Draft: feat: enable granular PATs for MR approvals

Relates to issue #583249

Changes

This MR implements granular Personal Access Token (PAT) permissions for all 5 Merge Request Approvals REST API endpoints as specified in the issue.

Permission YAML Files Created

  • config/authz/permissions/merge_request_approval/read.yml - Permission for reading merge request approvals
  • config/authz/permissions/merge_request_approval/approve.yml - Permission for approving merge requests

Authorization Decorators Added to Endpoints

CE Endpoints (lib/api/merge_request_approvals.rb):

  • GET /approvals - Added read_merge_request_approval permission
  • POST /approve - Added approve_merge_request permission
  • POST /unapprove - Added approve_merge_request permission
  • PUT /reset_approvals - Added approve_merge_request permission

EE Endpoint (ee/lib/ee/api/merge_request_approvals.rb):

  • GET /approval_state - Added read_merge_request_approval permission

Test Coverage Added

CE Tests (spec/requests/api/merge_request_approvals_spec.rb):

  • Test for GET /approvals endpoint
  • Test for POST /approve endpoint
  • Test for POST /unapprove endpoint
  • Test for PUT /reset_approvals endpoint

EE Test (ee/spec/requests/api/merge_request_approvals_spec.rb):

  • Test for GET /approval_state endpoint

All tests use the 'authorizing granular token permissions' shared example, following GitLab's testing conventions.

Permission Design

Two permissions were created following GitLab's authorization conventions:

  1. read_merge_request_approval - Used by both GET endpoints (/approvals and /approval_state)
  2. approve_merge_request - Used by all write operations (/approve, /unapprove, /reset_approvals)

Both permissions are scoped to the project boundary with feature category source_code_management.
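As an added illustration (not code from this MR or from GitLab itself), the following Ruby models how the endpoint-to-permission mapping above is enforced for a granular token: every endpoint maps to exactly one permission, the token's project scope must match the target project, and anything unmapped is denied. The `GranularToken` struct and the `authorize` helper are assumptions made for this example.

```ruby
# Added example, not GitLab's own implementation. The endpoint-to-permission
# table comes from the MR description; the token structure and `authorize`
# helper are assumed for illustration only.

REQUIRED_PERMISSION = {
  ['GET',  '/approvals']       => :read_merge_request_approval,
  ['GET',  '/approval_state']  => :read_merge_request_approval, # EE endpoint
  ['POST', '/approve']         => :approve_merge_request,
  ['POST', '/unapprove']       => :approve_merge_request,
  ['PUT',  '/reset_approvals'] => :approve_merge_request
}.freeze

# A granular PAT: the permissions it was granted plus the project boundary
# it is scoped to (assumed shape; GitLab's real token model differs).
GranularToken = Struct.new(:permissions, :project_id, keyword_init: true)

# Returns :allow, or a symbolic reason for denial. Unknown endpoints are
# denied rather than falling through to a default-allow path.
def authorize(token, method, path, project_id)
  permission = REQUIRED_PERMISSION[[method, path]]
  return :unknown_endpoint unless permission
  # Boundary check: a token scoped to project A must not act on project B.
  return :wrong_project unless token.project_id == project_id
  return :missing_permission unless token.permissions.include?(permission)

  :allow
end

# All [method, path] pairs a token can reach on the given project.
def reachable_endpoints(token, project_id)
  REQUIRED_PERMISSION.keys.select { |m, p| authorize(token, m, p, project_id) == :allow }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample tokens for a fictional project id 42.
  read_only = GranularToken.new(permissions: [:read_merge_request_approval], project_id: 42)
  approver  = GranularToken.new(permissions: %i[read_merge_request_approval approve_merge_request],
                                project_id: 42)
  p authorize(read_only, 'POST', '/approve', 42)   # => :missing_permission
  p authorize(approver, 'POST', '/approve', 42)    # => :allow
  p authorize(approver, 'POST', '/approve', 7)     # => :wrong_project
  p reachable_endpoints(read_only, 42).map(&:last) # => ["/approvals", "/approval_state"]
end
```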

Files Modified

  1. config/authz/permissions/merge_request_approval/read.yml (created)
  2. config/authz/permissions/merge_request_approval/approve.yml (created)
  3. lib/api/merge_request_approvals.rb (4 route_setting decorators added)
  4. ee/lib/ee/api/merge_request_approvals.rb (1 route_setting decorator added)
  5. spec/requests/api/merge_request_approvals_spec.rb (4 test cases added)
  6. ee/spec/requests/api/merge_request_approvals_spec.rb (1 test case added)

Edited by Matthew MacRae-Bovell
