Merge branch 'ci_job_token_delete_registry_images' into 'master'

Allow access to registry API of the current project using the job token [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!49750

Merge branch 'ci_job_token_delete_registry_images' into 'master'
Allow access to registry API of the current project using the job token [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!49750
4553e8bb · Sean McGivern · 96dd516f · 49964377 · 4553e8bb · 4553e8bb
Commit 4553e8bb authored Apr 21, 2021 by Sean McGivern
9 changed files
--- a/changelogs/unreleased/ci_job_token_delete_registry_images.yml
+++ b/changelogs/unreleased/ci_job_token_delete_registry_images.yml
+---
+title: Allow access to registry API of the current project using the job token
+merge_request: 49750
+author: Mathieu Parent
+type: added
--- a/config/feature_flags/development/ci_job_token_scope.yml
+++ b/config/feature_flags/development/ci_job_token_scope.yml
+---
+name: ci_job_token_scope
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/49750
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/300821
+milestone: '13.12'
+type: development
+group: group::package
+default_enabled: false
--- a/doc/api/README.md
+++ b/doc/api/README.md
@@ -208,6 +208,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints
    Package Registry, you can use [deploy tokens](../user/project/deploy_tokens/index.md).
  - [Container Registry](../user/packages/container_registry/index.md)
    (the `$CI_REGISTRY_PASSWORD` is `$CI_JOB_TOKEN`).
+  - [Container Registry API](container_registry.md) (scoped to the job's project, when the `ci_job_token_scope` feature flag is enabled)
 - [Get job artifacts](job_artifacts.md#get-job-artifacts).
 - [Get job token's job](jobs.md#get-job-tokens-job).
 - [Pipeline triggers](pipeline_triggers.md), using the `token=` parameter.

--- a/doc/api/container_registry.md
+++ b/doc/api/container_registry.md
@@ -6,10 +6,30 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 # Container Registry API
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55978) in GitLab 11.8.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55978) in GitLab 11.8.
+> - The use of `CI_JOB_TOKEN` scoped to the current project was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/49750) in GitLab 13.12.
 This is the API documentation of the [GitLab Container Registry](../user/packages/container_registry/index.md).
+When the `ci_job_token_scope` feature flag is enabled (it is **disabled by default**), you can use the below endpoints
+from a CI/CD job, by passing the `$CI_JOB_TOKEN` variable as the `JOB-TOKEN` header.
+The job token will only have access to its own project.
+[GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
+can opt to enable it.
+To enable it:
+```ruby
+Feature.enable(:ci_job_token_scope)
+```
+To disable it:
+```ruby
+Feature.disable(:ci_job_token_scope)
+```
 ## List registry repositories
 ### Within a project

--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -87,6 +87,8 @@ module EE
      def find_project!(id)
        project = find_project(id)
+        return forbidden! unless authorized_project_scope?(project)
        # CI job token authentication:
        # this method grants limited privileged for admin users
        # admin users can only access project if they are direct member

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -124,12 +124,22 @@ module API
    def find_project!(id)
      project = find_project(id)
+      return forbidden! unless authorized_project_scope?(project)
      return project if can?(current_user, :read_project, project)
      return unauthorized! if authenticate_non_public?
      not_found!('Project')
    end
+    def authorized_project_scope?(project)
+      return true unless job_token_authentication?
+      return true unless route_authentication_setting[:job_token_scope] == :project
+      ::Feature.enabled?(:ci_job_token_scope, project, default_enabled: :yaml) &&
+        current_authenticated_job.project == project
+    end
    # rubocop: disable CodeReuse/ActiveRecord
    def find_group(id)
      if id.to_s =~ /^\d+$/

--- a/lib/api/project_container_repositories.rb
+++ b/lib/api/project_container_repositories.rb
@@ -15,6 +15,7 @@ module API
    params do
      requires :id, type: String, desc: 'The ID of a project'
    end
+    route_setting :authentication, job_token_allowed: true, job_token_scope: :project
    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      desc 'Get a project container repositories' do
        detail 'This feature was introduced in GitLab 11.8.'

--- a/spec/lib/api/helpers_spec.rb
+++ b/spec/lib/api/helpers_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 RSpec.describe API::Helpers do
+  using RSpec::Parameterized::TableSyntax
  subject { Class.new.include(described_class).new }
  describe '#find_project' do
@@ -99,6 +101,59 @@ RSpec.describe API::Helpers do
    end
  end
+  describe '#find_project!' do
+    let_it_be(:project) { create(:project) }
+    let(:user) { project.owner}
+    before do
+      allow(subject).to receive(:current_user).and_return(user)
+      allow(subject).to receive(:authorized_project_scope?).and_return(true)
+      allow(subject).to receive(:job_token_authentication?).and_return(false)
+      allow(subject).to receive(:authenticate_non_public?).and_return(false)
+    end
+    shared_examples 'project finder' do
+      context 'when project exists' do
+        it 'returns requested project' do
+          expect(subject.find_project!(existing_id)).to eq(project)
+        end
+        it 'returns nil' do
+          expect(subject).to receive(:render_api_error!).with('404 Project Not Found', 404)
+          expect(subject.find_project!(non_existing_id)).to be_nil
+        end
+      end
+    end
+    context 'when ID is used as an argument' do
+      let(:existing_id) { project.id }
+      let(:non_existing_id) { non_existing_record_id }
+      it_behaves_like 'project finder'
+    end
+    context 'when PATH is used as an argument' do
+      let(:existing_id) { project.full_path }
+      let(:non_existing_id) { 'something/else' }
+      it_behaves_like 'project finder'
+      context 'with an invalid PATH' do
+        let(:non_existing_id) { 'undefined' } # path without slash
+        it_behaves_like 'project finder'
+        it 'does not hit the database' do
+          expect(Project).not_to receive(:find_by_full_path)
+          expect(subject).to receive(:render_api_error!).with('404 Project Not Found', 404)
+          subject.find_project!(non_existing_id)
+        end
+      end
+    end
+  end
  describe '#find_namespace' do
    let(:namespace) { create(:namespace) }
@@ -191,6 +246,49 @@ RSpec.describe API::Helpers do
    it_behaves_like 'user namespace finder'
  end
+  describe '#authorized_project_scope?' do
+    let_it_be(:project) { create(:project) }
+    let_it_be(:other_project) { create(:project) }
+    let_it_be(:job) { create(:ci_build) }
+    let(:send_authorized_project_scope) { subject.authorized_project_scope?(project) }
+    where(:job_token_authentication, :route_setting, :feature_flag, :same_job_project, :expected_result) do
+      false | false | false | false | true
+      false | false | false | true  | true
+      false | false | true  | false | true
+      false | false | true  | true  | true
+      false | true  | false | false | true
+      false | true  | false | true  | true
+      false | true  | true  | false | true
+      false | true  | true  | true  | true
+      true  | false | false | false | true
+      true  | false | false | true  | true
+      true  | false | true  | false | true
+      true  | false | true  | true  | true
+      true  | true  | false | false | false
+      true  | true  | false | true  | false
+      true  | true  | true  | false | false
+      true  | true  | true  | true  | true
+    end
+    with_them do
+      before do
+        allow(subject).to receive(:job_token_authentication?).and_return(job_token_authentication)
+        allow(subject).to receive(:route_authentication_setting).and_return(job_token_scope: route_setting ? :project : nil)
+        allow(subject).to receive(:current_authenticated_job).and_return(job)
+        allow(job).to receive(:project).and_return(same_job_project ? project : other_project)
+        stub_feature_flags(ci_job_token_scope: false)
+        stub_feature_flags(ci_job_token_scope: project) if feature_flag
+      end
+      it 'returns the expected result' do
+        expect(send_authorized_project_scope).to eq(expected_result)
+      end
+    end
+  end
  describe '#send_git_blob' do
    let(:repository) { double }
    let(:blob) { double(name: 'foobar') }

--- a/spec/requests/api/project_container_repositories_spec.rb
+++ b/spec/requests/api/project_container_repositories_spec.rb
@@ -6,12 +6,14 @@ RSpec.describe API::ProjectContainerRepositories do
  include ExclusiveLeaseHelpers
  let_it_be(:project) { create(:project, :private) }
+  let_it_be(:project2) { create(:project, :public) }
  let_it_be(:maintainer) { create(:user) }
  let_it_be(:developer) { create(:user) }
  let_it_be(:reporter) { create(:user) }
  let_it_be(:guest) { create(:user) }
  let(:root_repository) { create(:container_repository, :root, project: project) }
  let(:test_repository) { create(:container_repository, project: project) }
+  let(:root_repository2) { create(:container_repository, :root, project: project2) }
  let(:users) do
    {
@@ -24,315 +26,408 @@ RSpec.describe API::ProjectContainerRepositories do
  end
  let(:api_user) { maintainer }
+  let(:job) { create(:ci_build, :running, user: api_user, project: project) }
+  let(:job2) { create(:ci_build, :running, user: api_user, project: project2) }
-  before do
+  let(:method) { :get }
+  let(:params) { {} }
+  before_all do
    project.add_maintainer(maintainer)
    project.add_developer(developer)
    project.add_reporter(reporter)
    project.add_guest(guest)
-    stub_container_registry_config(enabled: true)
+    project2.add_maintainer(maintainer)
+    project2.add_developer(developer)
+    project2.add_reporter(reporter)
+    project2.add_guest(guest)
+  end
+  before do
    root_repository
    test_repository
-  end
-  describe 'GET /projects/:id/registry/repositories' do
+    stub_container_registry_config(enabled: true)
-    let(:url) { "/projects/#{project.id}/registry/repositories" }
+  end
-    subject { get api(url, api_user) }
-    it_behaves_like 'rejected container repository access', :guest, :forbidden
+  shared_context 'using API user' do
-    it_behaves_like 'rejected container repository access', :anonymous, :not_found
+    subject { public_send(method, api(url, api_user), params: params) }
-    it_behaves_like 'a package tracking event', described_class.name, 'list_repositories'
+  end
-    it_behaves_like 'returns repositories for allowed users', :reporter, 'project' do
+  shared_context 'using job token' do
-      let(:object) { project }
+    before do
+      stub_exclusive_lease
+      stub_feature_flags(ci_job_token_scope: true)
    end
+    subject { public_send(method, api(url), params: params.merge({ job_token: job.token })) }
  end
-  describe 'DELETE /projects/:id/registry/repositories/:repository_id' do
+  shared_context 'using job token from another project' do
-    subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}", api_user) }
+    before do
+      stub_exclusive_lease
+      stub_feature_flags(ci_job_token_scope: true)
+    end
-    it_behaves_like 'rejected container repository access', :developer, :forbidden
+    subject { public_send(method, api(url), params: { job_token: job2.token }) }
-    it_behaves_like 'rejected container repository access', :anonymous, :not_found
+  end
-    it_behaves_like 'a package tracking event', described_class.name, 'delete_repository'
-    context 'for maintainer' do
+  shared_context 'using job token while ci_job_token_scope feature flag is disabled' do
-      let(:api_user) { maintainer }
+    before do
+      stub_exclusive_lease
+      stub_feature_flags(ci_job_token_scope: false)
+    end
-      it 'schedules removal of repository' do
+    subject { public_send(method, api(url), params: params.merge({ job_token: job.token })) }
-        expect(DeleteContainerRepositoryWorker).to receive(:perform_async)
+  end
-          .with(maintainer.id, root_repository.id)
-        subject
+  shared_examples 'rejected job token scopes' do
+    include_context 'using job token from another project' do
+      it_behaves_like 'rejected container repository access', :maintainer, :forbidden
+    end
-        expect(response).to have_gitlab_http_status(:accepted)
+    include_context 'using job token while ci_job_token_scope feature flag is disabled' do
-      end
+      it_behaves_like 'rejected container repository access', :maintainer, :forbidden
    end
  end
-  describe 'GET /projects/:id/registry/repositories/:repository_id/tags' do
+  describe 'GET /projects/:id/registry/repositories' do
-    subject { get api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags", api_user) }
+    let(:url) { "/projects/#{project.id}/registry/repositories" }
-    it_behaves_like 'rejected container repository access', :guest, :forbidden
-    it_behaves_like 'rejected container repository access', :anonymous, :not_found
-    context 'for reporter' do
-      let(:api_user) { reporter }
-      before do
-        stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA latest))
-      end
-      it_behaves_like 'a package tracking event', described_class.name, 'list_tags'
-      it 'returns a list of tags' do
-        subject
-        expect(json_response.length).to eq(2)
+    ['using API user', 'using job token'].each do |context|
-        expect(json_response.map { |repository| repository['name'] }).to eq %w(latest rootA)
+      context context do
-      end
+        include_context context
-      it 'returns a matching schema' do
+        it_behaves_like 'rejected container repository access', :guest, :forbidden unless context == 'using job token'
-        subject
+        it_behaves_like 'rejected container repository access', :anonymous, :not_found
+        it_behaves_like 'a package tracking event', described_class.name, 'list_repositories'
-        expect(response).to have_gitlab_http_status(:ok)
+        it_behaves_like 'returns repositories for allowed users', :reporter, 'project' do
-        expect(response).to match_response_schema('registry/tags')
+          let(:object) { project }
+        end
      end
    end
+    include_examples 'rejected job token scopes'
  end
-  describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags' do
+  describe 'DELETE /projects/:id/registry/repositories/:repository_id' do
-    subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags", api_user), params: params }
+    let(:method) { :delete }
+    let(:url) { "/projects/#{project.id}/registry/repositories/#{root_repository.id}" }
-    context 'disallowed' do
+    ['using API user', 'using job token'].each do |context|
-      let(:params) do
+      context context do
-        { name_regex_delete: 'v10.*' }
+        include_context context
-      end
-      it_behaves_like 'rejected container repository access', :developer, :forbidden
+        it_behaves_like 'rejected container repository access', :developer, :forbidden
-      it_behaves_like 'rejected container repository access', :anonymous, :not_found
+        it_behaves_like 'rejected container repository access', :anonymous, :not_found
-      it_behaves_like 'a package tracking event', described_class.name, 'delete_tag_bulk'
+        it_behaves_like 'a package tracking event', described_class.name, 'delete_repository'
-    end
-    context 'for maintainer' do
+        context 'for maintainer' do
-      let(:api_user) { maintainer }
+          let(:api_user) { maintainer }
-      context 'without required parameters' do
+          it 'schedules removal of repository' do
-        let(:params) { }
+            expect(DeleteContainerRepositoryWorker).to receive(:perform_async)
+              .with(maintainer.id, root_repository.id)
-        it 'returns bad request' do
+            subject
-          subject
-          expect(response).to have_gitlab_http_status(:bad_request)
+            expect(response).to have_gitlab_http_status(:accepted)
+          end
        end
      end
+    end
-      context 'without name_regex' do
+    include_examples 'rejected job token scopes'
-        let(:params) do
+  end
-          { keep_n: 100,
-            older_than: '1 day',
-            other: 'some value' }
-        end
-        it 'returns bad request' do
-          subject
-          expect(response).to have_gitlab_http_status(:bad_request)
-        end
-      end
-      context 'passes all declared parameters' do
+  describe 'GET /projects/:id/registry/repositories/:repository_id/tags' do
-        let(:params) do
+    let(:url) { "/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags" }
-          { name_regex_delete: 'v10.*',
-            name_regex_keep: 'v10.1.*',
-            keep_n: 100,
-            older_than: '1 day',
-            other: 'some value' }
-        end
-        let(:worker_params) do
+    ['using API user', 'using job token'].each do |context|
-          { name_regex: nil,
+      context context do
-            name_regex_delete: 'v10.*',
+        include_context context
-            name_regex_keep: 'v10.1.*',
-            keep_n: 100,
-            older_than: '1 day',
-            container_expiration_policy: false }
-        end
-        let(:lease_key) { "container_repository:cleanup_tags:#{root_repository.id}" }
+        it_behaves_like 'rejected container repository access', :guest, :forbidden unless context == 'using job token'
+        it_behaves_like 'rejected container repository access', :anonymous, :not_found
-        it 'schedules cleanup of tags repository' do
+        context 'for reporter' do
-          stub_last_activity_update
+          let(:api_user) { reporter }
-          stub_exclusive_lease(lease_key, timeout: 1.hour)
-          expect(CleanupContainerRepositoryWorker).to receive(:perform_async)
-            .with(maintainer.id, root_repository.id, worker_params)
-          subject
+          before do
+            stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA latest))
+          end
-          expect(response).to have_gitlab_http_status(:accepted)
+          it_behaves_like 'a package tracking event', described_class.name, 'list_tags'
-        end
-        context 'called multiple times in one hour', :clean_gitlab_redis_shared_state do
+          it 'returns a list of tags' do
-          it 'returns 400 with an error message' do
-            stub_exclusive_lease_taken(lease_key, timeout: 1.hour)
            subject
-            expect(response).to have_gitlab_http_status(:bad_request)
+            expect(json_response.length).to eq(2)
-            expect(response.body).to include('This request has already been made.')
+            expect(json_response.map { |repository| repository['name'] }).to eq %w(latest rootA)
          end
-          it 'executes service only for the first time' do
+          it 'returns a matching schema' do
-            expect(CleanupContainerRepositoryWorker).to receive(:perform_async).once
+            subject
-            2.times { subject }
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response).to match_response_schema('registry/tags')
          end
        end
      end
+    end
-      context 'with deprecated name_regex param' do
+    include_examples 'rejected job token scopes'
-        let(:params) do
+  end
-          { name_regex: 'v10.*',
-            name_regex_keep: 'v10.1.*',
-            keep_n: 100,
-            older_than: '1 day',
-            other: 'some value' }
-        end
-        let(:worker_params) do
-          { name_regex: 'v10.*',
-            name_regex_delete: nil,
-            name_regex_keep: 'v10.1.*',
-            keep_n: 100,
-            older_than: '1 day',
-            container_expiration_policy: false }
-        end
-        let(:lease_key) { "container_repository:cleanup_tags:#{root_repository.id}" }
+  describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags' do
+    let(:method) { :delete }
+    let(:url) { "/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags" }
-        it 'schedules cleanup of tags repository' do
+    ['using API user', 'using job token'].each do |context|
-          stub_last_activity_update
+      context context do
-          stub_exclusive_lease(lease_key, timeout: 1.hour)
+        include_context context
-          expect(CleanupContainerRepositoryWorker).to receive(:perform_async)
-            .with(maintainer.id, root_repository.id, worker_params)
-          subject
+        context 'disallowed' do
+          let(:params) do
+            { name_regex_delete: 'v10.*' }
+          end
-          expect(response).to have_gitlab_http_status(:accepted)
+          it_behaves_like 'rejected container repository access', :developer, :forbidden
+          it_behaves_like 'rejected container repository access', :anonymous, :not_found
+          it_behaves_like 'a package tracking event', described_class.name, 'delete_tag_bulk'
        end
-      end
-      context 'with invalid regex' do
+        context 'for maintainer' do
-        let(:invalid_regex) { '*v10.' }
+          let(:api_user) { maintainer }
-        let(:lease_key) { "container_repository:cleanup_tags:#{root_repository.id}" }
-        RSpec.shared_examples 'rejecting the invalid regex' do |param_name|
+          context 'without required parameters' do
-          it 'does not enqueue a job' do
+            it 'returns bad request' do
-            expect(CleanupContainerRepositoryWorker).not_to receive(:perform_async)
+              subject
-            subject
+              expect(response).to have_gitlab_http_status(:bad_request)
+            end
          end
-          it_behaves_like 'returning response status', :bad_request
+          context 'without name_regex' do
+            let(:params) do
+              { keep_n: 100,
+                older_than: '1 day',
+                other: 'some value' }
+            end
-          it 'returns an error message' do
+            it 'returns bad request' do
-            subject
+              subject
-            expect(json_response['error']).to include("#{param_name} is an invalid regexp")
+              expect(response).to have_gitlab_http_status(:bad_request)
+            end
          end
-        end
-        before do
+          context 'passes all declared parameters' do
-          stub_last_activity_update
+            let(:params) do
-          stub_exclusive_lease(lease_key, timeout: 1.hour)
+              { name_regex_delete: 'v10.*',
-        end
+                name_regex_keep: 'v10.1.*',
+                keep_n: 100,
+                older_than: '1 day',
+                other: 'some value' }
+            end
+            let(:worker_params) do
+              { name_regex: nil,
+                name_regex_delete: 'v10.*',
+                name_regex_keep: 'v10.1.*',
+                keep_n: 100,
+                older_than: '1 day',
+                container_expiration_policy: false }
+            end
+            let(:lease_key) { "container_repository:cleanup_tags:#{root_repository.id}" }
+            it 'schedules cleanup of tags repository' do
+              stub_last_activity_update
+              expect(CleanupContainerRepositoryWorker).to receive(:perform_async)
+                .with(maintainer.id, root_repository.id, worker_params)
+              subject
+              expect(response).to have_gitlab_http_status(:accepted)
+            end
+            context 'called multiple times in one hour', :clean_gitlab_redis_shared_state do
+              it 'returns 400 with an error message' do
+                stub_exclusive_lease_taken(lease_key, timeout: 1.hour)
+                subject
+                expect(response).to have_gitlab_http_status(:bad_request)
+                expect(response.body).to include('This request has already been made.')
+              end
+              it 'executes service only for the first time' do
+                expect(CleanupContainerRepositoryWorker).to receive(:perform_async).once
+                2.times { subject }
+              end
+            end
+          end
+          context 'with deprecated name_regex param' do
+            let(:params) do
+              { name_regex: 'v10.*',
+                name_regex_keep: 'v10.1.*',
+                keep_n: 100,
+                older_than: '1 day',
+                other: 'some value' }
+            end
+            let(:worker_params) do
+              { name_regex: 'v10.*',
+                name_regex_delete: nil,
+                name_regex_keep: 'v10.1.*',
+                keep_n: 100,
+                older_than: '1 day',
+                container_expiration_policy: false }
+            end
+            it 'schedules cleanup of tags repository' do
+              stub_last_activity_update
+              expect(CleanupContainerRepositoryWorker).to receive(:perform_async)
+                .with(maintainer.id, root_repository.id, worker_params)
+              subject
+              expect(response).to have_gitlab_http_status(:accepted)
+            end
+          end
+          context 'with invalid regex' do
+            let(:invalid_regex) { '*v10.' }
+            RSpec.shared_examples 'rejecting the invalid regex' do |param_name|
+              it 'does not enqueue a job' do
+                expect(CleanupContainerRepositoryWorker).not_to receive(:perform_async)
+                subject
+              end
-        %i[name_regex_delete name_regex name_regex_keep].each do |param_name|
+              it_behaves_like 'returning response status', :bad_request
-          context "for #{param_name}" do
-            let(:params) { { param_name => invalid_regex } }
-            it_behaves_like 'rejecting the invalid regex', param_name
+              it 'returns an error message' do
+                subject
+                expect(json_response['error']).to include("#{param_name} is an invalid regexp")
+              end
+            end
+            before do
+              stub_last_activity_update
+            end
+            %i[name_regex_delete name_regex name_regex_keep].each do |param_name|
+              context "for #{param_name}" do
+                let(:params) { { param_name => invalid_regex } }
+                it_behaves_like 'rejecting the invalid regex', param_name
+              end
+            end
          end
        end
      end
    end
+    include_examples 'rejected job token scopes'
  end
  describe 'GET /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
-    subject { get api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
+    let(:url) { "/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA" }
-    it_behaves_like 'rejected container repository access', :guest, :forbidden
+    ['using API user', 'using job token'].each do |context|
-    it_behaves_like 'rejected container repository access', :anonymous, :not_found
+      context context do
+        include_context context
-    context 'for reporter' do
+        it_behaves_like 'rejected container repository access', :guest, :forbidden unless context == 'using job token'
-      let(:api_user) { reporter }
+        it_behaves_like 'rejected container repository access', :anonymous, :not_found
-      before do
+        context 'for reporter' do
-        stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
+          let(:api_user) { reporter }
-      end
-      it 'returns a details of tag' do
+          before do
-        subject
+            stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
+          end
-        expect(json_response).to include(
+          it 'returns a details of tag' do
-          'name' => 'rootA',
+            subject
-          'digest' => 'sha256:4c8e63ca4cb663ce6c688cb06f1c372b088dac5b6d7ad7d49cd620d85cf72a15',
-          'revision' => 'd7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac',
+            expect(json_response).to include(
-          'total_size' => 2319870)
+              'name' => 'rootA',
-      end
+              'digest' => 'sha256:4c8e63ca4cb663ce6c688cb06f1c372b088dac5b6d7ad7d49cd620d85cf72a15',
+              'revision' => 'd7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac',
+              'total_size' => 2319870)
+          end
-      it 'returns a matching schema' do
+          it 'returns a matching schema' do
-        subject
+            subject
-        expect(response).to have_gitlab_http_status(:ok)
+            expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to match_response_schema('registry/tag')
+            expect(response).to match_response_schema('registry/tag')
+          end
+        end
      end
    end
+    include_examples 'rejected job token scopes'
  end
  describe 'DELETE /projects/:id/registry/repositories/:repository_id/tags/:tag_name' do
+    let(:method) { :delete }
+    let(:url) { "/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA" }
    let(:service) { double('service') }
-    subject { delete api("/projects/#{project.id}/registry/repositories/#{root_repository.id}/tags/rootA", api_user) }
+    ['using API user', 'using job token'].each do |context|
+      context context do
+        include_context context
-    it_behaves_like 'rejected container repository access', :reporter, :forbidden
+        it_behaves_like 'rejected container repository access', :reporter, :forbidden
-    it_behaves_like 'rejected container repository access', :anonymous, :not_found
+        it_behaves_like 'rejected container repository access', :anonymous, :not_found
-    context 'for developer', :snowplow do
+        context 'for developer', :snowplow do
-      let(:api_user) { developer }
+          let(:api_user) { developer }
-      context 'when there are multiple tags' do
+          context 'when there are multiple tags' do
-        before do
+            before do
-          stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA rootB), with_manifest: true)
+              stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA rootB), with_manifest: true)
-        end
+            end
-        it 'properly removes tag' do
+            it 'properly removes tag' do
-          expect(service).to receive(:execute).with(root_repository) { { status: :success } }
+              expect(service).to receive(:execute).with(root_repository) { { status: :success } }
-          expect(Projects::ContainerRepository::DeleteTagsService).to receive(:new).with(root_repository.project, api_user, tags: %w[rootA]) { service }
+              expect(Projects::ContainerRepository::DeleteTagsService).to receive(:new).with(root_repository.project, api_user, tags: %w[rootA]) { service }
-          subject
+              subject
-          expect(response).to have_gitlab_http_status(:ok)
+              expect(response).to have_gitlab_http_status(:ok)
-          expect_snowplow_event(category: described_class.name, action: 'delete_tag')
+              expect_snowplow_event(category: described_class.name, action: 'delete_tag')
-        end
+            end
-      end
+          end
-      context 'when there\'s only one tag' do
+          context 'when there\'s only one tag' do
-        before do
+            before do
-          stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
+              stub_container_registry_tags(repository: root_repository.path, tags: %w(rootA), with_manifest: true)
-        end
+            end
-        it 'properly removes tag' do
+            it 'properly removes tag' do
-          expect(service).to receive(:execute).with(root_repository) { { status: :success } }
+              expect(service).to receive(:execute).with(root_repository) { { status: :success } }
-          expect(Projects::ContainerRepository::DeleteTagsService).to receive(:new).with(root_repository.project, api_user, tags: %w[rootA]) { service }
+              expect(Projects::ContainerRepository::DeleteTagsService).to receive(:new).with(root_repository.project, api_user, tags: %w[rootA]) { service }
-          subject
+              subject
-          expect(response).to have_gitlab_http_status(:ok)
+              expect(response).to have_gitlab_http_status(:ok)
-          expect_snowplow_event(category: described_class.name, action: 'delete_tag')
+              expect_snowplow_event(category: described_class.name, action: 'delete_tag')
+            end
+          end
        end
      end
    end
+    include_examples 'rejected job token scopes'
  end
 end