From 662331decd468d83fc4a393b743e7f8a421e4ff5 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 28 Jan 2025 12:54:22 -0700
Subject: [PATCH 1/4] Add read_admin_monitoring permission
This change adds read support for granular permissions in the admin area for monitoring data.
Changelog: added
EE: true
---
 ee/config/custom_abilities/read_admin_monitoring.yml | 12 ++++++++++++
 .../wip/custom_ability_read_admin_monitoring.yml | 9 +++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 ee/config/custom_abilities/read_admin_monitoring.yml
 create mode 100644 ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml
diff --git a/ee/config/custom_abilities/read_admin_monitoring.yml b/ee/config/custom_abilities/read_admin_monitoring.yml
new file mode 100644
index 00000000000000..b6683d0e8844a2
--- /dev/null
+++ b/ee/config/custom_abilities/read_admin_monitoring.yml
@@ -0,0 +1,12 @@
+---
+title: View system monitoring
+name: read_admin_monitoring
+description: Allows read access to system monitoring including system info, background migrations, health checks, audit logs, and gitaly in the Admin Area.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/507959
+introduced_by_mr:
+feature_category: admin
+milestone: '17.9'
+group_ability: false
+project_ability: false
+admin_ability: true
+requirements: []
diff --git a/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml b/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml
new file mode 100644
index 00000000000000..6b2fcde39ce233
--- /dev/null
+++ b/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml
@@ -0,0 +1,9 @@
+---
+name: custom_ability_read_admin_monitoring
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/507960
+introduced_by_url:
+rollout_issue_url:
+milestone: '17.9'
+group: group::authorization
+type: wip
+default_enabled: false
-- GitLab
From a8def0f8a5c8fb818280605e33b719f47cfce592 Mon Sep 17 00:00:00 2001
From: mo khan Date: Tue, 28 Jan 2025 13:05:58 -0700 Subject: [PATCH 2/4] Update Custom Roles documentation --- doc/api/graphql/reference/index.md | 2 ++ ee/config/custom_abilities/read_admin_monitoring.yml | 2 +- .../wip/custom_ability_read_admin_monitoring.yml | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 2ed172aee518b5..6419aaa7586d6c 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -40927,6 +40927,7 @@ Member role admin permission. | ----- | ----------- | | `READ_ADMIN_CICD` | Read CI/CD details including runners and jobs. | | `READ_ADMIN_DASHBOARD` | Read-only access to admin dashboard. | +| `READ_ADMIN_MONITORING` | Allows read access to system monitoring including system info, background migrations, health checks, audit logs, and gitaly in the Admin Area. | ### `MemberRolePermission` @@ -40954,6 +40955,7 @@ Member role permission. | `MANAGE_SECURITY_POLICY_LINK` | Allows linking security policy projects. | | `READ_ADMIN_CICD` | Read CI/CD details including runners and jobs. | | `READ_ADMIN_DASHBOARD` | Read-only access to admin dashboard. | +| `READ_ADMIN_MONITORING` | Allows read access to system monitoring including system info, background migrations, health checks, audit logs, and gitaly in the Admin Area. | | `READ_CODE` | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. | | `READ_COMPLIANCE_DASHBOARD` | Read compliance capabilities including adherence, violations, and frameworks for groups and projects. | | `READ_CRM_CONTACT` | Read CRM contact. | 
diff --git a/ee/config/custom_abilities/read_admin_monitoring.yml b/ee/config/custom_abilities/read_admin_monitoring.yml
index b6683d0e8844a2..f981229e153d3f 100644
--- a/ee/config/custom_abilities/read_admin_monitoring.yml
+++ b/ee/config/custom_abilities/read_admin_monitoring.yml
@@ -3,7 +3,7 @@ title: View system monitoring
 name: read_admin_monitoring
 description: Allows read access to system monitoring including system info, background migrations, health checks, audit logs, and gitaly in the Admin Area.
 introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/507959
-introduced_by_mr:
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179439
 feature_category: admin
 milestone: '17.9'
 group_ability: false
diff --git a/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml b/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml
index 6b2fcde39ce233..a18039b0eef87d 100644
--- a/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml
+++ b/ee/config/feature_flags/wip/custom_ability_read_admin_monitoring.yml
@@ -1,8 +1,8 @@
 ---
 name: custom_ability_read_admin_monitoring
 feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/507960
-introduced_by_url:
-rollout_issue_url:
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179439
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/515665
 milestone: '17.9'
 group: group::authorization
 type: wip
-- GitLab
From 385da80974e539533fabd23a2948617fb7ee2d12 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 28 Jan 2025 13:17:12 -0700
Subject: [PATCH 3/4] Add request spec for audit logs endpoint
---
 .../json_schemas/member_role_permissions.json | 3 ++
 .../read_admin_monitoring/request_spec.rb | 37 +++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb
diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json
index 92efa0f0f5583f..7bb060fc379291 100644
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -64,6 +64,9 @@
 "read_admin_dashboard": {
 "type": "boolean"
 },
+ "read_admin_monitoring": {
+ "type": "boolean"
+ },
 "read_code": {
 "type": "boolean"
 },
diff --git a/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb b/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb
new file mode 100644
index 00000000000000..1c481e918cf673
--- /dev/null
+++ b/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User with read_admin_monitoring', feature_category: :audit_events do
+ let_it_be(:current_user) { create(:user) }
+ let_it_be(:permission) { :read_admin_monitoring }
+ let_it_be(:role) { create(:member_role, permission) }
+ let_it_be(:membership) { create(:user_member_role, user: current_user, member_role: role) }
+
+ before do
+ stub_licensed_features(custom_roles: true)
+ sign_in(current_user)
+ end
+
+ describe Admin::AuditLogsController do
+ it "GET #index" do
+ pending "This is a work in progress"
+ get admin_audit_logs_path
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template(:index)
+ end
+
+ context "with `custom_ability_read_admin_monitoring` feature flag disabled" do
+ before do
+ stub_feature_flags(custom_ability_read_admin_monitoring: false)
+ end
+
+ it "GET #index" do
+ get admin_users_path
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+end
-- GitLab
From 7dcf6227f266508205a3dbfebbe39f8bfa3e08e0 Mon Sep 17 00:00:00 2001
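Review bot: The flag-disabled example under `describe Admin::AuditLogsController` issues `get admin_users_path` rather than the audit-log route, so its `:not_found` expectation never exercises the endpoint this spec is about. Assuming a signed-in non-admin already receives 404 on the users page, that example would pass whether or not the feature flag gates anything; it should read `get admin_audit_logs_path`. The only example that does hit the audit-log route is marked `pending`, so once corrected the flag-off check is the one enforced assertion for this permission in the file.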
From: mo khan
Date: Tue, 28 Jan 2025 13:40:49 -0700
Subject: [PATCH 4/4] Add pending specs to implement
---
 .../read_admin_monitoring/request_spec.rb | 46 +++++++++++++++----
 1 file changed, 36 insertions(+), 10 deletions(-)
diff --git a/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb b/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb
index 1c481e918cf673..52f8a3b4a34349 100644
--- a/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb
+++ b/ee/spec/requests/custom_roles/read_admin_monitoring/request_spec.rb
@@ -14,24 +14,50 @@ end describe Admin::AuditLogsController do - it "GET #index" do - pending "This is a work in progress" + it "GET #index", pending: "🚧 Under Construction" do get admin_audit_logs_path expect(response).to have_gitlab_http_status(:ok) expect(response).to render_template(:index) end + end + + describe Admin::BackgroundMigrationsController do + it "GET #index", pending: "🚧 Under Construction" do + get admin_background_migrations_path + + expect(response).to have_gitlab_http_status(:ok) + end + + it "GET #show", pending: "🚧 Under Construction" do + migration = create(:background_migration_job) + get admin_background_migration_path(migration) + + expect(response).to have_gitlab_http_status(:ok) + end + end - context "with `custom_ability_read_admin_monitoring` feature flag disabled" do - before do - stub_feature_flags(custom_ability_read_admin_monitoring: false) - end + describe Admin::GitalyServersController do + it "GET #index", pending: "🚧 Under Construction" do + get admin_gitaly_servers_path - it "GET #index" do - get admin_users_path + expect(response).to have_gitlab_http_status(:ok) + end + end + + describe Admin::HealthCheckController do + it "GET #show", pending: "🚧 Under Construction" do + get admin_health_check_path + + expect(response).to have_gitlab_http_status(:ok) + end + end - expect(response).to have_gitlab_http_status(:not_found) - end + describe Admin::SystemInfoController do + it "GET #show", pending: "🚧 Under Construction" do + get admin_system_info_path + + expect(response).to have_gitlab_http_status(:ok) end end end -- GitLab
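Review bot: With the flag-disabled context deleted and every remaining example tagged `pending:`, this spec no longer enforces any assertion, and nothing covers the deny path for the five admin monitoring routes it names. For an authorization change the refusal cases are the ones worth pinning first: the feature flag off, and (not present in either version of the file) a signed-in user who does not hold the role. The sketch below restores a flag-off context that can run without `pending`; it assumes these routes answer 404 to a non-admin, as the removed example expected. The enclosing `RSpec.describe` block starts outside this hunk.

```ruby
  # … unchanged: pending allow-path examples for each Admin::*Controller …

  context "with `custom_ability_read_admin_monitoring` feature flag disabled" do
    before do
      stub_feature_flags(custom_ability_read_admin_monitoring: false)
    end

    it "returns not found for every monitoring route" do
      [
        admin_audit_logs_path,
        admin_background_migrations_path,
        admin_gitaly_servers_path,
        admin_health_check_path,
        admin_system_info_path
      ].each do |path|
        get path

        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
  end
```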