Commit a0289b5c authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'fix/registry2.7-delete-auth' into 'master'

Add support for deleting images in registry 2.7

See merge request gitlab-org/gitlab-ce!25862
parents b0169d03 eadee27a
...@@ -116,7 +116,7 @@ module Auth ...@@ -116,7 +116,7 @@ module Auth
build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project) build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
when 'push' when 'push'
build_can_push?(requested_project) || user_can_push?(requested_project) build_can_push?(requested_project) || user_can_push?(requested_project)
when '*' when '*', 'delete'
user_can_admin?(requested_project) user_can_admin?(requested_project)
else else
false false
......
...@@ -88,6 +88,12 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -88,6 +88,12 @@ describe Auth::ContainerRegistryAuthenticationService do
end end
end end
shared_examples 'a deletable since registry 2.7' do
it_behaves_like 'an accessible' do
let(:actions) { ['delete'] }
end
end
shared_examples 'a pullable' do shared_examples 'a pullable' do
it_behaves_like 'an accessible' do it_behaves_like 'an accessible' do
let(:actions) { ['pull'] } let(:actions) { ['pull'] }
...@@ -184,6 +190,19 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -184,6 +190,19 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
context 'disallow developer to delete images since registry 2.7' do
before do
project.add_developer(current_user)
end
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
context 'allow reporter to pull images' do context 'allow reporter to pull images' do
before do before do
project.add_reporter(current_user) project.add_reporter(current_user)
...@@ -212,6 +231,19 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -212,6 +231,19 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
context 'disallow reporter to delete images since registry 2.7' do
before do
project.add_reporter(current_user)
end
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
context 'return a least of privileges' do context 'return a least of privileges' do
before do before do
project.add_reporter(current_user) project.add_reporter(current_user)
...@@ -250,6 +282,19 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -250,6 +282,19 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible' it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
context 'disallow guest to delete images since regsitry 2.7' do
before do
project.add_guest(current_user)
end
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
end end
context 'for public project' do context 'for public project' do
...@@ -282,6 +327,15 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -282,6 +327,15 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
context 'disallow anyone to delete images since registry 2.7' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
context 'when repository name is invalid' do context 'when repository name is invalid' do
let(:current_params) do let(:current_params) do
{ scopes: ['repository:invalid:push'] } { scopes: ['repository:invalid:push'] }
...@@ -322,6 +376,15 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -322,6 +376,15 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible' it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
context 'disallow anyone to delete images since registry 2.7' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
end end
context 'for external user' do context 'for external user' do
...@@ -344,6 +407,16 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -344,6 +407,16 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'an inaccessible' it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
end end
context 'disallow anyone to delete images since registry 2.7' do
let(:current_user) { create(:user, external: true) }
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
end end
end end
end end
...@@ -371,6 +444,16 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -371,6 +444,16 @@ describe Auth::ContainerRegistryAuthenticationService do
let(:project) { current_project } let(:project) { current_project }
end end
end end
context 'allow to delete images since registry 2.7' do
let(:current_params) do
{ scopes: ["repository:#{current_project.full_path}:delete"] }
end
it_behaves_like 'a deletable since registry 2.7' do
let(:project) { current_project }
end
end
end end
context 'build authorized as user' do context 'build authorized as user' do
...@@ -419,6 +502,16 @@ describe Auth::ContainerRegistryAuthenticationService do ...@@ -419,6 +502,16 @@ describe Auth::ContainerRegistryAuthenticationService do
end end
end end
context 'disallow to delete images since registry 2.7' do
let(:current_params) do
{ scopes: ["repository:#{current_project.full_path}:delete"] }
end
it_behaves_like 'an inaccessible' do
let(:project) { current_project }
end
end
context 'for other projects' do context 'for other projects' do
context 'when pulling' do context 'when pulling' do
let(:current_params) do let(:current_params) do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment