diff options
Diffstat (limited to 'spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb')
-rw-r--r-- | spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb | 80 |
1 files changed, 75 insertions, 5 deletions
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb index 6bb791d2fd4..9b977248435 100644 --- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb +++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb @@ -60,6 +60,42 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category: it { is_expected.to have_gitlab_http_status(:not_found) } end + context 'with invalid group access token' do + let_it_be(:user) { create(:user, :project_bot) } + + context 'not under the group' do + it { is_expected.to have_gitlab_http_status(:not_found) } + end + + context 'with sufficient scopes, but not active' do + %i[expired revoked].each do |status| + context status.to_s do + let_it_be(:pat) do + create(:personal_access_token, status, user: user).tap do |pat| + pat.update_column(:scopes, Gitlab::Auth::REGISTRY_SCOPES) + end + end + + it { is_expected.to have_gitlab_http_status(:not_found) } + end + end + end + + context 'with insufficient scopes' do + let_it_be(:pat) { create(:personal_access_token, user: user, scopes: [Gitlab::Auth::READ_API_SCOPE]) } + + it { is_expected.to have_gitlab_http_status(:not_found) } + + context 'packages_dependency_proxy_containers_scope_check disabled' do + before do + stub_feature_flags(packages_dependency_proxy_containers_scope_check: false) + end + + it { is_expected.to have_gitlab_http_status(:not_found) } + end + end + end + context 'with deploy token from a different group,' do let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) } @@ -119,11 +155,7 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category: end shared_examples 'authorize action with permission' do - context 'with a valid user' do - before do - group.add_guest(user) - end - + shared_examples 'sends Workhorse instructions' do it 'sends Workhorse local file instructions', :aggregate_failures do subject @@ -144,6 +176,32 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category: expect(json_response['MaximumSize']).to eq(maximum_size) end end + + before do + group.add_guest(user) + end + + context 'with a valid user' do + it_behaves_like 'sends Workhorse instructions' + end + + context 'with a valid group access token' do + let_it_be(:user) { create(:user, :project_bot) } + let_it_be_with_reload(:token) { create(:personal_access_token, user: user) } + + before do + token.update_column(:scopes, Gitlab::Auth::REGISTRY_SCOPES) + end + + it_behaves_like 'sends Workhorse instructions' + end + + context 'with a deploy token' do + let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group) } + let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) } + + it_behaves_like 'sends Workhorse instructions' + end end shared_examples 'namespace statistics refresh' do @@ -277,6 +335,18 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category: it_behaves_like 'a successful manifest pull' end end + + context 'a valid group access token' do + let_it_be(:user) { create(:user, :project_bot) } + let_it_be(:token) { create(:personal_access_token, :dependency_proxy_scopes, user: user) } + + before do + group.add_guest(user) + end + + it_behaves_like 'a successful manifest pull' + it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest', false + end end it_behaves_like 'not found when disabled' |