Merge pull request #2121 from nwt/delete-action

Change DELETE action from "*" to "delete"
2017-01-09 12:34:23 -08:00 · 2017-01-09 12:34:23 -08:00 · 2bc4a9459c
commit 2bc4a9459c
parent 7dba427612 a33af0587b
3 changed files with 25 additions and 6 deletions
--- a/registry/auth/token/token_test.go
+++ b/registry/auth/token/token_test.go
@ -454,6 +454,27 @@ func TestAccessController(t *testing.T) {
 	if userInfo.Name != "foo" {
 		t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name)
 	}
+
+	// 5. Supply a token with full admin rights, which is represented as "*".
+	token, err = makeTestToken(
+		issuer, service,
+		[]*ResourceActions{{
+			Type:    testAccess.Type,
+			Name:    testAccess.Name,
+			Actions: []string{"*"},
+		}},
+		rootKeys[0], 1, time.Now(), time.Now().Add(5*time.Minute),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token.compactRaw()))
+
+	_, err = accessController.Authorized(ctx, testAccess)
+	if err != nil {
+		t.Fatalf("accessController returned unexpected error: %s", err)
+	}
 }

 // This tests that newAccessController can handle PEM blocks in the certificate
--- a/registry/handlers/app.go
+++ b/registry/handlers/app.go
@ -901,12 +901,10 @@ func appendAccessRecords(records []auth.Access, method string, repo string) []au
 				Action:   "push",
 			})
 	case "DELETE":
-		// DELETE access requires full admin rights, which is represented
-		// as "*". This may not be ideal.
 		records = append(records,
 			auth.Access{
 				Resource: resource,
-				Action:   "*",
+				Action:   "delete",
 			})
 	}
 	return records
--- a/registry/handlers/app_test.go
+++ b/registry/handlers/app_test.go
@ -229,9 +229,9 @@ func TestAppendAccessRecords(t *testing.T) {
 		Resource: expectedResource,
 		Action:   "push",
 	}
-	expectedAllRecord := auth.Access{
+	expectedDeleteRecord := auth.Access{
 		Resource: expectedResource,
-		Action:   "*",
+		Action:   "delete",
 	}

 	records := []auth.Access{}
@ -271,7 +271,7 @@ func TestAppendAccessRecords(t *testing.T) {

 	records = []auth.Access{}
 	result = appendAccessRecords(records, "DELETE", repo)
-	expectedResult = []auth.Access{expectedAllRecord}
+	expectedResult = []auth.Access{expectedDeleteRecord}
 	if ok := reflect.DeepEqual(result, expectedResult); !ok {
 		t.Fatalf("Actual access record differs from expected")
 	}