diff options
author | Kamil TrzciĆski <ayufan@ayufan.eu> | 2018-04-10 07:31:30 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2018-04-10 19:03:07 -0500 |
commit | 44b89668371dff6b32b7c077f6dddba6fd13d52f (patch) | |
tree | 5feb5899d1dd333f89d08ba8a0b9d9eb9edc6b72 /spec/services | |
parent | bff933f0f1bfc83bbfbec40c7bd4181c88c175da (diff) | |
download | gitlab-ce-44b89668371dff6b32b7c077f6dddba6fd13d52f.tar.gz |
Merge branch 'deploy-tokens-container-registry-specs' into 'master'
Verify that deploy token has valid access when pulling container registry image
Closes #45148
See merge request gitlab-org/gitlab-ce!18260
Diffstat (limited to 'spec/services')
-rw-r--r-- | spec/services/auth/container_registry_authentication_service_spec.rb | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb index 290eeae828e..da8e660c16b 100644 --- a/spec/services/auth/container_registry_authentication_service_spec.rb +++ b/spec/services/auth/container_registry_authentication_service_spec.rb @@ -585,4 +585,140 @@ describe Auth::ContainerRegistryAuthenticationService do it_behaves_like 'not a container repository factory' end end + + context 'for deploy tokens' do + let(:current_params) do + { scope: "repository:#{project.full_path}:pull" } + end + + context 'when deploy token has read_registry as a scope' do + let(:current_user) { create(:deploy_token, projects: [project]) } + + context 'for public project' do + let(:project) { create(:project, :public) } + + context 'when pulling' do + it_behaves_like 'a pullable' + end + + context 'when pushing' do + let(:current_params) do + { scope: "repository:#{project.full_path}:push" } + end + + it_behaves_like 'an inaccessible' + end + end + + context 'for internal project' do + let(:project) { create(:project, :internal) } + + context 'when pulling' do + it_behaves_like 'a pullable' + end + + context 'when pushing' do + let(:current_params) do + { scope: "repository:#{project.full_path}:push" } + end + + it_behaves_like 'an inaccessible' + end + end + + context 'for private project' do + let(:project) { create(:project, :private) } + + context 'when pulling' do + it_behaves_like 'a pullable' + end + + context 'when pushing' do + let(:current_params) do + { scope: "repository:#{project.full_path}:push" } + end + + it_behaves_like 'an inaccessible' + end + end + end + + context 'when deploy token does not have read_registry scope' do + let(:current_user) { create(:deploy_token, projects: [project], read_registry: false) } + + context 'for public project' do + let(:project) { create(:project, :public) } + + context 'when pulling' do + it_behaves_like 'a pullable' + end + end + + context 'for internal project' do + let(:project) { create(:project, :internal) } + + context 'when pulling' do + it_behaves_like 'an inaccessible' + end + end + + context 'for private project' do + let(:project) { create(:project, :internal) } + + context 'when pulling' do + it_behaves_like 'an inaccessible' + end + end + end + + context 'when deploy token is not related to the project' do + let(:current_user) { create(:deploy_token, read_registry: false) } + + context 'for public project' do + let(:project) { create(:project, :public) } + + context 'when pulling' do + it_behaves_like 'a pullable' + end + end + + context 'for internal project' do + let(:project) { create(:project, :internal) } + + context 'when pulling' do + it_behaves_like 'an inaccessible' + end + end + + context 'for private project' do + let(:project) { create(:project, :internal) } + + context 'when pulling' do + it_behaves_like 'an inaccessible' + end + end + end + + context 'when deploy token has been revoked' do + let(:current_user) { create(:deploy_token, :revoked, projects: [project]) } + + context 'for public project' do + let(:project) { create(:project, :public) } + + it_behaves_like 'a pullable' + end + + context 'for internal project' do + let(:project) { create(:project, :internal) } + + it_behaves_like 'an inaccessible' + end + + context 'for private project' do + let(:project) { create(:project, :internal) } + + it_behaves_like 'an inaccessible' + end + end + end end |