| import unittest
 | |
| import json as py_json
 | |
| 
 | |
| from flask import url_for
 | |
| from endpoints.api import api
 | |
| from app import app, storage
 | |
| from initdb import setup_database_for_testing, finished_database_for_testing
 | |
| from data import model
 | |
| 
 | |
# --- Fixture users -----------------------------------------------------------------------
# The roles are only implied by the names and by how the tests below use them; the accounts
# themselves are presumably created by the test database setup (verify against initdb).
NO_ACCESS_USER = 'freshuser'
READ_ACCESS_USER = 'reader'
ADMIN_ACCESS_USER = 'devtable'
PUBLIC_USER = 'public'
RANDOM_USER = 'randomuser'
OUTSIDE_ORG_USER = 'outsideorg'

# Robot account in the devtable namespace.
ADMIN_ROBOT_USER = 'devtable+dtrobot'

# --- Fixture organization ----------------------------------------------------------------
ORGANIZATION = 'buynlarge'

# --- Fixture repositories, written as "<namespace>/<name>" ---------------------------------
REPO = 'devtable/simple'
PUBLIC_REPO = 'public/publicrepo'
RANDOM_REPO = 'randomuser/randomrepo'

OUTSIDE_ORG_REPO = 'outsideorg/coolrepo'

ORG_REPO = 'buynlarge/orgrepo'
ANOTHER_ORG_REPO = 'buynlarge/anotherorgrepo'

# Note: The shared repo has devtable as admin, public as a writer and reader as a reader.
SHARED_REPO = 'devtable/shared'
 | |
| 
 | |
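class TestImageSharing(unittest.TestCase):
  """ Access-control regression tests for image storage reuse across repositories.

  Every test asks model.find_create_or_link_image for a docker image ID that may already
  exist in another repository, then checks whether the returned image points at the
  existing storage row (shared) or at a new one. The expectations follow the rule spelled
  out in the per-test comments: storage is reused only when the requesting user can already
  see the repository that holds the existing image, or when that repository is public.

  A test that wrongly passes here would hide a case where a user is linked to image storage
  in a repository they cannot read, so each assertion compares storage IDs explicitly.
  """

  def setUp(self):
    """ Prepare the test database and enter a Flask request context. """
    setup_database_for_testing(self)
    self.app = app.test_client()
    self.ctx = app.test_request_context()
    self.ctx.__enter__()

  def tearDown(self):
    """ Release the test database and leave the request context entered in setUp. """
    finished_database_for_testing(self)
    # NOTE(review): True is passed as the exception type although no exception is in
    # flight; kept as-is, confirm this is intentional.
    self.ctx.__exit__(True, None, None)

  def createStorage(self, docker_image_id, repository=REPO, username=ADMIN_ACCESS_USER):
    """ Find, create or link an image for docker_image_id and return its storage row.

    Args:
      docker_image_id: the docker image ID to look up or create.
      repository: target repository as "<namespace>/<name>".
      username: user on whose behalf the lookup is made; None means no user is specified
        (the "token case" mentioned by the tests).

    Returns:
      The storage object of the resulting image, saved with uploading set to False.
    """
    repo_parts = repository.split('/')
    repository_obj = model.get_repository(repo_parts[0], repo_parts[1])
    preferred = storage.preferred_locations[0]
    image = model.find_create_or_link_image(docker_image_id, repository_obj, username, {},
                                            preferred)

    # Mark the upload as finished; test_no_link_to_uploading shows that storage still
    # marked as uploading is not linked to.
    image.storage.uploading = False
    image.storage.save()
    return image.storage

  def assertSameStorage(self, docker_image_id, existing_storage, repository=REPO,
                        username=ADMIN_ACCESS_USER):
    """ Assert that the lookup is linked to existing_storage (same storage ID). """
    new_storage = self.createStorage(docker_image_id, repository, username)
    # assertEqual replaces the deprecated assertEquals alias, which newer Python versions
    # no longer provide.
    self.assertEqual(existing_storage.id, new_storage.id)

  def assertDifferentStorage(self, docker_image_id, existing_storage, repository=REPO,
                             username=ADMIN_ACCESS_USER):
    """ Assert that the lookup received its own storage (different storage ID). """
    new_storage = self.createStorage(docker_image_id, repository, username)
    self.assertNotEqual(existing_storage.id, new_storage.id)

  def test_same_user(self):
    """ The same user references two image IDs twice each in the same repo; each ID should
        map to a single storage. This is a sanity check. """

    # Create a reference to a new docker ID => new image.
    first_storage = self.createStorage('first-image')

    # Create a reference to the same docker ID => same image.
    self.assertSameStorage('first-image', first_storage)

    # Create a reference to another new docker ID => new image.
    second_storage = self.createStorage('second-image')

    # Create a reference to that same docker ID => same image.
    self.assertSameStorage('second-image', second_storage)

    # Make sure the images are different. Compare IDs, as the assert helpers do, so the
    # check does not depend on how the storage model defines equality.
    self.assertNotEqual(first_storage.id, second_storage.id)

  def test_no_user_private_repo(self):
    """ If no user is specified (token case usually), then no sharing can occur on a
        private repo. """
    # Create a reference to a new docker ID => new image.
    first_storage = self.createStorage('the-image', username=None, repository=SHARED_REPO)

    # Create a reference to the same docker ID, but since no username => new image.
    self.assertDifferentStorage('the-image', first_storage, username=None,
                                repository=RANDOM_REPO)

  def test_no_user_public_repo(self):
    """ If no user is specified (token case usually), sharing can still occur when the
        image was first created in a public repo. """
    # Create a reference to a new docker ID => new image.
    first_storage = self.createStorage('the-image', username=None, repository=PUBLIC_REPO)

    # Create a reference to the same docker ID. Since no username, we'd expect different,
    # but the first image is public so => shared image.
    self.assertSameStorage('the-image', first_storage, username=None, repository=RANDOM_REPO)

  def test_different_user_same_repo(self):
    """ Two different users create the same image in the same repo. """

    # Create a reference to a new docker ID under the first user => new image.
    first_storage = self.createStorage('the-image', username=PUBLIC_USER,
                                       repository=SHARED_REPO)

    # Create a reference to the *same* docker ID under the second user => same image.
    self.assertSameStorage('the-image', first_storage, username=ADMIN_ACCESS_USER,
                           repository=SHARED_REPO)

  def test_different_repo_no_shared_access(self):
    """ Neither user has access to the other user's repository. """

    # Create a reference to a new docker ID under the first user => new image.
    first_storage = self.createStorage('the-image', username=RANDOM_USER,
                                       repository=RANDOM_REPO)

    # Create a reference to the *same* docker ID under the second user => new image.
    # Verify by storage ID, like every other isolation test in this class, that the users
    # do not share storage.
    self.assertDifferentStorage('the-image', first_storage, username=ADMIN_ACCESS_USER,
                                repository=REPO)

  def test_public_than_private(self):
    """ An image is created publicly then used privately, so it should be shared. """

    # Create a reference to a new docker ID under the first user => new image.
    first_storage = self.createStorage('the-image', username=PUBLIC_USER,
                                       repository=PUBLIC_REPO)

    # Create a reference to the *same* docker ID under the second user => same image, since
    # the first was public.
    self.assertSameStorage('the-image', first_storage, username=ADMIN_ACCESS_USER,
                           repository=REPO)

  def test_private_than_public(self):
    """ An image is created privately then used publicly, so it should *not* be shared. """

    # Create a reference to a new docker ID under the first user => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=REPO)

    # Create a reference to the *same* docker ID under the second user => new image, since
    # the first was private.
    self.assertDifferentStorage('the-image', first_storage, username=PUBLIC_USER,
                                repository=PUBLIC_REPO)

  def test_different_repo_with_access(self):
    """ An image is created in one repo (SHARED_REPO) which the user (PUBLIC_USER) has access
        to. Later, the image is created in another repo (PUBLIC_REPO) that the user also has
        access to. The image should be shared since the user has access.
    """
    # Create the image in the shared repo => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=SHARED_REPO)

    # Create the image in the other user's repo, but since the user (PUBLIC) still has access
    # to the shared repository, they should reuse the storage.
    self.assertSameStorage('the-image', first_storage, username=PUBLIC_USER,
                           repository=PUBLIC_REPO)

  def test_org_access(self):
    """ An image is accessible by being a member of the organization. """

    # Create the new image under the org's repo => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=ORG_REPO)

    # Create an image under the user's repo, but since the user has access to the
    # organization => shared image.
    self.assertSameStorage('the-image', first_storage, username=ADMIN_ACCESS_USER,
                           repository=REPO)

    # Ensure that the user's robot does not have access, since it is not on the permissions
    # list for the repo.
    self.assertDifferentStorage('the-image', first_storage, username=ADMIN_ROBOT_USER,
                                repository=SHARED_REPO)

  def test_org_access_different_user(self):
    """ An image is accessible to other users who are members of the organization. """

    # Create the new image under the org's repo => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=ORG_REPO)

    # Create an image under a user's repo, but since the user has access to the
    # organization => shared image.
    self.assertSameStorage('the-image', first_storage, username=PUBLIC_USER,
                           repository=PUBLIC_REPO)

    # Also verify for reader.
    self.assertSameStorage('the-image', first_storage, username=READ_ACCESS_USER,
                           repository=PUBLIC_REPO)

  def test_org_no_access(self):
    """ An image is not accessible if not a member of the organization. """

    # Create the new image under the org's repo => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=ORG_REPO)

    # Create an image under a user's repo. Since the user is not a member of the
    # organization => new image.
    self.assertDifferentStorage('the-image', first_storage, username=RANDOM_USER,
                                repository=RANDOM_REPO)

  def test_org_not_team_member_with_access(self):
    """ An image is accessible to a user specifically listed as having permission on the
        org repo. """

    # Create the new image under the org's repo => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=ORG_REPO)

    # Create an image under a user's repo. Since the user has read access on that repo, they
    # can see the image => shared image.
    self.assertSameStorage('the-image', first_storage, username=OUTSIDE_ORG_USER,
                           repository=OUTSIDE_ORG_REPO)

  def test_org_not_team_member_with_no_access(self):
    """ A user that has access to one org repo but not another and is not a team member. """

    # Create the new image under the org's repo => new image.
    first_storage = self.createStorage('the-image', username=ADMIN_ACCESS_USER,
                                       repository=ANOTHER_ORG_REPO)

    # Create an image under a user's repo. The user doesn't have access to the repo
    # (ANOTHER_ORG_REPO) so => new image.
    self.assertDifferentStorage('the-image', first_storage, username=OUTSIDE_ORG_USER,
                                repository=OUTSIDE_ORG_REPO)

  def test_no_link_to_uploading(self):
    """ Storage that is still marked as uploading is never linked to, even though it was
        created in a public repo. """
    # createStorage clears the uploading flag, so set it again to simulate an upload that
    # is still in progress.
    still_uploading = self.createStorage('an-image', repository=PUBLIC_REPO)
    still_uploading.uploading = True
    still_uploading.save()

    # The same docker ID requested elsewhere must get its own storage rather than a link to
    # the unfinished one.
    self.assertDifferentStorage('an-image', still_uploading)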
 |