Diffstat (limited to 'spec/requests/api/internal')
-rw-r--r-- | spec/requests/api/internal/base_spec.rb | 37 | ||||
-rw-r--r-- | spec/requests/api/internal/kubernetes_spec.rb | 18 |
2 files changed, 44 insertions, 11 deletions
diff --git a/spec/requests/api/internal/base_spec.rb b/spec/requests/api/internal/base_spec.rb index 86999c4adaa..6bedd43e5c4 100644 --- a/spec/requests/api/internal/base_spec.rb +++ b/spec/requests/api/internal/base_spec.rb @@ -644,7 +644,7 @@ RSpec.describe API::Internal::Base do context 'with Project' do it_behaves_like 'storing arguments in the application context' do - let(:expected_params) { { user: key.user.username, project: project.full_path } } + let(:expected_params) { { user: key.user.username, project: project.full_path, caller_id: "POST /api/:version/internal/allowed" } } subject { push(key, project) } end @@ -652,7 +652,7 @@ RSpec.describe API::Internal::Base do context 'with PersonalSnippet' do it_behaves_like 'storing arguments in the application context' do - let(:expected_params) { { user: key.user.username } } + let(:expected_params) { { user: key.user.username, caller_id: "POST /api/:version/internal/allowed" } } subject { push(key, personal_snippet) } end @@ -660,7 +660,7 @@ RSpec.describe API::Internal::Base do context 'with ProjectSnippet' do it_behaves_like 'storing arguments in the application context' do - let(:expected_params) { { user: key.user.username, project: project_snippet.project.full_path } } + let(:expected_params) { { user: key.user.username, project: project_snippet.project.full_path, caller_id: "POST /api/:version/internal/allowed" } } subject { push(key, project_snippet) } end @@ -887,7 +887,7 @@ RSpec.describe API::Internal::Base do context 'project does not exist' do context 'git pull' do it 'returns a 200 response with status: false' do - project.destroy + project.destroy! pull(key, project) @@ -1115,7 +1115,7 @@ RSpec.describe API::Internal::Base do end end - context 'feature flag :user_mode_in_session is enabled' do + context 'application setting :admin_mode is enabled' do context 'with an admin user' do let(:user) { create(:admin) } 
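Review bot: The renamed context 'application setting :admin_mode is enabled' (hunk at -1115) shows no setup for the setting, while its 'disabled' counterpart in the next hunk stubs it explicitly. Unless a `before` outside the hunk does it, the enabled case only exercises admin mode as long as the suite-wide default keeps `admin_mode` on. Adding `before { stub_application_setting(admin_mode: true) }` at the top of the context would pin the precondition these admin-access assertions rely on. The context body continues outside the hunk, so this may already be covered further down.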
@@ -1147,9 +1147,9 @@ RSpec.describe API::Internal::Base do end end - context 'feature flag :user_mode_in_session is disabled' do + context 'application setting :admin_mode is disabled' do before do - stub_feature_flags(user_mode_in_session: false) + stub_application_setting(admin_mode: false) end context 'with an admin user' do @@ -1413,6 +1413,29 @@ RSpec.describe API::Internal::Base do end end + describe 'GET /internal/geo_proxy' do + subject { get api('/internal/geo_proxy'), params: { secret_token: secret_token } } + + context 'with valid auth' do + it 'returns empty data' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to be_empty + end + end + + context 'with invalid auth' do + let(:secret_token) { 'invalid_token' } + + it 'returns unauthorized' do + subject + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end + def lfs_auth_project(project) post( api("/internal/lfs_authenticate"), diff --git a/spec/requests/api/internal/kubernetes_spec.rb b/spec/requests/api/internal/kubernetes_spec.rb index 2e13016a0a6..47d0c872eb6 100644 --- a/spec/requests/api/internal/kubernetes_spec.rb +++ b/spec/requests/api/internal/kubernetes_spec.rb 
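Review bot: The new 'GET /internal/geo_proxy' block (hunk at +1413) checks a wrong `secret_token` but never a request that carries no token at all, which is the case most likely to slip through if the endpoint's authentication guard is later reordered or dropped. A third context that omits the parameter and expects the same rejection would close that gap. The 401 status is assumed from the 'with invalid auth' case, so confirm it against the endpoint. The default `secret_token` is defined outside the hunk.

```ruby
# … unchanged: subject, 'with valid auth', 'with invalid auth' …

context 'without a secret token' do
  it 'returns unauthorized' do
    get api('/internal/geo_proxy')

    expect(response).to have_gitlab_http_status(:unauthorized)
  end
end
```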
@@ -38,16 +38,22 @@ RSpec.describe API::Internal::Kubernetes do end shared_examples 'agent authentication' do - it 'returns 403 if Authorization header not sent' do + it 'returns 401 if Authorization header not sent' do send_request - expect(response).to have_gitlab_http_status(:forbidden) + expect(response).to have_gitlab_http_status(:unauthorized) end - it 'returns 403 if Authorization is for non-existent agent' do + it 'returns 401 if Authorization is for non-existent agent' do send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' }) - expect(response).to have_gitlab_http_status(:forbidden) + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + + shared_examples 'agent token tracking' do + it 'tracks token usage' do + expect { response }.to change { agent_token.reload.read_attribute(:last_used_at) } end end @@ -101,6 +107,8 @@ RSpec.describe API::Internal::Kubernetes do let(:agent) { agent_token.agent } let(:project) { agent.project } + shared_examples 'agent token tracking' + it 'returns expected data', :aggregate_failures do send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" }) @@ -169,6 +177,8 @@ RSpec.describe API::Internal::Kubernetes do context 'an agent is found' do let_it_be(:agent_token) { create(:cluster_agent_token) } + shared_examples 'agent token tracking' + context 'project is public' do let(:project) { create(:project, :public) } |
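Review bot: In the new 'tracks token usage' example (hunk at +38) the `expect` block contains only `response`, and nothing visible sends a request there. Unless `response` is overridden outside the hunk to perform the call, `last_used_at` has no reason to change and the example does not test tracking. Sending the authenticated request inside the block ties the assertion to real token use: `expect { send_request(headers: { 'Authorization' => "Bearer #{agent_token.token}" }) }.to change { agent_token.reload.read_attribute(:last_used_at) }`.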
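Review bot: `shared_examples 'agent token tracking'` inside the context at +107, and again at +177 in the next hunk, is the definition keyword called without a block, not an inclusion. The 'tracks token usage' example is therefore not run in either context, and agent-token usage tracking stays untested even though the suite reads as if it were covered. Replace both lines with `include_examples 'agent token tracking'` (or `it_behaves_like 'agent token tracking'`). Both contexts continue outside their hunks.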