Commit eed5c58d authored by Kamil Trzcinski's avatar Kamil Trzcinski

Verify permission of build in context of dependent project

parent e3a422c2
...@@ -14,6 +14,8 @@ describe 'Git LFS API and storage' do ...@@ -14,6 +14,8 @@ describe 'Git LFS API and storage' do
end end
let(:authorization) { } let(:authorization) { }
let(:sendfile) { } let(:sendfile) { }
let(:pipeline) { create(:ci_empty_pipeline, project: project) }
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
let(:sample_oid) { lfs_object.oid } let(:sample_oid) { lfs_object.oid }
let(:sample_size) { lfs_object.size } let(:sample_size) { lfs_object.size }
...@@ -244,7 +246,7 @@ describe 'Git LFS API and storage' do ...@@ -244,7 +246,7 @@ describe 'Git LFS API and storage' do
end end
end end
context 'when CI is authorized' do context 'when build is authorized' do
let(:authorization) { authorize_ci_project } let(:authorization) { authorize_ci_project }
let(:update_permissions) do let(:update_permissions) do
...@@ -897,8 +899,6 @@ describe 'Git LFS API and storage' do ...@@ -897,8 +899,6 @@ describe 'Git LFS API and storage' do
end end
def authorize_ci_project def authorize_ci_project
pipeline = create(:ci_empty_pipeline, project: project)
build = create(:ci_build, :running, pipeline: pipeline)
ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token) ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
end end
......
...@@ -195,8 +195,9 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -195,8 +195,9 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
end end
end end
context 'project authorization' do context 'build authorized as user' do
let(:current_project) { create(:empty_project) } let(:current_project) { create(:empty_project) }
let(:current_user) { create(:user) }
let(:capabilities) do let(:capabilities) do
[ [
:build_read_container_image, :build_read_container_image,
...@@ -204,10 +205,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -204,10 +205,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
] ]
end end
context 'allow to use scope-less authentication' do before do
it_behaves_like 'a valid token' current_project.team << [current_user, :developer]
end end
it_behaves_like 'a valid token'
context 'allow to pull and push images' do context 'allow to pull and push images' do
let(:current_params) do let(:current_params) do
{ scope: "repository:#{current_project.path_with_namespace}:pull,push" } { scope: "repository:#{current_project.path_with_namespace}:pull,push" }
...@@ -226,12 +229,34 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -226,12 +229,34 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'allow for public' do context 'allow for public' do
let(:project) { create(:empty_project, :public) } let(:project) { create(:empty_project, :public) }
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
end end
context 'disallow for private' do shared_examples 'pullable for being team member' do
context 'when you are not member' do
it_behaves_like 'an inaccessible'
end
context 'when you are member' do
before do
project.team << [current_user, :developer]
end
it_behaves_like 'a pullable'
end
end
context 'for private' do
let(:project) { create(:empty_project, :private) } let(:project) { create(:empty_project, :private) }
it_behaves_like 'an inaccessible'
it_behaves_like 'pullable for being team member'
context 'when you are admin' do
let(:current_user) { create(:admin) }
it_behaves_like 'pullable for being team member'
end
end end
end end
...@@ -242,6 +267,11 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -242,6 +267,11 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'disallow for all' do context 'disallow for all' do
let(:project) { create(:empty_project, :public) } let(:project) { create(:empty_project, :public) }
before do
project.team << [current_user, :developer]
end
it_behaves_like 'an inaccessible' it_behaves_like 'an inaccessible'
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment