Commit f8382487 authored by David Fernandez's avatar David Fernandez

Merge branch '332028-remove-repository-package-check' into 'master'

Disconnect package permission from repository

See merge request gitlab-org/gitlab!67632
parents 7e3c6e3e 4250c48d
...@@ -337,7 +337,7 @@ class ProjectPolicy < BasePolicy ...@@ -337,7 +337,7 @@ class ProjectPolicy < BasePolicy
enable :read_metrics_user_starred_dashboard enable :read_metrics_user_starred_dashboard
end end
rule { packages_disabled | repository_disabled }.policy do rule { packages_disabled }.policy do
prevent(*create_read_update_admin_destroy(:package)) prevent(*create_read_update_admin_destroy(:package))
end end
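Review bot: The rule at `rule { packages_disabled }.policy do` no longer prevents package abilities when the repository feature is disabled, and nothing beside it says the decoupling is deliberate, so a later reader could re-add `repository_disabled` as an apparent omission. I would put a comment above the rule, for example `# Package abilities are gated by the packages feature only; repository_access_level is intentionally not consulted.` Because this loosens an authorization rule, any project that relied on a disabled repository to keep packages out of reach (if any did) will now have packages governed by the remaining rules alone, which deserves a changelog line. The ProjectPolicy class body starts and ends outside this hunk.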
......
...@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do ...@@ -840,6 +840,8 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_project) } it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:create_package) } it { is_expected.to be_disallowed(:create_package) }
it_behaves_like 'package access with repository disabled'
end end
context 'a deploy token with write_package_registry scope' do context 'a deploy token with write_package_registry scope' do
...@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do ...@@ -849,6 +851,8 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_project) } it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:destroy_package) } it { is_expected.to be_disallowed(:destroy_package) }
it_behaves_like 'package access with repository disabled'
end end
end end
...@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do ...@@ -1021,18 +1025,7 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_package) } it { is_expected.to be_allowed(:read_package) }
context 'when repository is disabled' do it_behaves_like 'package access with repository disabled'
before do
project.project_feature.update!(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
repository_access_level: ProjectFeature::DISABLED)
end
it { is_expected.to be_disallowed(:read_package) }
end
end end
context 'with owner' do context 'with owner' do
......
...@@ -217,6 +217,15 @@ RSpec.describe API::MavenPackages do ...@@ -217,6 +217,15 @@ RSpec.describe API::MavenPackages do
end end
end end
shared_examples 'successfully returning the file' do
it 'returns the file', :aggregate_failures do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
end
describe 'GET /api/v4/packages/maven/*path/:file_name' do describe 'GET /api/v4/packages/maven/*path/:file_name' do
context 'a public project' do context 'a public project' do
subject { download_file(file_name: package_file.file_name) } subject { download_file(file_name: package_file.file_name) }
...@@ -224,12 +233,7 @@ RSpec.describe API::MavenPackages do ...@@ -224,12 +233,7 @@ RSpec.describe API::MavenPackages do
shared_examples 'getting a file' do shared_examples 'getting a file' do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'returns sha1 of the file' do it 'returns sha1 of the file' do
download_file(file_name: package_file.file_name + '.sha1') download_file(file_name: package_file.file_name + '.sha1')
...@@ -260,12 +264,7 @@ RSpec.describe API::MavenPackages do ...@@ -260,12 +264,7 @@ RSpec.describe API::MavenPackages do
shared_examples 'getting a file' do shared_examples 'getting a file' do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'denies download when no private token' do it 'denies download when no private token' do
download_file(file_name: package_file.file_name) download_file(file_name: package_file.file_name)
...@@ -297,12 +296,7 @@ RSpec.describe API::MavenPackages do ...@@ -297,12 +296,7 @@ RSpec.describe API::MavenPackages do
shared_examples 'getting a file' do shared_examples 'getting a file' do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'denies download when not enough permissions' do it 'denies download when not enough permissions' do
unless project.root_namespace == user.namespace unless project.root_namespace == user.namespace
...@@ -409,12 +403,7 @@ RSpec.describe API::MavenPackages do ...@@ -409,12 +403,7 @@ RSpec.describe API::MavenPackages do
shared_examples 'getting a file for a group' do shared_examples 'getting a file for a group' do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'returns sha1 of the file' do it 'returns sha1 of the file' do
download_file(file_name: package_file.file_name + '.sha1') download_file(file_name: package_file.file_name + '.sha1')
...@@ -445,12 +434,7 @@ RSpec.describe API::MavenPackages do ...@@ -445,12 +434,7 @@ RSpec.describe API::MavenPackages do
shared_examples 'getting a file for a group' do shared_examples 'getting a file for a group' do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'denies download when no private token' do it 'denies download when no private token' do
download_file(file_name: package_file.file_name) download_file(file_name: package_file.file_name)
...@@ -482,12 +466,7 @@ RSpec.describe API::MavenPackages do ...@@ -482,12 +466,7 @@ RSpec.describe API::MavenPackages do
shared_examples 'getting a file for a group' do shared_examples 'getting a file for a group' do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'denies download when not enough permissions' do it 'denies download when not enough permissions' do
group.add_guest(user) group.add_guest(user)
...@@ -516,12 +495,7 @@ RSpec.describe API::MavenPackages do ...@@ -516,12 +495,7 @@ RSpec.describe API::MavenPackages do
context 'with group deploy token' do context 'with group deploy token' do
subject { download_file_with_token(file_name: package_file.file_name, request_headers: group_deploy_token_headers) } subject { download_file_with_token(file_name: package_file.file_name, request_headers: group_deploy_token_headers) }
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'returns the file with only write_package_registry scope' do it 'returns the file with only write_package_registry scope' do
deploy_token_for_group.update!(read_package_registry: false) deploy_token_for_group.update!(read_package_registry: false)
...@@ -553,12 +527,7 @@ RSpec.describe API::MavenPackages do ...@@ -553,12 +527,7 @@ RSpec.describe API::MavenPackages do
group.add_reporter(user) group.add_reporter(user)
end end
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
context 'with a non existing maven path' do context 'with a non existing maven path' do
subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3', request_headers: headers_with_token, group_id: root_group.id) } subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3', request_headers: headers_with_token, group_id: root_group.id) }
...@@ -657,12 +626,7 @@ RSpec.describe API::MavenPackages do ...@@ -657,12 +626,7 @@ RSpec.describe API::MavenPackages do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'returns sha1 of the file' do it 'returns sha1 of the file' do
download_file(file_name: package_file.file_name + '.sha1') download_file(file_name: package_file.file_name + '.sha1')
...@@ -672,6 +636,19 @@ RSpec.describe API::MavenPackages do ...@@ -672,6 +636,19 @@ RSpec.describe API::MavenPackages do
expect(response.body).to eq(package_file.file_sha1) expect(response.body).to eq(package_file.file_sha1)
end end
context 'when the repository is disabled' do
before do
project.project_feature.update!(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
repository_access_level: ProjectFeature::DISABLED)
end
it_behaves_like 'successfully returning the file'
end
context 'with a non existing maven path' do context 'with a non existing maven path' do
subject { download_file(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } subject { download_file(file_name: package_file.file_name, path: 'foo/bar/1.2.3') }
...@@ -688,12 +665,7 @@ RSpec.describe API::MavenPackages do ...@@ -688,12 +665,7 @@ RSpec.describe API::MavenPackages do
it_behaves_like 'tracking the file download event' it_behaves_like 'tracking the file download event'
it 'returns the file' do it_behaves_like 'successfully returning the file'
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response.media_type).to eq('application/octet-stream')
end
it 'denies download when not enough permissions' do it 'denies download when not enough permissions' do
project.add_guest(user) project.add_guest(user)
......
...@@ -330,3 +330,18 @@ RSpec.shared_examples 'project policies as admin without admin mode' do ...@@ -330,3 +330,18 @@ RSpec.shared_examples 'project policies as admin without admin mode' do
end end
end end
end end
RSpec.shared_examples 'package access with repository disabled' do
context 'when repository is disabled' do
before do
project.project_feature.update!(
# Disable merge_requests and builds as well, since merge_requests and
# builds cannot have higher visibility than repository.
merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
repository_access_level: ProjectFeature::DISABLED)
end
it { is_expected.to be_allowed(:read_package) }
end
end
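Review bot: The shared examples assert only `be_allowed(:read_package)`, while the rule this commit relaxes covered create, read, update, admin and destroy on packages. The deploy-token contexts that include it check `be_disallowed(:create_package)` and `be_disallowed(:destroy_package)` only with the repository enabled, so nothing here would catch a write ability being granted once the repository is disabled. I would either let the shared examples take the abilities expected to stay denied, or repeat the caller's denial inside the disabled-repository context, e.g. `it { is_expected.to be_disallowed(:create_package) }` for the read-scope token. A one-line comment above `RSpec.shared_examples` naming the `project` and `subject` the including context must define would also help.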