From a78c15026d6b413f63cf5e419321cbe01304b509 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 12 Jul 2023 15:47:19 -0600
Subject: [PATCH 1/6] Add read_dependency column to member_roles table

This change adds a new column to the `member_roles` table to allow custom roles to enable the `read_dependency` ability.

Changelog: added
---
 .../20230712214613_add_read_dependency_to_member_roles.rb | 7 +++++++
 db/schema_migrations/20230712214613 | 1 +
 db/structure.sql | 3 ++-
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20230712214613_add_read_dependency_to_member_roles.rb
 create mode 100644 db/schema_migrations/20230712214613

diff --git a/db/migrate/20230712214613_add_read_dependency_to_member_roles.rb b/db/migrate/20230712214613_add_read_dependency_to_member_roles.rb
new file mode 100644
index 00000000000000..c6c9f3a061173b
--- /dev/null
+++ b/db/migrate/20230712214613_add_read_dependency_to_member_roles.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddReadDependencyToMemberRoles < Gitlab::Database::Migration[2.1]
+ def change
+ add_column :member_roles, :read_dependency, :boolean, default: false, null: false
+ end
+end
diff --git a/db/schema_migrations/20230712214613 b/db/schema_migrations/20230712214613
new file mode 100644
index 00000000000000..f9afbe825d699a
--- /dev/null
+++ b/db/schema_migrations/20230712214613
@@ -0,0 +1 @@
+56415a907d3bba749b9d42b5f37919981e779f0422c86793028d128350875f2d
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 633b2943d1aa66..1daa1ed99b6632 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -17885,7 +17885,8 @@ CREATE TABLE member_roles ( base_access_level integer NOT NULL, read_code boolean DEFAULT false, read_vulnerability boolean DEFAULT false NOT NULL, - admin_vulnerability boolean DEFAULT false NOT NULL + admin_vulnerability boolean DEFAULT false NOT NULL, + read_dependency boolean DEFAULT false NOT NULL ); CREATE SEQUENCE member_roles_id_seq -- GitLab From d176393c531f6c771116d487c05f14d4c2f64cfb Mon Sep 17 00:00:00 2001 From: mo khan Date: Wed, 12 Jul 2023 16:55:28 -0600 Subject: [PATCH 2/6] Add policy to enable read_dependeny via custom roles --- ee/app/models/members/member_role.rb | 4 ++++ ee/app/policies/ee/project_policy.rb | 10 ++++++++++ ee/spec/policies/project_policy_spec.rb | 7 +++++++ 3 files changed, 21 insertions(+) diff --git a/ee/app/models/members/member_role.rb b/ee/app/models/members/member_role.rb index 2138bb6327dfc2..ca93374ab721d6 100644 --- a/ee/app/models/members/member_role.rb +++ b/ee/app/models/members/member_role.rb @@ -5,6 +5,10 @@ class MemberRole < ApplicationRecord # rubocop:disable Gitlab/NamespacedClass ALL_CUSTOMIZABLE_PERMISSIONS = { read_code: { description: 'Permission to read code', minimal_level: Gitlab::Access::GUEST }, + read_dependency: { + description: 'Permission to read dependency', + minimal_level: Gitlab::Access::GUEST + }, read_vulnerability: { descripition: 'Permission to read vulnerability', minimal_level: Gitlab::Access::GUEST }, admin_vulnerability: { diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb index 2cede9edbb9dbf..45400370fe2906 100644 --- a/ee/app/policies/ee/project_policy.rb +++ b/ee/app/policies/ee/project_policy.rb 
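Review bot: The new `read_dependency` entry in ALL_CUSTOMIZABLE_PERMISSIONS is the only place in this series that describes the permission, and no documentation file is touched; if the custom-roles documentation and the member roles API reference enumerate the available permissions (presumably they do — confirm), they need a matching entry. The neighbouring `read_vulnerability` entry on the context lines spells its key `descripition`, so any consumer that reads `description` gets nil for that permission; since the new entry is modelled on it, this is worth correcting in the same commit: `description: 'Permission to read vulnerability',`. The ALL_CUSTOMIZABLE_PERMISSIONS hash starts and ends outside the hunk.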
@@ -233,6 +233,13 @@ module ProjectPolicy
 @user.custom_permission_for?(project, :admin_vulnerability)
 end

+ desc "Custom role on project that enables read dependency"
+ condition(:role_enables_read_dependency) do
+ next unless @user.is_a?(User)
+
+ @user.custom_permission_for?(project, :read_dependency)
+ end
+
 with_scope :subject
 condition(:suggested_reviewers_available) do
 @subject.can_suggest_reviewers?
@@ -606,6 +613,9 @@ module ProjectPolicy
 rule { custom_roles_allowed & role_enables_admin_vulnerability }.policy do
 enable :admin_vulnerability
 end
+ rule { custom_roles_allowed & role_enables_read_dependency }.policy do
+ enable :read_dependencies
+ end

 rule { can?(:create_issue) & okrs_enabled }.policy do
 enable :create_objective
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 61e55788aec491..8dd6f0443b4fe3 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2552,6 +2552,13 @@ def create_member_role(member, abilities = member_role_abilities)
 it_behaves_like 'custom roles abilities'
 end

+
+ context 'for a member role with read_dependency true' do
+ let(:member_role_abilities) { { read_dependency: true } }
+ let(:allowed_abilities) { [:read_dependencies] }
+
+ it_behaves_like 'custom roles abilities'
+ end
 end

 describe 'permissions for suggested reviewers bot', :saas do
--
GitLab

From 22463c1fb3e5d12c32dbe1f020347140b8e06d0e Mon Sep 17 00:00:00 2001
From: mo khan
Date: Wed, 12 Jul 2023 17:35:50 -0600
Subject: [PATCH 3/6] Ensure dependency_scanning is enabled

---
 ee/app/policies/ee/project_policy.rb | 2 +-
 ee/spec/policies/project_policy_spec.rb | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 45400370fe2906..26ed4b6f19fb9c 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
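Review bot: The permission key and the ability it grants have different names: the new condition checks `custom_permission_for?(project, :read_dependency)` while the rule in the second hunk enables `:read_dependencies`, whereas the admin_vulnerability pair visible just above uses one name on both sides. A later refactor that writes `enable :read_dependency` would grant nothing and no test would catch it by name, so either align the two or record the mapping at the rule: `# :read_dependency (member_roles column) grants the existing :read_dependencies project ability`. The spec hunk in this commit relies on the same mapping through `let(:allowed_abilities) { [:read_dependencies] }`. Both policy hunks sit inside the ProjectPolicy module, which starts and ends outside them.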
@@ -613,7 +613,7 @@ module ProjectPolicy
 rule { custom_roles_allowed & role_enables_admin_vulnerability }.policy do
 enable :admin_vulnerability
 end
- rule { custom_roles_allowed & role_enables_read_dependency }.policy do
+ rule { custom_roles_allowed & role_enables_read_dependency & dependency_scanning_enabled }.policy do
 enable :read_dependencies
 end

diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 8dd6f0443b4fe3..b99ec3feae6dd6 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2459,6 +2459,7 @@ def expect_private_project_permissions_as_if_non_member
 let(:member_role_abilities) { {} }
 let(:allowed_abilities) { [] }
 let(:current_user) { guest }
+ let(:licensed_features) { {} }

 def create_member_role(member, abilities = member_role_abilities)
 params = abilities.merge(namespace: project.group)
@@ -2483,7 +2484,7 @@ def create_member_role(member, abilities = member_role_abilities)
 context 'with custom_roles license enabled' do
 before do
- stub_licensed_features(custom_roles: true)
+ stub_licensed_features(licensed_features.merge(custom_roles: true))
 end

 context 'custom role for parent group' do
@@ -2556,6 +2557,7 @@ def create_member_role(member, abilities = member_role_abilities)
 context 'for a member role with read_dependency true' do
 let(:member_role_abilities) { { read_dependency: true } }
 let(:allowed_abilities) { [:read_dependencies] }
+ let(:licensed_features) { { dependency_scanning: true } }

 it_behaves_like 'custom roles abilities'
 end
--
GitLab

From be8758541dd0e97be9371c1d22073d29e3944860 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Thu, 13 Jul 2023 10:43:57 -0600
Subject: [PATCH 4/6] Update assertion to include read_dependency ability

---
 ee/spec/requests/api/member_roles_spec.rb | 2 ++
 1 file changed, 2 insertions(+)
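Review bot: The `dependency_scanning_enabled` conjunct added to the policy rule is only exercised in the permitting direction: the last spec hunk sets `let(:licensed_features) { { dependency_scanning: true } }` for the read_dependency: true case, but no example asserts that such a role is still denied :read_dependencies when dependency scanning is not licensed, which is exactly the gate this commit introduces. Patch 5 later adds a read_dependency: false case and leaves that branch uncovered too. A sibling context relying on the `licensed_features` default of `{}` from the first spec hunk would cover it, assuming the shared example also asserts that abilities outside `allowed_abilities` are denied (the read_dependency: false case in patch 5 suggests it does — confirm). The enclosing `context 'with custom_roles license enabled'` block starts and ends outside the hunk.
```ruby
context 'for a member role with read_dependency true and dependency_scanning unlicensed' do
  let(:member_role_abilities) { { read_dependency: true } }
  let(:allowed_abilities) { [] }

  it_behaves_like 'custom roles abilities'
end
```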
diff --git a/ee/spec/requests/api/member_roles_spec.rb b/ee/spec/requests/api/member_roles_spec.rb
index 8d1b6a99408b69..60868585a9bd19 100644
--- a/ee/spec/requests/api/member_roles_spec.rb
+++ b/ee/spec/requests/api/member_roles_spec.rb
@@ -95,6 +95,7 @@
 "id" => member_role_1.id,
 "base_access_level" => ::Gitlab::Access::REPORTER,
 "read_code" => false,
+ "read_dependency" => false,
 "read_vulnerability" => true,
 "admin_vulnerability" => false,
 "group_id" => group_id
@@ -103,6 +104,7 @@
 "id" => member_role_2.id,
 "base_access_level" => ::Gitlab::Access::REPORTER,
 "read_code" => true,
+ "read_dependency" => false,
 "read_vulnerability" => false,
 "admin_vulnerability" => false,
 "group_id" => group_id
--
GitLab

From 422fd84e3e5fc8221b14c7af78bfcb611fe44a74 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Mon, 17 Jul 2023 11:21:25 -0600
Subject: [PATCH 5/6] Add spec for when read_dependency is false

---
 ee/spec/policies/project_policy_spec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index b99ec3feae6dd6..92b7fe1bfeb144 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2561,6 +2561,14 @@ def create_member_role(member, abilities = member_role_abilities)
 it_behaves_like 'custom roles abilities'
 end

+
+ context 'for a member role with read_dependency false' do
+ let(:member_role_abilities) { { read_dependency: false } }
+ let(:allowed_abilities) { [] }
+ let(:licensed_features) { { dependency_scanning: true } }
+
+ it_behaves_like 'custom roles abilities'
+ end
 end

 describe 'permissions for suggested reviewers bot', :saas do
--
GitLab

From da60e762f7fb359db6b04725d561de35fa8b7c99 Mon Sep 17 00:00:00 2001
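Review bot: The expected API response now carries a `"read_dependency"` key although no entity, API parameter or API documentation change is part of this series; that only holds if the member-roles entity and the create parameters are derived from ALL_CUSTOMIZABLE_PERMISSIONS, which cannot be confirmed from the hunk — verify, otherwise either this assertion fails or the new permission cannot be set through the API. If they are derived, the new field is still undocumented for API consumers, and of the commits touching EE code only patch 1 carries a `Changelog:` trailer. The response hash being asserted starts and ends outside the hunk.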
From: mo khan
Date: Mon, 17 Jul 2023 11:25:49 -0600
Subject: [PATCH 6/6] Enable read_dependency for one of them members in the test fixture

---
 ee/spec/requests/api/member_roles_spec.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ee/spec/requests/api/member_roles_spec.rb b/ee/spec/requests/api/member_roles_spec.rb
index 60868585a9bd19..2703e217bab8ce 100644
--- a/ee/spec/requests/api/member_roles_spec.rb
+++ b/ee/spec/requests/api/member_roles_spec.rb
@@ -23,6 +23,7 @@
 namespace: group_with_member_roles,
 base_access_level: ::Gitlab::Access::REPORTER,
 read_code: false,
+ read_dependency: false,
 read_vulnerability: true
 )
 end
@@ -33,6 +34,7 @@
 namespace: group_with_member_roles,
 base_access_level: ::Gitlab::Access::REPORTER,
 read_code: true,
+ read_dependency: true,
 read_vulnerability: false
 )
 end
@@ -104,7 +106,7 @@
 "id" => member_role_2.id,
 "base_access_level" => ::Gitlab::Access::REPORTER,
 "read_code" => true,
- "read_dependency" => false,
+ "read_dependency" => true,
 "read_vulnerability" => false,
 "admin_vulnerability" => false,
 "group_id" => group_id
--
GitLab