Add endpoint security tests for the V2 endpoints

Fixes #581

endpoints/v2/blob.py

@@ -10,7 +10,7 @@ from app import storage, app
 from data import model, database
 from digest import digest_tools
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write, get_input_stream
-from endpoints.v2.errors import BlobUnknown, BlobUploadInvalid, BlobUploadUnknown
+from endpoints.v2.errors import BlobUnknown, BlobUploadInvalid, BlobUploadUnknown, Unsupported
 from auth.jwt_auth import process_jwt_auth
 from endpoints.decorators import anon_protect
 from util.cache import cache_control
@@ -303,6 +303,6 @@ def cancel_upload(namespace, repo_name, upload_uuid):
 @anon_protect
 def delete_digest(namespace, repo_name, upload_uuid):
   # We do not support deleting arbitrary digests, as they break repo images.
-  return make_response('', 501)
+  raise Unsupported()
 
 

endpoints/v2/manifest.py

@@ -238,7 +238,11 @@ def fetch_manifest_by_digest(namespace, repo_name, manifest_ref):
 @require_repo_write
 @anon_protect
 def write_manifest_by_tagname(namespace, repo_name, manifest_ref):
-  manifest = SignedManifest(request.data)
+  try:
+    manifest = SignedManifest(request.data)
+  except ValueError:
+    raise ManifestInvalid()
+
   if manifest.tag != manifest_ref:
     raise TagInvalid()
 
@@ -250,7 +254,11 @@ def write_manifest_by_tagname(namespace, repo_name, manifest_ref):
 @require_repo_write
 @anon_protect
 def write_manifest_by_digest(namespace, repo_name, manifest_ref):
-  manifest = SignedManifest(request.data)
+  try:
+    manifest = SignedManifest(request.data)
+  except ValueError:
+    raise ManifestInvalid()
+
   if manifest.digest != manifest_ref:
     raise ManifestInvalid()
 

test/specs.py

@@ -1,22 +1,33 @@
 import json
+import hashlib
 
 from flask import url_for
 from uuid import uuid4
 from base64 import b64encode
+from util.names import parse_namespace_repository
 
 
 NO_REPO = None
-PUBLIC_REPO = 'public/publicrepo'
+PUBLIC = 'public'
-PRIVATE_REPO = 'devtable/shared'
+PUBLIC_REPO_NAME = 'publicrepo'
+PUBLIC_REPO = PUBLIC + '/' + PUBLIC_REPO_NAME
+
+PRIVATE = 'devtable'
+PRIVATE_REPO_NAME = 'shared'
+PRIVATE_REPO = PRIVATE + '/' + PRIVATE_REPO_NAME
 
 ORG = 'buynlarge'
 ORG_REPO = ORG + '/orgrepo'
+ORG_REPO_NAME = 'orgrepo'
 ORG_READERS = 'readers'
 ORG_OWNER = 'devtable'
 ORG_OWNERS = 'owners'
 ORG_READERS = 'readers'
 
+FAKE_MANIFEST = 'unknown_tag'
+FAKE_DIGEST = 'sha256:' + hashlib.sha256(str(uuid4())).hexdigest()
 FAKE_IMAGE_ID = str(uuid4())
+FAKE_UPLOAD_ID = str(uuid4())
 FAKE_TAG_NAME = str(uuid4())
 FAKE_USERNAME = str(uuid4())
 FAKE_TOKEN = str(uuid4())
@@ -72,7 +83,7 @@ UPDATE_REPO_DETAILS = {
 }
 
 
-class IndexTestSpec(object):
+class IndexV1TestSpec(object):
   def __init__(self, url, sess_repo=None, anon_code=403, no_access_code=403,
                read_code=200, admin_code=200):
     self._url = url
@@ -103,129 +114,347 @@ class IndexTestSpec(object):
       'method': self._method
     }
 
-    if self._data or self._method == 'POST' or self._method == 'PUT':
+    if self._data or self._method == 'POST' or self._method == 'PUT' or self._method == 'PATCH':
       kwargs['data'] = self._data if self._data else '{}'
       kwargs['content_type'] = 'application/json'
 
     return self._url, kwargs
 
 
-def build_index_specs():
+def build_v1_index_specs():
   return [
-    IndexTestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
                   PUBLIC_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
                   PRIVATE_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_layer', image_id=FAKE_IMAGE_ID),
                   ORG_REPO, 403, 403, 404, 404),
 
-    IndexTestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
                   PUBLIC_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
                   PRIVATE_REPO, 403, 403, 403, 404).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_layer', image_id=FAKE_IMAGE_ID),
                   ORG_REPO, 403, 403, 403, 404).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.put_image_checksum',
+    IndexV1TestSpec(url_for('v1.put_image_checksum',
                           image_id=FAKE_IMAGE_ID),
                   PUBLIC_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_checksum',
+    IndexV1TestSpec(url_for('v1.put_image_checksum',
                           image_id=FAKE_IMAGE_ID),
                   PRIVATE_REPO, 403, 403, 403, 400).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_checksum',
+    IndexV1TestSpec(url_for('v1.put_image_checksum',
                           image_id=FAKE_IMAGE_ID),
                   ORG_REPO, 403, 403, 403, 400).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
                   PUBLIC_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
                   PRIVATE_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_json', image_id=FAKE_IMAGE_ID),
                   ORG_REPO, 403, 403, 404, 404),
 
-    IndexTestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
                   PUBLIC_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
                   PRIVATE_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.get_image_ancestry', image_id=FAKE_IMAGE_ID),
                   ORG_REPO, 403, 403, 404, 404),
 
-    IndexTestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
                   PUBLIC_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
                   PRIVATE_REPO, 403, 403, 403, 400).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
+    IndexV1TestSpec(url_for('v1.put_image_json', image_id=FAKE_IMAGE_ID),
                   ORG_REPO, 403, 403, 403, 400).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.create_user'), NO_REPO, 400, 400, 400,
+    IndexV1TestSpec(url_for('v1.create_user'), NO_REPO, 400, 400, 400,
                   400).set_method('POST').set_data_from_obj(NEW_USER_DETAILS),
 
-    IndexTestSpec(url_for('v1.get_user'), NO_REPO, 404, 200, 200, 200),
+    IndexV1TestSpec(url_for('v1.get_user'), NO_REPO, 404, 200, 200, 200),
 
-    IndexTestSpec(url_for('v1.update_user', username=FAKE_USERNAME),
+    IndexV1TestSpec(url_for('v1.update_user', username=FAKE_USERNAME),
                   NO_REPO, 403, 403, 403, 403).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.create_repository', repository=PUBLIC_REPO),
+    IndexV1TestSpec(url_for('v1.create_repository', repository=PUBLIC_REPO),
                   NO_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.create_repository', repository=PRIVATE_REPO),
+    IndexV1TestSpec(url_for('v1.create_repository', repository=PRIVATE_REPO),
                   NO_REPO, 403, 403, 403, 201).set_method('PUT'),
-    IndexTestSpec(url_for('v1.create_repository', repository=ORG_REPO),
+    IndexV1TestSpec(url_for('v1.create_repository', repository=ORG_REPO),
                   NO_REPO, 403, 403, 403, 201).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.update_images', repository=PUBLIC_REPO),
+    IndexV1TestSpec(url_for('v1.update_images', repository=PUBLIC_REPO),
                   NO_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.update_images', repository=PRIVATE_REPO),
+    IndexV1TestSpec(url_for('v1.update_images', repository=PRIVATE_REPO),
                   NO_REPO, 403, 403, 403, 204).set_method('PUT'),
-    IndexTestSpec(url_for('v1.update_images', repository=ORG_REPO), NO_REPO,
+    IndexV1TestSpec(url_for('v1.update_images', repository=ORG_REPO), NO_REPO,
                   403, 403, 403, 204).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.get_repository_images',
+    IndexV1TestSpec(url_for('v1.get_repository_images',
                           repository=PUBLIC_REPO),
                   NO_REPO, 200, 200, 200, 200),
-    IndexTestSpec(url_for('v1.get_repository_images',
+    IndexV1TestSpec(url_for('v1.get_repository_images',
                           repository=PRIVATE_REPO)),
-    IndexTestSpec(url_for('v1.get_repository_images', repository=ORG_REPO)),
+    IndexV1TestSpec(url_for('v1.get_repository_images', repository=ORG_REPO)),
 
-    IndexTestSpec(url_for('v1.delete_repository_images',
+    IndexV1TestSpec(url_for('v1.delete_repository_images',
                           repository=PUBLIC_REPO),
                   NO_REPO, 501, 501, 501, 501).set_method('DELETE'),
 
-    IndexTestSpec(url_for('v1.put_repository_auth', repository=PUBLIC_REPO),
+    IndexV1TestSpec(url_for('v1.put_repository_auth', repository=PUBLIC_REPO),
                   NO_REPO, 501, 501, 501, 501).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.get_search'), NO_REPO, 200, 200, 200, 200),
+    IndexV1TestSpec(url_for('v1.get_search'), NO_REPO, 200, 200, 200, 200),
 
-    IndexTestSpec(url_for('v1.ping'), NO_REPO, 200, 200, 200, 200),
+    IndexV1TestSpec(url_for('v1.ping'), NO_REPO, 200, 200, 200, 200),
 
-    IndexTestSpec(url_for('v1.get_tags', repository=PUBLIC_REPO), NO_REPO,
+    IndexV1TestSpec(url_for('v1.get_tags', repository=PUBLIC_REPO), NO_REPO,
                   200, 200, 200, 200),
-    IndexTestSpec(url_for('v1.get_tags', repository=PRIVATE_REPO)),
+    IndexV1TestSpec(url_for('v1.get_tags', repository=PRIVATE_REPO)),
-    IndexTestSpec(url_for('v1.get_tags', repository=ORG_REPO)),
+    IndexV1TestSpec(url_for('v1.get_tags', repository=ORG_REPO)),
 
-    IndexTestSpec(url_for('v1.get_tag', repository=PUBLIC_REPO,
+    IndexV1TestSpec(url_for('v1.get_tag', repository=PUBLIC_REPO,
                           tag=FAKE_TAG_NAME), NO_REPO, 404, 404, 404, 404),
-    IndexTestSpec(url_for('v1.get_tag', repository=PRIVATE_REPO,
+    IndexV1TestSpec(url_for('v1.get_tag', repository=PRIVATE_REPO,
                           tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 404, 404),
-    IndexTestSpec(url_for('v1.get_tag', repository=ORG_REPO,
+    IndexV1TestSpec(url_for('v1.get_tag', repository=ORG_REPO,
                           tag=FAKE_TAG_NAME), NO_REPO, 403, 403, 404, 404),
 
-    IndexTestSpec(url_for('v1.put_tag', repository=PUBLIC_REPO,
+    IndexV1TestSpec(url_for('v1.put_tag', repository=PUBLIC_REPO,
                           tag=FAKE_TAG_NAME),
                   NO_REPO, 403, 403, 403, 403).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_tag', repository=PRIVATE_REPO,
+    IndexV1TestSpec(url_for('v1.put_tag', repository=PRIVATE_REPO,
                           tag=FAKE_TAG_NAME),
                   NO_REPO, 403, 403, 403, 400).set_method('PUT'),
-    IndexTestSpec(url_for('v1.put_tag', repository=ORG_REPO,
+    IndexV1TestSpec(url_for('v1.put_tag', repository=ORG_REPO,
                           tag=FAKE_TAG_NAME),
                   NO_REPO, 403, 403, 403, 400).set_method('PUT'),
 
-    IndexTestSpec(url_for('v1.delete_tag', repository=PUBLIC_REPO,
+    IndexV1TestSpec(url_for('v1.delete_tag', repository=PUBLIC_REPO,
                           tag=FAKE_TAG_NAME),
                   NO_REPO, 403, 403, 403, 403).set_method('DELETE'),
-    IndexTestSpec(url_for('v1.delete_tag', repository=PRIVATE_REPO,
+    IndexV1TestSpec(url_for('v1.delete_tag', repository=PRIVATE_REPO,
                           tag=FAKE_TAG_NAME),
                   NO_REPO, 403, 403, 403, 400).set_method('DELETE'),
-    IndexTestSpec(url_for('v1.delete_tag', repository=ORG_REPO,
+    IndexV1TestSpec(url_for('v1.delete_tag', repository=ORG_REPO,
                           tag=FAKE_TAG_NAME),
                   NO_REPO, 403, 403, 403, 400).set_method('DELETE'),
   ]
+
+
+class IndexV2TestSpec(object):
+  def __init__(self, index_name, method_name, repo_name, scope=None, **kwargs):
+    self.index_name = index_name
+    self.repo_name = repo_name
+    self.method_name = method_name
+
+    default_scope = 'push,pull' if method_name != 'GET' and method_name != 'HEAD' else 'pull'
+    self.scope = scope or default_scope
+
+    self.kwargs = kwargs
+
+    self.auth_no_access_code = 403
+    self.auth_read_code = 403
+    self.auth_admin_code = 403
+
+    self.anon_code = 401
+    self.no_access_code = 403
+    self.read_code = 200
+    self.admin_code = 200
+
+  def auth_status(self, auth_no_access_code=403, auth_read_code=200, auth_admin_code=200):
+    self.auth_no_access_code = auth_no_access_code
+    self.auth_read_code = auth_read_code
+    self.auth_admin_code = auth_admin_code
+    return self
+
+  def request_status(self, anon_code=401, no_access_code=403, read_code=200, admin_code=200):
+    self.anon_code = anon_code
+    self.no_access_code = no_access_code
+    self.read_code = read_code
+    self.admin_code = admin_code
+    return self
+
+  def get_url(self):
+    namespace, repo_name = parse_namespace_repository(self.repo_name)
+    return url_for(self.index_name, namespace=namespace, repo_name=repo_name, **self.kwargs)
+
+  def gen_basic_auth(self, username, password):
+    encoded = b64encode('%s:%s' % (username, password))
+    return 'basic %s' % encoded
+
+  def get_scope_string(self):
+    return 'repository:%s:%s' % (self.repo_name, self.scope)
+
+
+def build_v2_index_specs():
+  return [
+    # v2.list_all_tags
+    IndexV2TestSpec('v2.list_all_tags', 'GET', PUBLIC_REPO).
+      auth_status(200, 200, 200).
+      request_status(200, 200, 200, 200),
+
+    IndexV2TestSpec('v2.list_all_tags', 'GET', PRIVATE_REPO).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 200, 200),
+
+    IndexV2TestSpec('v2.list_all_tags', 'GET', ORG_REPO).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 200, 200),
+
+    # v2.fetch_manifest_by_tagname
+    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', PUBLIC_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', PRIVATE_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_tagname', 'GET', ORG_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.fetch_manifest_by_digest
+    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.fetch_manifest_by_digest', 'GET', ORG_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.write_manifest_by_tagname
+    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', PUBLIC_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', PRIVATE_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    IndexV2TestSpec('v2.write_manifest_by_tagname', 'PUT', ORG_REPO, manifest_ref=FAKE_MANIFEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    # v2.write_manifest_by_digest
+    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    IndexV2TestSpec('v2.write_manifest_by_digest', 'PUT', ORG_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    # v2.delete_manifest_by_digest
+    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', PUBLIC_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', PRIVATE_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.delete_manifest_by_digest', 'DELETE', ORG_REPO, manifest_ref=FAKE_DIGEST).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    # v2.check_blob_exists
+    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', PUBLIC_REPO, digest=FAKE_DIGEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', PRIVATE_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.check_blob_exists', 'HEAD', ORG_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.download_blob
+    IndexV2TestSpec('v2.download_blob', 'GET', PUBLIC_REPO, digest=FAKE_DIGEST).
+      auth_status(200, 200, 200).
+      request_status(404, 404, 404, 404),
+
+    IndexV2TestSpec('v2.download_blob', 'GET', PRIVATE_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    IndexV2TestSpec('v2.download_blob', 'GET', ORG_REPO, digest=FAKE_DIGEST).
+      auth_status(403, 200, 200).
+      request_status(401, 401, 404, 404),
+
+    # v2.start_blob_upload
+    IndexV2TestSpec('v2.start_blob_upload', 'POST', PUBLIC_REPO).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.start_blob_upload', 'POST', PRIVATE_REPO).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 202),
+
+    IndexV2TestSpec('v2.start_blob_upload', 'POST', ORG_REPO).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 202),
+
+    # v2.fetch_existing_upload
+    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', PUBLIC_REPO, 'push,pull', upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', PRIVATE_REPO, 'push,pull', upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.fetch_existing_upload', 'GET', ORG_REPO, 'push,pull', upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    # v2.upload_chunk
+    IndexV2TestSpec('v2.upload_chunk', 'PATCH', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.upload_chunk', 'PATCH', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.upload_chunk', 'PATCH', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    # v2.monolithic_upload_or_last_chunk
+    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    IndexV2TestSpec('v2.monolithic_upload_or_last_chunk', 'PUT', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 400),
+
+    # v2.cancel_upload
+    IndexV2TestSpec('v2.cancel_upload', 'DELETE', PUBLIC_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 403).
+      request_status(401, 401, 401, 401),
+
+    IndexV2TestSpec('v2.cancel_upload', 'DELETE', PRIVATE_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+
+    IndexV2TestSpec('v2.cancel_upload', 'DELETE', ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
+      auth_status(403, 403, 200).
+      request_status(401, 401, 401, 404),
+  ]

test/test_v1_endpoint_security.py

@@ -1,15 +1,16 @@
 import unittest
+import endpoints.decorated
+import json
 
 from app import app
 from util.names import parse_namespace_repository
 from initdb import setup_database_for_testing, finished_database_for_testing
-from specs import build_index_specs
+from specs import build_v1_index_specs
+
 from endpoints.v1 import v1_bp
 
-
 app.register_blueprint(v1_bp, url_prefix='/v1')
 
-
 NO_ACCESS_USER = 'freshuser'
 READ_ACCESS_USER = 'reader'
 ADMIN_ACCESS_USER = 'devtable'
@@ -73,8 +74,8 @@ class _SpecTestBuilder(type):
 
         test_name_url = url.replace('/', '_').replace('-', '_')
         sess_repo = str(test_spec.sess_repo).replace('/', '_')
-        test_name = 'test_%s%s_%s' % (open_kwargs['method'].lower(),
+        test_name = 'test_%s%s_%s_%s' % (open_kwargs['method'].lower(),
-                                      test_name_url, sess_repo)
+                                      test_name_url, sess_repo, attrs['result_attr'])
         attrs[test_name] = test
 
     return type(name, bases, attrs)
@@ -82,27 +83,31 @@ class _SpecTestBuilder(type):
 
 class TestAnonymousAccess(EndpointTestCase):
   __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
   result_attr = 'anon_code'
   auth_username = None
 
 
 class TestNoAccess(EndpointTestCase):
   __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
   result_attr = 'no_access_code'
   auth_username = NO_ACCESS_USER
 
 
 class TestReadAccess(EndpointTestCase):
   __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
   result_attr = 'read_code'
   auth_username = READ_ACCESS_USER
 
 
 class TestAdminAccess(EndpointTestCase):
   __metaclass__ = _SpecTestBuilder
-  spec_func = build_index_specs
+  spec_func = build_v1_index_specs
   result_attr = 'admin_code'
   auth_username = ADMIN_ACCESS_USER
+
+
+if __name__ == '__main__':
+  unittest.main()

test/test_v2_endpoint_security.py

@@ -0,0 +1,110 @@
+import unittest
+import endpoints.decorated
+import json
+
+from app import app
+from util.names import parse_namespace_repository
+from initdb import setup_database_for_testing, finished_database_for_testing
+from specs import build_v2_index_specs
+from endpoints.v2 import v2_bp
+
+app.register_blueprint(v2_bp, url_prefix='/v2')
+
+NO_ACCESS_USER = 'freshuser'
+READ_ACCESS_USER = 'reader'
+ADMIN_ACCESS_USER = 'devtable'
+
+
+class EndpointTestCase(unittest.TestCase):
+  def setUp(self):
+    setup_database_for_testing(self)
+
+  def tearDown(self):
+    finished_database_for_testing(self)
+
+
+class _SpecTestBuilder(type):
+  @staticmethod
+  def _test_generator(url, test_spec, attrs):
+    def test(self):
+      with app.test_client() as c:
+        headers = []
+        expected_index_status = getattr(test_spec, attrs['result_attr'])
+
+        if attrs['auth_username']:
+          expected_auth_status = getattr(test_spec, 'auth_' + attrs['result_attr'])
+
+          # Get a signed JWT.
+          username = attrs['auth_username']
+          password = 'password'
+
+          jwt_scope = test_spec.get_scope_string()
+          query_string = 'service=' + app.config['SERVER_HOSTNAME'] + '&scope=' + jwt_scope
+
+          arv = c.open('/v2/auth',
+                       headers=[('authorization', test_spec.gen_basic_auth(username, password))],
+                       query_string=query_string)
+
+          msg = 'Auth failed for %s %s: got %s, expected: %s' % (
+            test_spec.method_name, test_spec.index_name, arv.status_code, expected_auth_status)
+          self.assertEqual(arv.status_code, expected_auth_status, msg)
+
+          if arv.status_code == 200:
+            headers = [('authorization', 'Bearer ' + json.loads(arv.data)['token'])]
+
+        rv = c.open(url, headers=headers, method=test_spec.method_name)
+        msg = '%s %s: got %s, expected: %s (auth: %s | headers %s)' % (test_spec.method_name,
+          test_spec.index_name, rv.status_code, expected_index_status, attrs['auth_username'],
+          len(headers))
+
+        self.assertEqual(rv.status_code, expected_index_status, msg)
+
+    return test
+
+
+  def __new__(cls, name, bases, attrs):
+    with app.test_request_context() as ctx:
+      specs = attrs['spec_func']()
+      for test_spec in specs:
+        test_name = '%s_%s_%s_%s_%s' % (test_spec.index_name, test_spec.method_name,
+                                        test_spec.repo_name, attrs['auth_username'] or 'anon',
+                                        attrs['result_attr'])
+        test_name = test_name.replace('/', '_').replace('-', '_')
+
+        test_name = 'test_' + test_name.lower().replace('v2.', 'v2_')
+        url = test_spec.get_url()
+        attrs[test_name] = _SpecTestBuilder._test_generator(url, test_spec, attrs)
+
+    return type(name, bases, attrs)
+
+
+class TestAnonymousAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'anon_code'
+  auth_username = None
+
+
+class TestNoAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'no_access_code'
+  auth_username = NO_ACCESS_USER
+
+
+class TestReadAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'read_code'
+  auth_username = READ_ACCESS_USER
+
+
+class TestAdminAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v2_index_specs
+  result_attr = 'admin_code'
+  auth_username = ADMIN_ACCESS_USER
+
+
+if __name__ == '__main__':
+  unittest.main()