Merge branch 'deploy-tokens-container-registry-specs' into 'master'

Verify that deploy token has valid access when pulling container registry image Closes #45148 See merge request gitlab-org/gitlab-ce!18260
author: Kamil Trzciński <ayufan@ayufan.eu> 2018-04-10 07:31:30 +0000
committer: Robert Speicher <rspeicher@gmail.com> 2018-04-10 19:03:07 -0500
commit: 44b89668371dff6b32b7c077f6dddba6fd13d52f (patch)
tree: 5feb5899d1dd333f89d08ba8a0b9d9eb9edc6b72 /spec/services
parent: bff933f0f1bfc83bbfbec40c7bd4181c88c175da (diff)
download: gitlab-ce-44b89668371dff6b32b7c077f6dddba6fd13d52f.tar.gz
1 files changed, 136 insertions, 0 deletions
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 290eeae828e..da8e660c16b 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -585,4 +585,140 @@ describe Auth::ContainerRegistryAuthenticationService do
       it_behaves_like 'not a container repository factory'
     end
   end
+
+  context 'for deploy tokens' do
+    let(:current_params) do
+      { scope: "repository:#{project.full_path}:pull" }
+    end
+
+    context 'when deploy token has read_registry as a scope' do
+      let(:current_user) { create(:deploy_token, projects: [project]) }
+
+      context 'for public project' do
+        let(:project) { create(:project, :public) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scope: "repository:#{project.full_path}:push" }
+          end
+
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
+      context 'for internal project' do
+        let(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scope: "repository:#{project.full_path}:push" }
+          end
+
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
+      context 'for private project' do
+        let(:project) { create(:project, :private) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scope: "repository:#{project.full_path}:push" }
+          end
+
+          it_behaves_like 'an inaccessible'
+        end
+      end
+    end
+
+    context 'when deploy token does not have read_registry scope' do
+      let(:current_user) { create(:deploy_token, projects: [project], read_registry: false) }
+
+      context 'for public project' do
+        let(:project) { create(:project, :public) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+      end
+
+      context 'for internal project' do
+        let(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
+      context 'for private project' do
+        let(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+    end
+
+    context 'when deploy token is not related to the project' do
+      let(:current_user) { create(:deploy_token, read_registry: false) }
+
+      context 'for public project' do
+        let(:project) { create(:project, :public) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+      end
+
+      context 'for internal project' do
+        let(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
+      context 'for private project' do
+        let(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+    end
+
+    context 'when deploy token has been revoked' do
+      let(:current_user) { create(:deploy_token, :revoked, projects: [project]) }
+
+      context 'for public project' do
+        let(:project) { create(:project, :public) }
+
+        it_behaves_like 'a pullable'
+      end
+
+      context 'for internal project' do
+        let(:project) { create(:project, :internal) }
+
+        it_behaves_like 'an inaccessible'
+      end
+
+      context 'for private project' do
+        let(:project) { create(:project, :internal) }
+
+        it_behaves_like 'an inaccessible'
+      end
+    end
+  end
 end
author	Kamil Trzciński <ayufan@ayufan.eu>	2018-04-10 07:31:30 +0000
committer	Robert Speicher <rspeicher@gmail.com>	2018-04-10 19:03:07 -0500
commit	44b89668371dff6b32b7c077f6dddba6fd13d52f (patch)
tree	5feb5899d1dd333f89d08ba8a0b9d9eb9edc6b72 /spec/services
parent	bff933f0f1bfc83bbfbec40c7bd4181c88c175da (diff)
download	gitlab-ce-44b89668371dff6b32b7c077f6dddba6fd13d52f.tar.gz