Diffstat (limited to 'spec/services/auth')
-rw-r--r--spec/services/auth/container_registry_authentication_service_spec.rb86
1 files changed, 85 insertions, 1 deletions
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 0ae839ce0b3..7f704629bfa 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -59,6 +59,12 @@ describe Auth::ContainerRegistryAuthenticationService do
it { expect(payload).to include('access' => []) }
end
+ shared_examples 'a deletable' do
+ it_behaves_like 'a accessible' do
+ let(:actions) { ['*'] }
+ end
+ end
+
shared_examples 'a pullable' do
it_behaves_like 'an accessible' do
let(:actions) { ['pull'] }
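Review bot: The new `shared_examples 'a deletable'` includes `it_behaves_like 'a accessible'`, but the group that 'a pullable' uses two lines further down is named 'an accessible'. Unless a group with the other spelling is defined outside this hunk, RSpec cannot resolve the name, and the admin delete context that relies on 'a deletable' would raise an error instead of asserting anything about the token. The line should read `it_behaves_like 'an accessible' do`. The 'a pullable' block continues outside the hunk.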
@@ -131,6 +137,16 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'container repository factory'
end
+ context 'disallow developer to delete images' do
+ before { project.team << [current_user, :developer] }
+
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
+
context 'allow reporter to pull images' do
before do
project.team << [current_user, :reporter]
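Review bot: The developer denial case in this hunk requests `*` on its own, so it does not show what happens when the wildcard is mixed with actions the role does hold. The reporter and guest contexts added in the following hunks have the same gap. A request such as `{ scope: "repository:#{project.path_with_namespace}:pull,push,*" }` for a developer should presumably return pull and push with `*` dropped, and a case asserting that exact action list would catch a regression that grants the wildcard alongside a legitimate scope. The `before do` block of the reporter context continues outside the hunk.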
@@ -146,6 +162,16 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
+ context 'disallow reporter to delete images' do
+ before { project.team << [current_user, :reporter] }
+
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
+
context 'return a least of privileges' do
before do
project.team << [current_user, :reporter]
@@ -171,6 +197,16 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
+
+ context 'disallow guest to delete images' do
+ before { project.team << [current_user, :guest] }
+
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
end
context 'for public project' do
@@ -202,6 +238,14 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
+
+ context 'disallow anyone to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
end
context 'for internal project' do
@@ -225,12 +269,20 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
+
+ context 'disallow anyone to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible'
+ end
end
context 'for external user' do
let(:current_user) { create(:user, external: true) }
let(:current_params) do
- { scope: "repository:#{project.full_path}:pull,push" }
+ { scope: "repository:#{project.full_path}:pull,push,*" }
end
it_behaves_like 'an inaccessible'
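Review bot: The context added at the top of this hunk builds its scope with `project.path_with_namespace`, while the external-user context directly below it uses `project.full_path` for the same purpose. The new contexts in the developer, reporter, guest, public-project, admin and build hunks do the same. Using one accessor throughout keeps the scope strings comparable and avoids the new cases diverging if the two ever differ, for example `{ scope: "repository:#{project.full_path}:*" }`.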
@@ -239,6 +291,28 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
+ context 'delete authorized as admin' do
+ let(:current_project) { create(:empty_project) }
+ let(:current_user) { create(:admin) }
+ let(:authentication_abilities) do
+ [
+ :admin_container_image
+ ]
+ end
+
+ it_behaves_like 'a valid token'
+
+ context 'allow to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{current_project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'a deletable' do
+ let(:project) { current_project }
+ end
+ end
+ end
+
context 'build authorized as user' do
let(:current_project) { create(:empty_project) }
let(:current_user) { create(:user) }
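Review bot: The only positive case for `*` pairs an admin user with the `:admin_container_image` ability, so the spec does not show which of the two the service actually depends on when it grants delete. A sibling context that keeps `create(:admin)` but sets `let(:authentication_abilities) { [] }`, requests the same scope, and expects `it_behaves_like 'an inaccessible'` would pin the ability as a required condition. The expected outcome is inferred here and should be checked against the service. The 'build authorized as user' context continues outside the hunk.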
@@ -267,6 +341,16 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
+ context 'disallow to delete images' do
+ let(:current_params) do
+ { scope: "repository:#{current_project.path_with_namespace}:*" }
+ end
+
+ it_behaves_like 'an inaccessible' do
+ let(:project) { current_project }
+ end
+ end
+
context 'for other projects' do
context 'when pulling' do
let(:current_params) do