3 files changed, 222 insertions, 6 deletions

diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
new file mode 100644
index 00000000000..3ea252ed44f
--- /dev/null
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -0,0 +1,216 @@
+require 'spec_helper'
+
+describe Auth::ContainerRegistryAuthenticationService, services: true do
+  let(:current_project) { nil }
+  let(:current_user) { nil }
+  let(:current_params) { {} }
+  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
+  let(:registry_settings) do
+    {
+      enabled: true,
+      issuer: 'rspec',
+      key: nil
+    }
+  end
+  let(:payload) { JWT.decode(subject[:token], rsa_key).first }
+
+  subject { described_class.new(current_project, current_user, current_params).execute }
+
+  before do
+    allow(Gitlab.config.registry).to receive_messages(registry_settings)
+    allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
+  end
+
+  shared_examples 'an authenticated' do
+    it { is_expected.to include(:token) }
+    it { expect(payload).to include('access') }
+  end
+
+  shared_examples 'a accessible' do
+    let(:access) do
+      [{
+         'type' => 'repository',
+         'name' => project.path_with_namespace,
+         'actions' => actions,
+       }]
+    end
+
+    it_behaves_like 'an authenticated'
+    it { expect(payload).to include('access' => access) }
+  end
+
+  shared_examples 'a pullable' do
+    it_behaves_like 'a accessible' do
+      let(:actions) { ['pull'] }
+    end
+  end
+
+  shared_examples 'a pushable' do
+    it_behaves_like 'a accessible' do
+      let(:actions) { ['push'] }
+    end
+  end
+
+  shared_examples 'a pullable and pushable' do
+    it_behaves_like 'a accessible' do
+      let(:actions) { ['pull', 'push'] }
+    end
+  end
+
+  shared_examples 'a forbidden' do
+    it { is_expected.to include(http_status: 403) }
+    it { is_expected.to_not include(:token) }
+  end
+
+  context 'user authorization' do
+    let(:project) { create(:project) }
+    let(:current_user) { create(:user) }
+
+    context 'allow to use offline_token' do
+      let(:current_params) do
+        { offline_token: true }
+      end
+
+      it_behaves_like 'an authenticated'
+    end
+
+    context 'allow developer to push images' do
+      before { project.team << [current_user, :developer] }
+
+      let(:current_params) do
+        { scope: "repository:#{project.path_with_namespace}:push" }
+      end
+
+      it_behaves_like 'a pushable'
+    end
+
+    context 'allow reporter to pull images' do
+      before { project.team << [current_user, :reporter] }
+
+      let(:current_params) do
+        { scope: "repository:#{project.path_with_namespace}:pull" }
+      end
+
+      it_behaves_like 'a pullable'
+    end
+
+    context 'return a least of privileges' do
+      before { project.team << [current_user, :reporter] }
+
+      let(:current_params) do
+        { scope: "repository:#{project.path_with_namespace}:push,pull" }
+      end
+
+      it_behaves_like 'a pullable'
+    end
+
+    context 'disallow guest to pull or push images' do
+      before { project.team << [current_user, :guest] }
+
+      let(:current_params) do
+        { scope: "repository:#{project.path_with_namespace}:pull,push" }
+      end
+
+      it_behaves_like 'a forbidden'
+    end
+  end
+
+  context 'project authorization' do
+    let(:current_project) { create(:empty_project) }
+
+    context 'disallow to use offline_token' do
+      let(:current_params) do
+        { offline_token: true }
+      end
+
+      it_behaves_like 'a forbidden'
+    end
+
+    context 'allow to pull and push images' do
+      let(:current_params) do
+        { scope: "repository:#{current_project.path_with_namespace}:pull,push" }
+      end
+
+      it_behaves_like 'a pullable and pushable' do
+        let(:project) { current_project }
+      end
+    end
+
+    context 'for other projects' do
+      context 'when pulling' do
+        let(:current_params) do
+          { scope: "repository:#{project.path_with_namespace}:pull" }
+        end
+
+        context 'allow for public' do
+          let(:project) { create(:empty_project, :public) }
+          it_behaves_like 'a pullable'
+        end
+
+        context 'disallow for private' do
+          let(:project) { create(:empty_project, :private) }
+          it_behaves_like 'a forbidden'
+        end
+      end
+
+      context 'when pushing' do
+        let(:current_params) do
+          { scope: "repository:#{project.path_with_namespace}:push" }
+        end
+
+        context 'disallow for all' do
+          let(:project) { create(:empty_project, :public) }
+          it_behaves_like 'a forbidden'
+        end
+      end
+    end
+  end
+
+  context 'unauthorized' do
+    context 'disallow to use offline_token' do
+      let(:current_params) do
+        { offline_token: true }
+      end
+
+      it_behaves_like 'a forbidden'
+    end
+
+    context 'for invalid scope' do
+      let(:current_params) do
+        { scope: 'invalid:aa:bb' }
+      end
+
+      it_behaves_like 'a forbidden'
+    end
+
+    context 'for private project' do
+      let(:project) { create(:empty_project, :private) }
+
+      let(:current_params) do
+        { scope: "repository:#{project.path_with_namespace}:pull" }
+      end
+
+      it_behaves_like 'a forbidden'
+    end
+
+    context 'for public project' do
+      let(:project) { create(:empty_project, :public) }
+
+      context 'when pulling and pushing' do
+        let(:current_params) do
+          { scope: "repository:#{project.path_with_namespace}:pull,push" }
+        end
+
+        it_behaves_like 'a pullable'
+      end
+
+      context 'when pushing' do
+        let(:current_params) do
+          { scope: "repository:#{project.path_with_namespace}:push" }
+        end
+
+        it_behaves_like 'a forbidden'
+      end
+    end
+  end
+end
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index e43903dbd3c..fd114359467 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -64,7 +64,7 @@ describe Projects::CreateService, services: true do
           @path = ProjectWiki.new(@project, @user).send(:path_to_repo)
         end
 
-        it { expect(File.exists?(@path)).to be_truthy }
+        it { expect(File.exist?(@path)).to be_truthy }
       end
 
       context 'wiki_enabled false does not create wiki repository directory' do
@@ -74,7 +74,7 @@ describe Projects::CreateService, services: true do
           @path = ProjectWiki.new(@project, @user).send(:path_to_repo)
         end
 
-        it { expect(File.exists?(@path)).to be_falsey }
+        it { expect(File.exist?(@path)).to be_falsey }
       end
     end
 
diff --git a/spec/services/projects/destroy_service_spec.rb b/spec/services/projects/destroy_service_spec.rb
index 1ec27077717..a5cb6f382e4 100644
--- a/spec/services/projects/destroy_service_spec.rb
+++ b/spec/services/projects/destroy_service_spec.rb
@@ -13,8 +13,8 @@ describe Projects::DestroyService, services: true do
     end
 
     it { expect(Project.all).not_to include(project) }
-    it { expect(Dir.exists?(path)).to be_falsey }
-    it { expect(Dir.exists?(remove_path)).to be_falsey }
+    it { expect(Dir.exist?(path)).to be_falsey }
+    it { expect(Dir.exist?(remove_path)).to be_falsey }
   end
 
   context 'Sidekiq fake' do
@@ -24,8 +24,8 @@ describe Projects::DestroyService, services: true do
     end
 
     it { expect(Project.all).not_to include(project) }
-    it { expect(Dir.exists?(path)).to be_falsey }
-    it { expect(Dir.exists?(remove_path)).to be_truthy }
+    it { expect(Dir.exist?(path)).to be_falsey }
+    it { expect(Dir.exist?(remove_path)).to be_truthy }
   end
 
   def destroy_project(project, user, params)