verify registry access after token revoked

vijaysawant · vijaysawant · commit d738c1e444dd · 2026-02-12T12:30:34.000+05:30
diff --git a/tests/foreman/cli/test_container_management.py b/tests/foreman/cli/test_container_management.py
@@ -551,3 +551,66 @@ def _finalize():
         request.addfinalizer(lambda: host.execute(f'podman rmi {cv_path}'))
         res = host.execute('podman images')
         assert cv_path in res.stdout
+
+    def test_positive_revoke_registry_token_prevents_access(self, request, target_sat):
+        """Verify that revoking a registry access token prevents client access to registry.
+
+        :id: 8b4e5c2a-1f3d-4a7e-9c8b-2d6f4e5a3b1c
+
+        :steps:
+            1. Create a new org and product
+            2. Sync a small container repo (quay/busybox from quay.io)
+            3. Login to Satellite registry
+            4. Pull the synced image - should succeed
+            5. Revoke the registry personal access token via CLI
+            6. Try to pull again - should fail with authentication error
+
+        :expectedresults:
+            After revoking the authentication token, podman pull fails with
+            authentication error.
+
+        :Verifies: SAT-38785
+        """
+        # 1. Create org and product
+        org = target_sat.cli_factory.make_org()
+        product = target_sat.cli_factory.make_product_wait({'organization-id': org['id']})
+
+        @request.addfinalizer
+        def _cleanup():
+            target_sat.execute(f'podman logout {target_sat.hostname}')
+            target_sat.execute('podman rmi -a -f')
+
+        # 2. Sync a small container repo (quay/busybox from quay.io)
+        repo = _repo(target_sat, product['id'], upstream_name='quay/busybox', url='https://quay.io')
+        target_sat.cli.Repository.synchronize({'id': repo['id']})
+
+        # Build the registry path for the synced image
+        # Format: hostname/org_label/product_label/repo_name
+        repo_info = target_sat.cli.Repository.info({'id': repo['id']})
+        registry_path = repo_info['published-at']
+
+        # 3. Login to Satellite registry
+        result = target_sat.execute(
+            f'podman login -u {settings.server.admin_username}'
+            f' -p {settings.server.admin_password} {target_sat.hostname}'
+        )
+        assert result.status == 0, f'Failed to login to registry: {result.stderr}'
+
+        # 4. Pull the synced image - should succeed
+        result = target_sat.execute(f'podman pull {registry_path}')
+        assert result.status == 0, f'Failed to pull synced image: {result.stderr}'
+
+        # 5. Revoke the registry personal access token via CLI
+        admin_user = target_sat.cli.User.info({'login': settings.server.admin_username})
+        target_sat.cli.User.access_token(
+            action='revoke',
+            options={'name': 'registry', 'user-id': admin_user['id']},
+        )
+
+        # 6. Try to pull again - should fail with authentication error
+        result = target_sat.execute(f'podman pull {registry_path}')
+        assert result.status != 0, 'Pull should have failed after token revocation'
+        assert (
+            'authentication required' in result.stderr.lower()
+            or 'unauthorized' in result.stderr.lower()
+        ), f'Expected authentication error, got: {result.stderr}'
