Merge branch...

Merge branch '427546-gerardo-navarro-protected-containers-write-protection-for-container-repositories-integration-container-registry-auth-service-follow-up-bugfix-user-role-admin' into 'master' 

Protected containers: Push protection for admin users

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157464



Merged-by: Aboobacker MK <akarakath@gitlab.com>
Approved-by: Ian Baum <ibaum@gitlab.com>
Approved-by: Leaminn Ma <lma@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Reviewed-by: Gerardo Navarro <gerardo@b310.de>
Reviewed-by: Eduardo Sanz García <esanz-garcia@gitlab.com>
Co-authored-by: Gerardo Navarro <gerardo@b310.de>

app/services/auth/container_registry_authentication_service.rb

@@ -329,6 +329,7 @@ def has_registry_ability?
     def repository_path_push_protected?
       return false if Feature.disabled?(:container_registry_protected_containers, project&.root_ancestor)
+      return false if current_user&.can_admin_all_resources?
       push_scopes = scopes.select { |scope| scope[:actions].include?('push') || scope[:actions].include?('*') }

spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb

@@ -1424,7 +1424,6 @@
     let_it_be(:current_project) { create(:project) }
     let_it_be(:project) { current_project }
-    let_it_be(:current_user) { create(:user) }
     let_it_be(:container_repository_path) { current_project.full_path }
     let_it_be(:container_repository_path_pattern_no_match) { "#{container_repository_path}_no_match" }
@@ -1437,6 +1436,7 @@
     let_it_be(:project_developer) { create(:user, developer_of: current_project) }
     let_it_be(:project_maintainer) { create(:user, maintainer_of: current_project) }
     let_it_be(:project_owner) { current_project.owner }
+    let_it_be(:instance_admin) { create(:admin) }
     let(:current_params) { { scopes: ["repository:#{container_repository_path}:push"] } }
@@ -1449,13 +1449,16 @@
       end
     end
-    context 'for different repository_path_patterns and current user roles' do
+    context 'for different repository_path_patterns and current user roles', :enable_admin_mode do
       # rubocop:disable Layout/LineLength -- Avoid formatting to keep one-line table layout
       where(:repository_path_pattern, :minimum_access_level_for_push, :current_user, :shared_examples_name) do
         ref(:container_repository_path)                  | :maintainer | ref(:project_developer)  | 'a protected container repository'
         ref(:container_repository_path)                  | :maintainer | ref(:project_owner)      | 'a pushable'
         ref(:container_repository_path)                  | :owner      | ref(:project_maintainer) | 'a protected container repository'
+        ref(:container_repository_path)                  | :owner      | ref(:project_owner)      | 'a pushable'
+        ref(:container_repository_path)                  | :owner      | ref(:instance_admin)     | 'a pushable'
         ref(:container_repository_path)                  | :admin      | ref(:project_owner)      | 'a protected container repository'
+        ref(:container_repository_path)                  | :admin      | ref(:instance_admin)     | 'a pushable'
         ref(:container_repository_path_pattern_no_match) | :maintainer | ref(:project_developer)  | 'a pushable'
         ref(:container_repository_path_pattern_no_match) | :admin      | ref(:project_owner)      | 'a pushable'
       end