Commit 781fbfe0 authored by David Kim's avatar David Kim

Merge branch '18792-update-specs' into 'master'

Add specs for private container registry

See merge request gitlab-org/gitlab!65831
parents af4c94c7 f0a875f5
...@@ -26,6 +26,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do ...@@ -26,6 +26,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
expect(policy_project.protected_branches.first.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER]) expect(policy_project.protected_branches.first.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER])
expect(policy_project.protected_branches.first.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::NO_ACCESS]) expect(policy_project.protected_branches.first.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::NO_ACCESS])
expect(policy_project.team.developers).to contain_exactly(maintainer) expect(policy_project.team.developers).to contain_exactly(maintainer)
expect(policy_project.container_registry_access_level).to eq(ProjectFeature::DISABLED)
end end
end end
......
...@@ -9,12 +9,12 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p ...@@ -9,12 +9,12 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
let_it_be(:project, reload: true) { create(:project, namespace: user.namespace) } let_it_be(:project, reload: true) { create(:project, namespace: user.namespace) }
let(:container_registry_enabled) { true } let(:container_registry_enabled) { true }
let(:container_registry_enabled_on_project) { true } let(:container_registry_enabled_on_project) { ProjectFeature::ENABLED }
subject { visit project_settings_packages_and_registries_path(project) } subject { visit project_settings_packages_and_registries_path(project) }
before do before do
project.update!(container_registry_enabled: container_registry_enabled_on_project) project.project_feature.update!(container_registry_access_level: container_registry_enabled_on_project)
project.container_expiration_policy.update!(enabled: true) project.container_expiration_policy.update!(enabled: true)
sign_in(user) sign_in(user)
...@@ -104,7 +104,7 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p ...@@ -104,7 +104,7 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
end end
context 'when container registry is disabled on project' do context 'when container registry is disabled on project' do
let(:container_registry_enabled_on_project) { false } let(:container_registry_enabled_on_project) { ProjectFeature::DISABLED }
it 'does not exists' do it 'does not exists' do
subject subject
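Review bot: `container_registry_enabled_on_project` now holds a `ProjectFeature` access level rather than a boolean, so the name no longer describes its value and sits next to the genuinely boolean `container_registry_enabled`. Renaming it, for example `let(:container_registry_access_level) { ProjectFeature::ENABLED }`, and updating the `before` block and the 'when container registry is disabled on project' context to match would make the two settings easier to tell apart. The enclosing describe block starts and ends outside these hunks, so other uses of the name may need the same rename.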
......
...@@ -3151,6 +3151,17 @@ RSpec.describe Ci::Build do ...@@ -3151,6 +3151,17 @@ RSpec.describe Ci::Build do
end end
context 'when container registry is enabled' do context 'when container registry is enabled' do
let_it_be_with_reload(:project) { create(:project, :public, :repository, group: group) }
let_it_be_with_reload(:pipeline) do
create(:ci_pipeline, project: project,
sha: project.commit.id,
ref: project.default_branch,
status: 'success')
end
let_it_be_with_refind(:build) { create(:ci_build, pipeline: pipeline) }
let(:container_registry_enabled) { true } let(:container_registry_enabled) { true }
let(:ci_registry) do let(:ci_registry) do
{ key: 'CI_REGISTRY', value: 'registry.example.com', public: true, masked: false } { key: 'CI_REGISTRY', value: 'registry.example.com', public: true, masked: false }
...@@ -3162,7 +3173,7 @@ RSpec.describe Ci::Build do ...@@ -3162,7 +3173,7 @@ RSpec.describe Ci::Build do
context 'and is disabled for project' do context 'and is disabled for project' do
before do before do
project.update!(container_registry_enabled: false) project.project_feature.update_column(:container_registry_access_level, ProjectFeature::DISABLED)
end end
it { is_expected.to include(ci_registry) } it { is_expected.to include(ci_registry) }
...@@ -3171,7 +3182,16 @@ RSpec.describe Ci::Build do ...@@ -3171,7 +3182,16 @@ RSpec.describe Ci::Build do
context 'and is enabled for project' do context 'and is enabled for project' do
before do before do
project.update!(container_registry_enabled: true) project.project_feature.update_column(:container_registry_access_level, ProjectFeature::ENABLED)
end
it { is_expected.to include(ci_registry) }
it { is_expected.to include(ci_registry_image) }
end
context 'and is private for project' do
before do
project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
end end
it { is_expected.to include(ci_registry) } it { is_expected.to include(ci_registry) }
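Review bot: The three `before` blocks here set the access level with `update_column`, which skips validations and callbacks, while the settings feature spec in this same commit goes through `project.project_feature.update!(container_registry_access_level: ...)`. If bypassing callbacks is deliberate, a one-line comment above the first call, such as `# update_column: set the level directly, without running model callbacks`, would show it is not an oversight. Otherwise `update!` would keep the two specs consistent. The 'and is private for project' context continues past the end of the hunk, so its remaining expectations are not visible here.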
......
...@@ -203,9 +203,7 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -203,9 +203,7 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
context 'for private project' do shared_examples 'private project' do
let_it_be(:project) { create(:project) }
context 'allow to use scope-less authentication' do context 'allow to use scope-less authentication' do
it_behaves_like 'a valid token' it_behaves_like 'a valid token'
end end
...@@ -345,8 +343,20 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -345,8 +343,20 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
context 'for public project' do context 'for private project' do
let_it_be(:project) { create(:project, :public) } let_it_be_with_reload(:project) { create(:project) }
it_behaves_like 'private project'
end
context 'for public project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
it_behaves_like 'private project'
end
context 'for public project with container_registry `enabled`' do
let_it_be(:project) { create(:project, :public, :container_registry_enabled) }
context 'allow anyone to pull images' do context 'allow anyone to pull images' do
let(:current_params) do let(:current_params) do
...@@ -394,8 +404,8 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -394,8 +404,8 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
context 'for internal project' do context 'for internal project with container_registry `enabled`' do
let_it_be(:project) { create(:project, :internal) } let_it_be(:project) { create(:project, :internal, :container_registry_enabled) }
context 'for internal user' do context 'for internal user' do
context 'allow anyone to pull images' do context 'allow anyone to pull images' do
...@@ -470,6 +480,12 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -470,6 +480,12 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
end end
context 'for internal project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :internal, :container_registry_private) }
it_behaves_like 'private project'
end
end end
context 'delete authorized as maintainer' do context 'delete authorized as maintainer' do
...@@ -630,12 +646,8 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -630,12 +646,8 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
context 'for project with private container registry' do context 'for public project with private container registry' do
let_it_be(:project, reload: true) { create(:project, :public) } let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
before do
project.project_feature.update!(container_registry_access_level: ProjectFeature::PRIVATE)
end
it_behaves_like 'pullable for being team member' it_behaves_like 'pullable for being team member'
...@@ -675,11 +687,7 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -675,11 +687,7 @@ RSpec.shared_examples 'a container registry auth service' do
end end
context 'for project without container registry' do context 'for project without container registry' do
let_it_be(:project) { create(:project, :public, container_registry_enabled: false) } let_it_be_with_reload(:project) { create(:project, :public, :container_registry_disabled) }
before do
project.update!(container_registry_enabled: false)
end
context 'disallow when pulling' do context 'disallow when pulling' do
let(:current_params) do let(:current_params) do
...@@ -719,12 +727,16 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -719,12 +727,16 @@ RSpec.shared_examples 'a container registry auth service' do
context 'support for multiple scopes' do context 'support for multiple scopes' do
let_it_be(:internal_project) { create(:project, :internal) } let_it_be(:internal_project) { create(:project, :internal) }
let_it_be(:private_project) { create(:project, :private) } let_it_be(:private_project) { create(:project, :private) }
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:public_project_private_container_registry) { create(:project, :public, :container_registry_private) }
let(:current_params) do let(:current_params) do
{ {
scopes: [ scopes: [
"repository:#{internal_project.full_path}:pull", "repository:#{internal_project.full_path}:pull",
"repository:#{private_project.full_path}:pull" "repository:#{private_project.full_path}:pull",
"repository:#{public_project.full_path}:pull",
"repository:#{public_project_private_container_registry.full_path}:pull"
] ]
} }
end end
...@@ -744,13 +756,19 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -744,13 +756,19 @@ RSpec.shared_examples 'a container registry auth service' do
'actions' => ['pull'] }, 'actions' => ['pull'] },
{ 'type' => 'repository', { 'type' => 'repository',
'name' => private_project.full_path, 'name' => private_project.full_path,
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => public_project.full_path,
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => public_project_private_container_registry.full_path,
'actions' => ['pull'] } 'actions' => ['pull'] }
] ]
end end
end end
end end
context 'user only has access to internal project' do context 'user only has access to internal and public projects' do
let_it_be(:current_user) { create(:user) } let_it_be(:current_user) { create(:user) }
it_behaves_like 'a browsable' do it_behaves_like 'a browsable' do
...@@ -758,18 +776,37 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -758,18 +776,37 @@ RSpec.shared_examples 'a container registry auth service' do
[ [
{ 'type' => 'repository', { 'type' => 'repository',
'name' => internal_project.full_path, 'name' => internal_project.full_path,
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => public_project.full_path,
'actions' => ['pull'] } 'actions' => ['pull'] }
] ]
end end
end end
end end
context 'anonymous access is rejected' do context 'anonymous user has access only to public project' do
let(:current_user) { nil } let(:current_user) { nil }
it_behaves_like 'a browsable' do
let(:access) do
[
{ 'type' => 'repository',
'name' => public_project.full_path,
'actions' => ['pull'] }
]
end
end
context 'with no public container registry' do
before do
public_project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
end
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
end end
end
context 'unauthorized' do context 'unauthorized' do
context 'disallow to use scope-less authentication' do context 'disallow to use scope-less authentication' do
...@@ -796,8 +833,8 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -796,8 +833,8 @@ RSpec.shared_examples 'a container registry auth service' do
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
context 'for public project' do context 'for public project with container registry `enabled`' do
let_it_be(:project) { create(:project, :public) } let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
context 'when pulling and pushing' do context 'when pulling and pushing' do
let(:current_params) do let(:current_params) do
...@@ -818,6 +855,19 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -818,6 +855,19 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
context 'for public project with container registry `private`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling and pushing' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull,push"] }
end
it_behaves_like 'a forbidden'
it_behaves_like 'not a container repository factory'
end
end
context 'for registry catalog' do context 'for registry catalog' do
let(:current_params) do let(:current_params) do
{ scopes: ["registry:catalog:*"] } { scopes: ["registry:catalog:*"] }
...@@ -898,6 +948,24 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -898,6 +948,24 @@ RSpec.shared_examples 'a container registry auth service' do
it_behaves_like 'able to login' it_behaves_like 'able to login'
end end
context 'for public project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling' do
it_behaves_like 'a pullable'
end
context 'when pushing' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token }
end
it_behaves_like 'a pushable'
end
it_behaves_like 'able to login'
end
end end
context 'when deploy token does not have read_registry scope' do context 'when deploy token does not have read_registry scope' do
...@@ -919,8 +987,8 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -919,8 +987,8 @@ RSpec.shared_examples 'a container registry auth service' do
end end
end end
context 'for public project' do context 'for public project with container registry `enabled`' do
let_it_be(:project) { create(:project, :public) } let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
context 'when pulling' do context 'when pulling' do
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
...@@ -929,6 +997,16 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -929,6 +997,16 @@ RSpec.shared_examples 'a container registry auth service' do
it_behaves_like 'unable to login' it_behaves_like 'unable to login'
end end
context 'for public project with container registry `private`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
end
it_behaves_like 'unable to login'
end
context 'for internal project' do context 'for internal project' do
let_it_be(:project) { create(:project, :internal) } let_it_be(:project) { create(:project, :internal) }
...@@ -960,14 +1038,22 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -960,14 +1038,22 @@ RSpec.shared_examples 'a container registry auth service' do
context 'when deploy token is not related to the project' do context 'when deploy token is not related to the project' do
let_it_be(:deploy_token) { create(:deploy_token, read_registry: false) } let_it_be(:deploy_token) { create(:deploy_token, read_registry: false) }
context 'for public project' do context 'for public project with container registry `enabled`' do
let_it_be(:project) { create(:project, :public) } let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
context 'when pulling' do context 'when pulling' do
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
end end
end end
context 'for public project with container registry `private`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
end
end
context 'for internal project' do context 'for internal project' do
let_it_be(:project) { create(:project, :internal) } let_it_be(:project) { create(:project, :internal) }
...@@ -988,12 +1074,18 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -988,12 +1074,18 @@ RSpec.shared_examples 'a container registry auth service' do
context 'when deploy token has been revoked' do context 'when deploy token has been revoked' do
let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) } let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) }
context 'for public project' do context 'for public project with container registry `enabled`' do
let_it_be(:project) { create(:project, :public) } let_it_be(:project) { create(:project, :public, :container_registry_enabled) }
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
end end
context 'for public project with container registry `private`' do
let_it_be(:project) { create(:project, :public, :container_registry_private) }
it_behaves_like 'an inaccessible'
end
context 'for internal project' do context 'for internal project' do
let_it_be(:project) { create(:project, :internal) } let_it_be(:project) { create(:project, :internal) }
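Review bot: The nested context 'with no public container registry' changes `public_project` with `update_column`, but `public_project` is declared with plain `let_it_be` in the 'support for multiple scopes' hunk. Unless the suite freezes or reloads such records elsewhere, the in-memory record can keep the `PRIVATE` level after that example's database changes are rolled back. That would make the anonymous-access examples depend on execution order, which is undesirable in a test guarding an authorization denial. Declaring it as `let_it_be_with_reload(:public_project) { create(:project, :public) }` would match the other projects in this file whose registry level is set per context. Separately, the new 'unauthorized' context for a `private` registry only requests `pull,push`; a pull-only case there would pin anonymous pull on a single project directly, unless that is already covered outside the visible hunks.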
......