From b3e058996c70aeae6f00cad7195bce421e02b39b Mon Sep 17 00:00:00 2001 From: Lin Jen-Shin Date: Wed, 2 Aug 2017 17:27:21 +0800 Subject: [PATCH] Cleanup tests and add admin_container_image to full_authentication_abilities. This is fine because we're going to check with can?(..) anyway --- lib/gitlab/auth.rb | 3 +- spec/lib/gitlab/auth_spec.rb | 3 +- ...er_registry_authentication_service_spec.rb | 54 ++++++++++--------- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index 9bed81e7327..7d3aa532750 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -218,7 +218,8 @@ module Gitlab def full_authentication_abilities read_authentication_abilities + [ :push_code, - :create_container_image + :create_container_image, + :admin_container_image ] end alias_method :api_scope_authentication_abilities, :full_authentication_abilities diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index a9db0d5164d..20bca4306fb 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -313,7 +313,8 @@ describe Gitlab::Auth do def full_authentication_abilities read_authentication_abilities + [ :push_code, - :create_container_image + :create_container_image, + :admin_container_image ] end end diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb index a19ac911315..7ae7f4688a2 100644 --- a/spec/services/auth/container_registry_authentication_service_spec.rb +++ b/spec/services/auth/container_registry_authentication_service_spec.rb @@ -8,7 +8,7 @@ describe Auth::ContainerRegistryAuthenticationService do let(:payload) { JWT.decode(subject[:token], rsa_key).first } let(:authentication_abilities) do - [:read_container_image, :create_container_image] + [:read_container_image, :create_container_image, :admin_container_image] end subject do 
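Review bot: `full_authentication_abilities` now hands `:admin_container_image` to every full-auth credential, and through the `alias_method` on the context line below it to `api_scope_authentication_abilities` as well, but nothing at the method records that this list is only an upper bound. The commit message relies on a later `can?(..)` check; that check is not part of this diff, so a reader of lib/gitlab/auth.rb cannot see why the wider list is safe. I would add a comment above the array, for example `# Upper bound only: callers must still check can?(..) on the project before granting :admin_container_image`. It is also worth confirming that every consumer of these abilities gates on the project policy rather than on list membership alone; that cannot be verified from the hunk. The method body is complete in the hunk, the enclosing module is not.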
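Review bot: The new default `authentication_abilities` in this `let` leaves one half of the delete check without a visible test: a user who is permitted on the project while the credential's ability list lacks `:admin_container_image`. The 'disallow developer/guest to delete images' contexts further down now show that the project permission check denies the `*` scope even when the ability is present, but as far as the visible hunks show, a regression that stopped consulting the ability list would still pass. I would add a context that calls `project.add_master(current_user)`, sets `let(:authentication_abilities) { [:read_container_image, :create_container_image] }`, requests the `*` scope and uses `it_behaves_like 'an inaccessible'`. The enclosing `describe` block continues outside the hunk.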
@@ -60,7 +60,7 @@ describe Auth::ContainerRegistryAuthenticationService do end shared_examples 'a deletable' do - it_behaves_like 'a accessible' do + it_behaves_like 'an accessible' do let(:actions) { ['*'] } end end @@ -126,7 +126,7 @@ describe Auth::ContainerRegistryAuthenticationService do context 'allow developer to push images' do before do - project.team << [current_user, :developer] + project.add_developer(current_user) end let(:current_params) do @@ -138,18 +138,21 @@ describe Auth::ContainerRegistryAuthenticationService do end context 'disallow developer to delete images' do - before { project.team << [current_user, :developer] } + before do + project.add_developer(current_user) + end let(:current_params) do { scope: "repository:#{project.path_with_namespace}:*" } end it_behaves_like 'an inaccessible' + it_behaves_like 'not a container repository factory' end context 'allow reporter to pull images' do before do - project.team << [current_user, :reporter] + project.add_reporter(current_user) end context 'when pulling from root level repository' do @@ -172,11 +175,12 @@ describe Auth::ContainerRegistryAuthenticationService do end it_behaves_like 'an inaccessible' + it_behaves_like 'not a container repository factory' end context 'return a least of privileges' do before do - project.team << [current_user, :reporter] + project.add_reporter(current_user) end let(:current_params) do @@ -189,7 +193,7 @@ describe Auth::ContainerRegistryAuthenticationService do context 'disallow guest to pull or push images' do before do - project.team << [current_user, :guest] + project.add_guest(current_user) end let(:current_params) do 
@@ -201,13 +205,16 @@ describe Auth::ContainerRegistryAuthenticationService do end context 'disallow guest to delete images' do - before { project.team << [current_user, :guest] } + before do + project.add_guest(current_user) + end let(:current_params) do { scope: "repository:#{project.path_with_namespace}:*" } end it_behaves_like 'an inaccessible' + it_behaves_like 'not a container repository factory' end end @@ -238,6 +245,7 @@ describe Auth::ContainerRegistryAuthenticationService do end it_behaves_like 'an inaccessible' + it_behaves_like 'not a container repository factory' end context 'when repository name is invalid' do @@ -248,14 +256,6 @@ describe Auth::ContainerRegistryAuthenticationService do it_behaves_like 'an inaccessible' it_behaves_like 'not a container repository factory' end - - context 'disallow anyone to delete images' do - let(:current_params) do - { scope: "repository:#{project.path_with_namespace}:*" } - end - - it_behaves_like 'an inaccessible' - end end context 'for internal project' do @@ -286,6 +286,7 @@ describe Auth::ContainerRegistryAuthenticationService do end it_behaves_like 'an inaccessible' + it_behaves_like 'not a container repository factory' end end @@ -313,13 +314,16 @@ describe Auth::ContainerRegistryAuthenticationService do end end - context 'delete authorized as admin' do + context 'delete authorized as master' do let(:current_project) { create(:empty_project) } - let(:current_user) { create(:admin) } + let(:current_user) { create(:user) } + let(:authentication_abilities) do - [ - :admin_container_image - ] + [:admin_container_image] + end + + before do + current_project.add_master(current_user) end it_behaves_like 'a valid token' @@ -344,7 +348,7 @@ describe Auth::ContainerRegistryAuthenticationService do end before do - current_project.team << [current_user, :developer] + current_project.add_developer(current_user) end it_behaves_like 'a valid token' 
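Review bot: The 'delete authorized as master' context (hunk at -313) replaces the former admin case instead of sitting beside it, so after this change no visible context exercises deletion by an instance administrator (`create(:admin)`) who is not a project member. If administrators are still expected to receive the `*` scope, keep a second context with `let(:current_user) { create(:admin) }` and the same `authentication_abilities`. If they are not, an `it_behaves_like 'an inaccessible'` case would pin that decision down. The context's remaining lines and its closing `end` are outside the hunk.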
@@ -394,7 +398,7 @@ describe Auth::ContainerRegistryAuthenticationService do context 'when you are member' do before do - project.team << [current_user, :developer] + project.add_developer(current_user) end it_behaves_like 'a pullable' @@ -424,7 +428,7 @@ describe Auth::ContainerRegistryAuthenticationService do context 'when you are member' do before do - project.team << [current_user, :developer] + project.add_developer(current_user) end it_behaves_like 'a pullable' @@ -451,7 +455,7 @@ describe Auth::ContainerRegistryAuthenticationService do let(:project) { create(:empty_project, :public) } before do - project.team << [current_user, :developer] + project.add_developer(current_user) end it_behaves_like 'an inaccessible'