Merge branch '18792-update-specs' into 'master'

Add specs for private container registry See merge request gitlab-org/gitlab!65831

Merge branch '18792-update-specs' into 'master'
Add specs for private container registry See merge request gitlab-org/gitlab!65831
781fbfe0 · David Kim · af4c94c7 · f0a875f5 · 781fbfe0 · 781fbfe0
Commit 781fbfe0 authored Aug 02, 2021 by David Kim
4 changed files
--- a/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb
@@ -26,6 +26,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
        expect(policy_project.protected_branches.first.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER])
        expect(policy_project.protected_branches.first.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::NO_ACCESS])
        expect(policy_project.team.developers).to contain_exactly(maintainer)
+        expect(policy_project.container_registry_access_level).to eq(ProjectFeature::DISABLED)
      end
    end


--- a/spec/features/projects/settings/registry_settings_spec.rb
+++ b/spec/features/projects/settings/registry_settings_spec.rb
@@ -9,12 +9,12 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
  let_it_be(:project, reload: true) { create(:project, namespace: user.namespace) }

  let(:container_registry_enabled) { true }
-  let(:container_registry_enabled_on_project) { true }
+  let(:container_registry_enabled_on_project) { ProjectFeature::ENABLED }

  subject { visit project_settings_packages_and_registries_path(project) }

  before do
-    project.update!(container_registry_enabled: container_registry_enabled_on_project)
+    project.project_feature.update!(container_registry_access_level: container_registry_enabled_on_project)
    project.container_expiration_policy.update!(enabled: true)

    sign_in(user)
@@ -104,7 +104,7 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
  end

  context 'when container registry is disabled on project' do
-    let(:container_registry_enabled_on_project) { false }
+    let(:container_registry_enabled_on_project) { ProjectFeature::DISABLED }

    it 'does not exists' do
      subject

--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -3151,6 +3151,17 @@ RSpec.describe Ci::Build do
    end

    context 'when container registry is enabled' do
+      let_it_be_with_reload(:project) { create(:project, :public, :repository, group: group) }
+
+      let_it_be_with_reload(:pipeline) do
+        create(:ci_pipeline, project: project,
+                             sha: project.commit.id,
+                             ref: project.default_branch,
+                             status: 'success')
+      end
+
+      let_it_be_with_refind(:build) { create(:ci_build, pipeline: pipeline) }
+
      let(:container_registry_enabled) { true }
      let(:ci_registry) do
        { key: 'CI_REGISTRY', value: 'registry.example.com', public: true, masked: false }
@@ -3162,7 +3173,7 @@ RSpec.describe Ci::Build do

      context 'and is disabled for project' do
        before do
-          project.update!(container_registry_enabled: false)
+          project.project_feature.update_column(:container_registry_access_level, ProjectFeature::DISABLED)
        end

        it { is_expected.to include(ci_registry) }
@@ -3171,7 +3182,16 @@ RSpec.describe Ci::Build do

      context 'and is enabled for project' do
        before do
-          project.update!(container_registry_enabled: true)
+          project.project_feature.update_column(:container_registry_access_level, ProjectFeature::ENABLED)
+        end
+
+        it { is_expected.to include(ci_registry) }
+        it { is_expected.to include(ci_registry_image) }
+      end
+
+      context 'and is private for project' do
+        before do
+          project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
        end

        it { is_expected.to include(ci_registry) }

--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -203,9 +203,7 @@ RSpec.shared_examples 'a container registry auth service' do
      end
    end

-    context 'for private project' do
-      let_it_be(:project) { create(:project) }
-
+    shared_examples 'private project' do
      context 'allow to use scope-less authentication' do
        it_behaves_like 'a valid token'
      end
@@ -345,8 +343,20 @@ RSpec.shared_examples 'a container registry auth service' do
      end
    end

-    context 'for public project' do
-      let_it_be(:project) { create(:project, :public) }
+    context 'for private project' do
+      let_it_be_with_reload(:project) { create(:project) }
+
+      it_behaves_like 'private project'
+    end
+
+    context 'for public project with private container registry' do
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+      it_behaves_like 'private project'
+    end
+
+    context 'for public project with container_registry `enabled`' do
+      let_it_be(:project) { create(:project, :public, :container_registry_enabled) }

      context 'allow anyone to pull images' do
        let(:current_params) do
@@ -394,8 +404,8 @@ RSpec.shared_examples 'a container registry auth service' do
      end
    end

-    context 'for internal project' do
-      let_it_be(:project) { create(:project, :internal) }
+    context 'for internal project with container_registry `enabled`' do
+      let_it_be(:project) { create(:project, :internal, :container_registry_enabled) }

      context 'for internal user' do
        context 'allow anyone to pull images' do
@@ -470,6 +480,12 @@ RSpec.shared_examples 'a container registry auth service' do
        end
      end
    end
+
+    context 'for internal project with private container registry' do
+      let_it_be_with_reload(:project) { create(:project, :internal, :container_registry_private) }
+
+      it_behaves_like 'private project'
+    end
  end

  context 'delete authorized as maintainer' do
@@ -630,12 +646,8 @@ RSpec.shared_examples 'a container registry auth service' do
          end
        end

-        context 'for project with private container registry' do
-          let_it_be(:project, reload: true) { create(:project, :public) }
-
-          before do
-            project.project_feature.update!(container_registry_access_level: ProjectFeature::PRIVATE)
-          end
+        context 'for public project with private container registry' do
+          let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }

          it_behaves_like 'pullable for being team member'

@@ -675,11 +687,7 @@ RSpec.shared_examples 'a container registry auth service' do
    end

    context 'for project without container registry' do
-      let_it_be(:project) { create(:project, :public, container_registry_enabled: false) }
-
-      before do
-        project.update!(container_registry_enabled: false)
-      end
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_disabled) }

      context 'disallow when pulling' do
        let(:current_params) do
@@ -719,12 +727,16 @@ RSpec.shared_examples 'a container registry auth service' do
  context 'support for multiple scopes' do
    let_it_be(:internal_project) { create(:project, :internal) }
    let_it_be(:private_project) { create(:project, :private) }
+    let_it_be(:public_project) { create(:project, :public) }
+    let_it_be(:public_project_private_container_registry) { create(:project, :public, :container_registry_private) }

    let(:current_params) do
      {
        scopes: [
          "repository:#{internal_project.full_path}:pull",
-          "repository:#{private_project.full_path}:pull"
+          "repository:#{private_project.full_path}:pull",
+          "repository:#{public_project.full_path}:pull",
+          "repository:#{public_project_private_container_registry.full_path}:pull"
        ]
      }
    end
@@ -744,13 +756,19 @@ RSpec.shared_examples 'a container registry auth service' do
              'actions' => ['pull'] },
            { 'type' => 'repository',
              'name' => private_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => public_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => public_project_private_container_registry.full_path,
              'actions' => ['pull'] }
          ]
        end
      end
    end

-    context 'user only has access to internal project' do
+    context 'user only has access to internal and public projects' do
      let_it_be(:current_user) { create(:user) }

      it_behaves_like 'a browsable' do
@@ -758,18 +776,37 @@ RSpec.shared_examples 'a container registry auth service' do
          [
            { 'type' => 'repository',
              'name' => internal_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => public_project.full_path,
              'actions' => ['pull'] }
          ]
        end
      end
    end

-    context 'anonymous access is rejected' do
+    context 'anonymous user has access only to public project' do
      let(:current_user) { nil }

+      it_behaves_like 'a browsable' do
+        let(:access) do
+          [
+            { 'type' => 'repository',
+              'name' => public_project.full_path,
+              'actions' => ['pull'] }
+          ]
+        end
+      end
+
+      context 'with no public container registry' do
+        before do
+          public_project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
+        end
+
        it_behaves_like 'a forbidden'
      end
    end
+  end

  context 'unauthorized' do
    context 'disallow to use scope-less authentication' do
@@ -796,8 +833,8 @@ RSpec.shared_examples 'a container registry auth service' do
      it_behaves_like 'a forbidden'
    end

-    context 'for public project' do
-      let_it_be(:project) { create(:project, :public) }
+    context 'for public project with container registry `enabled`' do
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }

      context 'when pulling and pushing' do
        let(:current_params) do
@@ -818,6 +855,19 @@ RSpec.shared_examples 'a container registry auth service' do
      end
    end

+    context 'for public project with container registry `private`' do
+      let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+      context 'when pulling and pushing' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull,push"] }
+        end
+
+        it_behaves_like 'a forbidden'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
    context 'for registry catalog' do
      let(:current_params) do
        { scopes: ["registry:catalog:*"] }
@@ -898,6 +948,24 @@ RSpec.shared_examples 'a container registry auth service' do

        it_behaves_like 'able to login'
      end
+
+      context 'for public project with private container registry' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token }
+          end
+
+          it_behaves_like 'a pushable'
+        end
+
+        it_behaves_like 'able to login'
+      end
    end

    context 'when deploy token does not have read_registry scope' do
@@ -919,8 +987,8 @@ RSpec.shared_examples 'a container registry auth service' do
        end
      end

-      context 'for public project' do
-        let_it_be(:project) { create(:project, :public) }
+      context 'for public project with container registry `enabled`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }

        context 'when pulling' do
          it_behaves_like 'a pullable'
@@ -929,6 +997,16 @@ RSpec.shared_examples 'a container registry auth service' do
        it_behaves_like 'unable to login'
      end

+      context 'for public project with container registry `private`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+
+        it_behaves_like 'unable to login'
+      end
+
      context 'for internal project' do
        let_it_be(:project) { create(:project, :internal) }

@@ -960,14 +1038,22 @@ RSpec.shared_examples 'a container registry auth service' do
    context 'when deploy token is not related to the project' do
      let_it_be(:deploy_token) { create(:deploy_token, read_registry: false) }

-      context 'for public project' do
-        let_it_be(:project) { create(:project, :public) }
+      context 'for public project with container registry `enabled`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }

        context 'when pulling' do
          it_behaves_like 'a pullable'
        end
      end

+      context 'for public project with container registry `private`' do
+        let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
      context 'for internal project' do
        let_it_be(:project) { create(:project, :internal) }

@@ -988,12 +1074,18 @@ RSpec.shared_examples 'a container registry auth service' do
    context 'when deploy token has been revoked' do
      let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) }

-      context 'for public project' do
-        let_it_be(:project) { create(:project, :public) }
+      context 'for public project with container registry `enabled`' do
+        let_it_be(:project) { create(:project, :public, :container_registry_enabled) }

        it_behaves_like 'a pullable'
      end

+      context 'for public project with container registry `private`' do
+        let_it_be(:project) { create(:project, :public, :container_registry_private) }
+
+        it_behaves_like 'an inaccessible'
+      end
+
      context 'for internal project' do
        let_it_be(:project) { create(:project, :internal) }