From a222db158197549da5a3a91a5f30717931975185 Mon Sep 17 00:00:00 2001 From: imand3r Date: Tue, 13 May 2025 23:49:24 +0000 Subject: [PATCH 1/4] Extract project roles from policy files --- app/policies/project_policy.rb | 245 ++------------------ config/authz/roles/project_developer.yml | 81 +++++++ config/authz/roles/project_guest.yml | 45 ++++ config/authz/roles/project_maintainer.yml | 117 ++++++++++ config/authz/roles/project_owner.yml | 53 +++++ config/authz/roles/project_planner.yml | 40 ++++ config/authz/roles/project_reporter.yml | 76 ++++++ ee/app/policies/ee/project_policy.rb | 15 -- ee/config/authz/roles/project_developer.yml | 19 ++ ee/config/authz/roles/project_reporter.yml | 9 + ee/lib/ee/authz/role.rb | 20 ++ lib/authz/role.rb | 89 +++++++ 12 files changed, 564 insertions(+), 245 deletions(-) create mode 100644 config/authz/roles/project_developer.yml create mode 100644 config/authz/roles/project_guest.yml create mode 100644 config/authz/roles/project_maintainer.yml create mode 100644 config/authz/roles/project_owner.yml create mode 100644 config/authz/roles/project_planner.yml create mode 100644 config/authz/roles/project_reporter.yml create mode 100644 ee/config/authz/roles/project_developer.yml create mode 100644 ee/config/authz/roles/project_reporter.yml create mode 100644 ee/lib/ee/authz/role.rb create mode 100644 lib/authz/role.rb diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index fea868a08e878d..6fc1fede28c88d 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb 
@@ -337,85 +337,28 @@ class ProjectPolicy < BasePolicy rule { project_pipeline_override_role_owner & ~can?(:owner_access) }.prevent :change_restrict_user_defined_variables - rule { can?(:owner_access) }.policy do - enable :guest_access - enable :planner_access - enable :reporter_access - enable :developer_access - enable :maintainer_access - - enable :change_namespace - enable :change_visibility_level - enable :remove_project - enable :archive_project - enable :link_forked_project - enable :remove_fork_project - enable :destroy_merge_request - enable :destroy_issue - - enable :set_issue_iid - enable :set_issue_created_at - enable :set_issue_updated_at - enable :set_note_created_at - enable :set_emails_disabled - enable :set_show_default_award_emojis - enable :set_show_diff_preview_in_email - enable :set_warn_about_potentially_unwanted_characters - enable :manage_owners + rule { can?(:guest_access) }.policy do + enable(*Authz::Role.get(:project_guest).permissions) + end - enable :add_catalog_resource + rule { can?(:planner_access) }.policy do + enable(*Authz::Role.get(:project_planner).permissions) + end - enable :destroy_pipeline + rule { can?(:reporter_access) }.policy do + enable(*Authz::Role.get(:project_reporter).permissions) + end - enable :create_container_registry_protection_immutable_tag_rule + rule { can?(:developer_access) }.policy do + enable(*Authz::Role.get(:project_developer).permissions) end - rule { can?(:guest_access) }.policy do - enable :read_project - enable :read_issue_board - enable :read_issue_board_list - enable :read_wiki - enable :read_issue - enable :read_label - enable :read_milestone - enable :read_snippet - enable :read_project_member - enable :read_note - enable :create_project - enable :create_issue - enable :create_note - enable :upload_file - enable :read_cycle_analytics - enable :award_emoji - enable :read_pages_content - enable :read_release - enable :read_analytics - enable :read_insights - enable :read_upload + rule { 
can?(:maintainer_access) }.policy do + enable(*Authz::Role.get(:project_maintainer).permissions) end - rule { can?(:planner_access) }.policy do - enable :guest_access - enable :admin_issue_board - enable :admin_issue_board_list - enable :update_issue - enable :reopen_issue - enable :admin_issue - enable :admin_work_item - enable :destroy_issue - enable :read_confidential_issues - enable :create_design - enable :update_design - enable :move_design - enable :destroy_design - enable :admin_label - enable :admin_milestone - enable :download_wiki_code - enable :create_wiki - enable :admin_wiki - enable :read_internal_note - enable :read_merge_request - enable :export_work_items + rule { can?(:owner_access) }.policy do + enable(*Authz::Role.get(:project_owner).permissions) end rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident 
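Review bot: The six `rule { can?(:<role>_access) }` blocks now take their ability lists from YAML at class-definition time, but nothing in the hunk tells a reader where those lists live or that a role's `include:` chain is flattened into them (`project_owner` pulls in maintainer and planner, and through them developer, reporter and guest). Add a comment above the first block, e.g. `# Role abilities are defined in config/authz/roles/<role>.yml (EE additions in ee/config/authz/roles/) and expanded, include: chain included, by Authz::Role#permissions.` Because `Authz::Role.get` is evaluated while `ProjectPolicy` is being defined, a malformed or missing role file now fails at boot rather than at request time, which is worth stating in the same comment. The enclosing class continues outside the hunk.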
@@ -433,46 +376,6 @@ class ProjectPolicy < BasePolicy rule { guest & ~public_project }.enable :read_grafana - rule { can?(:reporter_access) }.policy do - enable :admin_issue_board - enable :download_code - enable :read_statistics - enable :daily_statistics - enable :download_wiki_code - enable :create_snippet - enable :update_issue - enable :reopen_issue - enable :admin_issue - enable :admin_work_item - enable :admin_label - enable :admin_milestone - enable :admin_issue_board_list - enable :read_commit_status - enable :read_build - enable :read_container_image - enable :read_harbor_registry - enable :read_deploy_board - enable :read_pipeline - enable :read_pipeline_schedule - enable :read_environment - enable :read_deployment - enable :read_merge_request - enable :read_sentry_issue - enable :read_prometheus - enable :metrics_dashboard - enable :read_confidential_issues - enable :read_package - enable :read_ci_cd_analytics - enable :read_external_emails - enable :read_internal_note - enable :read_grafana - enable :export_work_items - enable :create_design - enable :update_design - enable :move_design - enable :destroy_design - end - # We define `:public_user_access` separately because there are cases in gitlab-ee # where we enable or prevent it based on other coditions. rule { (~anonymous & public_project) | internal_access }.policy do 
@@ -588,55 +491,6 @@ class ProjectPolicy < BasePolicy rule { (can?(:planner_access) | can?(:developer_access)) & can?(:create_issue) }.enable :import_issues rule { planner_or_reporter_access & can?(:create_work_item) }.enable :import_work_items - rule { can?(:developer_access) }.policy do - enable :create_package - enable :admin_issue_board - enable :admin_merge_request - enable :update_merge_request - enable :reopen_merge_request - enable :create_commit_status - enable :update_commit_status - enable :create_build - enable :update_build - enable :cancel_build - enable :read_resource_group - enable :update_resource_group - enable :create_merge_request_from - enable :create_wiki - enable :push_code - enable :resolve_note - enable :create_container_image - enable :update_container_image - enable :destroy_container_image - enable :destroy_container_image_tag - enable :destroy_container_registry_protection_tag_rule - enable :create_environment - enable :update_environment - enable :destroy_environment - enable :create_deployment - enable :update_deployment - enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`). - enable :read_cluster_agent - enable :use_k8s_proxies - enable :create_release - enable :update_release - enable :destroy_release - enable :publish_catalog_version - enable :read_alert_management_alert - enable :update_alert_management_alert - enable :read_terraform_state - enable :read_pod_logs - enable :read_feature_flag - enable :create_feature_flag - enable :update_feature_flag - enable :destroy_feature_flag - enable :admin_feature_flag - enable :admin_feature_flags_user_lists - enable :update_escalation_status - enable :read_secure_files - enable :update_sentry_issue - end - rule { can?(:developer_access) & user_confirmed? }.policy do enable :create_pipeline enable :update_pipeline 
@@ -644,75 +498,6 @@ class ProjectPolicy < BasePolicy enable :create_pipeline_schedule end - rule { can?(:maintainer_access) }.policy do - enable :destroy_package - enable :admin_package - enable :admin_issue_board - enable :push_to_delete_protected_branch - enable :update_snippet - enable :admin_snippet - enable :rename_project - enable :admin_project_member - enable :invite_member - enable :admin_note - enable :admin_wiki - enable :admin_project - enable :admin_integrations - enable :admin_commit_status - enable :admin_build - enable :admin_container_image - enable :admin_pipeline - enable :admin_environment - enable :admin_deployment - enable :destroy_deployment - enable :admin_pages - enable :read_pages - enable :update_pages - enable :remove_pages - enable :add_cluster - enable :create_cluster - enable :update_cluster - enable :admin_cluster - enable :create_environment_terminal - enable :destroy_release - enable :destroy_artifacts - enable :admin_operations - enable :admin_sentry - enable :read_deploy_token - enable :create_deploy_token - enable :destroy_deploy_token - enable :admin_terraform_state - enable :create_freeze_period - enable :read_freeze_period - enable :update_freeze_period - enable :destroy_freeze_period - enable :admin_feature_flags_client - enable :register_project_runners - enable :create_runner - enable :admin_project_runners - enable :read_project_runners - enable :read_runners_registration_token - enable :update_runners_registration_token - enable :admin_project_google_cloud - enable :admin_project_aws - enable :admin_secure_files - enable :admin_upload - enable :destroy_upload - enable :admin_incident_management_timeline_event_tag - enable :stop_environment - enable :read_import_error - enable :admin_cicd_variables - enable :admin_push_rules - enable :admin_runner - enable :manage_deploy_tokens - enable :manage_merge_request_settings - enable :manage_protected_tags - enable :change_restrict_user_defined_variables - enable 
:create_protected_branch - enable :admin_protected_branch - enable :admin_protected_environments - end - rule { can?(:manage_protected_tags) }.policy do enable :read_protected_tags enable :create_protected_tags diff --git a/config/authz/roles/project_developer.yml b/config/authz/roles/project_developer.yml new file mode 100644 index 00000000000000..8717da06b44321 --- /dev/null +++ b/config/authz/roles/project_developer.yml @@ -0,0 +1,81 @@ +--- +name: Developer +description: Developer access for projects +scope: project +include: +- project_reporter +permissions: + alert_management_alert: + - read + - update + build: + - cancel + - create + - update + catalog_version: + - publish + cluster: + - read + cluster_agent: + - read + code: + - push + commit_status: + - create + - update + container_image: + - create + - destroy + - update + container_image_tag: + - destroy + container_registry_protection_tag_rule: + - destroy + deployment: + - create + - update + environment: + - create + - destroy + - update + escalation_status: + - update + feature_flag: + - admin + - create + - destroy + - read + - update + feature_flags_user_lists: + - admin + issue_board: + - admin + k8s_proxies: + - use + merge_request: + - admin + - reopen + - update + merge_request_from: + - create + note: + - resolve + package: + - create + pod_logs: + - read + release: + - create + - destroy + - update + resource_group: + - read + - update + secure_files: + - read + sentry_issue: + - update + terraform_state: + - read + wiki: + - create diff --git a/config/authz/roles/project_guest.yml b/config/authz/roles/project_guest.yml new file mode 100644 index 00000000000000..f601d9b9085d95 --- /dev/null +++ b/config/authz/roles/project_guest.yml 
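Review bot: The `# Deprecated as certificate-based cluster integration (`Clusters::Cluster`).` comment that sat on `enable :read_cluster` in the removed policy block is lost when the grant moves to YAML; keep it as a YAML comment above `cluster:` / `- read` so the deprecation stays next to the grant. `merge_request_from: - create` exists only so that `#{action}_#{resource}` spells `create_merge_request_from`, a naming artefact of the scheme rather than a real resource; a one-line comment such as `# resource named so the generated ability is create_merge_request_from` saves the next reader a lookup in `Authz::Role#permissions`.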
@@ -0,0 +1,45 @@ +--- +name: Guest +description: Guest access for projects +scope: project +include: +permissions: + analytics: + - read + cycle_analytics: + - read + emoji: + - award + file: + - upload + insights: + - read + issue: + - create + - read + issue_board: + - read + issue_board_list: + - read + label: + - read + milestone: + - read + note: + - create + - read + pages_content: + - read + project: + - create + - read + project_member: + - read + release: + - read + snippet: + - read + upload: + - read + wiki: + - read diff --git a/config/authz/roles/project_maintainer.yml b/config/authz/roles/project_maintainer.yml new file mode 100644 index 00000000000000..b02c10dc542ede --- /dev/null +++ b/config/authz/roles/project_maintainer.yml 
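Review bot: `include:` is present with no value, which YAML loads as `nil`; the file only works because `Authz::Role.load_from_file` does `definition[:include] ||= []`. Writing `include: []` states the intent (guest is the root of the include chain) without relying on the loader's default and keeps the key's type consistent with the sibling files, where it is a list.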
@@ -0,0 +1,117 @@ +--- +name: Project Maintainer +description: Maintainer access for projects +scope: project +include: +- project_developer +permissions: + artifacts: + - destroy + build: + - admin + cicd_variables: + - admin + cluster: + - add + - admin + - create + - update + commit_status: + - admin + container_image: + - admin + deploy_token: + - create + - destroy + - read + deploy_tokens: + - manage + deployment: + - admin + - destroy + environment: + - admin + - stop + environment_terminal: + - create + feature_flags_client: + - admin + freeze_period: + - create + - destroy + - read + - update + import_error: + - read + incident_management_timeline_event_tag: + - admin + integrations: + - admin + issue_board: + - admin + member: + - invite + merge_request_settings: + - manage + note: + - admin + operations: + - admin + package: + - admin + - destroy + pages: + - admin + - read + - remove + - update + pipeline: + - admin + project: + - admin + - rename + project_aws: + - admin + project_google_cloud: + - admin + project_member: + - admin + project_runners: + - admin + - read + - register + protected_branch: + - admin + - create + protected_environments: + - admin + protected_tags: + - manage + push_rules: + - admin + release: + - destroy + restrict_user_defined_variables: + - change + runner: + - admin + - create + runners_registration_token: + - read + - update + secure_files: + - admin + sentry: + - admin + snippet: + - admin + - update + terraform_state: + - admin + to_delete_protected_branch: + - push + upload: + - admin + - destroy + wiki: + - admin diff --git a/config/authz/roles/project_owner.yml b/config/authz/roles/project_owner.yml new file mode 100644 index 00000000000000..d01ce80bc6403c --- /dev/null +++ b/config/authz/roles/project_owner.yml 
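Review bot: `name: Project Maintainer` breaks the pattern of the sibling files, which use the bare role name (`name: Developer`, `name: Guest`, `name: Owner`, `name: Planner`, `name: Reporter`) and let `scope: project` carry the qualifier; `name: Maintainer` keeps the set uniform for anything that later renders these names. `to_delete_protected_branch: - push` exists only so that `#{action}_#{resource}` spells `push_to_delete_protected_branch`; a comment on that entry naming the resulting ability would stop a reader from taking `to_delete_protected_branch` for a real resource.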
@@ -0,0 +1,53 @@ +--- +name: Owner +description: Owner access for projects +scope: project +include: +- project_maintainer +- project_planner +permissions: + access: + - developer + - guest + - maintainer + - planner + - reporter + catalog_resource: + - add + container_registry_protection_immutable_tag_rule: + - create + emails_disabled: + - set + fork_project: + - remove + forked_project: + - link + issue: + - destroy + issue_created_at: + - set + issue_iid: + - set + issue_updated_at: + - set + merge_request: + - destroy + namespace: + - change + note_created_at: + - set + owners: + - manage + pipeline: + - destroy + project: + - archive + - remove + show_default_award_emojis: + - set + show_diff_preview_in_email: + - set + visibility_level: + - change + warn_about_potentially_unwanted_characters: + - set diff --git a/config/authz/roles/project_planner.yml b/config/authz/roles/project_planner.yml new file mode 100644 index 00000000000000..ecc4062e07f863 --- /dev/null +++ b/config/authz/roles/project_planner.yml @@ -0,0 +1,40 @@ +--- +name: Planner +description: Planner access for projects +scope: project +include: +- project_guest +permissions: + confidential_issues: + - read + design: + - create + - destroy + - move + - update + internal_note: + - read + issue: + - admin + - destroy + - reopen + - update + issue_board: + - admin + issue_board_list: + - admin + label: + - admin + merge_request: + - read + milestone: + - admin + wiki: + - admin + - create + wiki_code: + - download + work_item: + - admin + work_items: + - export diff --git a/config/authz/roles/project_reporter.yml b/config/authz/roles/project_reporter.yml new file mode 100644 index 00000000000000..a290cc43facf32 --- /dev/null +++ b/config/authz/roles/project_reporter.yml 
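Review bot: `include: [project_maintainer, project_planner]` already flattens every lower role's abilities into the owner's list through `Authz::Role#permissions`, so the `access: [developer, guest, maintainer, planner, reporter]` block is not about inheriting abilities but about granting the `*_access` gate abilities themselves, which the policy tests with `can?(:<role>_access)`. Without a comment it reads as duplication someone will want to delete; add `# grants the <role>_access gate abilities checked by other rules; ability inheritance comes from include:` above `access:`. `project_planner` must be listed in `include:` explicitly because the maintainer → developer → reporter → guest chain never passes through planner, which is also worth a word.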
@@ -0,0 +1,76 @@ +--- +name: Reporter +description: Reporter access for projects +scope: project +include: +- project_guest +permissions: + build: + - read + ci_cd_analytics: + - read + code: + - download + commit_status: + - read + confidential_issues: + - read + container_image: + - read + dashboard: + - metrics + deploy_board: + - read + deployment: + - read + design: + - create + - destroy + - move + - update + environment: + - read + external_emails: + - read + grafana: + - read + harbor_registry: + - read + internal_note: + - read + issue: + - admin + - reopen + - update + issue_board: + - admin + issue_board_list: + - admin + label: + - admin + merge_request: + - read + milestone: + - admin + package: + - read + pipeline: + - read + pipeline_schedule: + - read + prometheus: + - read + sentry_issue: + - read + snippet: + - create + - read + statistics: + - daily + - read + wiki_code: + - download + work_item: + - admin + work_items: + - export diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb index 1c7ad156f2bf16..d4b6d3f227f246 100644 --- a/ee/app/policies/ee/project_policy.rb +++ b/ee/app/policies/ee/project_policy.rb @@ -426,11 +426,6 @@ module ProjectPolicy rule { can?(:guest_access) & iterations_available }.enable :read_iteration - rule { can?(:reporter_access) }.policy do - enable :admin_issue_board - enable :read_product_analytics - end - rule { monitor_disabled }.policy do prevent :read_incident_management_oncall_schedule prevent :admin_incident_management_oncall_schedule @@ -445,16 +440,6 @@ module ProjectPolicy enable :read_path_locks end - rule { can?(:developer_access) }.policy do - enable :admin_issue_board - enable :admin_feature_flags_issue_links - enable :read_project_audit_events - enable :create_workspace - enable :enable_continuous_vulnerability_scans - enable :read_project_security_exclusions - enable :read_security_settings - end - rule { can?(:push_code) }.policy do enable :create_path_lock end 
diff --git a/ee/config/authz/roles/project_developer.yml b/ee/config/authz/roles/project_developer.yml
new file mode 100644
index 00000000000000..87e92a35a1b54b
--- /dev/null
+++ b/ee/config/authz/roles/project_developer.yml
@@ -0,0 +1,19 @@
+---
+name: Developer
+description: Developer access for projects
+scope: project
+permissions:
+ continuous_vulnerability_scans:
+ - enable
+ feature_flags_issue_links:
+ - admin
+ issue_board:
+ - admin
+ project_audit_events:
+ - read
+ project_security_exclusions:
+ - read
+ security_settings:
+ - read
+ workspace:
+ - create
diff --git a/ee/config/authz/roles/project_reporter.yml b/ee/config/authz/roles/project_reporter.yml
new file mode 100644
index 00000000000000..08fa81a298099a
--- /dev/null
+++ b/ee/config/authz/roles/project_reporter.yml
@@ -0,0 +1,9 @@
+---
+name: Reporter
+description: Reporter access for projects
+scope: project
+permissions:
+ issue_board:
+ - admin
+ product_analytics:
+ - read
diff --git a/ee/lib/ee/authz/role.rb b/ee/lib/ee/authz/role.rb
new file mode 100644
index 00000000000000..ff16025b288132
--- /dev/null
+++ b/ee/lib/ee/authz/role.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module EE
+ module Authz
+ module Role
+ extend ActiveSupport::Concern
+
+ class_methods do
+ extend ::Gitlab::Utils::Override
+
+ private
+
+ override :role_path
+ def role_path
+ Rails.root.join("{,ee}/config/authz/roles/*.yml")
+ end
+ end
+ end
+ end
+end
diff --git a/lib/authz/role.rb b/lib/authz/role.rb
new file mode 100644
index 00000000000000..78a7c53d6802b2
--- /dev/null
+++ b/lib/authz/role.rb
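Review bot: The EE `role_path` is declared under `private` inside `class_methods`, while the CE `role_path` it overrides is defined in the `class << self` block of `lib/authz/role.rb`, which has no `private` of its own; once `Authz::Role.prepend_mod` prepends this concern the private EE method appears to shadow a public CE one, so `Authz::Role.role_path` is private in EE only (the `Dir.glob(role_path)` caller uses an implicit receiver and is unaffected). Either drop `private` here or make the CE singleton method private too so both editions agree. The `{,ee}` brace pattern also decides merge precedence: `merge_definitions` unions `permissions` and `include` but resolves every other key with `new_value || old_value`, so the file globbed last wins `name`, `description` and `scope`; if EE is meant to win, say so, e.g. `# CE files glob before EE, so EE scalar keys override CE ones; permissions/include are unioned`, after confirming the order `Dir.glob` gives brace alternatives.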
@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Authz
+ class Role
+ def self.get(name)
+ @roles ||= {}
+ @roles[name] ||= new(definitions[name])
+ end
+
+ def initialize(definition)
+ @definition = definition
+ end
+
+ def permissions
+ return @permissions if @permissions
+
+ permission_list = []
+
+ definition[:permissions].each do |resource, actions|
+ actions.each do |action|
+ permission_list << :"#{action}_#{resource}"
+ end
+ end
+
+ included = definition[:include] || []
+
+ included.each do |role|
+ permission_list.concat(self.class.get(role.to_sym).permissions)
+ end
+
+ @permissions = permission_list.sort.uniq
+ end
+
+ private
+
+ attr_reader :definition
+
+ class << self
+ def definitions
+ @definitions ||= load_definitions
+ end
+
+ def load_definitions
+ role_defs = {}
+
+ Dir.glob(role_path).each do |file|
+ definition = load_from_file(file)
+
+ role_name = File.basename(file, '.*').to_sym
+ role_defs[role_name] = merge_definitions(role_defs[role_name], definition)
+ end
+
+ role_defs
+ end
+
+ def load_from_file(path)
+ definition = File.read(path)
+ definition = YAML.safe_load(definition)
+ definition.deep_symbolize_keys!
+ definition[:include] ||= []
+ definition[:permissions] ||= {}
+ definition
+ end
+
+ def role_path
+ Rails.root.join("config/authz/roles/*.yml")
+ end
+
+ def merge_definitions(existing, to_add)
+ return to_add unless existing
+
+ existing.merge(to_add) do |key, old_value, new_value|
+ case key
+ when :permissions
+ old_value.merge(new_value) do |_key, old_permissions, new_permissions|
+ (old_permissions + new_permissions).uniq
+ end
+ when :include
+ (old_value + new_value).uniq
+ else
+ new_value || old_value
+ end
+ end
+ end
+ end
+ end
+end
+
+Authz::Role.prepend_mod
-- 
GitLab
From d6f74d6581089d0908bb30309bb9b20db101e801 Mon Sep 17 00:00:00 2001
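Review bot: `self.get` memoizes `new(definitions[name])` without checking that `name` exists, so a misspelt role or a stale `include:` entry yields a Role wrapping `nil` that is cached in `@roles` and only fails later with `NoMethodError` on `definition[:permissions]`; guard it with `raise ArgumentError, "unknown role: #{name}" unless definitions.key?(name)` before the `||=`. `permissions` recurses through `include:` via `self.class.get(role.to_sym).permissions` with no cycle detection, so two role files that include each other recurse until `SystemStackError`; threading a visited set through the recursion, or validating the include graph once in `load_definitions`, would turn that into a clear configuration error. `load_from_file` calls `deep_symbolize_keys!` on the result of `YAML.safe_load`, which is `nil` for an empty document, so an empty `*.yml` in the roles directory breaks loading; `definition = YAML.safe_load(definition) || {}` covers it. `@roles` and `@definitions` are lazily built class-level state with no synchronization; under a threaded server two first callers may build them concurrently, which looks harmless here only because the result is deterministic, and a comment saying so would spare the next reader the analysis.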
From: imand3r Date: Mon, 28 Jul 2025 21:35:07 +0000 Subject: [PATCH 2/4] Extract permissions --- config/authz/permissions/alert_management_alert/read.yml | 7 +++++++ config/authz/permissions/alert_management_alert/update.yml | 0 config/authz/permissions/build/cancel.yml | 0 config/authz/permissions/build/create.yml | 0 config/authz/permissions/build/update.yml | 0 config/authz/permissions/merge_request/admin.yml | 0 config/authz/permissions/merge_request/reopen.yml | 0 config/authz/permissions/merge_request/update.yml | 0 8 files changed, 7 insertions(+) create mode 100644 config/authz/permissions/alert_management_alert/read.yml create mode 100644 config/authz/permissions/alert_management_alert/update.yml create mode 100644 config/authz/permissions/build/cancel.yml create mode 100644 config/authz/permissions/build/create.yml create mode 100644 config/authz/permissions/build/update.yml create mode 100644 config/authz/permissions/merge_request/admin.yml create mode 100644 config/authz/permissions/merge_request/reopen.yml create mode 100644 config/authz/permissions/merge_request/update.yml diff --git a/config/authz/permissions/alert_management_alert/read.yml b/config/authz/permissions/alert_management_alert/read.yml new file mode 100644 index 00000000000000..fa039c251ffb63 --- /dev/null +++ b/config/authz/permissions/alert_management_alert/read.yml @@ -0,0 +1,7 @@ +--- +name: read_alert_management_alert +description: +feature_category: +application_setting: +license: +feature_flag: diff --git a/config/authz/permissions/alert_management_alert/update.yml b/config/authz/permissions/alert_management_alert/update.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 diff --git a/config/authz/permissions/build/cancel.yml b/config/authz/permissions/build/cancel.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 
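Review bot: `read.yml` is the only one of the eight new permission files with content; the other seven are created at the empty blob (`index 00000000000000..e69de29bb2d1d6`), and an empty document parses to `nil` under `YAML.safe_load`, so whatever loader eventually reads `config/authz/permissions/**/*.yml` must treat a nil document as an empty hash or these files will break it. The populated file leaves `description`, `feature_category`, `application_setting`, `license` and `feature_flag` blank, which YAML also loads as `nil`; a comment in the template stating which fields are required and what a blank value means would make it self-explaining.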
diff --git a/config/authz/permissions/build/create.yml b/config/authz/permissions/build/create.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 diff --git a/config/authz/permissions/build/update.yml b/config/authz/permissions/build/update.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 diff --git a/config/authz/permissions/merge_request/admin.yml b/config/authz/permissions/merge_request/admin.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 diff --git a/config/authz/permissions/merge_request/reopen.yml b/config/authz/permissions/merge_request/reopen.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 diff --git a/config/authz/permissions/merge_request/update.yml b/config/authz/permissions/merge_request/update.yml new file mode 100644 index 00000000000000..e69de29bb2d1d6 -- GitLab From 319de8269b09299ae5c1deb3254a2160c78d7551 Mon Sep 17 00:00:00 2001 From: imand3r Date: Mon, 4 Aug 2025 19:26:58 +0000 Subject: [PATCH 3/4] Add POC for enabling permissions when roles are extracted --- app/policies/project_policy.rb | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 6fc1fede28c88d..9baa92f41195b0 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb 
@@ -326,6 +326,31 @@ class ProjectPolicy < BasePolicy enable :read_storage_disk_path end + ######################################################################################################## + # POC for moving permissions to roles + ######################################################################################################## + # Once we have a permission catalog this may be Authz.all_permissions + Authz::Role.get(:project_owner).permissions.each do |permission| + condition("role_enables_#{permission}".to_sym) { role.permissions.include?(permission) } + rule { send("role_enables_#{permission}") }.enable permission + end + + # this can be modified to include custom roles as well as account for public/internal access + def role + case team_access_level + when 10 then Authz::Role.get(:project_guest) + when 15 then Authz::Role.get(:project_planner) + when 20 then Authz::Role.get(:project_reporter) + when 30 then Authz::Role.get(:project_developer) + when 40 then Authz::Role.get(:project_maintainer) + when 50 then Authz::Role.get(:project_owner) + else Authz::Role.get(:no_access) + end + end + ######################################################################################################## + # POC for moving permissions to roles + ######################################################################################################## + rule { can?(:read_all_resources) }.enable :read_confidential_issues rule { guest }.enable :guest_access -- GitLab From d028532d2b84d94f54253efbc1d333f455dd6c4a Mon Sep 17 00:00:00 2001 From: imand3r Date: Mon, 4 Aug 2025 19:49:45 +0000 Subject: [PATCH 4/4] Add permission groups --- app/policies/project_policy.rb | 10 +++++++++- .../authz/permission_groups/manage_protected_tags.yml | 7 +++++++ config/authz/roles/no_access.yml | 4 ++++ 3 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 config/authz/permission_groups/manage_protected_tags.yml create mode 100644 config/authz/roles/no_access.yml 
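Review bot: `role` falls through to `Authz::Role.get(:no_access)` for any `team_access_level` outside 10–50, but `config/authz/roles/no_access.yml` is only added by the next commit in this series, so at this commit a non-member or unmatched level gets `new(nil)` from `Role.get` and `role.permissions` raises `NoMethodError` inside every generated `role_enables_*` condition; either move `no_access.yml` into this commit or make `Role.get` reject unknown names. The `when 10`/`15`/`20`/`30`/`40`/`50` literals hard-code access levels that the policy otherwise refers to symbolically (`rule { guest }` appears in the same hunk); naming them through the `Gitlab::Access` constants would keep a future renumbering from silently mis-mapping roles. `role.permissions` is an Array (see `Authz::Role#permissions`), so each generated condition does a linear `include?` scan; if this leaves POC status, a memoized Set on the role would make that O(1). The enclosing class continues outside the hunk.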
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 9baa92f41195b0..e9ab119fe35064 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -329,12 +329,20 @@ class ProjectPolicy < BasePolicy ######################################################################################################## # POC for moving permissions to roles ######################################################################################################## - # Once we have a permission catalog this may be Authz.all_permissions + # Once we have a permission catalog this may be Authz::Permissions.all Authz::Role.get(:project_owner).permissions.each do |permission| condition("role_enables_#{permission}".to_sym) { role.permissions.include?(permission) } rule { send("role_enables_#{permission}") }.enable permission end + # With permission groups + Authz::Permissions.groups.each do |permission_group| + condition("role_includes_#{permission_group}".to_sym) { role.permission_groups.include?(permission_group) } + rule { send("role_includes_#{permission_group}") }.enable Authz::PermissionGroup.get(permission_group).permissions + end + + rule { container_registry_disabled }.prevent Authz::PermissionGroup.get(:container_registry).permissions + # this can be modified to include custom roles as well as account for public/internal access def role case team_access_level diff --git a/config/authz/permission_groups/manage_protected_tags.yml b/config/authz/permission_groups/manage_protected_tags.yml new file mode 100644 index 00000000000000..a283523aa92514 --- /dev/null +++ b/config/authz/permission_groups/manage_protected_tags.yml @@ -0,0 +1,7 @@ +name: manage_protected_tags +description: All CRUD permissions for protected tags +permissions: + - read_protected_tags + - create_protected_tags + - update_protected_tags + - destroy_protected_tags 
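Review bot: `.enable Authz::PermissionGroup.get(permission_group).permissions` and `.prevent Authz::PermissionGroup.get(:container_registry).permissions` pass the permission Array as a single argument, whereas the role rules from the first commit splat it (`enable(*Authz::Role.get(...).permissions)`); if the DSL's `enable`/`prevent` take varargs, these two calls should read `.enable(*Authz::PermissionGroup.get(permission_group).permissions)` and `.prevent(*Authz::PermissionGroup.get(:container_registry).permissions)`. Neither `Authz::Permissions`, `Authz::PermissionGroup`, `Authz::Role#permission_groups` nor a `container_registry` group file is introduced anywhere in this series (only `manage_protected_tags.yml` is), so this class body cannot load as committed; the block is labelled a POC so that may be intended, but a `# NOTE: depends on Authz::Permissions / Authz::PermissionGroup, not yet implemented` marker would stop it from being mistaken for working code. `rule { container_registry_disabled }.prevent ...` is also the only rule inside the POC fence that is not role-driven; a one-line comment on why it lives here would help. The enclosing class continues outside the hunk.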
diff --git a/config/authz/roles/no_access.yml b/config/authz/roles/no_access.yml
new file mode 100644
index 00000000000000..6b40b2c188867d
--- /dev/null
+++ b/config/authz/roles/no_access.yml
@@ -0,0 +1,4 @@
+---
+name: No Access
+description: An empty role with no permissions
+permissions: []
-- 
GitLab
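Review bot: `permissions: []` gives an Array where every other role file, and the `||= {}` default in `Authz::Role.load_from_file`, uses a resource → actions Hash; `Authz::Role#permissions` only copes because `[].each do |resource, actions|` yields nothing. Use `permissions: {}` (or omit the key and let the loader default it) so the file matches the schema, and add `scope: project` as the other role files do if this role is meant to be project-scoped. `include:` can stay absent since the loader defaults it.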