diff --git a/app/graphql/mutations/packages/protection/rule/update.rb b/app/graphql/mutations/packages/protection/rule/update.rb
new file mode 100644
index 0000000000000000000000000000000000000000..dc1f78e6822f9aa18761a2a5c90a2b51ad1c49da
--- /dev/null
+++ b/app/graphql/mutations/packages/protection/rule/update.rb
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Mutations
+ module Packages
+ module Protection
+ module Rule
+ class Update < ::Mutations::BaseMutation
+ graphql_name 'UpdatePackagesProtectionRule'
+ description 'Updates a package protection rule to restrict access to project packages. ' \
+ 'You can prevent users without certain permissions from altering packages. ' \
+ 'Available only when feature flag `packages_protected_packages` is enabled.'
+
+ authorize :admin_package
+
+ argument :id,
+ ::Types::GlobalIDType[::Packages::Protection::Rule],
+ required: true,
+ description: 'Global ID of the package protection rule to be updated.'
+
+ argument :package_name_pattern,
+ GraphQL::Types::String,
+ required: false,
+ validates: { allow_blank: false },
+ description:
+ 'Package name protected by the protection rule. For example, `@my-scope/my-package-*`. ' \
+ 'Wildcard character `*` allowed.'
+
+ argument :package_type,
+ Types::Packages::Protection::RulePackageTypeEnum,
+ required: false,
+ validates: { allow_blank: false },
+ description: 'Package type protected by the protection rule. For example, `NPM`.'
+
+ argument :push_protected_up_to_access_level,
+ Types::Packages::Protection::RuleAccessLevelEnum,
+ required: false,
+ validates: { allow_blank: false },
+ description:
+ 'Maximum GitLab access level unable to push a package. For example, `DEVELOPER`, `MAINTAINER`, `OWNER`.'
+
+ field :package_protection_rule,
+ Types::Packages::Protection::RuleType,
+ null: true,
+ description: 'Packages protection rule after mutation.'
+
+ def resolve(id:, **kwargs)
+ package_protection_rule = authorized_find!(id: id)
+
+ if Feature.disabled?(:packages_protected_packages, package_protection_rule.project)
+ raise_resource_not_available_error!("'packages_protected_packages' feature flag is disabled")
+ end
+
+ response = ::Packages::Protection::UpdateRuleService.new(package_protection_rule,
+ current_user: current_user, params: kwargs).execute
+
+ { package_protection_rule: response.payload[:package_protection_rule], errors: response.errors }
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/app/graphql/types/mutation_type.rb b/app/graphql/types/mutation_type.rb
index 8055247fb8abfdf70b1b9024eb08b2e9d0ddb7d2..d0a9ea11a272d87f069d850d3ffca01a9a467f5e 100644
--- a/app/graphql/types/mutation_type.rb
+++ b/app/graphql/types/mutation_type.rb
@@ -177,6 +177,7 @@ class MutationType < BaseObject
mount_mutation Mutations::Packages::DestroyFile
mount_mutation Mutations::Packages::Protection::Rule::Create, alpha: { milestone: '16.5' }
mount_mutation Mutations::Packages::Protection::Rule::Delete, alpha: { milestone: '16.6' }
+ mount_mutation Mutations::Packages::Protection::Rule::Update, alpha: { milestone: '16.6' }
mount_mutation Mutations::Packages::DestroyFiles
mount_mutation Mutations::Packages::Cleanup::Policy::Update
mount_mutation Mutations::Echo
diff --git a/app/services/packages/protection/update_rule_service.rb b/app/services/packages/protection/update_rule_service.rb
new file mode 100644
index 0000000000000000000000000000000000000000..0dc7eb6a7b9836b73330cc25b7a4c823a348c0e3
--- /dev/null
+++ b/app/services/packages/protection/update_rule_service.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Packages
+ module Protection
+ class UpdateRuleService
+ include Gitlab::Allowable
+
+ ALLOWED_ATTRIBUTES = %i[
+ package_name_pattern
+ package_type
+ push_protected_up_to_access_level
+ ].freeze
+
+ def initialize(package_protection_rule, current_user:, params:)
+ if package_protection_rule.blank? || current_user.blank?
+ raise ArgumentError,
+ 'package_protection_rule and current_user must be set'
+ end
+
+ @package_protection_rule = package_protection_rule
+ @current_user = current_user
+ @params = params || {}
+ end
+
+ def execute
+ unless can?(current_user, :admin_package, package_protection_rule.project)
+ error_message = _('Unauthorized to update a package protection rule')
+ return service_response_error(message: error_message)
+ end
+
+ package_protection_rule.update(params.slice(*ALLOWED_ATTRIBUTES))
+
+ if package_protection_rule.errors.present?
+ return service_response_error(message: package_protection_rule.errors.full_messages)
+ end
+
+ ServiceResponse.success(payload: { package_protection_rule: package_protection_rule })
+ rescue StandardError => e
+ service_response_error(message: e.message)
+ end
+
+ private
+
+ attr_reader :package_protection_rule, :current_user, :params
+
+ def service_response_error(message:)
+ ServiceResponse.error(
+ message: message,
+ payload: { package_protection_rule: nil }
+ )
+ end
+ end
+ end
+end
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index c8a5bf4a5cf73f2036042532ed7e2d8d76ec411f..fca6b472f30d4fb2017efc9e3acbf9b66a3b1a1f 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -7494,6 +7494,34 @@ Input type: `UpdatePackagesCleanupPolicyInput`
| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
| `packagesCleanupPolicy` | [`PackagesCleanupPolicy`](#packagescleanuppolicy) | Packages cleanup policy after mutation. |
+### `Mutation.updatePackagesProtectionRule`
+
+Updates a package protection rule to restrict access to project packages. You can prevent users without certain permissions from altering packages. Available only when feature flag `packages_protected_packages` is enabled.
+
+WARNING:
+**Introduced** in 16.6.
+This feature is an Experiment. It can be changed or removed at any time.
+
+Input type: `UpdatePackagesProtectionRuleInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `id` | [`PackagesProtectionRuleID!`](#packagesprotectionruleid) | Global ID of the package protection rule to be updated. |
+| `packageNamePattern` | [`String`](#string) | Package name protected by the protection rule. For example, `@my-scope/my-package-*`. Wildcard character `*` allowed. |
+| `packageType` | [`PackagesProtectionRulePackageType`](#packagesprotectionrulepackagetype) | Package type protected by the protection rule. For example, `NPM`. |
+| `pushProtectedUpToAccessLevel` | [`PackagesProtectionRuleAccessLevel`](#packagesprotectionruleaccesslevel) | Maximum GitLab access level unable to push a package. For example, `DEVELOPER`, `MAINTAINER`, `OWNER`. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+| `packageProtectionRule` | [`PackagesProtectionRule`](#packagesprotectionrule) | Packages protection rule after mutation. |
+
### `Mutation.updateRequirement`
Input type: `UpdateRequirementInput`
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 09caceda198212a6cb8b395443f8f92e61759623..e7da008a60f7a1249d883768c47a1b9946524c6f 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -51281,6 +51281,9 @@ msgstr ""
msgid "Unauthorized to delete a package protection rule"
msgstr ""
+msgid "Unauthorized to update a package protection rule"
+msgstr ""
+
msgid "Unauthorized to update the environment"
msgstr ""
diff --git a/spec/requests/api/graphql/mutations/packages/protection/rule/update_spec.rb b/spec/requests/api/graphql/mutations/packages/protection/rule/update_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..cb4f92403116807d7deff10a6de44c07914572d1
--- /dev/null
+++ b/spec/requests/api/graphql/mutations/packages/protection/rule/update_spec.rb
@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Updating the packages protection rule', :aggregate_failures, feature_category: :package_registry do
+ include GraphqlHelpers
+
+ let_it_be(:project) { create(:project) }
+ let_it_be_with_reload(:package_protection_rule) do
+ create(:package_protection_rule, project: project, push_protected_up_to_access_level: :developer)
+ end
+
+ let_it_be(:current_user) { create(:user, maintainer_projects: [project]) }
+
+ let(:package_protection_rule_attributes) { build_stubbed(:package_protection_rule, project: project) }
+
+ let(:mutation) do
+ graphql_mutation(:update_packages_protection_rule, input,
+ <<~QUERY
+ packageProtectionRule {
+ packageNamePattern
+ pushProtectedUpToAccessLevel
+ }
+ clientMutationId
+ errors
+ QUERY
+ )
+ end
+
+ let(:input) do
+ {
+ id: package_protection_rule.to_global_id,
+ package_name_pattern: "#{package_protection_rule.package_name_pattern}-updated",
+ push_protected_up_to_access_level: 'MAINTAINER'
+ }
+ end
+
+ let(:mutation_response) { graphql_mutation_response(:update_packages_protection_rule) }
+
+ subject { post_graphql_mutation(mutation, current_user: current_user) }
+
+ shared_examples 'a successful response' do
+ it { subject.tap { expect_graphql_errors_to_be_empty } }
+
+ it 'returns the updated package protection rule' do
+ subject
+
+ expect(mutation_response).to include(
+ 'packageProtectionRule' => {
+ 'packageNamePattern' => input[:package_name_pattern],
+ 'pushProtectedUpToAccessLevel' => input[:push_protected_up_to_access_level]
+ }
+ )
+ end
+
+ it do
+ subject.tap do
+ expect(package_protection_rule.reload).to have_attributes(
+ package_name_pattern: input[:package_name_pattern],
+ push_protected_up_to_access_level: input[:push_protected_up_to_access_level].downcase
+ )
+ end
+ end
+ end
+
+ shared_examples 'an erroneous reponse' do
+ it { subject.tap { expect(mutation_response).to be_blank } }
+ it { expect { subject }.not_to change { package_protection_rule.reload.updated_at } }
+ end
+
+ it_behaves_like 'a successful response'
+
+ context 'with other existing package protection rule with same package_name_pattern' do
+ let_it_be_with_reload(:other_existing_package_protection_rule) do
+ create(:package_protection_rule, project: project,
+ package_name_pattern: "#{package_protection_rule.package_name_pattern}-other")
+ end
+
+ let(:input) { super().merge(package_name_pattern: other_existing_package_protection_rule.package_name_pattern) }
+
+ it { is_expected.tap { expect_graphql_errors_to_be_empty } }
+
+ it 'returns a blank package protection rule' do
+ is_expected.tap { expect(mutation_response['packageProtectionRule']).to be_blank }
+ end
+
+ it 'includes error message in response' do
+ is_expected.tap { expect(mutation_response['errors']).to eq ['Package name pattern has already been taken'] }
+ end
+ end
+
+ context 'with invalid input param `pushProtectedUpToAccessLevel`' do
+ let(:input) { super().merge(push_protected_up_to_access_level: nil) }
+
+ it_behaves_like 'an erroneous reponse'
+
+ it { is_expected.tap { expect_graphql_errors_to_include(/pushProtectedUpToAccessLevel can't be blank/) } }
+ end
+
+ context 'with invalid input param `packageNamePattern`' do
+ let(:input) { super().merge(package_name_pattern: '') }
+
+ it_behaves_like 'an erroneous reponse'
+
+ it { is_expected.tap { expect_graphql_errors_to_include(/packageNamePattern can't be blank/) } }
+ end
+
+ context 'when current_user does not have permission' do
+ let_it_be(:developer) { create(:user).tap { |u| project.add_developer(u) } }
+ let_it_be(:reporter) { create(:user).tap { |u| project.add_reporter(u) } }
+ let_it_be(:guest) { create(:user).tap { |u| project.add_guest(u) } }
+ let_it_be(:anonymous) { create(:user) }
+
+ where(:current_user) do
+ [ref(:developer), ref(:reporter), ref(:guest), ref(:anonymous)]
+ end
+
+ with_them do
+ it { is_expected.tap { expect_graphql_errors_to_include(/you don't have permission to perform this action/) } }
+ end
+ end
+
+ context "when feature flag ':packages_protected_packages' disabled" do
+ before do
+ stub_feature_flags(packages_protected_packages: false)
+ end
+
+ it_behaves_like 'an erroneous reponse'
+
+ it 'returns error of disabled feature flag' do
+ is_expected.tap { expect_graphql_errors_to_include(/'packages_protected_packages' feature flag is disabled/) }
+ end
+ end
+end
diff --git a/spec/services/packages/protection/update_rule_service_spec.rb b/spec/services/packages/protection/update_rule_service_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..70619a1caa3ddc030bd32e5d72b47312d87ceca8
--- /dev/null
+++ b/spec/services/packages/protection/update_rule_service_spec.rb
@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Packages::Protection::UpdateRuleService, '#execute', feature_category: :environment_management do
+ let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:current_user) { create(:user, maintainer_projects: [project]) }
+ let_it_be_with_reload(:package_protection_rule) { create(:package_protection_rule, project: project) }
+
+ let(:service) { described_class.new(package_protection_rule, current_user: current_user, params: params) }
+
+ let(:params) do
+ attributes_for(
+ :package_protection_rule,
+ package_name_pattern: "#{package_protection_rule.package_name_pattern}-updated",
+ package_type: 'npm',
+ push_protected_up_to_access_level: 'owner'
+ )
+ end
+
+ subject(:service_execute) { service.execute }
+
+ shared_examples 'a successful service response' do
+ let(:expected_attributes) { params }
+
+ it { is_expected.to be_success }
+
+ it do
+ is_expected.to have_attributes(
+ errors: be_blank,
+ message: be_blank,
+ payload: { package_protection_rule: be_a(Packages::Protection::Rule).and(have_attributes(expected_attributes)) }
+ )
+ end
+
+ it { expect { subject }.not_to change { Packages::Protection::Rule.count } }
+
+ it { subject.tap { expect(package_protection_rule.reload).to have_attributes expected_attributes } }
+ end
+
+ shared_examples 'an erroneous service response' do
+ it { is_expected.to be_error }
+
+ it do
+ is_expected.to have_attributes(
+ errors: be_present,
+ message: be_present,
+ payload: { package_protection_rule: nil }
+ )
+ end
+
+ it { expect { subject }.not_to change { Packages::Protection::Rule.count } }
+ it { expect { subject }.not_to change { package_protection_rule.reload.updated_at } }
+ end
+
+ it_behaves_like 'a successful service response'
+
+ context 'with disallowed params' do
+ let(:params) { super().merge!(project_id: 1, unsupported_param: 'unsupported_param_value') }
+
+ it_behaves_like 'a successful service response' do
+ let(:expected_attributes) { params.except(:project_id, :unsupported_param) }
+ end
+ end
+
+ context 'when fields are invalid' do
+ let(:params) do
+ { package_name_pattern: '', package_type: 'unknown_package_type',
+ push_protected_up_to_access_level: 1000 }
+ end
+
+ it_behaves_like 'an erroneous service response'
+
+ it { is_expected.to have_attributes message: /'unknown_package_type' is not a valid package_type/ }
+ end
+
+ context 'with empty params' do
+ let(:params) { {} }
+
+ it_behaves_like 'a successful service response' do
+ let(:expected_attributes) { package_protection_rule.attributes }
+ end
+
+ it { expect { service_execute }.not_to change { package_protection_rule.reload.updated_at } }
+ end
+
+ context 'with nil params' do
+ let(:params) { nil }
+
+ it_behaves_like 'a successful service response' do
+ let(:expected_attributes) { package_protection_rule.attributes }
+ end
+
+ it { expect { service_execute }.not_to change { package_protection_rule.reload.updated_at } }
+ end
+
+ context 'when updated field `package_name_pattern` is already taken' do
+ let_it_be_with_reload(:other_existing_package_protection_rule) do
+ create(:package_protection_rule, project: project,
+ package_name_pattern: "#{package_protection_rule.package_name_pattern}-other")
+ end
+
+ let(:params) { { package_name_pattern: other_existing_package_protection_rule.package_name_pattern } }
+
+ it_behaves_like 'an erroneous service response'
+
+ it do
+ expect { service_execute }.not_to(
+ change { other_existing_package_protection_rule.reload.package_name_pattern }
+ )
+ end
+
+ it do
+ is_expected.to have_attributes(
+ errors: match_array([/Package name pattern has already been taken/]),
+ message: match_array([/Package name pattern has already been taken/])
+ )
+ end
+ end
+
+ context 'when current_user does not have permission' do
+ let_it_be(:developer) { create(:user).tap { |u| project.add_developer(u) } }
+ let_it_be(:reporter) { create(:user).tap { |u| project.add_reporter(u) } }
+ let_it_be(:guest) { create(:user).tap { |u| project.add_guest(u) } }
+ let_it_be(:anonymous) { create(:user) }
+
+ where(:current_user) do
+ [ref(:developer), ref(:reporter), ref(:guest), ref(:anonymous)]
+ end
+
+ with_them do
+ it_behaves_like 'an erroneous service response'
+
+ it { is_expected.to have_attributes errors: match_array(/Unauthorized/), message: /Unauthorized/ }
+ end
+ end
+
+ context 'without package protection rule' do
+ let(:package_protection_rule) { nil }
+ let(:params) { {} }
+
+ it { expect { service_execute }.to raise_error(ArgumentError) }
+ end
+
+ context 'without current_user' do
+ let(:current_user) { nil }
+
+ it { expect { service_execute }.to raise_error(ArgumentError) }
+ end
+end