fix image permissions check after no-org removal (#2388)

Author: zubenkoivan

platform_api/handlers/jobs_handler.py

@@ -562,7 +562,7 @@ def infer_permissions_from_container(
     if container.belongs_to_registry(registry_host):
         permissions.append(
             Permission(
-                uri=str(container.to_image_uri(registry_host, cluster_name, org_name)),
+                uri=str(container.to_image_uri(registry_host, cluster_name)),
                 action="read",
             )
         )

platform_api/orchestrator/job_request.py

@@ -429,14 +429,13 @@ def belongs_to_registry(self, registry_host: str) -> bool:
         prefix = f"{registry_host}/"
         return self.image.startswith(prefix)
 
-    def to_image_uri(self, registry_host: str, cluster_name: str, org_name: str) -> URL:
+    def to_image_uri(self, registry_host: str, cluster_name: str) -> URL:
         assert self.belongs_to_registry(registry_host), "Unknown registry"
         prefix = f"{registry_host}/"
         repo = self.image[len(prefix) :]
         path, *_ = repo.split(":", 1)
         assert cluster_name
-        assert org_name
-        return URL.build(scheme="image", host=cluster_name) / org_name / path
+        return URL.build(scheme="image", host=cluster_name) / path
 
     def get_secrets(self) -> list[Secret]:
         return list(

tests/integration/test_api.py

@@ -3494,7 +3494,9 @@ async def test_forbidden_image(
     ) -> None:
         payload = {
             "container": {
-                "image": "registry.dev.neuromation.io/anotheruser/image:tag",
+                "image": (
+                    f"registry.dev.neuromation.io/{test_org_name}/anotheruser/image:tag"
+                ),
                 "command": "true",
                 "resources": {"cpu": 0.1, "memory_mb": 32, "memory": 32 * 2**20},
             }
@@ -3521,10 +3523,14 @@ async def test_allowed_image(
         client: aiohttp.ClientSession,
         jobs_client: JobsClient,
         regular_user: _User,
+        test_org_name: str,
     ) -> None:
         payload = {
             "container": {
-                "image": f"registry.dev.neuromation.io/{regular_user.name}/image:tag",
+                "image": (
+                    f"registry.dev.neuromation.io/{test_org_name}"
+                    f"/{regular_user.name}/image:tag"
+                ),
                 "command": "true",
                 "resources": {"cpu": 0.1, "memory_mb": 32, "memory": 32 * 2**20},
             }

tests/unit/test_job.py

@@ -114,34 +114,34 @@ def test_belongs_to_registry(self) -> None:
 
     def test_to_image_uri_failure(self) -> None:
         container = Container(
-            image="registry.com/project/testimage",
+            image="registry.com/test-org/project/testimage",
             resources=ContainerResources(cpu=1, memory=128 * 10**6),
         )
         with pytest.raises(AssertionError, match="Unknown registry"):
-            container.to_image_uri("example.com", "test-cluster", "test-org")
+            container.to_image_uri("example.com", "test-cluster")
 
     def test_to_image_uri(self) -> None:
         container = Container(
-            image="example.com/project/testimage%2d",
+            image="example.com/test-org/project/testimage%2d",
             resources=ContainerResources(cpu=1, memory=128 * 10**6),
         )
-        uri = container.to_image_uri("example.com", "test-cluster", "test-org")
+        uri = container.to_image_uri("example.com", "test-cluster")
         assert uri == URL("image://test-cluster/test-org/project/testimage%252d")
 
     def test_to_image_uri_registry_with_custom_port(self) -> None:
         container = Container(
-            image="example.com:5000/project/testimage",
+            image="example.com:5000/test-org/project/testimage",
             resources=ContainerResources(cpu=1, memory=128 * 10**6),
         )
-        uri = container.to_image_uri("example.com:5000", "test-cluster", "test-org")
+        uri = container.to_image_uri("example.com:5000", "test-cluster")
         assert uri == URL("image://test-cluster/test-org/project/testimage")
 
     def test_to_image_uri_ignore_tag(self) -> None:
         container = Container(
-            image="example.com/project/testimage:latest",
+            image="example.com/test-org/project/testimage:latest",
             resources=ContainerResources(cpu=1, memory=128 * 10**6),
         )
-        uri = container.to_image_uri("example.com", "test-cluster", "test-org")
+        uri = container.to_image_uri("example.com", "test-cluster")
         assert uri == URL("image://test-cluster/test-org/project/testimage")
 
 

tests/unit/test_models.py

@@ -1760,7 +1760,7 @@ def test_volumes(self) -> None:
 
     def test_image(self) -> None:
         container = Container(
-            image="example.com/testuser/image",
+            image="example.com/test-org/testuser/image",
             resources=ContainerResources(cpu=0.1, memory=16 * 10**6),
         )
         permissions = infer_permissions_from_container(