Diffstat (limited to 'spec/requests/api/package_files_spec.rb')
-rw-r--r--spec/requests/api/package_files_spec.rb84
1 files changed, 84 insertions, 0 deletions
diff --git a/spec/requests/api/package_files_spec.rb b/spec/requests/api/package_files_spec.rb
index f47dca387ef..3b4bd2f3cf4 100644
--- a/spec/requests/api/package_files_spec.rb
+++ b/spec/requests/api/package_files_spec.rb
@@ -10,6 +10,15 @@ RSpec.describe API::PackageFiles, feature_category: :package_registry do
describe 'GET /projects/:id/packages/:package_id/package_files' do
let(:url) { "/projects/#{project.id}/packages/#{package.id}/package_files" }
+ shared_examples 'handling job token and returning' do |status:|
+ it "returns status #{status}" do
+ get api(url, job_token: job.token)
+
+ expect(response).to have_gitlab_http_status(status)
+ expect(response).to match_response_schema('public_api/v4/packages/package_files') if status == :ok
+ end
+ end
+
before do
project.add_developer(user)
end
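Review bot: The example in the new shared block makes two expectations but lacks the `:aggregate_failures` tag that the DELETE variant of the same shared example carries, so a wrong status hides whether the schema check would also have failed. Consider `it "returns status #{status}", :aggregate_failures do`. The block also reads `job` from the including context without saying so; a one-line comment such as `# requires the including context to define job` above `shared_examples` would make that dependency explicit.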
@@ -27,6 +36,12 @@ RSpec.describe API::PackageFiles, feature_category: :package_registry do
expect(response).to have_gitlab_http_status(:not_found)
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user, project: project) }
+
+ it_behaves_like 'handling job token and returning', status: :ok
+ end
end
context 'project is private' do
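Review bot: Every job-token case added by this commit builds the job with `:running` in the project under test, so nothing pins that a token is rejected once its job has finished or when the job belongs to a different project. This applies here in the public-project context and likewise in the private-project GET context and both DELETE contexts further down. A negative case such as `let(:job) { create(:ci_build, :success, user: user, project: project) }` would guard the token-validity check against regressions; the expected status is presumably `:unauthorized`, but confirm that against the auth helper. The gap matters most for the DELETE endpoint, where accepting a stale token would allow package files to be marked for destruction.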
@@ -52,6 +67,28 @@ RSpec.describe API::PackageFiles, feature_category: :package_registry do
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('public_api/v4/packages/package_files')
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user, project: project) }
+
+ context 'a non authenticated user' do
+ let(:user) { nil }
+
+ it_behaves_like 'handling job token and returning', status: :not_found
+ end
+
+ context 'a user without access to the project', :sidekiq_inline do
+ before do
+ project.team.truncate
+ end
+
+ it_behaves_like 'handling job token and returning', status: :not_found
+ end
+
+ context 'a user with access to the project' do
+ it_behaves_like 'handling job token and returning', status: :ok
+ end
+ end
end
context 'with pagination params' do
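Review bot: The context name 'a non authenticated user' does not describe what it sets up: the request still carries a job token, and `let(:user) { nil }` only makes the build have no user. Renaming it to something like `context 'with a job that has no user' do` would state the case actually covered. In the following context, `project.team.truncate` removes every member rather than just `user`; a short comment such as `# drop all memberships so the job's user has no access` would explain why the broader call is used.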
@@ -97,6 +134,18 @@ RSpec.describe API::PackageFiles, feature_category: :package_registry do
subject(:api_request) { delete api(url, user) }
+ shared_examples 'handling job token and returning' do |status:|
+ it "returns status #{status}", :aggregate_failures do
+ if status == :no_content
+ expect { api_request }.to change { package.package_files.pending_destruction.count }.by(1)
+ else
+ expect { api_request }.not_to change { package.package_files.pending_destruction.count }
+ end
+
+ expect(response).to have_gitlab_http_status(status)
+ end
+ end
+
context 'project is public' do
context 'without user' do
let(:user) { nil }
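Review bot: The DELETE shared example calls `api_request`, which the first line of this hunk defines as `delete api(url, user)`, so it only exercises job-token auth when the including context remembers to override the subject. The GET variant issues the request itself with `job_token: job.token`. Replacing `api_request` with `delete api(url, job_token: job.token)` inside both `expect { ... }` blocks would keep a future context from silently testing user auth under a job-token description. If the subject override is kept instead, a comment above `shared_examples` stating that requirement would help.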
@@ -108,6 +157,14 @@ RSpec.describe API::PackageFiles, feature_category: :package_registry do
end
end
+ context 'with JOB-TOKEN auth' do
+ subject(:api_request) { delete api(url, job_token: job.token) }
+
+ let(:job) { create(:ci_build, :running, user: user, project: project) }
+
+ it_behaves_like 'handling job token and returning', status: :forbidden
+ end
+
it 'returns 403 for a user without access to the project', :aggregate_failures do
expect { api_request }.not_to change { package.package_files.pending_destruction.count }
@@ -175,6 +232,33 @@ RSpec.describe API::PackageFiles, feature_category: :package_registry do
expect(response).to have_gitlab_http_status(:not_found)
end
end
+
+ context 'with JOB-TOKEN auth' do
+ subject(:api_request) { delete api(url, job_token: job.token) }
+
+ let(:job) { create(:ci_build, :running, user: user, project: project) }
+ let_it_be_with_refind(:project) { create(:project, :private) }
+
+ context 'a user without access to the project' do
+ it_behaves_like 'handling job token and returning', status: :not_found
+ end
+
+ context 'a user without enough permissions' do
+ before do
+ project.add_developer(user)
+ end
+
+ it_behaves_like 'handling job token and returning', status: :forbidden
+ end
+
+ context 'a user with the right permissions' do
+ before do
+ project.add_maintainer(user)
+ end
+
+ it_behaves_like 'handling job token and returning', status: :no_content
+ end
+ end
end
end
end
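Review bot: `let_it_be_with_refind(:project)` is declared below the `let(:job)` that references `project`, and nothing says why this context replaces the project used by the rest of the file. Moving it to the top of the context with a comment such as `# separate private project so memberships added elsewhere do not affect these cases` (if that is the intent) would make the setup easier to follow. `package` is defined outside this hunk; the `:no_content` case only holds if the package is built from this overriding project, which is worth confirming.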