Verify permission of build in context of dependent project

eed5c58d · Kamil Trzcinski · e3a422c2 · eed5c58d · eed5c58d
Showing with 38 addition and 8 deletion

spec/requests/lfs_http_spec.rb spec/requests/lfs_http_spec.rb +3 -3

spec/services/auth/container_registry_authentication_service_spec.rb ...es/auth/container_registry_authentication_service_spec.rb +35 -5

未找到文件。
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -14,6 +14,8 @@ describe 'Git LFS API and storage' do
  end
  let(:authorization) { }
  let(:sendfile) { }
+  let(:pipeline) { create(:ci_empty_pipeline, project: project) }
+  let(:build) { create(:ci_build, :running, pipeline: pipeline) }

  let(:sample_oid) { lfs_object.oid }
  let(:sample_size) { lfs_object.size }
@@ -244,7 +246,7 @@ describe 'Git LFS API and storage' do
          end
        end

-        context 'when CI is authorized' do
+        context 'when build is authorized' do
          let(:authorization) { authorize_ci_project }

          let(:update_permissions) do
@@ -897,8 +899,6 @@ describe 'Git LFS API and storage' do
  end

  def authorize_ci_project
-    pipeline = create(:ci_empty_pipeline, project: project)
-    build = create(:ci_build, :running, pipeline: pipeline)
    ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
  end


--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -195,8 +195,9 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
    end
  end

-  context 'project authorization' do
+  context 'build authorized as user' do
    let(:current_project) { create(:empty_project) }
+    let(:current_user) { create(:user) }
    let(:capabilities) do
      [
        :build_read_container_image,
@@ -204,10 +205,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
      ]
    end

-    context 'allow to use scope-less authentication' do
-      it_behaves_like 'a valid token'
+    before do
+      current_project.team << [current_user, :developer]
    end

+    it_behaves_like 'a valid token'
+
    context 'allow to pull and push images' do
      let(:current_params) do
        { scope: "repository:#{current_project.path_with_namespace}:pull,push" }
@@ -226,12 +229,34 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do

        context 'allow for public' do
          let(:project) { create(:empty_project, :public) }
+
          it_behaves_like 'a pullable'
        end

-        context 'disallow for private' do
+        shared_examples 'pullable for being team member' do
+          context 'when you are not member' do
+            it_behaves_like 'an inaccessible'
+          end
+
+          context 'when you are member' do
+            before do
+              project.team << [current_user, :developer]
+            end
+
+            it_behaves_like 'a pullable'
+          end
+        end
+
+        context 'for private' do
          let(:project) { create(:empty_project, :private) }
-          it_behaves_like 'an inaccessible'
+
+          it_behaves_like 'pullable for being team member'
+
+          context 'when you are admin' do
+            let(:current_user) { create(:admin) }
+
+            it_behaves_like 'pullable for being team member'
+          end
        end
      end

@@ -242,6 +267,11 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do

        context 'disallow for all' do
          let(:project) { create(:empty_project, :public) }
+
+          before do
+            project.team << [current_user, :developer]
+          end
+
          it_behaves_like 'an inaccessible'
        end
      end