Allow all authenticated users to push/pull (not just human+user role)
The previous default policy required both AccountTypes=["human"] and Roles=["user"], but MCIAS validate responses don't reliably include these fields. For a private registry, any successfully authenticated caller should have content access. Admin-only operations (policy management) still require the admin role. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -27,15 +27,15 @@ func TestEngineDefaultsOnly(t *testing.T) {
|
||||
t.Fatalf("admin push with defaults: got %s, want allow", effect)
|
||||
}
|
||||
|
||||
// System account should be denied.
|
||||
// System account should be allowed (rule -2: authenticated users).
|
||||
effect, _ = e.Evaluate(PolicyInput{
|
||||
Subject: "system-uuid",
|
||||
AccountType: "system",
|
||||
Action: ActionPull,
|
||||
Repository: "myapp",
|
||||
})
|
||||
if effect != Deny {
|
||||
t.Fatalf("system pull with defaults: got %s, want deny", effect)
|
||||
if effect != Allow {
|
||||
t.Fatalf("system pull with defaults: got %s, want allow", effect)
|
||||
}
|
||||
}
|
||||
|
||||
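Review bot: With the system-account assertion at the end of this hunk flipped to `Allow`, TestEngineDefaultsOnly no longer holds any `Deny` expectation for the default policy, so a regression that turns rule -2 into an unconditional allow (for instance, matching an empty or missing subject) would pass unnoticed. Add one evaluation that must still be refused under defaults — an unauthenticated input, or a non-admin subject attempting an admin-only action, which the commit message says still requires the admin role — and assert `Deny`. Whether an empty `Subject` is what the engine treats as unauthenticated is not visible here; confirm against the rule -2 matcher before relying on it. The enclosing function starts before the hunk.
```go
// … unchanged: admin and system-account evaluations …

// An unauthenticated caller must not be swept in by rule -2.
// NOTE(review): assumes an empty Subject denotes an unauthenticated request — confirm.
effect, _ = e.Evaluate(PolicyInput{
	Subject:     "",
	AccountType: "",
	Action:      ActionPull,
	Repository:  "myapp",
})
if effect != Deny {
	t.Fatalf("anonymous pull with defaults: got %s, want deny", effect)
}
```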
@@ -62,15 +62,15 @@ func TestEngineWithCustomRules(t *testing.T) {
|
||||
t.Fatalf("ci pull with custom rule: got %s, want allow", effect)
|
||||
}
|
||||
|
||||
// Different subject should still be denied.
|
||||
// Different subject is still allowed via default rule -2 (authenticated users).
|
||||
effect, _ = e.Evaluate(PolicyInput{
|
||||
Subject: "other-uuid",
|
||||
AccountType: "system",
|
||||
Action: ActionPull,
|
||||
Repository: "myapp",
|
||||
})
|
||||
if effect != Deny {
|
||||
t.Fatalf("other pull: got %s, want deny", effect)
|
||||
if effect != Allow {
|
||||
t.Fatalf("other pull: got %s, want allow", effect)
|
||||
}
|
||||
}
|
||||
|
||||
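Review bot: The flipped assertion on `other-uuid` no longer tells whether the custom rule was applied: with rule -2 allowing every authenticated subject, the evaluation returns `Allow` whether or not the custom rule exists, so this check — and the matching ones in TestEngineReload (`ci pull after second reload`) and TestEngineReloadDisabledExcluded (`system pull with no custom rules`) — would pass even if custom-rule loading, reload, or disabled-rule exclusion were broken. Either drop these assertions as no longer meaningful, or keep them discriminating by evaluating an action the default policy does not grant (the commit message says admin-only policy-management actions still require the admin role), so that the custom rule's absence is observable as `Deny`. At minimum the updated comment should state what the assertion now covers, e.g. `// Not matched by the custom rule; Allow comes from default rule -2, so this does not exercise rule scoping.` The enclosing functions start before their hunks.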
@@ -117,15 +117,15 @@ func TestEngineReload(t *testing.T) {
|
||||
t.Fatalf("Reload (second): %v", err)
|
||||
}
|
||||
|
||||
// ci-uuid should now be denied (old rule gone).
|
||||
// ci-uuid custom rule is gone, but still allowed via default rule -2.
|
||||
effect, _ = e.Evaluate(PolicyInput{
|
||||
Subject: "ci-uuid",
|
||||
AccountType: "system",
|
||||
Action: ActionPull,
|
||||
Repository: "myapp",
|
||||
})
|
||||
if effect != Deny {
|
||||
t.Fatalf("ci pull after second reload: got %s, want deny", effect)
|
||||
if effect != Allow {
|
||||
t.Fatalf("ci pull after second reload: got %s, want allow", effect)
|
||||
}
|
||||
|
||||
// deploy-uuid should now be allowed.
|
||||
@@ -149,14 +149,14 @@ func TestEngineReloadDisabledExcluded(t *testing.T) {
|
||||
t.Fatalf("Reload: %v", err)
|
||||
}
|
||||
|
||||
// No custom rules, so system account should be denied.
|
||||
// No custom rules, but system account is allowed via default rule -2.
|
||||
effect, _ := e.Evaluate(PolicyInput{
|
||||
Subject: "ci-uuid",
|
||||
AccountType: "system",
|
||||
Action: ActionPull,
|
||||
Repository: "myapp",
|
||||
})
|
||||
if effect != Deny {
|
||||
t.Fatalf("system pull with no custom rules: got %s, want deny", effect)
|
||||
if effect != Allow {
|
||||
t.Fatalf("system pull with no custom rules: got %s, want allow", effect)
|
||||
}
|
||||
}
|
||||
|
||||