From 62fba6e91edee6f0e92fa6a2040abc4328e0efab Mon Sep 17 00:00:00 2001
From: Hinam Mehra
Date: Tue, 26 Mar 2024 17:13:50 +1100
Subject: [PATCH 1/2] Add admin_push_rules custom ability

Custom roles created with admin_push_rules ability, on top of any base role will allow users to manage push rules settings for repositories in groups and projects

EE: true
---
 .../json_schemas/member_role_permissions.json | 3 +++
 ...304_add_admin_push_rules_to_member_roles.rb | 18 ++++++++++++++++++
 db/schema_migrations/20240326055304 | 1 +
 doc/api/graphql/reference/index.md | 1 +
 doc/user/custom_roles/abilities.md | 6 ++++++
 ee/app/policies/ee/group_policy.rb | 13 +++++++++++++
 ee/app/policies/ee/project_policy.rb | 13 +++++++++++++
 .../custom_abilities/admin_push_rules.yml | 12 ++++++++++++
 .../wip/custom_ability_admin_push_rules.yml | 9 +++++++++
 ee/spec/policies/group_policy_spec.rb | 7 +++++++
 ee/spec/policies/project_policy_spec.rb | 7 +++++++
 .../admin_push_rules/request_spec.rb | 13 +++++++++++++
 12 files changed, 103 insertions(+)
 create mode 100644 db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb
 create mode 100644 db/schema_migrations/20240326055304
 create mode 100644 ee/config/custom_abilities/admin_push_rules.yml
 create mode 100644 ee/config/feature_flags/wip/custom_ability_admin_push_rules.yml
 create mode 100644 ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb

diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json
index 9d14329c3671b9..a4b6109da101df 100644
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -13,6 +13,9 @@
 "admin_merge_request": {
 "type": "boolean"
 },
+ "admin_push_rules": {
+ "type": "boolean"
+ },
 "admin_terraform_state": {
 "type": "boolean"
 },
diff --git a/db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb b/db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb
new file mode 100644
index 00000000000000..9f99d493dec6a4
--- /dev/null
+++ b/db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# See https://docs.gitlab.com/ee/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddAdminPushRulesToMemberRoles < Gitlab::Database::Migration[2.2]
+ milestone '16.11'
+
+ enable_lock_retries!
+
+ def up
+ add_column :member_roles, :admin_push_rules, :boolean, default: false, null: false
+ end
+
+ def down
+ remove_column :member_roles, :admin_push_rules
+ end
+end
diff --git a/db/schema_migrations/20240326055304 b/db/schema_migrations/20240326055304
new file mode 100644
index 00000000000000..e29105c9807884
--- /dev/null
+++ b/db/schema_migrations/20240326055304
@@ -0,0 +1 @@
+c0b57b79b89ec704173fb419589af53619b61dd682a614177af736ec913f0168
\ No newline at end of file
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 47788252676361..a8f6858f807104 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -32281,6 +32281,7 @@ Member role permission.
 | `ADMIN_CICD_VARIABLES` | Create, read, update, and delete CI/CD variables. |
 | `ADMIN_GROUP_MEMBER` | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. |
 | `ADMIN_MERGE_REQUEST` | Allows approval of merge requests. |
+| `ADMIN_PUSH_RULES` | Configure push rules for repositories at the group or project level. |
 | `ADMIN_TERRAFORM_STATE` | Execute terraform commands, lock/unlock terraform state files, and remove file versions. |
 | `ADMIN_VULNERABILITY` | Edit the vulnerability object, including the status and linking an issue. Includes the `read_vulnerability` permission actions. |
 | `ARCHIVE_PROJECT` | Allows archiving of projects. |
diff --git a/doc/user/custom_roles/abilities.md b/doc/user/custom_roles/abilities.md
index 9c15f3e1262e59..9919b543f1dc1b 100644
--- a/doc/user/custom_roles/abilities.md
+++ b/doc/user/custom_roles/abilities.md
@@ -56,6 +56,12 @@ These requirements are documented in the `Required permission` column in the fol
 |:-----|:------------|:------------------|:---------|:--------------|:---------|
 | [`admin_cicd_variables`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143369) | | Create, read, update, and delete CI/CD variables. | GitLab [16.10](https://gitlab.com/gitlab-org/gitlab/-/issues/437947) | | |
 
+## Source code management
+
+| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
+|:-----|:------------|:------------------|:---------|:--------------|:---------|
+| [`admin_push_rules`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872) | | Configure push rules for repositories at the group or project level. | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/421786) | `custom_ability_admin_push_rules` | |
+
 ## System access
 
 | Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb
index cb2cdb227ab649..c6eb2d433a0f81 100644
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -265,6 +265,15 @@ module GroupPolicy
 ).has_ability?
 end
 
+ desc 'Custom role on group that enables admin push rules for repositories'
+ condition(:role_enables_admin_push_rules) do
+ ::Auth::MemberRoleAbilityLoader.new(
+ user: @user,
+ resource: @subject,
+ ability: :admin_push_rules
+ ).has_ability?
+ end
+
 rule { owner & unique_project_download_limit_enabled }.policy do
 enable :ban_group_member
 end
@@ -580,6 +589,10 @@ module GroupPolicy
 enable :remove_group
 end
 
+ rule { custom_roles_allowed & role_enables_admin_push_rules }.policy do
+ enable :admin_push_rules
+ end
+
 rule { can?(:read_group_security_dashboard) }.policy do
 enable :create_vulnerability_export
 enable :read_security_resource
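Review bot: The rule added in the second group_policy hunk grants `:admin_push_rules` from `custom_roles_allowed & role_enables_admin_push_rules` alone, and nothing else in this patch references `:admin_push_rules` — no controller, service or API change consumes it. If the existing group push-rules endpoints authorize against a differently named ability, this rule has no runtime effect and the custom role silently does nothing; if they do check it, the grant is not visibly subject to the license condition that presumably gates the Owner-level push-rules grant elsewhere in this policy (its name is outside the hunk). Worth confirming which ability the group push-rules UI/API checks and, if a license condition exists, adding it to the rule, e.g. `rule { custom_roles_allowed & role_enables_admin_push_rules & <push_rules_licensed_condition> }.policy do`. Both hunks sit inside `module GroupPolicy`, which begins and ends outside the hunk.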
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 2a8c3a728d17f5..1e28c8aa9a5079 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -307,6 +307,15 @@ module ProjectPolicy
 ).has_ability?
 end
 
+ desc 'Custom role on project that enables admin push rules for repositories'
+ condition(:role_enables_admin_push_rules) do
+ ::Auth::MemberRoleAbilityLoader.new(
+ user: @user,
+ resource: @subject,
+ ability: :admin_push_rules
+ ).has_ability?
+ end
+
 condition(:developer_access_to_admin_vulnerability) do
 ::Feature.disabled?(:disable_developer_access_to_admin_vulnerability, subject&.root_namespace) &&
 can?(:developer_access)
@@ -387,6 +396,10 @@ module ProjectPolicy
 enable :admin_cicd_variables
 end
 
+ rule { custom_roles_allowed & role_enables_admin_push_rules }.policy do
+ enable :admin_push_rules
+ end
+
 condition(:ci_cancellation_maintainers_only, scope: :subject) do
 project.ci_cancellation_restriction.maintainers_only_allowed?
 end
diff --git a/ee/config/custom_abilities/admin_push_rules.yml b/ee/config/custom_abilities/admin_push_rules.yml
new file mode 100644
index 00000000000000..ec4dbd26874cc9
--- /dev/null
+++ b/ee/config/custom_abilities/admin_push_rules.yml
@@ -0,0 +1,12 @@
+---
+name: admin_push_rules
+description: Configure push rules for repositories at the group or project level.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/421786
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872
+feature_category: source_code_management
+milestone: '16.11'
+group_ability: true
+project_ability: true
+requirements: []
+feature_flag: custom_ability_admin_push_rules
+available_from_access_level:
diff --git a/ee/config/feature_flags/wip/custom_ability_admin_push_rules.yml b/ee/config/feature_flags/wip/custom_ability_admin_push_rules.yml
new file mode 100644
index 00000000000000..c958a72e69d7c3
--- /dev/null
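Review bot: `role_enables_admin_push_rules` in the first project_policy hunk is only ever true if `::Auth::MemberRoleAbilityLoader` can resolve `admin_push_rules` on the member role, and the second patch in this series deletes the migration that added a `member_roles.admin_push_rules` column while keeping the `admin_push_rules` key in `member_role_permissions.json`; that is consistent only if the loader reads the JSON permissions document validated by that schema rather than a column — confirm, because otherwise `has_ability?` can never return true for this ability in production. The enabling rule in the second hunk also carries no `prevent` for archived or otherwise read-only projects within the hunk; push rules control whether secrets, unsigned commits and unexpected authors are rejected, so a custom role that can edit them should be subject to the same preventions as the Maintainer-level grant — if this policy's archived-project block does not already prevent `:admin_push_rules`, add `prevent :admin_push_rules` there. Both hunks sit inside `module ProjectPolicy`, which begins and ends outside the hunk.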
+++ b/ee/config/feature_flags/wip/custom_ability_admin_push_rules.yml
@@ -0,0 +1,9 @@
+---
+name: custom_ability_admin_push_rules
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/421786
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872
+rollout_issue_url:
+milestone: '16.11'
+group: group::authorization
+type: wip
+default_enabled: false
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb
index 036863108b7c2a..bc92adf8bff5d5 100644
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3329,6 +3329,13 @@ def create_member_role(member, abilities = member_role_abilities)
 it { is_expected.to be_disallowed(*allowed_abilities) }
 end
 end
+
+ context 'for a custom role with the `admin_push_rules` ability' do
+ let(:member_role_abilities) { { admin_push_rules: true } }
+ let(:allowed_abilities) { [:admin_push_rules] }
+
+ it_behaves_like 'custom roles abilities'
+ end
 end
 
 context 'for :read_limit_alert' do
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 5cba645b27ecf0..640823d3cb9d1d 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2783,6 +2783,13 @@ def create_member_role(member, abilities = member_role_abilities)
 
 it_behaves_like 'custom roles abilities'
 end
+
+ context 'for a custom role with the `admin_push_rules` ability' do
+ let(:member_role_abilities) { { admin_push_rules: true } }
+ let(:allowed_abilities) { [:admin_push_rules] }
+
+ it_behaves_like 'custom roles abilities'
+ end
 end
 
 describe 'permissions for suggested reviewers bot', :saas do
diff --git a/ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb b/ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb
new file mode 100644
index 00000000000000..bfd57a87f3845b
--- /dev/null
+++ b/ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb
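Review bot: Both new policy-spec contexts only feed `admin_push_rules: true` into the shared example `custom roles abilities`; neither asserts that `:admin_push_rules` stays disallowed while the `custom_ability_admin_push_rules` flag (declared `default_enabled: false` in the feature-flag hunk above and referenced from `admin_push_rules.yml`) is off, which is presumably enforced inside `MemberRoleAbilityLoader` rather than in the policy rule itself. If the shared example does not already toggle the flag, add a sibling context with `stub_feature_flags(custom_ability_admin_push_rules: false)` and `it { is_expected.to be_disallowed(:admin_push_rules) }` so the flag is proven to gate the grant. The enclosing `describe` blocks of both specs begin and end outside the hunks.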
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User with admin_push_rules custom role', feature_category: :source_code_management do
+ let_it_be(:user) { create(:user) }
+
+ before do
+ stub_licensed_features(custom_roles: true)
+
+ sign_in(user)
+ end
+end
-- 
GitLab

From b56ffa545a34bc7e8003fe70b6d58026bfce8e89 Mon Sep 17 00:00:00 2001
From: Hinam Mehra
Date: Thu, 28 Mar 2024 15:15:15 +1100
Subject: [PATCH 2/2] Delete migrations for admin_push_rules

---
 ...304_add_admin_push_rules_to_member_roles.rb | 18 ------------------
 db/schema_migrations/20240326055304 | 1 -
 .../admin_push_rules/request_spec.rb | 13 -------------
 3 files changed, 32 deletions(-)
 delete mode 100644 db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb
 delete mode 100644 db/schema_migrations/20240326055304
 delete mode 100644 ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb

diff --git a/db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb b/db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb
deleted file mode 100644
index 9f99d493dec6a4..00000000000000
--- a/db/migrate/20240326055304_add_admin_push_rules_to_member_roles.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-# See https://docs.gitlab.com/ee/development/migration_style_guide.html
-# for more information on how to write migrations for GitLab.
-
-class AddAdminPushRulesToMemberRoles < Gitlab::Database::Migration[2.2]
- milestone '16.11'
-
- enable_lock_retries!
-
- def up
- add_column :member_roles, :admin_push_rules, :boolean, default: false, null: false
- end
-
- def down
- remove_column :member_roles, :admin_push_rules
- end
-end
diff --git a/db/schema_migrations/20240326055304 b/db/schema_migrations/20240326055304
deleted file mode 100644
index e29105c9807884..00000000000000
--- a/db/schema_migrations/20240326055304
+++ /dev/null
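Review bot: `request_spec.rb` as added here contains no examples — the `RSpec.describe` block holds only a `let_it_be` and a `before` hook that signs the user in, so the file runs zero examples and proves nothing — and the second patch in this series deletes it rather than completing it, leaving `admin_push_rules` with policy-level coverage only and no request-level evidence that a push-rules endpoint honours the custom role. Either give this spec at least one example (a user whose custom role has `admin_push_rules: true` requesting the project or group push-rules endpoint and getting a success status, plus the inverse for a role without it) or drop the file in this commit instead of the next one. Note the `before` block also does not create a membership or a member role for `user`, so even a later-added example would need that setup.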
@@ -1 +0,0 @@
-c0b57b79b89ec704173fb419589af53619b61dd682a614177af736ec913f0168
\ No newline at end of file
diff --git a/ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb b/ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb
deleted file mode 100644
index bfd57a87f3845b..00000000000000
--- a/ee/spec/requests/custom_roles/admin_push_rules/request_spec.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe 'User with admin_push_rules custom role', feature_category: :source_code_management do
- let_it_be(:user) { create(:user) }
-
- before do
- stub_licensed_features(custom_roles: true)
-
- sign_in(user)
- end
-end
-- 
GitLab