require 'spec_helper'
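# Specs for the service that issues JWTs for the container registry.
#
# Every example group builds the service from a project, a user and request
# params, calls #execute with a list of authentication abilities, and then
# inspects the decoded token. The requested `scope` param has the form
# `type:name:actions`; the granted actions show up in the token's 'access'
# claim. The groups below pin down, role by role and visibility by visibility,
# which requested actions are granted, which are silently dropped (token with
# an empty 'access' list) and which are refused outright (HTTP 403, no token).
describe Auth::ContainerRegistryAuthenticationService do
  let(:current_project) { nil }
  let(:current_user) { nil }
  let(:current_params) { {} }

  # A 512-bit key keeps per-example key generation cheap. It is a test fixture
  # only: a modulus this small must never be used for a real signing key.
  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }

  # Verify the signature and pin the expected algorithm, so that decoding fails
  # if the service ever emits a token whose header names a different `alg`
  # instead of trusting whatever the token header claims.
  let(:payload) { JWT.decode(subject[:token], rsa_key, true, { algorithm: 'RS256' }).first }

  # Default: a regular (non-build) session holding every registry ability.
  # Contexts below narrow this list to model delete-only and CI build tokens.
  let(:authentication_abilities) do
    [:read_container_image, :create_container_image, :admin_container_image]
  end

  subject do
    described_class.new(current_project, current_user, current_params)
      .execute(authentication_abilities: authentication_abilities)
  end

  before do
    # `key: nil` in the registry config; the signing key is injected by
    # stubbing RSAToken#key so the token can be verified with `rsa_key`.
    allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil)
    allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
  end

  # --- Shared expectations ---------------------------------------------------

  # The response carries a token whose payload has an 'access' claim and an
  # expiry that follows the configurable expire delay.
  shared_examples 'a valid token' do
    it { is_expected.to include(:token) }
    it { expect(payload).to include('access') }

    context 'a expirable' do
      let(:expires_at) { Time.at(payload['exp']) }
      let(:expire_delay) { 10 }

      context 'for default configuration' do
        # NOTE(review): this is only a negative check (expiry is not ~10
        # minutes away); it does not assert what the default lifetime is.
        it { expect(expires_at).not_to be_within(2.seconds).of(Time.now + expire_delay.minutes) }
      end

      context 'for changed configuration' do
        before do
          stub_application_setting(container_registry_token_expire_delay: expire_delay)
        end

        it { expect(expires_at).to be_within(2.seconds).of(Time.now + expire_delay.minutes) }
      end
    end
  end

  # Full ('*') access to the registry-wide catalog.
  shared_examples 'a browsable' do
    let(:access) do
      [{ 'type' => 'registry',
         'name' => 'catalog',
         'actions' => ['*'] }]
    end

    it_behaves_like 'a valid token'
    it_behaves_like 'not a container repository factory'

    it 'has the correct scope' do
      expect(payload).to include('access' => access)
    end
  end

  # The token grants exactly `actions` on the repository named after
  # `project.full_path`. The including group must define `project` and
  # `actions`.
  shared_examples 'an accessible' do
    let(:access) do
      [{ 'type' => 'repository',
         'name' => project.full_path,
         'actions' => actions }]
    end

    it_behaves_like 'a valid token'

    it 'has the correct scope' do
      expect(payload).to include('access' => access)
    end
  end

  # A token is still issued, but it grants nothing: the 'access' list is empty.
  shared_examples 'an inaccessible' do
    it_behaves_like 'a valid token'
    it { expect(payload).to include('access' => []) }
  end

  shared_examples 'a deletable' do
    it_behaves_like 'an accessible' do
      let(:actions) { ['*'] }
    end
  end

  shared_examples 'a pullable' do
    it_behaves_like 'an accessible' do
      let(:actions) { ['pull'] }
    end
  end

  shared_examples 'a pushable' do
    it_behaves_like 'an accessible' do
      let(:actions) { ['push'] }
    end
  end

  shared_examples 'a pullable and pushable' do
    it_behaves_like 'an accessible' do
      let(:actions) { %w(pull push) }
    end
  end

  # The request is refused: 403 status and no token in the response at all.
  shared_examples 'a forbidden' do
    it { is_expected.to include(http_status: 403) }
    it { is_expected.not_to include(:token) }
  end

  # Running the service creates exactly one container repository record for
  # the project.
  shared_examples 'container repository factory' do
    it 'creates a new container repository resource' do
      expect { subject }
        .to change { project.container_repositories.count }.by(1)
    end
  end

  # Running the service must not create any container repository record. This
  # guards denied, read-only and invalid requests against leaving records
  # behind as a side effect.
  shared_examples 'not a container repository factory' do
    it 'does not create a new container repository resource' do
      expect { subject }.not_to change { ContainerRepository.count }
    end
  end

  # --- Internal full-access token ---------------------------------------------

  describe '#full_access_token' do
    let(:project) { create(:project) }
    let(:token) { described_class.full_access_token(project.full_path) }

    # Wrap the raw token so the shared examples can read `subject[:token]`.
    subject { { token: token } }

    it_behaves_like 'an accessible' do
      let(:actions) { ['*'] }
    end

    it_behaves_like 'not a container repository factory'
  end

  # --- Signed-in user with the default abilities ------------------------------

  context 'user authorization' do
    let(:current_user) { create(:user) }

    context 'for registry catalog' do
      let(:current_params) do
        { scope: "registry:catalog:*" }
      end

      context 'disallow browsing for users without Gitlab admin rights' do
        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end
    end

    context 'for private project' do
      let(:project) { create(:project) }

      context 'allow to use scope-less authentication' do
        it_behaves_like 'a valid token'
      end

      context 'allow developer to push images' do
        before do
          project.add_developer(current_user)
        end

        let(:current_params) do
          { scope: "repository:#{project.full_path}:push" }
        end

        it_behaves_like 'a pushable'
        it_behaves_like 'container repository factory'
      end

      # '*' is the delete-capable scope (see 'a deletable'); a developer asking
      # for it gets an empty access list rather than a downgraded grant.
      context 'disallow developer to delete images' do
        before do
          project.add_developer(current_user)
        end

        let(:current_params) do
          { scope: "repository:#{project.full_path}:*" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end

      context 'allow reporter to pull images' do
        before do
          project.add_reporter(current_user)
        end

        context 'when pulling from root level repository' do
          let(:current_params) do
            { scope: "repository:#{project.full_path}:pull" }
          end

          it_behaves_like 'a pullable'
          it_behaves_like 'not a container repository factory'
        end
      end

      context 'disallow reporter to delete images' do
        before do
          project.add_reporter(current_user)
        end

        let(:current_params) do
          { scope: "repository:#{project.full_path}:*" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end

      # A reporter asking for push and pull is granted only pull: the
      # requested actions are filtered down to what the role allows.
      context 'return a least of privileges' do
        before do
          project.add_reporter(current_user)
        end

        let(:current_params) do
          { scope: "repository:#{project.full_path}:push,pull" }
        end

        it_behaves_like 'a pullable'
        it_behaves_like 'not a container repository factory'
      end

      context 'disallow guest to pull or push images' do
        before do
          project.add_guest(current_user)
        end

        let(:current_params) do
          { scope: "repository:#{project.full_path}:pull,push" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end

      context 'disallow guest to delete images' do
        before do
          project.add_guest(current_user)
        end

        let(:current_params) do
          { scope: "repository:#{project.full_path}:*" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end
    end

    # `current_user` is signed in but is not added to the project here.
    context 'for public project' do
      let(:project) { create(:project, :public) }

      context 'allow anyone to pull images' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:pull" }
        end

        it_behaves_like 'a pullable'
        it_behaves_like 'not a container repository factory'
      end

      context 'disallow anyone to push images' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:push" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end

      context 'disallow anyone to delete images' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:*" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end

      # A push scope naming a repository that maps to no project must neither
      # grant access nor create a repository record.
      context 'when repository name is invalid' do
        let(:current_params) do
          { scope: 'repository:invalid:push' }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end
    end

    context 'for internal project' do
      let(:project) { create(:project, :internal) }

      context 'for internal user' do
        context 'allow anyone to pull images' do
          let(:current_params) do
            { scope: "repository:#{project.full_path}:pull" }
          end

          it_behaves_like 'a pullable'
          it_behaves_like 'not a container repository factory'
        end

        context 'disallow anyone to push images' do
          let(:current_params) do
            { scope: "repository:#{project.full_path}:push" }
          end

          it_behaves_like 'an inaccessible'
          it_behaves_like 'not a container repository factory'
        end

        context 'disallow anyone to delete images' do
          let(:current_params) do
            { scope: "repository:#{project.full_path}:*" }
          end

          it_behaves_like 'an inaccessible'
          it_behaves_like 'not a container repository factory'
        end
      end

      # External users get nothing on an internal project, not even pull.
      context 'for external user' do
        context 'disallow anyone to pull or push images' do
          let(:current_user) { create(:user, external: true) }
          let(:current_params) do
            { scope: "repository:#{project.full_path}:pull,push" }
          end

          it_behaves_like 'an inaccessible'
          it_behaves_like 'not a container repository factory'
        end

        context 'disallow anyone to delete images' do
          let(:current_user) { create(:user, external: true) }
          let(:current_params) do
            { scope: "repository:#{project.full_path}:*" }
          end

          it_behaves_like 'an inaccessible'
          it_behaves_like 'not a container repository factory'
        end
      end
    end
  end

  # --- Delete-capable session: master with :admin_container_image -------------

  context 'delete authorized as master' do
    let(:current_project) { create(:project) }
    let(:current_user) { create(:user) }

    let(:authentication_abilities) do
      [:admin_container_image]
    end

    before do
      current_project.add_master(current_user)
    end

    it_behaves_like 'a valid token'

    context 'allow to delete images' do
      let(:current_params) do
        { scope: "repository:#{current_project.full_path}:*" }
      end

      it_behaves_like 'a deletable' do
        let(:project) { current_project }
      end
    end
  end

  # --- CI build token: build_* abilities, scoped to current_project -----------

  context 'build authorized as user' do
    let(:current_project) { create(:project) }
    let(:current_user) { create(:user) }

    let(:authentication_abilities) do
      [:build_read_container_image, :build_create_container_image]
    end

    before do
      current_project.add_developer(current_user)
    end

    it_behaves_like 'a valid token'

    context 'allow to pull and push images' do
      let(:current_params) do
        { scope: "repository:#{current_project.full_path}:pull,push" }
      end

      it_behaves_like 'a pullable and pushable' do
        let(:project) { current_project }
      end

      it_behaves_like 'container repository factory' do
        let(:project) { current_project }
      end
    end

    # The build abilities contain no admin ability, so '*' yields no access
    # even on the build's own project.
    context 'disallow to delete images' do
      let(:current_params) do
        { scope: "repository:#{current_project.full_path}:*" }
      end

      it_behaves_like 'an inaccessible' do
        let(:project) { current_project }
      end

      it_behaves_like 'not a container repository factory'
    end

    # `project` below is a different project from `current_project`, i.e. the
    # build is reaching outside the project it runs for.
    context 'for other projects' do
      context 'when pulling' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:pull" }
        end

        context 'allow for public' do
          let(:project) { create(:project, :public) }

          it_behaves_like 'a pullable'
          it_behaves_like 'not a container repository factory'
        end

        shared_examples 'pullable for being team member' do
          context 'when you are not member' do
            it_behaves_like 'an inaccessible'
            it_behaves_like 'not a container repository factory'
          end

          context 'when you are member' do
            before do
              project.add_developer(current_user)
            end

            it_behaves_like 'a pullable'
            it_behaves_like 'not a container repository factory'
          end

          context 'when you are owner' do
            let(:project) { create(:project, namespace: current_user.namespace) }

            it_behaves_like 'a pullable'
            it_behaves_like 'not a container repository factory'
          end
        end

        context 'for private' do
          let(:project) { create(:project, :private) }

          it_behaves_like 'pullable for being team member'

          # An admin's build token is treated like any other user's: pulling
          # from another private project still requires membership/ownership.
          context 'when you are admin' do
            let(:current_user) { create(:admin) }

            context 'when you are not member' do
              it_behaves_like 'an inaccessible'
              it_behaves_like 'not a container repository factory'
            end

            context 'when you are member' do
              before do
                project.add_developer(current_user)
              end

              it_behaves_like 'a pullable'
              it_behaves_like 'not a container repository factory'
            end

            context 'when you are owner' do
              let(:project) { create(:project, namespace: current_user.namespace) }

              it_behaves_like 'a pullable'
              it_behaves_like 'not a container repository factory'
            end
          end
        end
      end

      # A build may never push to a project other than its own, whatever the
      # user's role on that other project.
      context 'when pushing' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:push" }
        end

        context 'disallow for all' do
          context 'when you are member' do
            let(:project) { create(:project, :public) }

            before do
              project.add_developer(current_user)
            end

            it_behaves_like 'an inaccessible'
            it_behaves_like 'not a container repository factory'
          end

          context 'when you are owner' do
            let(:project) { create(:project, :public, namespace: current_user.namespace) }

            it_behaves_like 'an inaccessible'
            it_behaves_like 'not a container repository factory'
          end
        end
      end
    end

    context 'for project without container registry' do
      let(:project) { create(:project, :public, container_registry_enabled: false) }

      before do
        project.update(container_registry_enabled: false)
      end

      context 'disallow when pulling' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:pull" }
        end

        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end
    end
  end

  # --- Instance admin browsing the catalog ------------------------------------

  context 'registry catalog browsing authorized as admin' do
    let(:current_user) { create(:user, :admin) }

    let(:current_params) do
      { scope: "registry:catalog:*" }
    end

    it_behaves_like 'a browsable'
  end

  # --- No user and no project (defaults from the top of the file) -------------

  context 'unauthorized' do
    context 'disallow to use scope-less authentication' do
      it_behaves_like 'a forbidden'
      it_behaves_like 'not a container repository factory'
    end

    context 'for invalid scope' do
      let(:current_params) do
        { scope: 'invalid:aa:bb' }
      end

      it_behaves_like 'a forbidden'
      it_behaves_like 'not a container repository factory'
    end

    context 'for private project' do
      let(:project) { create(:project, :private) }

      let(:current_params) do
        { scope: "repository:#{project.full_path}:pull" }
      end

      it_behaves_like 'a forbidden'
      # Same side-effect check as the sibling unauthorized contexts.
      it_behaves_like 'not a container repository factory'
    end

    context 'for public project' do
      let(:project) { create(:project, :public) }

      # Anonymous pull+push on a public project is reduced to pull only.
      context 'when pulling and pushing' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:pull,push" }
        end

        it_behaves_like 'a pullable'
        it_behaves_like 'not a container repository factory'
      end

      context 'when pushing' do
        let(:current_params) do
          { scope: "repository:#{project.full_path}:push" }
        end

        it_behaves_like 'a forbidden'
        it_behaves_like 'not a container repository factory'
      end
    end

    context 'for registry catalog' do
      let(:current_params) do
        { scope: "registry:catalog:*" }
      end

      it_behaves_like 'a forbidden'
      it_behaves_like 'not a container repository factory'
    end
  end
end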