registry auth tests: test more access types

auth/permissions.py

@@ -66,6 +66,10 @@ def repository_write_grant(namespace, repository):
   return _RepositoryNeed(namespace, repository, 'write')
 
 
+def repository_admin_grant(namespace, repository):
+  return _RepositoryNeed(namespace, repository, 'admin')
+
+
 class QuayDeferredPermissionUser(Identity):
   def __init__(self, uuid, auth_type, auth_scopes, user=None):
     super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)

auth/registry_jwt_auth.py

@@ -8,7 +8,7 @@ from flask_principal import identity_changed, Identity
 
 from app import app, get_app_url, instance_keys
 from .auth_context import set_grant_context, get_grant_context
-from .permissions import repository_read_grant, repository_write_grant
+from .permissions import repository_read_grant, repository_write_grant, repository_admin_grant
 from util.names import parse_namespace_repository
 from util.http import abort
 from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_header,
@@ -50,6 +50,7 @@ ACCESS_SCHEMA = {
           'enum': [
             'push',
             'pull',
+            '*',
           ],
         },
       },
@@ -165,7 +166,9 @@ def identity_from_bearer_token(bearer_header):
     for grant in payload['access']:
       namespace, repo_name = parse_namespace_repository(grant['name'], lib_namespace)
 
-      if 'push' in grant['actions']:
+      if '*' in grant['actions']:
+        loaded_identity.provides.add(repository_admin_grant(namespace, repo_name))
+      elif 'push' in grant['actions']:
         loaded_identity.provides.add(repository_write_grant(namespace, repo_name))
       elif 'pull' in grant['actions']:
         loaded_identity.provides.add(repository_read_grant(namespace, repo_name))