Commit
c78b97df
authored
May 09, 2016
by
Kamil Trzcinski
Added rspec for testing container registry authentication service
parent
b180d79c
Changes
3
Showing
3 changed files
with
241 additions
and
0 deletions
+241
-0
spec/lib/jwt/rsa_token_spec.rb
spec/lib/jwt/rsa_token_spec.rb
+31
-0
spec/lib/jwt/token_spec.rb
spec/lib/jwt/token_spec.rb
+18
-0
spec/services/jwt/container_registry_authentication_service_spec.rb
...ces/jwt/container_registry_authentication_service_spec.rb
+192
-0
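--- a/spec/lib/jwt/rsa_token_spec.rb
+++ b/spec/lib/jwt/rsa_token_spec.rb
+describe Jwt::RSAToken do
+  let(:rsa_key) { generate_key }
+  let(:rsa_token) { described_class.new(nil) }
+  let(:rsa_encoded) { rsa_token.encoded }
+  before { allow_any_instance_of(described_class).to receive(:key).and_return(rsa_key) }
+  context 'token' do
+    context 'for valid key to be validated' do
+      before { rsa_token['key'] = 'value' }
+      subject { JWT.decode(rsa_encoded, rsa_key) }
+      it { expect { subject }.to_not raise_error }
+      it { expect(subject.first).to include('key' => 'value') }
+    end
+    context 'for invalid key to raise an exception' do
+      let(:new_key) { generate_key }
+      subject { JWT.decode(rsa_encoded, new_key) }
+      it { expect { subject }.to raise_error(JWT::DecodeError) }
+    end
+  end
+  private
+  def generate_key
+    OpenSSL::PKey::RSA.generate(512)
+  end
+end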
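Review bot: Both `subject` blocks verify with the full private key and without pinning an algorithm, so the spec never shows that a holder of only the public key (all a registry would have) can validate the token, nor that decoding is tied to the expected signature algorithm. Consider `subject { JWT.decode(rsa_encoded, rsa_key.public_key, true, algorithm: 'RS256') }`, assuming RSAToken signs with RS256, which is not visible on this page. Separately, `OpenSSL::PKey::RSA.generate(512)` keeps the run fast, but hardened or FIPS-mode OpenSSL builds may refuse a key that small; a comment such as `# 512 bits only for spec speed; never a production key size` above `generate_key` would make the intent explicit.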
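--- a/spec/lib/jwt/token_spec.rb
+++ b/spec/lib/jwt/token_spec.rb
+describe Jwt::Token do
+  let(:token) { described_class.new }
+  context 'custom parameters' do
+    let(:value) { 'value' }
+    before { token[:key] = value }
+    it { expect(token[:key]).to eq(value) }
+    it { expect(token.payload).to include(key: value) }
+  end
+  context 'embeds default payload' do
+    subject { token.payload }
+    let(:default) { token.send(:default_payload) }
+    it { is_expected.to include(default) }
+  end
+end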
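Review bot: The 'embeds default payload' example compares `token.payload` with `token.send(:default_payload)`, so it passes for whatever the default payload happens to be and would not notice a claim such as the expiry being dropped. It also calls the private method a second time; if that method stamps the current time or a random id (not visible here), the two hashes can differ and the example becomes flaky. Asserting the expected claim names directly is sturdier, for instance `it { expect(subject.keys.map(&:to_s)).to include('exp') }`, with the claim list confirmed against Jwt::Token.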
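--- a/spec/services/jwt/container_registry_authentication_service_spec.rb
+++ b/spec/services/jwt/container_registry_authentication_service_spec.rb
+require 'spec_helper'
+describe Jwt::ContainerRegistryAuthenticationService, services: true do
+  let(:current_project) { nil }
+  let(:current_user) { nil }
+  let(:current_params) { {} }
+  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
+  let(:registry_settings) {
+    {
+      issuer: 'rspec',
+      key: nil
+    }
+  }
+  let(:payload) { JWT.decode(subject[:token], rsa_key).first }
+  subject { described_class.new(current_project, current_user, current_params).execute }
+  before do
+    allow(Gitlab.config.registry).to receive_messages(registry_settings)
+    allow_any_instance_of(Jwt::RSAToken).to receive(:key).and_return(rsa_key)
+  end
+  shared_examples 'an authenticated' do
+    it { is_expected.to include(:token) }
+    it { expect(payload).to include('access') }
+  end
+  shared_examples 'a accessible' do
+    let(:access) {
+      [{
+        'type' => 'repository',
+        'name' => project.path_with_namespace,
+        'actions' => actions,
+      }]
+    }
+    it_behaves_like 'an authenticated'
+    it { expect(payload).to include('access' => access) }
+  end
+  shared_examples 'a pullable' do
+    it_behaves_like 'a accessible' do
+      let(:actions) { ['pull'] }
+    end
+  end
+  shared_examples 'a pushable' do
+    it_behaves_like 'a accessible' do
+      let(:actions) { ['push'] }
+    end
+  end
+  shared_examples 'a pullable and pushable' do
+    it_behaves_like 'a accessible' do
+      let(:actions) { ['pull', 'push'] }
+    end
+  end
+  shared_examples 'a forbidden' do
+    it { is_expected.to include(http_status: 401) }
+    it { is_expected.to_not include(:token) }
+  end
+  context 'user authorization' do
+    let(:project) { create(:project) }
+    let(:current_user) { create(:user) }
+    context 'allow developer to push images' do
+      before { project.team << [current_user, :developer] }
+      let(:current_params) {
+        { scope: "repository:#{project.path_with_namespace}:push" }
+      }
+      it_behaves_like 'a pushable'
+    end
+    context 'allow reporter to pull images' do
+      before { project.team << [current_user, :reporter] }
+      let(:current_params) {
+        { scope: "repository:#{project.path_with_namespace}:pull" }
+      }
+      it_behaves_like 'a pullable'
+    end
+    context 'return a least of privileges' do
+      before { project.team << [current_user, :reporter] }
+      let(:current_params) {
+        { scope: "repository:#{project.path_with_namespace}:push,pull" }
+      }
+      it_behaves_like 'a pullable'
+    end
+    context 'disallow guest to pull or push images' do
+      before { project.team << [current_user, :guest] }
+      let(:current_params) {
+        { scope: "repository:#{project.path_with_namespace}:pull,push" }
+      }
+      it_behaves_like 'a forbidden'
+    end
+  end
+  context 'project authorization' do
+    let(:current_project) { create(:empty_project) }
+    context 'allow to pull and push images' do
+      let(:current_params) {
+        { scope: "repository:#{current_project.path_with_namespace}:pull,push" }
+      }
+      it_behaves_like 'a pullable and pushable' do
+        let(:project) { current_project }
+      end
+    end
+    context 'for other projects' do
+      context 'when pulling' do
+        let(:current_params) {
+          { scope: "repository:#{project.path_with_namespace}:pull" }
+        }
+        context 'allow for public' do
+          let(:project) { create(:empty_project, :public) }
+          it_behaves_like 'a pullable'
+        end
+        context 'disallow for private' do
+          let(:project) { create(:empty_project, :private) }
+          it_behaves_like 'a forbidden'
+        end
+      end
+      context 'when pushing' do
+        let(:current_params) {
+          { scope: "repository:#{project.path_with_namespace}:push" }
+        }
+        context 'disallow for all' do
+          let(:project) { create(:empty_project, :public) }
+          it_behaves_like 'a forbidden'
+        end
+      end
+    end
+  end
+  context 'unauthorized' do
+    context 'for invalid scope' do
+      let(:current_params) {
+        { scope: 'invalid:aa:bb' }
+      }
+      it_behaves_like 'a forbidden'
+    end
+    context 'for private project' do
+      let(:project) { create(:empty_project, :private) }
+      let(:current_params) {
+        { scope: "repository:#{project.path_with_namespace}:pull" }
+      }
+      it_behaves_like 'a forbidden'
+    end
+    context 'for public project' do
+      let(:project) { create(:empty_project, :public) }
+      context 'when pulling and pushing' do
+        let(:current_params) {
+          { scope: "repository:#{project.path_with_namespace}:pull,push" }
+        }
+        it_behaves_like 'a pullable'
+      end
+      context 'when pushing' do
+        let(:current_params) {
+          { scope: "repository:#{project.path_with_namespace}:push" }
+        }
+        it_behaves_like 'a forbidden'
+      end
+    end
+  end
+end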
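Review bot: The deny path is covered for one malformed scope only (`'invalid:aa:bb'` under 'for invalid scope'); there is no example for a scope naming a project that does not exist, a repository scope with an action other than pull or push, or a signed-in user with no membership on a private project. Each of these is a place where a token could be issued by mistake, so I would add contexts such as `let(:current_params) { { scope: "repository:#{project.path_with_namespace}:delete" } }` followed by `it_behaves_like 'a forbidden'`, after confirming the intended outcome against the service. `registry_settings` stubs `issuer: 'rspec'` but nothing asserts it; `it { expect(payload).to include('iss' => 'rspec') }` in 'an authenticated' would pin the claim, assuming the service copies the issuer into `iss`.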