Make GitLab pages support access control

What does this MR do?

Adds option to use GitLab access control in project pages #33422 (closed) and implement the necessary changes for pages config file generation.

This depends on the pages MR gitlab-pages!94 (merged).

The changes required for GitLab to automatically configure necessary pages client id, secret etc. are implemented in omnibus-gitlab!2583 (merged).

All feedback is appreciated!

Testing

At the moment this can be tested by creating the authentication id and secret manually and compiling GitLab pages from gitlab-pages branch.

CI

I haven't done any changes to gitlab-ee so the ee_compat_check job is failing at the moment.

Are there points in the code the reviewer needs to double check?

Not that I know of.

Why was this MR needed?

Closes #33422 (closed).

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

• Changelog entry added, if necessary
• Documentation created/updated
• API support added
• Tests added for this feature/bug
• Review
  • Has been reviewed by UX
  • Has been reviewed by Frontend
  • Has been reviewed by Backend
  • Has been reviewed by Database
• Conform by the merge request performance guides
• Conform by the style guides
• Squashed related commits together
• Internationalization required/considered
• End-to-end tests pass (package-and-qa manual pipeline job)

What are the relevant issue numbers?

#33422 (closed)

app/models/project_feature.rb

@@ -13,14 +13,16 @@ class ProjectFeature < ActiveRecord::Base
   # Disabled: not enabled for anyone
   # Private:  enabled only for team members
   # Enabled:  enabled for everyone able to access the project
+  # Public:   enabled for everyone (only allowed for pages)
   #
 
   # Permission levels
   DISABLED = 0
   PRIVATE  = 10
   ENABLED  = 20
+  PUBLIC   = 30
 
-  FEATURES = %i(issues merge_requests wiki snippets builds repository).freeze
+  FEATURES = %i(issues merge_requests wiki snippets builds repository pages).freeze
 
   class << self
     def access_level_attribute(feature)
@@ -46,6 +48,7 @@ class ProjectFeature < ActiveRecord::Base
   validates :project, presence: true
 
   validate :repository_children_level
+  validate :allowed_access_levels
 
   default_value_for :builds_access_level,         value: ENABLED, allows_nil: false
   default_value_for :issues_access_level,         value: ENABLED, allows_nil: false
@@ -81,6 +84,16 @@ class ProjectFeature < ActiveRecord::Base
     issues_access_level > DISABLED
   end
 
+  def pages_enabled?
+    pages_access_level > DISABLED
+  end
+
+  def public_pages?
+    return true unless Gitlab.config.pages.access_control
+
+    pages_access_level == PUBLIC || pages_access_level == ENABLED && project.public?
+  end
+
   private
 
   # Validates builds and merge requests access level
@@ -95,6 +108,17 @@ class ProjectFeature < ActiveRecord::Base
     %i(merge_requests_access_level builds_access_level).each(&validator)
   end
 
+  # Validates access level for other than pages cannot be PUBLIC
+  def allowed_access_levels
+    validator = lambda do |field|
+      level = public_send(field) || ProjectFeature::ENABLED # rubocop:disable GitlabSecurity/PublicSend
+      not_allowed = level > ProjectFeature::ENABLED
+      self.errors.add(field, "cannot have public visibility level") if not_allowed
+    end
+
+    (FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")}
+  end
+
   def get_permission(user, level)
     case level
     when DISABLED
@@ -103,6 +127,8 @@ class ProjectFeature < ActiveRecord::Base
       user && (project.team.member?(user) || user.full_private_access?)
     when ENABLED
       true
+    when PUBLIC
+      true
     else
       true
     end