Commit 781fbfe0 authored by David Kim's avatar David Kim

Merge branch '18792-update-specs' into 'master'

Add specs for private container registry

See merge request gitlab-org/gitlab!65831
parents af4c94c7 f0a875f5
......@@ -26,6 +26,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
expect(policy_project.protected_branches.first.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER])
expect(policy_project.protected_branches.first.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::NO_ACCESS])
expect(policy_project.team.developers).to contain_exactly(maintainer)
expect(policy_project.container_registry_access_level).to eq(ProjectFeature::DISABLED)
end
end
......
......@@ -9,12 +9,12 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
let_it_be(:project, reload: true) { create(:project, namespace: user.namespace) }
let(:container_registry_enabled) { true }
let(:container_registry_enabled_on_project) { true }
let(:container_registry_enabled_on_project) { ProjectFeature::ENABLED }
subject { visit project_settings_packages_and_registries_path(project) }
before do
project.update!(container_registry_enabled: container_registry_enabled_on_project)
project.project_feature.update!(container_registry_access_level: container_registry_enabled_on_project)
project.container_expiration_policy.update!(enabled: true)
sign_in(user)
......@@ -104,7 +104,7 @@ RSpec.describe 'Project > Settings > CI/CD > Container registry tag expiration p
end
context 'when container registry is disabled on project' do
let(:container_registry_enabled_on_project) { false }
let(:container_registry_enabled_on_project) { ProjectFeature::DISABLED }
it 'does not exists' do
subject
......
......@@ -3151,6 +3151,17 @@ RSpec.describe Ci::Build do
end
context 'when container registry is enabled' do
let_it_be_with_reload(:project) { create(:project, :public, :repository, group: group) }
let_it_be_with_reload(:pipeline) do
create(:ci_pipeline, project: project,
sha: project.commit.id,
ref: project.default_branch,
status: 'success')
end
let_it_be_with_refind(:build) { create(:ci_build, pipeline: pipeline) }
let(:container_registry_enabled) { true }
let(:ci_registry) do
{ key: 'CI_REGISTRY', value: 'registry.example.com', public: true, masked: false }
......@@ -3162,7 +3173,7 @@ RSpec.describe Ci::Build do
context 'and is disabled for project' do
before do
project.update!(container_registry_enabled: false)
project.project_feature.update_column(:container_registry_access_level, ProjectFeature::DISABLED)
end
it { is_expected.to include(ci_registry) }
......@@ -3171,7 +3182,16 @@ RSpec.describe Ci::Build do
context 'and is enabled for project' do
before do
project.update!(container_registry_enabled: true)
project.project_feature.update_column(:container_registry_access_level, ProjectFeature::ENABLED)
end
it { is_expected.to include(ci_registry) }
it { is_expected.to include(ci_registry_image) }
end
context 'and is private for project' do
before do
project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
end
it { is_expected.to include(ci_registry) }
......
......@@ -203,9 +203,7 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
context 'for private project' do
let_it_be(:project) { create(:project) }
shared_examples 'private project' do
context 'allow to use scope-less authentication' do
it_behaves_like 'a valid token'
end
......@@ -345,8 +343,20 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
context 'for public project' do
let_it_be(:project) { create(:project, :public) }
context 'for private project' do
let_it_be_with_reload(:project) { create(:project) }
it_behaves_like 'private project'
end
context 'for public project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
it_behaves_like 'private project'
end
context 'for public project with container_registry `enabled`' do
let_it_be(:project) { create(:project, :public, :container_registry_enabled) }
context 'allow anyone to pull images' do
let(:current_params) do
......@@ -394,8 +404,8 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
context 'for internal project' do
let_it_be(:project) { create(:project, :internal) }
context 'for internal project with container_registry `enabled`' do
let_it_be(:project) { create(:project, :internal, :container_registry_enabled) }
context 'for internal user' do
context 'allow anyone to pull images' do
......@@ -470,6 +480,12 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
end
context 'for internal project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :internal, :container_registry_private) }
it_behaves_like 'private project'
end
end
context 'delete authorized as maintainer' do
......@@ -630,12 +646,8 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
context 'for project with private container registry' do
let_it_be(:project, reload: true) { create(:project, :public) }
before do
project.project_feature.update!(container_registry_access_level: ProjectFeature::PRIVATE)
end
context 'for public project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
it_behaves_like 'pullable for being team member'
......@@ -675,11 +687,7 @@ RSpec.shared_examples 'a container registry auth service' do
end
context 'for project without container registry' do
let_it_be(:project) { create(:project, :public, container_registry_enabled: false) }
before do
project.update!(container_registry_enabled: false)
end
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_disabled) }
context 'disallow when pulling' do
let(:current_params) do
......@@ -719,12 +727,16 @@ RSpec.shared_examples 'a container registry auth service' do
context 'support for multiple scopes' do
let_it_be(:internal_project) { create(:project, :internal) }
let_it_be(:private_project) { create(:project, :private) }
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:public_project_private_container_registry) { create(:project, :public, :container_registry_private) }
let(:current_params) do
{
scopes: [
"repository:#{internal_project.full_path}:pull",
"repository:#{private_project.full_path}:pull"
"repository:#{private_project.full_path}:pull",
"repository:#{public_project.full_path}:pull",
"repository:#{public_project_private_container_registry.full_path}:pull"
]
}
end
......@@ -744,13 +756,19 @@ RSpec.shared_examples 'a container registry auth service' do
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => private_project.full_path,
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => public_project.full_path,
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => public_project_private_container_registry.full_path,
'actions' => ['pull'] }
]
end
end
end
context 'user only has access to internal project' do
context 'user only has access to internal and public projects' do
let_it_be(:current_user) { create(:user) }
it_behaves_like 'a browsable' do
......@@ -758,16 +776,35 @@ RSpec.shared_examples 'a container registry auth service' do
[
{ 'type' => 'repository',
'name' => internal_project.full_path,
'actions' => ['pull'] },
{ 'type' => 'repository',
'name' => public_project.full_path,
'actions' => ['pull'] }
]
end
end
end
context 'anonymous access is rejected' do
context 'anonymous user has access only to public project' do
let(:current_user) { nil }
it_behaves_like 'a forbidden'
it_behaves_like 'a browsable' do
let(:access) do
[
{ 'type' => 'repository',
'name' => public_project.full_path,
'actions' => ['pull'] }
]
end
end
context 'with no public container registry' do
before do
public_project.project_feature.update_column(:container_registry_access_level, ProjectFeature::PRIVATE)
end
it_behaves_like 'a forbidden'
end
end
end
......@@ -796,8 +833,8 @@ RSpec.shared_examples 'a container registry auth service' do
it_behaves_like 'a forbidden'
end
context 'for public project' do
let_it_be(:project) { create(:project, :public) }
context 'for public project with container registry `enabled`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
context 'when pulling and pushing' do
let(:current_params) do
......@@ -818,6 +855,19 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
context 'for public project with container registry `private`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling and pushing' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull,push"] }
end
it_behaves_like 'a forbidden'
it_behaves_like 'not a container repository factory'
end
end
context 'for registry catalog' do
let(:current_params) do
{ scopes: ["registry:catalog:*"] }
......@@ -898,6 +948,24 @@ RSpec.shared_examples 'a container registry auth service' do
it_behaves_like 'able to login'
end
context 'for public project with private container registry' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling' do
it_behaves_like 'a pullable'
end
context 'when pushing' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:push"], deploy_token: deploy_token }
end
it_behaves_like 'a pushable'
end
it_behaves_like 'able to login'
end
end
context 'when deploy token does not have read_registry scope' do
......@@ -919,8 +987,8 @@ RSpec.shared_examples 'a container registry auth service' do
end
end
context 'for public project' do
let_it_be(:project) { create(:project, :public) }
context 'for public project with container registry `enabled`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
context 'when pulling' do
it_behaves_like 'a pullable'
......@@ -929,6 +997,16 @@ RSpec.shared_examples 'a container registry auth service' do
it_behaves_like 'unable to login'
end
context 'for public project with container registry `private`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
end
it_behaves_like 'unable to login'
end
context 'for internal project' do
let_it_be(:project) { create(:project, :internal) }
......@@ -960,14 +1038,22 @@ RSpec.shared_examples 'a container registry auth service' do
context 'when deploy token is not related to the project' do
let_it_be(:deploy_token) { create(:deploy_token, read_registry: false) }
context 'for public project' do
let_it_be(:project) { create(:project, :public) }
context 'for public project with container registry `enabled`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_enabled) }
context 'when pulling' do
it_behaves_like 'a pullable'
end
end
context 'for public project with container registry `private`' do
let_it_be_with_reload(:project) { create(:project, :public, :container_registry_private) }
context 'when pulling' do
it_behaves_like 'an inaccessible'
end
end
context 'for internal project' do
let_it_be(:project) { create(:project, :internal) }
......@@ -988,12 +1074,18 @@ RSpec.shared_examples 'a container registry auth service' do
context 'when deploy token has been revoked' do
let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) }
context 'for public project' do
let_it_be(:project) { create(:project, :public) }
context 'for public project with container registry `enabled`' do
let_it_be(:project) { create(:project, :public, :container_registry_enabled) }
it_behaves_like 'a pullable'
end
context 'for public project with container registry `private`' do
let_it_be(:project) { create(:project, :public, :container_registry_private) }
it_behaves_like 'an inaccessible'
end
context 'for internal project' do
let_it_be(:project) { create(:project, :internal) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment