diff options
Diffstat (limited to 'spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb')
| -rw-r--r-- | spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb | 178 |
1 files changed, 137 insertions, 41 deletions
diff --git a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb index eafcbd77040..f6e25ee6647 100644 --- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb +++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb @@ -69,6 +69,10 @@ RSpec.shared_examples 'a browsable' do end RSpec.shared_examples 'an accessible' do + before do + stub_feature_flags(container_registry_migration_phase1: false) + end + let(:access) do [{ 'type' => 'repository', 'name' => project.full_path, @@ -203,9 +207,7 @@ RSpec.shared_examples 'a container registry auth service' do end end - context 'for private project' do - let_it_be(:project) { create(:project) } - + shared_examples 'private project' do context 'allow to use scope-less authentication' do it_behaves_like 'a valid token' end @@ -345,8 +347,20 @@ RSpec.shared_examples 'a container registry auth service' do end end - context 'for public project' do - let_it_be(:project) { create(:project, :public) } + context 'for private project' do + let_it_be_with_reload(:project) { create(:project) } + + it_behaves_like 'private project' + end + + context 'for public project with private container registry' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) } + + it_behaves_like 'private project' + end + + context 'for public project with container_registry `enabled`' do + let_it_be(:project) { create(:project, :public, :container_registry_enabled) } context 'allow anyone to pull images' do let(:current_params) do @@ -394,8 +408,8 @@ RSpec.shared_examples 'a container registry auth service' do end end - context 'for internal project' do - let_it_be(:project) { create(:project, :internal) } + context 'for internal project with container_registry `enabled`' do + let_it_be(:project) { create(:project, :internal, :container_registry_enabled) } context 'for internal user' do context 'allow anyone to pull images' do @@ -470,6 +484,12 @@ RSpec.shared_examples 'a container registry auth service' do end end end + + context 'for internal project with private container registry' do + let_it_be_with_reload(:project) { create(:project, :internal, :container_registry_private) } + + it_behaves_like 'private project' + end end context 'delete authorized as maintainer' do @@ -630,12 +650,8 @@ RSpec.shared_examples 'a container registry auth service' do end end - context 'for project with private container registry' do - let_it_be(:project, reload: true) { create(:project, :public) } - - before do - project.project_feature.update!(container_registry_access_level: ProjectFeature::PRIVATE) - end + context 'for public project with private container registry' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) } it_behaves_like 'pullable for being team member' @@ -675,11 +691,7 @@ RSpec.shared_examples 'a container registry auth service' do end context 'for project without container registry' do - let_it_be(:project) { create(:project, :public, container_registry_enabled: false) } - - before do - project.update!(container_registry_enabled: false) - end + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_disabled) } context 'disallow when pulling' do let(:current_params) do @@ -719,12 +731,16 @@ RSpec.shared_examples 'a container registry auth service' do context 'support for multiple scopes' do let_it_be(:internal_project) { create(:project, :internal) } let_it_be(:private_project) { create(:project, :private) } + let_it_be(:public_project) { create(:project, :public) } + let_it_be(:public_project_private_container_registry) { create(:project, :public, :container_registry_private) } let(:current_params) do { scopes: [ "repository:#{internal_project.full_path}:pull", - "repository:#{private_project.full_path}:pull" + "repository:#{private_project.full_path}:pull", + "repository:#{public_project.full_path}:pull", + "repository:#{public_project_private_container_registry.full_path}:pull" ] } end @@ -744,13 +760,19 @@ RSpec.shared_examples 'a container registry auth service' do 'actions' => ['pull'] }, { 'type' => 'repository', 'name' => private_project.full_path, + 'actions' => ['pull'] }, + { 'type' => 'repository', + 'name' => public_project.full_path, + 'actions' => ['pull'] }, + { 'type' => 'repository', + 'name' => public_project_private_container_registry.full_path, 'actions' => ['pull'] } ] end end end - context 'user only has access to internal project' do + context 'user only has access to internal and public projects' do let_it_be(:current_user) { create(:user) } it_behaves_like 'a browsable' do @@ -758,16 +780,35 @@ RSpec.shared_examples 'a container registry auth service' do [ { 'type' => 'repository', 'name' => internal_project.full_path, + 'actions' => ['pull'] }, + { 'type' => 'repository', + 'name' => public_project.full_path, 'actions' => ['pull'] } ] end end end - context 'anonymous access is rejected' do + context 'anonymous user has access only to public project' do let(:current_user) { nil } - it_behaves_like 'a forbidden' + it_behaves_like 'a browsable' do + let(:access) do + [ + { 'type' => 'repository', + 'name' => public_project.full_path, + 'actions' => ['pull'] } + ] + end + end + + context 'with no public container registry' do + before do + public_project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE) + end + + it_behaves_like 'a forbidden' + end end end @@ -796,8 +837,8 @@ RSpec.shared_examples 'a container registry auth service' do it_behaves_like 'a forbidden' end - context 'for public project' do - let_it_be(:project) { create(:project, :public) } + context 'for public project with container registry `enabled`' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) } context 'when pulling and pushing' do let(:current_params) do @@ -818,6 +859,19 @@ RSpec.shared_examples 'a container registry auth service' do end end + context 'for public project with container registry `private`' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) } + + context 'when pulling and pushing' do + let(:current_params) do + { scopes: ["repository:#{project.full_path}:pull,push"] } + end + + it_behaves_like 'a forbidden' + it_behaves_like 'not a container repository factory' + end + end + context 'for registry catalog' do let(:current_params) do { scopes: ["registry:catalog:*"] } @@ -830,15 +884,15 @@ RSpec.shared_examples 'a container registry auth service' do context 'for deploy tokens' do let(:current_params) do - { scopes: ["repository:#{project.full_path}:pull"] } + { scopes: ["repository:#{project.full_path}:pull"], deploy_token: deploy_token } end context 'when deploy token has read and write registry as scopes' do - let(:current_user) { create(:deploy_token, write_registry: true, projects: [project]) } + let(:deploy_token) { create(:deploy_token, write_registry: true, projects: [project]) } shared_examples 'able to login' do context 'registry provides read_container_image authentication_abilities' do - let(:current_params) { {} } + let(:current_params) { { deploy_token: deploy_token } } let(:authentication_abilities) { [:read_container_image] } it_behaves_like 'an authenticated' @@ -854,7 +908,7 @@ RSpec.shared_examples 'a container registry auth service' do context 'when pushing' do let(:current_params) do - { scopes: ["repository:#{project.full_path}:push"] } + { scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token } end it_behaves_like 'a pushable' @@ -872,7 +926,7 @@ RSpec.shared_examples 'a container registry auth service' do context 'when pushing' do let(:current_params) do - { scopes: ["repository:#{project.full_path}:push"] } + { scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token } end it_behaves_like 'a pushable' @@ -890,7 +944,25 @@ RSpec.shared_examples 'a container registry auth service' do context 'when pushing' do let(:current_params) do - { scopes: ["repository:#{project.full_path}:push"] } + { scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token } + end + + it_behaves_like 'a pushable' + end + + it_behaves_like 'able to login' + end + + context 'for public project with private container registry' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) } + + context 'when pulling' do + it_behaves_like 'a pullable' + end + + context 'when pushing' do + let(:current_params) do + { scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token } end it_behaves_like 'a pushable' @@ -901,26 +973,26 @@ RSpec.shared_examples 'a container registry auth service' do end context 'when deploy token does not have read_registry scope' do - let(:current_user) { create(:deploy_token, projects: [project], read_registry: false) } + let(:deploy_token) do + create(:deploy_token, projects: [project], read_registry: false) + end shared_examples 'unable to login' do context 'registry provides no container authentication_abilities' do - let(:current_params) { {} } let(:authentication_abilities) { [] } it_behaves_like 'a forbidden' end context 'registry provides inapplicable container authentication_abilities' do - let(:current_params) { {} } let(:authentication_abilities) { [:download_code] } it_behaves_like 'a forbidden' end end - context 'for public project' do - let_it_be(:project) { create(:project, :public) } + context 'for public project with container registry `enabled`' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) } context 'when pulling' do it_behaves_like 'a pullable' @@ -929,6 +1001,16 @@ RSpec.shared_examples 'a container registry auth service' do it_behaves_like 'unable to login' end + context 'for public project with container registry `private`' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) } + + context 'when pulling' do + it_behaves_like 'an inaccessible' + end + + it_behaves_like 'unable to login' + end + context 'for internal project' do let_it_be(:project) { create(:project, :internal) } @@ -958,16 +1040,24 @@ RSpec.shared_examples 'a container registry auth service' do end context 'when deploy token is not related to the project' do - let_it_be(:current_user) { create(:deploy_token, read_registry: false) } + let_it_be(:deploy_token) { create(:deploy_token, read_registry: false) } - context 'for public project' do - let_it_be(:project) { create(:project, :public) } + context 'for public project with container registry `enabled`' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) } context 'when pulling' do it_behaves_like 'a pullable' end end + context 'for public project with container registry `private`' do + let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) } + + context 'when pulling' do + it_behaves_like 'an inaccessible' + end + end + context 'for internal project' do let_it_be(:project) { create(:project, :internal) } @@ -986,14 +1076,20 @@ RSpec.shared_examples 'a container registry auth service' do end context 'when deploy token has been revoked' do - let(:current_user) { create(:deploy_token, :revoked, projects: [project]) } + let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) } - context 'for public project' do - let_it_be(:project) { create(:project, :public) } + context 'for public project with container registry `enabled`' do + let_it_be(:project) { create(:project, :public, :container_registry_enabled) } it_behaves_like 'a pullable' end + context 'for public project with container registry `private`' do + let_it_be(:project) { create(:project, :public, :container_registry_private) } + + it_behaves_like 'an inaccessible' + end + context 'for internal project' do let_it_be(:project) { create(:project, :internal) } |