Add support for deleting images in registry 2.7

eadee27a · Peter Bábics · 5c59ff3d · eadee27a · eadee27a
Commit eadee27a authored Mar 07, 2019 by Peter Bábics
2 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -116,7 +116,7 @@ module Auth
        build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
      when 'push'
        build_can_push?(requested_project) || user_can_push?(requested_project)
-      when '*'
+      when '*', 'delete'
        user_can_admin?(requested_project)
      else
        false

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -88,6 +88,12 @@ describe Auth::ContainerRegistryAuthenticationService do
    end
  end

+  shared_examples 'a deletable since registry 2.7' do
+    it_behaves_like 'an accessible' do
+      let(:actions) { ['delete'] }
+    end
+  end
+
  shared_examples 'a pullable' do
    it_behaves_like 'an accessible' do
      let(:actions) { ['pull'] }
@@ -184,6 +190,19 @@ describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'not a container repository factory'
      end

+      context 'disallow developer to delete images since registry 2.7' do
+        before do
+          project.add_developer(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
      context 'allow reporter to pull images' do
        before do
          project.add_reporter(current_user)
@@ -212,6 +231,19 @@ describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'not a container repository factory'
      end

+      context 'disallow reporter to delete images since registry 2.7' do
+        before do
+          project.add_reporter(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
      context 'return a least of privileges' do
        before do
          project.add_reporter(current_user)
@@ -250,6 +282,19 @@ describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'an inaccessible'
        it_behaves_like 'not a container repository factory'
      end
+
+      context 'disallow guest to delete images since regsitry 2.7' do
+        before do
+          project.add_guest(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
    end

    context 'for public project' do
@@ -282,6 +327,15 @@ describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'not a container repository factory'
      end

+      context 'disallow anyone to delete images since registry 2.7' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
      context 'when repository name is invalid' do
        let(:current_params) do
          { scopes: ['repository:invalid:push'] }
@@ -322,6 +376,15 @@ describe Auth::ContainerRegistryAuthenticationService do
          it_behaves_like 'an inaccessible'
          it_behaves_like 'not a container repository factory'
        end
+
+        context 'disallow anyone to delete images since registry 2.7' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:delete"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
      end

      context 'for external user' do
@@ -344,6 +407,16 @@ describe Auth::ContainerRegistryAuthenticationService do
          it_behaves_like 'an inaccessible'
          it_behaves_like 'not a container repository factory'
        end
+
+        context 'disallow anyone to delete images since registry 2.7' do
+          let(:current_user) { create(:user, external: true) }
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:delete"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
      end
    end
  end
@@ -371,6 +444,16 @@ describe Auth::ContainerRegistryAuthenticationService do
        let(:project) { current_project }
      end
    end
+
+    context 'allow to delete images since registry 2.7' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:delete"] }
+      end
+
+      it_behaves_like 'a deletable since registry 2.7' do
+        let(:project) { current_project }
+      end
+    end
  end

  context 'build authorized as user' do
@@ -419,6 +502,16 @@ describe Auth::ContainerRegistryAuthenticationService do
      end
    end

+    context 'disallow to delete images since registry 2.7' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:delete"] }
+      end
+
+      it_behaves_like 'an inaccessible' do
+        let(:project) { current_project }
+      end
+    end
+
    context 'for other projects' do
      context 'when pulling' do
        let(:current_params) do