diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-27 18:09:39 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-27 18:09:39 +0000 |
| commit | 3e1f93c033ed7744696f7763716b51ab5acda17a (patch) | |
| tree | 9208f71b8b7461a34560ac2b7f5d01f26b5cd80c /spec/policies | |
| parent | ab421e159d39cf91a95f4a911821308d258e77d9 (diff) | |
| download | gitlab-ce-3e1f93c033ed7744696f7763716b51ab5acda17a.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/policies')
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 118 |
1 files changed, 105 insertions, 13 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 6857865c7cf..eaace86025c 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -1098,25 +1098,117 @@ RSpec.describe ProjectPolicy do subject { described_class.new(deploy_token, project) } - context 'a deploy token with read_package_registry scope' do - let(:deploy_token) { create(:deploy_token, read_package_registry: true) } + context 'private project' do + let(:project) { private_project } - it { is_expected.to be_allowed(:read_package) } - it { is_expected.to be_allowed(:read_project) } - it { is_expected.to be_disallowed(:create_package) } + context 'a deploy token with read_registry scope' do + let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false) } - it_behaves_like 'package access with repository disabled' + it { is_expected.to be_allowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + + context 'with registry disabled' do + include_context 'registry disabled via project features' + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end + end + + context 'a deploy token with write_registry scope' do + let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true) } + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_allowed(:create_container_image) } + + context 'with registry disabled' do + include_context 'registry disabled via project features' + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end + end + + context 'a deploy token with no registry scope' do + let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: false) } + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end + + context 'a deploy token with read_package_registry scope' do + let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, read_package_registry: true) } + + it { is_expected.to be_allowed(:read_project) } + it { is_expected.to be_allowed(:read_package) } + it { is_expected.to be_disallowed(:create_package) } + + it_behaves_like 'package access with repository disabled' + end + + context 'a deploy token with write_package_registry scope' do + let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, write_package_registry: true) } + + it { is_expected.to be_allowed(:create_package) } + it { is_expected.to be_allowed(:read_package) } + it { is_expected.to be_allowed(:read_project) } + it { is_expected.to be_disallowed(:destroy_package) } + + it_behaves_like 'package access with repository disabled' + end end - context 'a deploy token with write_package_registry scope' do - let(:deploy_token) { create(:deploy_token, write_package_registry: true) } + context 'public project' do + let(:project) { public_project } + + context 'a deploy token with read_registry scope' do + let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false) } - it { is_expected.to be_allowed(:create_package) } - it { is_expected.to be_allowed(:read_package) } - it { is_expected.to be_allowed(:read_project) } - it { is_expected.to be_disallowed(:destroy_package) } + it { is_expected.to be_allowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } - it_behaves_like 'package access with repository disabled' + context 'with registry disabled' do + include_context 'registry disabled via project features' + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end + + context 'with registry private' do + include_context 'registry set to private via project features' + + it { is_expected.to be_allowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end + end + + context 'a deploy token with write_registry scope' do + let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true) } + + it { is_expected.to be_allowed(:read_container_image) } + it { is_expected.to be_allowed(:create_container_image) } + + context 'with registry disabled' do + include_context 'registry disabled via project features' + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end + + context 'with registry private' do + include_context 'registry set to private via project features' + + it { is_expected.to be_allowed(:read_container_image) } + it { is_expected.to be_allowed(:create_container_image) } + end + end + + context 'a deploy token with no registry scope' do + let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: false) } + + it { is_expected.to be_disallowed(:read_container_image) } + it { is_expected.to be_disallowed(:create_container_image) } + end end end |