Diffstat (limited to 'spec/services/auth')
-rw-r--r-- | spec/services/auth/container_registry_authentication_service_spec.rb | 86 |
1 files changed, 85 insertions, 1 deletions
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 0ae839ce0b3..7f704629bfa 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -59,6 +59,12 @@ describe Auth::ContainerRegistryAuthenticationService do
 it { expect(payload).to include('access' => []) }
 end
+ shared_examples 'a deletable' do
+ it_behaves_like 'a accessible' do
+ let(:actions) { ['*'] }
+ end
+ end
+
 shared_examples 'a pullable' do
 it_behaves_like 'an accessible' do
 let(:actions) { ['pull'] }
@@ -131,6 +137,16 @@ describe Auth::ContainerRegistryAuthenticationService do
 it_behaves_like 'container repository factory'
 end
+ context 'disallow developer to delete images' do
+ before { project.team << [current_user, :developer] }
+
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
+
 context 'allow reporter to pull images' do
 before do
 project.team << [current_user, :reporter]
@@ -146,6 +162,16 @@ describe Auth::ContainerRegistryAuthenticationService do
 end
 end
+ context 'disallow reporter to delete images' do
+ before { project.team << [current_user, :reporter] }
+
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
+
 context 'return a least of privileges' do
 before do
 project.team << [current_user, :reporter]
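Review bot: `it_behaves_like 'a accessible'` inside the new `'a deletable'` shared example names a group that does not exist; the existing group, used by `'a pullable'` two lines below, is `'an accessible'`. RSpec raises when a shared example group cannot be found, so the only positive delete case, `it_behaves_like 'a deletable'` in the later `'delete authorized as admin'` hunk, would error instead of proving that `*` is granted to an authorised caller. The fix is the single line `it_behaves_like 'an accessible' do`.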
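Review bot: The new negative contexts in this hunk and in the reporter, guest, public-project and internal-project hunks all request `*` on its own, so they only show that a lone delete scope yields an empty access list. A client usually asks for several actions in one scope; the existing `'return a least of privileges'` context already covers a mixed `pull,push` request for a reporter, and extending its scope to a constructed example such as `pull,push,*` would additionally show that `*` is dropped while the permitted actions are kept, which the isolated contexts cannot. Whether the service filters per action or rejects the whole scope when one action is unauthorised is not visible from the hunk, and that is the behaviour worth pinning here.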
@@ -171,6 +197,16 @@ describe Auth::ContainerRegistryAuthenticationService do
 it_behaves_like 'an inaccessible'
 it_behaves_like 'not a container repository factory'
 end
+
+ context 'disallow guest to delete images' do
+ before { project.team << [current_user, :guest] }
+
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
 end
 context 'for public project' do
@@ -202,6 +238,14 @@ describe Auth::ContainerRegistryAuthenticationService do
 it_behaves_like 'an inaccessible'
 it_behaves_like 'not a container repository factory'
 end
+
+ context 'disallow anyone to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
 end
 context 'for internal project' do
@@ -225,12 +269,20 @@ describe Auth::ContainerRegistryAuthenticationService do
 it_behaves_like 'an inaccessible'
 it_behaves_like 'not a container repository factory'
 end
+
+ context 'disallow anyone to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
 end
 context 'for external user' do
 let(:current_user) { create(:user, external: true) }
 let(:current_params) do
- { scope: "repository:#{project.full_path}:pull,push" }
+ { scope: "repository:#{project.full_path}:pull,push,*" }
 end
 it_behaves_like 'an inaccessible'
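Review bot: The external-user change folds the delete check into the existing scope, `pull,push,*`, instead of adding a separate context as every other hunk in this commit does. Because `'an inaccessible'` appears to assert on an empty access list, a regression in the push check and one in the delete check would produce the same failure, and the original `pull,push` assertion is no longer exercised on its own. Keeping the original line and adding a `'disallow external user to delete images'` context with `{ scope: "repository:#{project.full_path}:*" }`, mirroring the public and internal project hunks, keeps the two cases independent.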
@@ -239,6 +291,28 @@ describe Auth::ContainerRegistryAuthenticationService do
 end
 end
+ context 'delete authorized as admin' do
+ let(:current_project) { create(:empty_project) }
+ let(:current_user) { create(:admin) }
+ let(:authentication_abilities) do
+ [
+ :admin_container_image
+ ]
+ end
+
+ it_behaves_like 'a valid token'
+
+ context 'allow to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{current_project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'a deletable' do
+ let(:project) { current_project }
+ end
+ end
+ end
+
 context 'build authorized as user' do
 let(:current_project) { create(:empty_project) }
 let(:current_user) { create(:user) }
@@ -267,6 +341,16 @@ describe Auth::ContainerRegistryAuthenticationService do
 end
 end
+ context 'disallow to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{current_project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible' do
+ let(:project) { current_project }
+ end
+ end
+
 context 'for other projects' do
 context 'when pulling' do
 let(:current_params) do |
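Review bot: The `'delete authorized as admin'` context sets both `create(:admin)` as the user and `:admin_container_image` as the only authentication ability, and adds no team membership, so a passing example cannot tell whether delete is granted by the ability or by the admin account. A companion context with a non-admin `create(:user)` and the same ability list, or an admin with `let(:authentication_abilities) { [] }`, would pin which of the two the service honours; which one is intended is not visible from the hunk. Without that distinction, a later change that grants `*` to any admin regardless of ability, or to any holder of the ability regardless of role, would keep this spec green.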