Added rspec for testing container registry authentication service
This commit is contained in:
parent
b180d79cdc
commit
c78b97df0e
|
@ -0,0 +1,31 @@
|
|||
describe Jwt::RSAToken do
|
||||
let(:rsa_key) { generate_key }
|
||||
let(:rsa_token) { described_class.new(nil) }
|
||||
let(:rsa_encoded) { rsa_token.encoded }
|
||||
|
||||
before { allow_any_instance_of(described_class).to receive(:key).and_return(rsa_key) }
|
||||
|
||||
context 'token' do
|
||||
context 'for valid key to be validated' do
|
||||
before { rsa_token['key'] = 'value' }
|
||||
|
||||
subject { JWT.decode(rsa_encoded, rsa_key) }
|
||||
|
||||
it { expect{subject}.to_not raise_error }
|
||||
it { expect(subject.first).to include('key' => 'value') }
|
||||
end
|
||||
|
||||
context 'for invalid key to raise an exception' do
|
||||
let(:new_key) { generate_key }
|
||||
subject { JWT.decode(rsa_encoded, new_key) }
|
||||
|
||||
it { expect{subject}.to raise_error(JWT::DecodeError) }
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def generate_key
|
||||
OpenSSL::PKey::RSA.generate(512)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,18 @@
|
|||
describe Jwt::Token do
|
||||
let(:token) { described_class.new }
|
||||
|
||||
context 'custom parameters' do
|
||||
let(:value) { 'value' }
|
||||
before { token[:key] = value }
|
||||
|
||||
it { expect(token[:key]).to eq(value) }
|
||||
it { expect(token.payload).to include(key: value) }
|
||||
end
|
||||
|
||||
context 'embeds default payload' do
|
||||
subject { token.payload }
|
||||
let(:default) { token.send(:default_payload) }
|
||||
|
||||
it { is_expected.to include(default) }
|
||||
end
|
||||
end
|
|
@ -0,0 +1,192 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe Jwt::ContainerRegistryAuthenticationService, services: true do
|
||||
let(:current_project) { nil }
|
||||
let(:current_user) { nil }
|
||||
let(:current_params) { {} }
|
||||
let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
|
||||
let(:registry_settings) {
|
||||
{
|
||||
issuer: 'rspec',
|
||||
key: nil
|
||||
}
|
||||
}
|
||||
let(:payload) { JWT.decode(subject[:token], rsa_key).first }
|
||||
|
||||
subject { described_class.new(current_project, current_user, current_params).execute }
|
||||
|
||||
before do
|
||||
allow(Gitlab.config.registry).to receive_messages(registry_settings)
|
||||
allow_any_instance_of(Jwt::RSAToken).to receive(:key).and_return(rsa_key)
|
||||
end
|
||||
|
||||
shared_examples 'an authenticated' do
|
||||
it { is_expected.to include(:token) }
|
||||
it { expect(payload).to include('access') }
|
||||
end
|
||||
|
||||
shared_examples 'a accessible' do
|
||||
let(:access) {
|
||||
[{
|
||||
'type' => 'repository',
|
||||
'name' => project.path_with_namespace,
|
||||
'actions' => actions,
|
||||
}]
|
||||
}
|
||||
|
||||
it_behaves_like 'an authenticated'
|
||||
it { expect(payload).to include('access' => access) }
|
||||
end
|
||||
|
||||
shared_examples 'a pullable' do
|
||||
it_behaves_like 'a accessible' do
|
||||
let(:actions) { ['pull'] }
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples 'a pushable' do
|
||||
it_behaves_like 'a accessible' do
|
||||
let(:actions) { ['push'] }
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples 'a pullable and pushable' do
|
||||
it_behaves_like 'a accessible' do
|
||||
let(:actions) { ['pull', 'push'] }
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples 'a forbidden' do
|
||||
it { is_expected.to include(http_status: 401) }
|
||||
it { is_expected.to_not include(:token) }
|
||||
end
|
||||
|
||||
context 'user authorization' do
|
||||
let(:project) { create(:project) }
|
||||
let(:current_user) { create(:user) }
|
||||
|
||||
context 'allow developer to push images' do
|
||||
before { project.team << [current_user, :developer] }
|
||||
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:push" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a pushable'
|
||||
end
|
||||
|
||||
context 'allow reporter to pull images' do
|
||||
before { project.team << [current_user, :reporter] }
|
||||
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:pull" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a pullable'
|
||||
end
|
||||
|
||||
context 'return a least of privileges' do
|
||||
before { project.team << [current_user, :reporter] }
|
||||
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:push,pull" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a pullable'
|
||||
end
|
||||
|
||||
context 'disallow guest to pull or push images' do
|
||||
before { project.team << [current_user, :guest] }
|
||||
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:pull,push" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a forbidden'
|
||||
end
|
||||
end
|
||||
|
||||
context 'project authorization' do
|
||||
let(:current_project) { create(:empty_project) }
|
||||
|
||||
context 'allow to pull and push images' do
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{current_project.path_with_namespace}:pull,push" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a pullable and pushable' do
|
||||
let(:project) { current_project }
|
||||
end
|
||||
end
|
||||
|
||||
context 'for other projects' do
|
||||
context 'when pulling' do
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:pull" }
|
||||
}
|
||||
|
||||
context 'allow for public' do
|
||||
let(:project) { create(:empty_project, :public) }
|
||||
it_behaves_like 'a pullable'
|
||||
end
|
||||
|
||||
context 'disallow for private' do
|
||||
let(:project) { create(:empty_project, :private) }
|
||||
it_behaves_like 'a forbidden'
|
||||
end
|
||||
end
|
||||
|
||||
context 'when pushing' do
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:push" }
|
||||
}
|
||||
|
||||
context 'disallow for all' do
|
||||
let(:project) { create(:empty_project, :public) }
|
||||
it_behaves_like 'a forbidden'
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
context 'unauthorized' do
|
||||
context 'for invalid scope' do
|
||||
let(:current_params) {
|
||||
{ scope: 'invalid:aa:bb' }
|
||||
}
|
||||
|
||||
it_behaves_like 'a forbidden'
|
||||
end
|
||||
|
||||
context 'for private project' do
|
||||
let(:project) { create(:empty_project, :private) }
|
||||
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:pull" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a forbidden'
|
||||
end
|
||||
|
||||
context 'for public project' do
|
||||
let(:project) { create(:empty_project, :public) }
|
||||
|
||||
context 'when pulling and pushing' do
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:pull,push" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a pullable'
|
||||
end
|
||||
|
||||
context 'when pushing' do
|
||||
let(:current_params) {
|
||||
{ scope: "repository:#{project.path_with_namespace}:push" }
|
||||
}
|
||||
|
||||
it_behaves_like 'a forbidden'
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue