Add endpoint security tests for the V2 endpoints

Fixes #581
2015-10-02 14:01:12 -04:00 · 2015-10-02 14:01:12 -04:00 · d0dc8fe45d
commit d0dc8fe45d
parent 1cf930eb9c
5 changed files with 416 additions and 64 deletions
--- a/test/specs.py
+++ b/test/specs.py
@ -1,22 +1,33 @@
 import json
+import hashlib

 from flask import url_for
 from uuid import uuid4
 from base64 import b64encode
+from util.names import parse_namespace_repository


 NO_REPO = None
-PUBLIC_REPO = 'public/publicrepo'
-PRIVATE_REPO = 'devtable/shared'
+PUBLIC = 'public'
+PUBLIC_REPO_NAME = 'publicrepo'
+PUBLIC_REPO = PUBLIC + '/' + PUBLIC_REPO_NAME
+
+PRIVATE = 'devtable'
+PRIVATE_REPO_NAME = 'shared'
+PRIVATE_REPO = PRIVATE + '/' + PRIVATE_REPO_NAME

 ORG = 'buynlarge'
 ORG_REPO = ORG + '/orgrepo'
+ORG_REPO_NAME = 'orgrepo'
 ORG_READERS = 'readers'
 ORG_OWNER = 'devtable'
 ORG_OWNERS = 'owners'
 ORG_READERS = 'readers'

+FAKE_MANIFEST = 'unknown_tag'
+FAKE_DIGEST = 'sha256:' + hashlib.sha256(str(uuid4())).hexdigest()
 FAKE_IMAGE_ID = str(uuid4())
+FAKE_UPLOAD_ID = str(uuid4())
 FAKE_TAG_NAME = str(uuid4())
 FAKE_USERNAME = str(uuid4())
 FAKE_TOKEN = str(uuid4())
@ -72,7 +83,7 @@ UPDATE_REPO_DETAILS = {
 }


-class IndexTestSpec(object):
+class IndexV1TestSpec(object):
  def __init__(self, url, sess_repo=None, anon_code=403, no_access_code=403,
               read_code=200, admin_code=200):
    self._url = url
@ -103,129 +114,347 @@ class IndexTestSpec(object):
      'method': self._method
    }

-    if self._data or self._method == 'POST' or self._method == 'PUT':
+    if self._data or self._method == 'POST' or self._method == 'PUT' or self._method == 'PATCH':
      kwargs['data'] = self._data if self._data else '{}'
      kwargs['content_type'] = 'application/json'

    return self._url, kwargs


-def build_index_specs():
+def build_v1_index_specs():
  return [
-    IndexTestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
                  PUBLIC_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
                  PRIVATE_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
                  ORG_REPO, 403, 403, 404, 404),

-    IndexTestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
                  PUBLIC_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
                  PRIVATE_REPO, 403, 403, 403, 404).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
                  ORG_REPO, 403, 403, 403, 404).set_method('PUT'),

-    IndexTestSpec(url_for('v1.put_image_checksum',
+    IndexV1TestSpec(url_for('v1.put_image_checksum',
                          image_id=FAKE_IMAGE_ID),
                  PUBLIC_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_checksum',
+    IndexV1TestSpec(url_for('v1.put_image_checksum',
                          image_id=FAKE_IMAGE_ID),
                  PRIVATE_REPO, 403, 403, 403, 400).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_checksum',
+    IndexV1TestSpec(url_for('v1.put_image_checksum',
                          image_id=FAKE_IMAGE_ID),
                  ORG_REPO, 403, 403, 403, 400).set_method('PUT'),

-    IndexTestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
                  PUBLIC_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
                  PRIVATE_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
                  ORG_REPO, 403, 403, 404, 404),

-    IndexTestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
                  PUBLIC_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
                  PRIVATE_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
                  ORG_REPO, 403, 403, 404, 404),

-    IndexTestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
                  PUBLIC_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
                  PRIVATE_REPO, 403, 403, 403, 400).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
                  ORG_REPO, 403, 403, 403, 400).set_method('PUT'),

-    IndexTestSpec(url_for('v1.create_user'), NO_REPO, 400, 400, 400,
+    IndexV1TestSpec(url_for('v1.create_user'), NO_REPO, 400, 400, 400,
                  400).set_method('POST').set_data_from_obj(NEW_USER_DETAILS),

-    IndexTestSpec(url_for('v1.get_user'), NO_REPO, 404, 200, 200, 200),
+    IndexV1TestSpec(url_for('v1.get_user'), NO_REPO, 404, 200, 200, 200),

-    IndexTestSpec(url_for('v1.update_user', username=FAKE_USERNAME),
+    IndexV1TestSpec(url_for('v1.update_user', username=FAKE_USERNAME),
                  NO_REPO, 403, 403, 403, 403).set_method('PUT'),

-    IndexTestSpec(url_for('v1.create_repository', repository=PUBLIC_REPO),
+    IndexV1TestSpec(url_for('v1.create_repository', repository=PUBLIC_REPO),
                  NO_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.create_repository', repository=PRIVATE_REPO),
+    IndexV1TestSpec(url_for('v1.create_repository', repository=PRIVATE_REPO),
                  NO_REPO, 403, 403, 403, 201).set_method('PUT'),
-    IndexTestSpec(url_for('v1.create_repository', repository=ORG_REPO),
+    IndexV1TestSpec(url_for('v1.create_repository', repository=ORG_REPO),
                  NO_REPO, 403, 403, 403, 201).set_method('PUT'),

-    IndexTestSpec(url_for('v1.update_images', repository=PUBLIC_REPO),
+    IndexV1TestSpec(url_for('v1.update_images', repository=PUBLIC_REPO),
                  NO_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.update_images', repository=PRIVATE_REPO),
+    IndexV1TestSpec(url_for('v1.update_images', repository=PRIVATE_REPO),
                  NO_REPO, 403, 403, 403, 204).set_method('PUT'),
-    IndexTestSpec(url_for('v1.update_images', repository=ORG_REPO), NO_REPO,
+    IndexV1TestSpec(url_for('v1.update_images', repository=ORG_REPO), NO_REPO,
                  403, 403, 403, 204).set_method('PUT'),

-    IndexTestSpec(url_for('v1.get_repository_images',
+    IndexV1TestSpec(url_for('v1.get_repository_images',
                          repository=PUBLIC_REPO),
                  NO_REPO, 200, 200, 200, 200),
-    IndexTestSpec(url_for('v1.get_repository_images',
+    IndexV1TestSpec(url_for('v1.get_repository_images',
                          repository=PRIVATE_REPO)),
-    IndexTestSpec(url_for('v1.get_repository_images', repository=ORG_REPO)),
+    IndexV1TestSpec(url_for('v1.get_repository_images', repository=ORG_REPO)),

-    IndexTestSpec(url_for('v1.delete_repository_images',
+    IndexV1TestSpec(url_for('v1.delete_repository_images',
                          repository=PUBLIC_REPO),
                  NO_REPO, 501, 501, 501, 501).set_method('DELETE'),

-    IndexTestSpec(url_for('v1.put_repository_auth', repository=PUBLIC_REPO),
+    IndexV1TestSpec(url_for('v1.put_repository_auth', repository=PUBLIC_REPO),
                  NO_REPO, 501, 501, 501, 501).set_method('PUT'),

-    IndexTestSpec(url_for('v1.get_search'), NO_REPO, 200, 200, 200, 200),
+    IndexV1TestSpec(url_for('v1.get_search'), NO_REPO, 200, 200, 200, 200),

-    IndexTestSpec(url_for('v1.ping'), NO_REPO, 200, 200, 200, 200),
+    IndexV1TestSpec(url_for('v1.ping'), NO_REPO, 200, 200, 200, 200),

-    IndexTestSpec(url_for('v1.get_tags', repository=PUBLIC_REPO), NO_REPO,
+    IndexV1TestSpec(url_for('v1.get_tags', repository=PUBLIC_REPO), NO_REPO,
                  200, 200, 200, 200),
-    IndexTestSpec(url_for('v1.get_tags', repository=PRIVATE_REPO)),
-    IndexTestSpec(url_for('v1.get_tags', repository=ORG_REPO)),
+    IndexV1TestSpec(url_for('v1.get_tags', repository=PRIVATE_REPO)),
+    IndexV1TestSpec(url_for('v1.get_tags', repository=ORG_REPO)),

-    IndexTestSpec(url_for('v1.get_tag', repository=PUBLIC_REPO,
+    IndexV1TestSpec(url_for('v1.get_tag', repository=PUBLIC_REPO,
                          tag=FAKE_TAG_NAME), NO_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_tag', repository=PRIVATE_REPO,
+    IndexV1TestSpec(url_for('v1.get_tag', repository=PRIVATE_REPO,
                          tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_tag', repository=ORG_REPO,
+    IndexV1TestSpec(url_for('v1.get_tag', repository=ORG_REPO,
                          tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 404, 404),

-    IndexTestSpec(url_for('v1.put_tag', repository=PUBLIC_REPO,
+    IndexV1TestSpec(url_for('v1.put_tag', repository=PUBLIC_REPO,
                          tag=FAKE_TAG_NAME),
                  NO_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_tag', repository=PRIVATE_REPO,
+    IndexV1TestSpec(url_for('v1.put_tag', repository=PRIVATE_REPO,
                          tag=FAKE_TAG_NAME),
                  NO_REPO, 403, 403, 403, 400).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_tag', repository=ORG_REPO,
+    IndexV1TestSpec(url_for('v1.put_tag', repository=ORG_REPO,
                          tag=FAKE_TAG_NAME),
                  NO_REPO, 403, 403, 403, 400).set_method('PUT'),

-    IndexTestSpec(url_for('v1.delete_tag', repository=PUBLIC_REPO,
+    IndexV1TestSpec(url_for('v1.delete_tag', repository=PUBLIC_REPO,
                          tag=FAKE_TAG_NAME),
                  NO_REPO, 403, 403, 403, 403).set_method('DELETE'),
-    IndexTestSpec(url_for('v1.delete_tag', repository=PRIVATE_REPO,
+    IndexV1TestSpec(url_for('v1.delete_tag', repository=PRIVATE_REPO,
                          tag=FAKE_TAG_NAME),
                  NO_REPO, 403, 403, 403, 400).set_method('DELETE'),
-    IndexTestSpec(url_for('v1.delete_tag', repository=ORG_REPO,
+    IndexV1TestSpec(url_for('v1.delete_tag', repository=ORG_REPO,
                          tag=FAKE_TAG_NAME),
                  NO_REPO, 403, 403, 403, 400).set_method('DELETE'),
  ]
+
+
+class IndexV2TestSpec(object):
+  def __init__(self, index_name, method_name, repo_name, scope=None, **kwargs):
+    self.index_name = index_name
+    self.repo_name = repo_name
+    self.method_name = method_name
+
+    default_scope = 'push,pull' if method_name != 'GET' and method_name != 'HEAD' else 'pull'
+    self.scope = scope or default_scope
+
+    self.kwargs = kwargs
+
+    self.auth_no_access_code = 403
+    self.auth_read_code = 403
+    self.auth_admin_code = 403
+
+    self.anon_code = 401
+    self.no_access_code = 403
+    self.read_code = 200
+    self.admin_code = 200
+
+  def auth_status(self, auth_no_access_code=403, auth_read_code=200, auth_admin_code=200):
+    self.auth_no_access_code = auth_no_access_code
+    self.auth_read_code = auth_read_code
+    self.auth_admin_code = auth_admin_code
+    return self
+
+  def request_status(self, anon_code=401, no_access_code=403, read_code=200, admin_code=200):
+    self.anon_code = anon_code
+    self.no_access_code = no_access_code
+    self.read_code = read_code
+    self.admin_code = admin_code
+    return self
+
+  def get_url(self):
+    namespace, repo_name = parse_namespace_repository(self.repo_name)
+    return url_for(self.index_name, namespace=namespace, repo_name=repo_name, **self.kwargs)
+
+  def gen_basic_auth(self, username, password):
+    encoded = b64encode('%s:%s' % (username, password))
+    return 'basic %s' % encoded
+
+  def get_scope_string(self):
+    return 'repository:%s:%s' % (self.repo_name, self.scope)
+
+
+def build_v2_index_specs():
+  return [
+    # v2.list_all_tags
+    IndexV2TestSpec('v2.list_all_tags', 'GET', PUBLIC_REPO).
+      auth_status(200, 200, 200).
+      request_status(200, 200, 200, 200),
+
+    IndexV2TestSpec('v2.list_all_tags', 'GET', PRIVATE_REPO).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 200, 200),
+
+    IndexV2TestSpec('v2.list_all_tags', 'GET', ORG_REPO).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 200, 200),
+
+    # v2.fetch_manifest_by_tagname
+    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', PUBLIC_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', PRIVATE_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', ORG_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.fetch_manifest_by_digest
+    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', ORG_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.write_manifest_by_tagname
+    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', PUBLIC_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', PRIVATE_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', ORG_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    # v2.write_manifest_by_digest
+    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', ORG_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    # v2.delete_manifest_by_digest
+    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', ORG_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    # v2.check_blob_exists
+    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', PUBLIC_REPO, digest=FAKE_DIGEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', PRIVATE_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', ORG_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.download_blob
+    IndexV2TestSpec('v2.download_blob', 'GET', PUBLIC_REPO, digest=FAKE_DIGEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.download_blob', 'GET', PRIVATE_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.download_blob', 'GET', ORG_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.start_blob_upload
+    IndexV2TestSpec('v2.start_blob_upload', 'POST', PUBLIC_REPO).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.start_blob_upload', 'POST', PRIVATE_REPO).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 202),
+
+    IndexV2TestSpec('v2.start_blob_upload', 'POST', ORG_REPO).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 202),
+
+    # v2.fetch_existing_upload
+    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', PUBLIC_REPO, 'push,pull', upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', PRIVATE_REPO, 'push,pull', upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', ORG_REPO, 'push,pull', upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    # v2.upload_chunk
+    IndexV2TestSpec('v2.upload_chunk', 'PATCH', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.upload_chunk', 'PATCH', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.upload_chunk', 'PATCH', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    # v2.monolithic_upload_or_last_chunk
+    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    # v2.cancel_upload
+    IndexV2TestSpec('v2.cancel_upload', 'DELETE', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.cancel_upload', 'DELETE', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.cancel_upload', 'DELETE', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+  ]
--- a/test/test_v1_endpoint_security.py
+++ b/test/test_v1_endpoint_security.py
@ -1,15 +1,16 @@
 import unittest
+import endpoints.decorated
+import json

 from app import app
 from util.names import parse_namespace_repository
 from initdb import setup_database_for_testing, finished_database_for_testing
-from specs import build_index_specs
+from specs import build_v1_index_specs
+
 from endpoints.v1 import v1_bp

-
 app.register_blueprint(v1_bp, url_prefix='/v1')

-
 NO_ACCESS_USER = 'freshuser'
 READ_ACCESS_USER = 'reader'
 ADMIN_ACCESS_USER = 'devtable'
@ -73,8 +74,8 @@ class _SpecTestBuilder(type):

        test_name_url = url.replace('/', '_').replace('-', '_')
        sess_repo = str(test_spec.sess_repo).replace('/', '_')
-        test_name = 'test_%s%s_%s' % (open_kwargs['method'].lower(),
-                                      test_name_url, sess_repo)
+        test_name = 'test_%s%s_%s_%s' % (open_kwargs['method'].lower(),
+                                      test_name_url, sess_repo, attrs['result_attr'])
        attrs[test_name] = test

    return type(name, bases, attrs)
@ -82,27 +83,31 @@ class _SpecTestBuilder(type):

 class TestAnonymousAccess(EndpointTestCase):
  __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
  result_attr = 'anon_code'
  auth_username = None


 class TestNoAccess(EndpointTestCase):
  __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
  result_attr = 'no_access_code'
  auth_username = NO_ACCESS_USER


 class TestReadAccess(EndpointTestCase):
  __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
  result_attr = 'read_code'
  auth_username = READ_ACCESS_USER


 class TestAdminAccess(EndpointTestCase):
  __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
  result_attr = 'admin_code'
  auth_username = ADMIN_ACCESS_USER
+
+
+if __name__ == '__main__':
+  unittest.main()
--- a/test/test_v2_endpoint_security.py
+++ b/test/test_v2_endpoint_security.py
@ -0,0 +1,110 @@
+import unittest
+import endpoints.decorated
+import json
+
+from app import app
+from util.names import parse_namespace_repository
+from initdb import setup_database_for_testing, finished_database_for_testing
+from specs import build_v2_index_specs
+from endpoints.v2 import v2_bp
+
+app.register_blueprint(v2_bp, url_prefix='/v2')
+
+NO_ACCESS_USER = 'freshuser'
+READ_ACCESS_USER = 'reader'
+ADMIN_ACCESS_USER = 'devtable'
+
+
+class EndpointTestCase(unittest.TestCase):
+  def setUp(self):
+    setup_database_for_testing(self)
+
+  def tearDown(self):
+    finished_database_for_testing(self)
+
+
+class _SpecTestBuilder(type):
+  @staticmethod
+  def _test_generator(url, test_spec, attrs):
+    def test(self):
+      with app.test_client() as c:
+        headers = []
+        expected_index_status = getattr(test_spec, attrs['result_attr'])
+
+        if attrs['auth_username']:
+          expected_auth_status = getattr(test_spec, 'auth_' + attrs['result_attr'])
+
+          # Get a signed JWT.
+          username = attrs['auth_username']
+          password = 'password'
+
+          jwt_scope = test_spec.get_scope_string()
+          query_string = 'service=' + app.config['SERVER_HOSTNAME'] + '&scope=' + jwt_scope
+
+          arv = c.open('/v2/auth',
+                       headers=[('authorization', test_spec.gen_basic_auth(username, password))],
+                       query_string=query_string)
+
+          msg = 'Auth failed for %s %s: got %s, expected: %s' % (
+            test_spec.method_name, test_spec.index_name, arv.status_code, expected_auth_status)
+          self.assertEqual(arv.status_code, expected_auth_status, msg)
+
+          if arv.status_code == 200:
+            headers = [('authorization', 'Bearer ' + json.loads(arv.data)['token'])]
+
+        rv = c.open(url, headers=headers, method=test_spec.method_name)
+        msg = '%s %s: got %s, expected: %s (auth: %s | headers %s)' % (test_spec.method_name,
+          test_spec.index_name, rv.status_code, expected_index_status, attrs['auth_username'],
+          len(headers))
+
+        self.assertEqual(rv.status_code, expected_index_status, msg)
+
+    return test
+
+
+  def __new__(cls, name, bases, attrs):
+    with app.test_request_context() as ctx:
+      specs = attrs['spec_func']()
+      for test_spec in specs:
+        test_name = '%s_%s_%s_%s_%s' % (test_spec.index_name, test_spec.method_name,
+                                        test_spec.repo_name, attrs['auth_username'] or 'anon',
+                                        attrs['result_attr'])
+        test_name = test_name.replace('/', '_').replace('-', '_')
+
+        test_name = 'test_' + test_name.lower().replace('v2.', 'v2_')
+        url = test_spec.get_url()
+        attrs[test_name] = _SpecTestBuilder._test_generator(url, test_spec, attrs)
+
+    return type(name, bases, attrs)
+
+
+class TestAnonymousAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'anon_code'
+  auth_username = None
+
+
+class TestNoAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'no_access_code'
+  auth_username = NO_ACCESS_USER
+
+
+class TestReadAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'read_code'
+  auth_username = READ_ACCESS_USER
+
+
+class TestAdminAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'admin_code'
+  auth_username = ADMIN_ACCESS_USER
+
+
+if __name__ == '__main__':
+  unittest.main()