
Draft: feat: enable granular PATs for approval rules

Relates to issue #583250

Changes

This MR implements granular Personal Access Token (PAT) permissions for all Approval Rules REST API endpoints across both project and group levels.

Permission Definitions

Created 5 new YAML files in config/authz/permissions/approval_rule/:

  • read.yml - Grants the ability to read approval rules
  • create.yml - Grants the ability to create approval rules
  • update.yml - Grants the ability to update approval rules
  • delete.yml - Grants the ability to delete approval rules
  • _metadata.yml - Feature category metadata

All permissions support both project and group boundaries with feature_category: source_code_management.

API Endpoint Updates

Project Approval Rules API (ee/lib/api/project_approval_rules.rb):

  • GET /projects/:id/approval_rules → read_approval_rule
  • POST /projects/:id/approval_rules → create_approval_rule
  • GET /projects/:id/approval_rules/:approval_rule_id → read_approval_rule
  • PUT /projects/:id/approval_rules/:approval_rule_id → update_approval_rule
  • DELETE /projects/:id/approval_rules/:approval_rule_id → delete_approval_rule

Group Approval Rules API (ee/lib/api/group_approval_rules.rb):

  • GET /groups/:id/approval_rules → read_approval_rule
  • POST /groups/:id/approval_rules → create_approval_rule
  • PUT /groups/:id/approval_rules/:approval_rule_id → update_approval_rule

Test Coverage

Added comprehensive test coverage using the shared example 'authorizing granular token permissions':

  • Project Approval Rules: Tests for all 5 endpoints (GET list, GET single, POST, PUT, DELETE)
  • Group Approval Rules: Tests for all 3 endpoints (GET list, POST, PUT)

Each test validates:

  • Legacy PAT access
  • Granular PAT with correct permissions
  • Granular PAT without permissions (403 Forbidden)
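To make the three cases above concrete, here is a small self-contained Ruby model of the endpoint-to-permission mapping listed in this MR and the authorization outcome for each token type. It is an added illustration, not code from GitLab or from this MR: the `Token` struct, the `authorize` helper, the route matcher and the numeric status results are hypothetical simplifications that stand in for the real API layer and the shared example 'authorizing granular token permissions'. The permission names and routes are the ones listed in the description.

```ruby
# Added example, not GitLab code: models how each approval-rule endpoint is
# gated by one granular PAT permission, and what a legacy token, a granular
# token with the right permission, and a granular token without it get back.

# [HTTP method, route template] => permission name, as listed in the MR.
APPROVAL_RULE_ROUTES = {
  ['GET',    '/projects/:id/approval_rules']                   => 'read_approval_rule',
  ['POST',   '/projects/:id/approval_rules']                   => 'create_approval_rule',
  ['GET',    '/projects/:id/approval_rules/:approval_rule_id'] => 'read_approval_rule',
  ['PUT',    '/projects/:id/approval_rules/:approval_rule_id'] => 'update_approval_rule',
  ['DELETE', '/projects/:id/approval_rules/:approval_rule_id'] => 'delete_approval_rule',
  ['GET',    '/groups/:id/approval_rules']                     => 'read_approval_rule',
  ['POST',   '/groups/:id/approval_rules']                     => 'create_approval_rule',
  ['PUT',    '/groups/:id/approval_rules/:approval_rule_id']   => 'update_approval_rule'
}.freeze

# Hypothetical token shape: a legacy PAT carries no per-permission list (it
# keeps its existing scope-based access); a granular PAT carries an explicit
# set of permission names and gets nothing it was not granted.
Token = Struct.new(:kind, :permissions, keyword_init: true)

# Turn a route template such as '/projects/:id/approval_rules' into an anchored
# regexp where every ':param' segment matches exactly one path segment.
def route_pattern(template)
  Regexp.new('\A' + template.gsub(/:\w+/, '[^/]+') + '\z')
end

# Look up which permission a concrete request needs; nil if no route matches.
def required_permission(method, path)
  APPROVAL_RULE_ROUTES.each do |(route_method, template), permission|
    return permission if route_method == method && route_pattern(template).match?(path)
  end
  nil
end

# Returns an HTTP-style status: 404 for an unknown route, 200 when allowed,
# 403 when a granular token lacks the permission, 401 for an unknown token kind.
def authorize(token, method, path)
  permission = required_permission(method, path)
  return 404 if permission.nil?

  case token.kind
  when :legacy   then 200
  when :granular then token.permissions.include?(permission) ? 200 : 403
  else 401
  end
end

# Least-privilege check: a read-only token can list and view rules but is
# refused on every mutating endpoint. Returns { [method, path] => status }.
def read_only_outcomes
  read_only = Token.new(kind: :granular, permissions: ['read_approval_rule'])
  requests = [
    ['GET',    '/projects/42/approval_rules'],
    ['GET',    '/projects/42/approval_rules/7'],
    ['POST',   '/projects/42/approval_rules'],
    ['PUT',    '/projects/42/approval_rules/7'],
    ['DELETE', '/projects/42/approval_rules/7']
  ]
  requests.to_h { |method, path| [[method, path], authorize(read_only, method, path)] }
end

if __FILE__ == $PROGRAM_NAME
  read_only_outcomes.each { |(method, path), status| puts "#{method} #{path} -> #{status}" }
end
```

Running the file prints the read-only token's outcome per endpoint: both GET requests succeed, while POST, PUT and DELETE are refused with 403, which is the behaviour the granular-token test cases assert. The group API has no DELETE endpoint in this MR, so a DELETE against a group route resolves to no permission at all (404 in this model) rather than to a permission check.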

Benefits

This implementation enables fine-grained access control for approval rules, allowing administrators to:

  • Grant read-only access to view approval rules without modification rights
  • Separate creation, update, and deletion permissions
  • Follow the principle of least privilege for better security
  • Maintain consistency with GitLab's granular PAT permission framework

Edited by Matthew MacRae-Bovell
