Diffstat (limited to 'spec/services/auth/container_registry_authentication_service_spec.rb')
-rw-r--r--spec/services/auth/container_registry_authentication_service_spec.rb131
1 files changed, 68 insertions, 63 deletions
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index bc85f4f0087..90ef32f1c5c 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -3,6 +3,8 @@
require 'spec_helper'
RSpec.describe Auth::ContainerRegistryAuthenticationService do
+ include AdminModeHelper
+
let(:current_project) { nil }
let(:current_user) { nil }
let(:current_params) { {} }
@@ -135,7 +137,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
describe '#full_access_token' do
- let(:project) { create(:project) }
+ let_it_be(:project) { create(:project) }
let(:token) { described_class.full_access_token(project.full_path) }
subject { { token: token } }
@@ -148,7 +150,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
describe '#pull_access_token' do
- let(:project) { create(:project) }
+ let_it_be(:project) { create(:project) }
let(:token) { described_class.pull_access_token(project.full_path) }
subject { { token: token } }
@@ -161,7 +163,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'user authorization' do
- let(:current_user) { create(:user) }
+ let_it_be(:current_user) { create(:user) }
context 'for registry catalog' do
let(:current_params) do
@@ -175,14 +177,14 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for private project' do
- let(:project) { create(:project) }
+ let_it_be(:project) { create(:project) }
context 'allow to use scope-less authentication' do
it_behaves_like 'a valid token'
end
context 'allow developer to push images' do
- before do
+ before_all do
project.add_developer(current_user)
end
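Review bot: `project` and `current_user` are now single shared instances for every context under 'for private project', while the nested `before_all` blocks grant different roles (developer here, reporter and guest in the later hunks). The membership rows are rolled back between contexts, but anything memoized on the Ruby objects is not, so a deny example could be decided by state left over from an earlier role; this is inferred, since the models are not visible here. For an authorization spec it is safer to declare the shared records with reload, e.g. `let_it_be(:project, reload: true) { create(:project) }`, and the same for `current_user` in the `@@ -161,7 +163,7` hunk. The 'allow developer to push images' context continues outside this hunk.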
@@ -195,7 +197,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow developer to delete images' do
- before do
+ before_all do
project.add_developer(current_user)
end
@@ -222,7 +224,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow developer to delete images since registry 2.7' do
- before do
+ before_all do
project.add_developer(current_user)
end
@@ -235,7 +237,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'allow reporter to pull images' do
- before do
+ before_all do
project.add_reporter(current_user)
end
@@ -250,7 +252,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow reporter to delete images' do
- before do
+ before_all do
project.add_reporter(current_user)
end
@@ -263,7 +265,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow reporter to delete images since registry 2.7' do
- before do
+ before_all do
project.add_reporter(current_user)
end
@@ -276,7 +278,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'return a least of privileges' do
- before do
+ before_all do
project.add_reporter(current_user)
end
@@ -289,7 +291,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow guest to pull or push images' do
- before do
+ before_all do
project.add_guest(current_user)
end
@@ -302,7 +304,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow guest to delete images' do
- before do
+ before_all do
project.add_guest(current_user)
end
@@ -315,7 +317,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow guest to delete images since registry 2.7' do
- before do
+ before_all do
project.add_guest(current_user)
end
@@ -329,7 +331,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for public project' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
context 'allow anyone to pull images' do
let(:current_params) do
@@ -378,7 +380,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for internal project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
context 'for internal user' do
context 'allow anyone to pull images' do
@@ -420,7 +422,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
context 'for external user' do
context 'disallow anyone to pull or push images' do
- let(:current_user) { create(:user, external: true) }
+ let_it_be(:current_user) { create(:user, external: true) }
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull,push"] }
end
@@ -430,7 +432,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow anyone to delete images' do
- let(:current_user) { create(:user, external: true) }
+ let_it_be(:current_user) { create(:user, external: true) }
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:*"] }
end
@@ -440,7 +442,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'disallow anyone to delete images since registry 2.7' do
- let(:current_user) { create(:user, external: true) }
+ let_it_be(:current_user) { create(:user, external: true) }
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
@@ -453,14 +455,14 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'delete authorized as maintainer' do
- let(:current_project) { create(:project) }
- let(:current_user) { create(:user) }
+ let_it_be(:current_project) { create(:project) }
+ let_it_be(:current_user) { create(:user) }
let(:authentication_abilities) do
[:admin_container_image]
end
- before do
+ before_all do
current_project.add_maintainer(current_user)
end
@@ -488,14 +490,14 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'build authorized as user' do
- let(:current_project) { create(:project) }
- let(:current_user) { create(:user) }
+ let_it_be(:current_project) { create(:project) }
+ let_it_be(:current_user) { create(:user) }
let(:authentication_abilities) do
[:build_read_container_image, :build_create_container_image, :build_destroy_container_image]
end
- before do
+ before_all do
current_project.add_developer(current_user)
end
@@ -550,7 +552,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'allow for public' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
it_behaves_like 'a pullable'
it_behaves_like 'not a container repository factory'
@@ -563,7 +565,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'when you are member' do
- before do
+ before_all do
project.add_developer(current_user)
end
@@ -572,7 +574,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'when you are owner' do
- let(:project) { create(:project, namespace: current_user.namespace) }
+ let_it_be(:project) { create(:project, namespace: current_user.namespace) }
it_behaves_like 'a pullable'
it_behaves_like 'not a container repository factory'
@@ -580,12 +582,12 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for private' do
- let(:project) { create(:project, :private) }
+ let_it_be(:project) { create(:project, :private) }
it_behaves_like 'pullable for being team member'
context 'when you are admin' do
- let(:current_user) { create(:admin) }
+ let_it_be(:current_user) { create(:admin) }
context 'when you are not member' do
it_behaves_like 'an inaccessible'
@@ -593,7 +595,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'when you are member' do
- before do
+ before_all do
project.add_developer(current_user)
end
@@ -602,7 +604,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'when you are owner' do
- let(:project) { create(:project, namespace: current_user.namespace) }
+ let_it_be(:project) { create(:project, namespace: current_user.namespace) }
it_behaves_like 'a pullable'
it_behaves_like 'not a container repository factory'
@@ -618,9 +620,9 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
context 'disallow for all' do
context 'when you are member' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
- before do
+ before_all do
project.add_developer(current_user)
end
@@ -629,7 +631,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'when you are owner' do
- let(:project) { create(:project, :public, namespace: current_user.namespace) }
+ let_it_be(:project) { create(:project, :public, namespace: current_user.namespace) }
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
@@ -639,10 +641,10 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for project without container registry' do
- let(:project) { create(:project, :public, container_registry_enabled: false) }
+ let_it_be(:project) { create(:project, :public, container_registry_enabled: false) }
before do
- project.update(container_registry_enabled: false)
+ project.update!(container_registry_enabled: false)
end
context 'disallow when pulling' do
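Review bot: The per-example `before` block repeats `project.update!(container_registry_enabled: false)` on a record that the `let_it_be` line above already creates with `container_registry_enabled: false`. If the factory attribute takes effect, the block is redundant and can be dropped; if it does not (not visible from this hunk), the update belongs in `before_all do ... end` so it runs once with the shared record. A short comment saying which of the two is the case would help the next reader. The context body continues outside the hunk.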
@@ -656,7 +658,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for project that disables repository' do
- let(:project) { create(:project, :public, :repository_disabled) }
+ let_it_be(:project) { create(:project, :public, :repository_disabled) }
context 'disallow when pulling' do
let(:current_params) do
@@ -670,8 +672,8 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'registry catalog browsing authorized as admin' do
- let(:current_user) { create(:user, :admin) }
- let(:project) { create(:project, :public) }
+ let_it_be(:current_user) { create(:user, :admin) }
+ let_it_be(:project) { create(:project, :public) }
let(:current_params) do
{ scopes: ["registry:catalog:*"] }
@@ -681,8 +683,8 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'support for multiple scopes' do
- let(:internal_project) { create(:project, :internal) }
- let(:private_project) { create(:project, :private) }
+ let_it_be(:internal_project) { create(:project, :internal) }
+ let_it_be(:private_project) { create(:project, :private) }
let(:current_params) do
{
@@ -694,7 +696,11 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'user has access to all projects' do
- let(:current_user) { create(:user, :admin) }
+ let_it_be(:current_user) { create(:user, :admin) }
+
+ before do
+ enable_admin_mode!(current_user)
+ end
it_behaves_like 'a browsable' do
let(:access) do
@@ -711,7 +717,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'user only has access to internal project' do
- let(:current_user) { create(:user) }
+ let_it_be(:current_user) { create(:user) }
it_behaves_like 'a browsable' do
let(:access) do
@@ -747,7 +753,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for private project' do
- let(:project) { create(:project, :private) }
+ let_it_be(:project) { create(:project, :private) }
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull"] }
@@ -757,7 +763,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for public project' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
context 'when pulling and pushing' do
let(:current_params) do
@@ -806,7 +812,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for public project' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
context 'when pulling' do
it_behaves_like 'a pullable'
@@ -824,7 +830,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for internal project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
context 'when pulling' do
it_behaves_like 'a pullable'
@@ -842,7 +848,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for private project' do
- let(:project) { create(:project, :private) }
+ let_it_be(:project) { create(:project, :private) }
context 'when pulling' do
it_behaves_like 'a pullable'
@@ -880,7 +886,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for public project' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
context 'when pulling' do
it_behaves_like 'a pullable'
@@ -890,7 +896,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for internal project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
@@ -900,7 +906,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for private project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
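Review bot: The 'for private project' context still builds an internal project (`create(:project, :internal)`), so the denial for private projects is never exercised and these examples repeat the internal case. The same mismatch appears in the 'for private project' contexts of the `@@ -937,7 +943,7` and `@@ -949,19 +955,19` hunks. Since the line is being rewritten anyway, the fixture should match the context name: `let_it_be(:project) { create(:project, :private) }`. The context body continues outside the hunk.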
@@ -918,10 +924,10 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'when deploy token is not related to the project' do
- let(:current_user) { create(:deploy_token, read_registry: false) }
+ let_it_be(:current_user) { create(:deploy_token, read_registry: false) }
context 'for public project' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
context 'when pulling' do
it_behaves_like 'a pullable'
@@ -929,7 +935,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for internal project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
@@ -937,7 +943,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'for private project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
@@ -949,19 +955,19 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
let(:current_user) { create(:deploy_token, :revoked, projects: [project]) }
context 'for public project' do
- let(:project) { create(:project, :public) }
+ let_it_be(:project) { create(:project, :public) }
it_behaves_like 'a pullable'
end
context 'for internal project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
it_behaves_like 'an inaccessible'
end
context 'for private project' do
- let(:project) { create(:project, :internal) }
+ let_it_be(:project) { create(:project, :internal) }
it_behaves_like 'an inaccessible'
end
@@ -969,14 +975,13 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
end
context 'user authorization' do
- let(:current_user) { create(:user) }
+ let_it_be(:current_user) { create(:user) }
context 'with multiple scopes' do
- let(:project) { create(:project) }
- let(:project2) { create }
+ let_it_be(:project) { create(:project) }
context 'allow developer to push images' do
- before do
+ before_all do
project.add_developer(current_user)
end