From eed5c58d8542cef8cc4012a303c9bb963b7f5f20 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Thu, 15 Sep 2016 16:36:39 +0200 Subject: [PATCH] Verify permission of build in context of dependent project --- spec/requests/lfs_http_spec.rb | 6 +-- ...er_registry_authentication_service_spec.rb | 40 ++++++++++++++++--- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb index 1ee3881b839..7bf43a03f23 100644 --- a/spec/requests/lfs_http_spec.rb +++ b/spec/requests/lfs_http_spec.rb @@ -14,6 +14,8 @@ describe 'Git LFS API and storage' do end let(:authorization) { } let(:sendfile) { } + let(:pipeline) { create(:ci_empty_pipeline, project: project) } + let(:build) { create(:ci_build, :running, pipeline: pipeline) } let(:sample_oid) { lfs_object.oid } let(:sample_size) { lfs_object.size } @@ -244,7 +246,7 @@ describe 'Git LFS API and storage' do end end - context 'when CI is authorized' do + context 'when build is authorized' do let(:authorization) { authorize_ci_project } let(:update_permissions) do @@ -897,8 +899,6 @@ describe 'Git LFS API and storage' do end def authorize_ci_project - pipeline = create(:ci_empty_pipeline, project: project) - build = create(:ci_build, :running, pipeline: pipeline) ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token) end diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb index 5f82fee43c6..2d39bd61b8f 100644 --- a/spec/services/auth/container_registry_authentication_service_spec.rb +++ b/spec/services/auth/container_registry_authentication_service_spec.rb 
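Review bot: The new top-level `let(:build) { create(:ci_build, :running, pipeline: pipeline) }` pins the build used by `authorize_ci_project` to `:running`, but nothing in the LFS hunks asserts the negative case, so the spec would still pass if the token of a finished or canceled build were accepted. If build-token authentication is meant to be valid only while the build runs (which the `:running` trait suggests but the hunk does not prove), add a sibling context that authorizes with the token of a non-running build, e.g. `let(:build) { create(:ci_build, :success, pipeline: pipeline) }` under `context 'when build is not running'`, and expects the request to be rejected. The `describe 'Git LFS API and storage'` block these `let`s live in starts and ends outside the hunk.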
@@ -195,8 +195,9 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do end end - context 'project authorization' do + context 'build authorized as user' do let(:current_project) { create(:empty_project) } + let(:current_user) { create(:user) } let(:capabilities) do [ :build_read_container_image, @@ -204,10 +205,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ] end - context 'allow to use scope-less authentication' do - it_behaves_like 'a valid token' + before do + current_project.team << [current_user, :developer] end + it_behaves_like 'a valid token' + context 'allow to pull and push images' do let(:current_params) do { scope: "repository:#{current_project.path_with_namespace}:pull,push" } @@ -226,12 +229,34 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do context 'allow for public' do let(:project) { create(:empty_project, :public) } + it_behaves_like 'a pullable' end - context 'disallow for private' do + shared_examples 'pullable for being team member' do + context 'when you are not member' do + it_behaves_like 'an inaccessible' + end + + context 'when you are member' do + before do + project.team << [current_user, :developer] + end + + it_behaves_like 'a pullable' + end + end + + context 'for private' do let(:project) { create(:empty_project, :private) } - it_behaves_like 'an inaccessible' + + it_behaves_like 'pullable for being team member' + + context 'when you are admin' do + let(:current_user) { create(:admin) } + + it_behaves_like 'pullable for being team member' + end end end @@ -242,6 +267,11 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do context 'disallow for all' do let(:project) { create(:empty_project, :public) } + + before do + project.team << [current_user, :developer] + end + it_behaves_like 'an inaccessible' end end -- GitLab
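Review bot: Replacing 'project authorization' with 'build authorized as user' and adding `let(:current_user) { create(:user) }` removes the only context that exercised a build with no associated user, unless a top-level `let(:current_user)` outside the hunk still covers it. A build created without a user is precisely the case where the new membership-based check has nothing to look up, so the service's answer there — presumably 'an inaccessible' for any project other than `current_project` — should be pinned by a test rather than left implicit. Consider keeping a `context 'build without user' do` with `let(:current_user) { nil }` that still expects 'a valid token' for `current_project` and 'an inaccessible' for another project. The enclosing `describe` starts and ends outside the hunk.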
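Review bot: The 'when you are admin' context at the end of the `@@ -226,12 +229,34 @@` hunk reuses 'pullable for being team member', so it asserts that an admin who is not a member of the private project is denied ('an inaccessible') when pulling through a build token — a deliberate least-privilege choice that a later reader may mistake for a copy-paste error. A one-line comment on that context would make the intent explicit, e.g. `# A build token never inherits admin rights: even an admin must be a member of the dependent project to pull from it.` If admins are instead meant to bypass membership, the context should use `it_behaves_like 'a pullable'` directly rather than the shared example. The enclosing context starts outside the hunk.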