spec/lib/ssh_access_spec.rb

0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehaserequire 'spec_helper'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
f198c0ec200763fe1b0db998cd9418f412be8361Tim Reddehasedescribe SSHAccess do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase  let(:permission) { create :permission, role: 'reader' }
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase  let(:user) { permission.subject }
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase  let(:repository) { permission.item }
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase  context 'without a permission' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow read on public readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow write on public readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow read on public read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow write on public read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow read on private readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow write on private readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow read on private read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow write on private read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', nil, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase    it 'should raise error on write to mirror repository' do
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      repository.source_address = 'http://some_source_address.example.com'
63690d8280c5282c6bd057da5330a6ae8859af35Eugen Kuksa      repository.source_type = 'git'
8f845e804ef24c045876941e34930a9ac6720dbfEugen Kuksa      repository.remote_type = 'mirror'
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      expect { described_class.determine_permission('write', nil, repository) }.
73120e371051954b252e1f5e7231620254ca6862Tim Reddehase        to raise_error(SSHAccess::InvalidAccessOnMirrorError)
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase    end
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase  end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase  context 'with permission' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase    context 'denoting owner rights' do
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      let(:permission) { create :permission, role: 'owner' }
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      it 'should allow write on public readable repository' do
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        repository.access = 'public_r'
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase        expect(access).to be true
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      end
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      it 'should allow write on private readable repository' do
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        repository.access = 'private_r'
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase        expect(access).to be true
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      end
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      it 'should raise error on write to mirror repository' do
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase        repository.source_address = 'http://some_source_address.example.com'
63690d8280c5282c6bd057da5330a6ae8859af35Eugen Kuksa        repository.source_type = 'git'
8f845e804ef24c045876941e34930a9ac6720dbfEugen Kuksa        repository.remote_type = 'mirror'
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase        expect { described_class.determine_permission('write', permission, repository) }.
73120e371051954b252e1f5e7231620254ca6862Tim Reddehase          to raise_error(SSHAccess::InvalidAccessOnMirrorError)
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      end
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase    end
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase    context 'denoting editor rights' do
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      let(:permission) { create :permission, role: 'editor' }
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      it 'should allow write on public readable repository' do
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        repository.access = 'public_r'
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase        expect(access).to be true
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      end
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      it 'should allow write on private readable repository' do
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        repository.access = 'private_r'
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase        access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase        expect(access).to be true
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase      end
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      it 'should raise error on write to mirror repository' do
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase        repository.source_address = 'http://some_source_address.example.com'
63690d8280c5282c6bd057da5330a6ae8859af35Eugen Kuksa        repository.source_type = 'git'
8f845e804ef24c045876941e34930a9ac6720dbfEugen Kuksa        repository.remote_type = 'mirror'
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase        expect { described_class.determine_permission('write', permission, repository) }.
73120e371051954b252e1f5e7231620254ca6862Tim Reddehase          to raise_error(SSHAccess::InvalidAccessOnMirrorError)
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      end
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase    end
d60ddfb99765ab4fe956503f3f83d9c8f493eb99Tim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow read on public readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow write on public readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow read on public read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow write on public read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'public_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow read on private readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should disallow write on private readable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_r'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be false
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow read on private read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('read', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    it 'should allow write on private read-writeable repository' do
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      repository.access = 'private_rw'
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase      access = described_class.determine_permission('write', permission, repository)
6876ece18854869a08606c12e0e814435fa73a29Tim Reddehase      expect(access).to be true
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase    end
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase    it 'should raise error on write to mirror repository' do
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      repository.source_address = 'http://some_source_address.example.com'
63690d8280c5282c6bd057da5330a6ae8859af35Eugen Kuksa      repository.source_type = 'git'
8f845e804ef24c045876941e34930a9ac6720dbfEugen Kuksa      repository.remote_type = 'mirror'
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase      expect { described_class.determine_permission('write', permission, repository) }.
73120e371051954b252e1f5e7231620254ca6862Tim Reddehase        to raise_error(SSHAccess::InvalidAccessOnMirrorError)
9c3a9ea5002b6efbb3e3640fe215e63b8dfb619dTim Reddehase    end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase  end
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehase
0dcf2700340141bc08344977e966e7ec095a8e8eTim Reddehaseend