 +0000 |
commit | 2e3cbf7d89815e2915f77677388c49b48f8d20c3 (patch) | |
tree | 03bdbc99e829295e8077b2ec4032300c15b48e37 /spec/services | |
parent | e44bb86539a8fb4cfb06dfe281632b6f206bd0a7 (diff) | |
download | gitlab-ce-2e3cbf7d89815e2915f77677388c49b48f8d20c3.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/clusters/aws/authorize_role_service_spec.rb | 91 | ||||
-rw-r--r-- | spec/services/clusters/aws/fetch_credentials_service_spec.rb | 18 | ||||
-rw-r--r-- | spec/services/clusters/aws/proxy_service_spec.rb | 210 | ||||
-rw-r--r-- | spec/services/clusters/kubernetes_spec.rb | 19 |
4 files changed, 124 insertions, 214 deletions
diff --git a/spec/services/clusters/aws/authorize_role_service_spec.rb b/spec/services/clusters/aws/authorize_role_service_spec.rb
new file mode 100644
index 00000000000..3ef332558a2
--- /dev/null
+++ b/spec/services/clusters/aws/authorize_role_service_spec.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Aws::AuthorizeRoleService do
+ let(:user) { create(:user) }
+ let(:credentials) { instance_double(Aws::Credentials) }
+ let(:credentials_service) { instance_double(Clusters::Aws::FetchCredentialsService, execute: credentials) }
+
+ let(:params) do
+ params = ActionController::Parameters.new({
+ cluster: {
+ role_arn: 'arn:my-role',
+ role_external_id: 'external-id'
+ }
+ })
+
+ params.require(:cluster).permit(:role_arn, :role_external_id)
+ end
+
+ subject { described_class.new(user, params: params).execute }
+
+ before do
+ allow(Clusters::Aws::FetchCredentialsService).to receive(:new)
+ .with(instance_of(Aws::Role)).and_return(credentials_service)
+ end
+
+ context 'role does not exist' do
+ it 'creates an Aws::Role record and returns a set of credentials' do
+ expect(user).to receive(:create_aws_role!)
+ .with(params).and_call_original
+
+ expect(subject.status).to eq(:ok)
+ expect(subject.body).to eq(credentials)
+ end
+ end
+
+ context 'role already exists' do
+ let(:role) { create(:aws_role, user: user) }
+
+ it 'updates the existing Aws::Role record and returns a set of credentials' do
+ expect(role).to receive(:update!)
+ .with(params).and_call_original
+
+ expect(subject.status).to eq(:ok)
+ expect(subject.body).to eq(credentials)
+ end
+ end
+
+ context 'errors' do
+ shared_examples 'bad request' do
+ it 'returns an empty hash' do
+ expect(subject.status).to eq(:unprocessable_entity)
+ expect(subject.body).to eq({})
+ end
+ end
+
+ context 'cannot create role' do
+ before do
+ allow(user).to receive(:create_aws_role!)
+ .and_raise(ActiveRecord::RecordInvalid.new(user))
+ end
+
+ include_examples 'bad request'
+ end
+
+ context 'client errors' do
+ before do
+ allow(credentials_service).to receive(:execute).and_raise(error)
+ end
+
+ context 'error fetching credentials' do
+ let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
+
+ include_examples 'bad request'
+ end
+
+ context 'credentials not configured' do
+ let(:error) { Aws::Errors::MissingCredentialsError.new('error message') }
+
+ include_examples 'bad request'
+ end
+
+ context 'role not configured' do
+ let(:error) { Clusters::Aws::FetchCredentialsService::MissingRoleError.new('error message') }
+
+ include_examples 'bad request'
+ end
+ end
+ end
+end
diff --git a/spec/services/clusters/aws/fetch_credentials_service_spec.rb b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
index 726d1c30603..9194947c67f 100644
--- a/spec/services/clusters/aws/fetch_credentials_service_spec.rb
+++ b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
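Review bot: The new spec never exercises params where `role_external_id` is blank or absent, even though the external id is the value AWS uses to restrict who may assume the role; a context with `role_external_id: ''` asserting `:unprocessable_entity` would pin that the service (or the Aws::Role model, if the validation lives there — not visible in this hunk) rejects such input instead of persisting a role without one. Separately, `shared_examples 'bad request'` now asserts `:unprocessable_entity`, so the example name no longer matches what it checks; `shared_examples 'unprocessable entity'` would read correctly at each `include_examples` site.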
@@ -5,19 +5,18 @@ require 'spec_helper' describe Clusters::Aws::FetchCredentialsService do describe '#execute' do let(:user) { create(:user) } - let(:provider) { create(:cluster_provider_aws) } + let(:provider) { create(:cluster_provider_aws, region: 'ap-southeast-2') } let(:gitlab_access_key_id) { 'gitlab-access-key-id' } let(:gitlab_secret_access_key) { 'gitlab-secret-access-key' } - let(:region) { 'us-east-1' } let(:gitlab_credentials) { Aws::Credentials.new(gitlab_access_key_id, gitlab_secret_access_key) } let(:sts_client) { Aws::STS::Client.new(credentials: gitlab_credentials, region: region) } let(:assumed_role) { instance_double(Aws::AssumeRoleCredentials, credentials: assumed_role_credentials) } let(:assumed_role_credentials) { double } - subject { described_class.new(provision_role, region: region, provider: provider).execute } + subject { described_class.new(provision_role, provider: provider).execute } context 'provision role is configured' do let(:provision_role) { create(:aws_role, user: user) } 
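Review bot: `let(:region)` is dropped from the describe level here, but `let(:sts_client)` in the same hunk still references `region`, which the next hunk only defines inside the two provider contexts; any example elsewhere in this file that evaluates `sts_client` outside those contexts will now fail on the undefined name. A describe-level default such as `let(:region) { Clusters::Providers::Aws::DEFAULT_REGION }` keeps the top-level lets self-contained, with the provider context overriding it. The enclosing `describe '#execute'` block continues past this hunk.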
@@ -39,19 +38,30 @@ describe Clusters::Aws::FetchCredentialsService do client: sts_client, role_arn: provision_role.role_arn, role_session_name: session_name, - external_id: provision_role.role_external_id + external_id: provision_role.role_external_id, + policy: session_policy ).and_return(assumed_role) end context 'provider is specified' do + let(:region) { provider.region } let(:session_name) { "gitlab-eks-cluster-#{provider.cluster_id}-user-#{user.id}" } + let(:session_policy) { nil } it { is_expected.to eq assumed_role_credentials } end context 'provider is not specifed' do let(:provider) { nil } + let(:region) { Clusters::Providers::Aws::DEFAULT_REGION } let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" } + let(:session_policy) { 'policy-document' } + + before do + allow(File).to receive(:read) + .with(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json')) + .and_return(session_policy) + end it { is_expected.to eq assumed_role_credentials } end diff --git a/spec/services/clusters/aws/proxy_service_spec.rb b/spec/services/clusters/aws/proxy_service_spec.rb deleted file mode 100644 index 7b0e0512b95..00000000000 --- a/spec/services/clusters/aws/proxy_service_spec.rb +++ /dev/null 
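Review bot: The `allow(File).to receive(:read).with(...)` stub added in the 'provider is not specifed' context has no fallback, so any other `File.read` during that example fails with an unexpected-arguments error rather than reading the file; adding `allow(File).to receive(:read).and_call_original` before the specific stub keeps the example robust to unrelated reads. The example also only verifies that whatever the file yields is forwarded as `policy:`; a separate example that parses the real `vendor/aws/iam/eks_cluster_read_only_policy.json` with `JSON.parse` would catch a malformed policy document at test time instead of as an STS error at runtime. The enclosing `context 'provision role is configured'` starts outside this hunk.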
@@ -1,210 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe Clusters::Aws::ProxyService do
- let(:role) { create(:aws_role) }
- let(:credentials) { instance_double(Aws::Credentials) }
- let(:client_instance) { instance_double(client) }
-
- let(:region) { 'region' }
- let(:vpc_id) { }
- let(:params) do
- ActionController::Parameters.new({
- resource: resource,
- region: region,
- vpc_id: vpc_id
- })
- end
-
- subject { described_class.new(role, params: params).execute }
-
- context 'external resources' do
- before do
- allow(Clusters::Aws::FetchCredentialsService).to receive(:new) do
- double(execute: credentials)
- end
-
- allow(client).to receive(:new)
- .with(
- credentials: credentials, region: region,
- http_open_timeout: 5, http_read_timeout: 10)
- .and_return(client_instance)
- end
-
- shared_examples 'bad request' do
- it 'returns an empty hash' do
- expect(subject.status).to eq :bad_request
- expect(subject.body).to eq({})
- end
- end
-
- describe 'key_pairs' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'key_pairs' }
- let(:response) { double(to_hash: :key_pairs) }
-
- it 'requests a list of key pairs' do
- expect(client_instance).to receive(:describe_key_pairs).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :key_pairs
- end
- end
-
- describe 'roles' do
- let(:client) { Aws::IAM::Client }
- let(:resource) { 'roles' }
- let(:response) { double(to_hash: :roles) }
-
- it 'requests a list of roles' do
- expect(client_instance).to receive(:list_roles).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :roles
- end
- end
-
- describe 'regions' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'regions' }
- let(:response) { double(to_hash: :regions) }
-
- it 'requests a list of regions' do
- expect(client_instance).to receive(:describe_regions).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :regions
- end
- end
-
- describe 'security_groups' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'security_groups' }
- let(:response) { double(to_hash: :security_groups) }
-
- include_examples 'bad request'
-
- context 'VPC is specified' do
- let(:vpc_id) { 'vpc-1' }
-
- it 'requests a list of security groups for a VPC' do
- expect(client_instance).to receive(:describe_security_groups).once
- .with(filters: [{ name: 'vpc-id', values: [vpc_id] }])
- .and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :security_groups
- end
- end
- end
-
- describe 'subnets' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'subnets' }
- let(:response) { double(to_hash: :subnets) }
-
- include_examples 'bad request'
-
- context 'VPC is specified' do
- let(:vpc_id) { 'vpc-1' }
-
- it 'requests a list of subnets for a VPC' do
- expect(client_instance).to receive(:describe_subnets).once
- .with(filters: [{ name: 'vpc-id', values: [vpc_id] }])
- .and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :subnets
- end
- end
- end
-
- describe 'vpcs' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'vpcs' }
- let(:response) { double(to_hash: :vpcs) }
-
- it 'requests a list of VPCs' do
- expect(client_instance).to receive(:describe_vpcs).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :vpcs
- end
- end
-
- context 'errors' do
- let(:client) { Aws::EC2::Client }
-
- context 'unknown resource' do
- let(:resource) { 'instances' }
-
- include_examples 'bad request'
- end
-
- context 'client and configuration errors' do
- let(:resource) { 'vpcs' }
-
- before do
- allow(client_instance).to receive(:describe_vpcs).and_raise(error)
- end
-
- context 'error fetching credentials' do
- let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
-
- context 'credentials not configured' do
- let(:error) { Aws::Errors::MissingCredentialsError.new('error message') }
-
- include_examples 'bad request'
- end
-
- context 'role not configured' do
- let(:error) { Clusters::Aws::FetchCredentialsService::MissingRoleError.new('error message') }
-
- include_examples 'bad request'
- end
-
- context 'EC2 error' do
- let(:error) { Aws::EC2::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
-
- context 'IAM error' do
- let(:error) { Aws::IAM::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
-
- context 'STS error' do
- let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
- end
- end
- end
-
- context 'local resources' do
- describe 'instance_types' do
- let(:resource) { 'instance_types' }
- let(:cloudformation_template) { double }
- let(:instance_types) { double(dig: %w(t3.small)) }
-
- before do
- allow(File).to receive(:read)
- .with(Rails.root.join('vendor', 'aws', 'cloudformation', 'eks_cluster.yaml'))
- .and_return(cloudformation_template)
-
- allow(YAML).to receive(:safe_load)
- .with(cloudformation_template)
- .and_return(instance_types)
- end
-
- it 'returns a list of instance types' do
- expect(subject.status).to eq :ok
- expect(subject.body).to have_key(:instance_types)
- expect(subject.body[:instance_types]).to match_array([
- instance_type_name: 't3.small'
- ])
- end
- end
- end
-end
diff --git a/spec/services/clusters/kubernetes_spec.rb b/spec/services/clusters/kubernetes_spec.rb
new file mode 100644
index 00000000000..7f2c5e0461d
--- /dev/null
+++ b/spec/services/clusters/kubernetes_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Kubernetes do
+ it { is_expected.to be_const_defined(:GITLAB_SERVICE_ACCOUNT_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_SERVICE_ACCOUNT_NAMESPACE) }
+ it { is_expected.to be_const_defined(:GITLAB_ADMIN_TOKEN_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CLUSTER_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CLUSTER_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:PROJECT_CLUSTER_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_SERVING_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CROSSPLANE_DATABASE_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_VERSION_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:KNATIVE_SERVING_NAMESPACE) }
+end
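Review bot: `be_const_defined` only proves each constant exists; values such as `GITLAB_ADMIN_TOKEN_NAME` and `GITLAB_CLUSTER_ROLE_BINDING_NAME` name objects that were already created in previously provisioned clusters, so an accidental rename would still pass this spec while orphaning the existing service account, token and bindings. Pinning the values — `expect(described_class::GITLAB_SERVICE_ACCOUNT_NAME).to eq('<expected value>')` (placeholder, the real value is not on this page) — turns such a rename into a test failure. As a style point, the thirteen identical `it` lines could be generated from one `%i[...]` list with `each`, which also makes adding a constant a one-line change.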