Merge branch '421786-add-admin-push-rules-ability' into 'master'

Add admin_push_rules custom ability See merge request gitlab-org/gitlab!147872 Merged-by: Fabio Pitino <fpitino@gitlab.com> Approved-by: Alex Buijs <abuijs@gitlab.com> Approved-by: Fabio Pitino <fpitino@gitlab.com> Reviewed-by: Fabio Pitino <fpitino@gitlab.com> Reviewed-by: Alex Buijs <abuijs@gitlab.com> Co-authored-by: Hinam Mehra <hmehra@gitlab.com>

Merge branch '421786-add-admin-push-rules-ability' into 'master'
0c7ee783 · Fabio Pitino · GitLab · f0697cce · 85143524 · 0c7ee783
Verified Commit 0c7ee783 authored 11 months ago by Fabio Pitino Committed by GitLab 11 months ago
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -13,6 +13,9 @@
    "admin_merge_request": {
      "type": "boolean"
    },
+    "admin_push_rules": {
+      "type": "boolean"
+    },
    "admin_terraform_state": {
      "type": "boolean"
    },

--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -32282,6 +32282,7 @@ Member role permission.
 | <a id="memberrolepermissionadmin_cicd_variables"></a>`ADMIN_CICD_VARIABLES` | Create, read, update, and delete CI/CD variables. |
 | <a id="memberrolepermissionadmin_group_member"></a>`ADMIN_GROUP_MEMBER` | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. |
 | <a id="memberrolepermissionadmin_merge_request"></a>`ADMIN_MERGE_REQUEST` | Allows approval of merge requests. |
+| <a id="memberrolepermissionadmin_push_rules"></a>`ADMIN_PUSH_RULES` | Configure push rules for repositories at the group or project level. |
 | <a id="memberrolepermissionadmin_terraform_state"></a>`ADMIN_TERRAFORM_STATE` | Execute terraform commands, lock/unlock terraform state files, and remove file versions. |
 | <a id="memberrolepermissionadmin_vulnerability"></a>`ADMIN_VULNERABILITY` | Edit the vulnerability object, including the status and linking an issue. Includes the `read_vulnerability` permission actions. |
 | <a id="memberrolepermissionarchive_project"></a>`ARCHIVE_PROJECT` | Allows archiving of projects. |
--- a/doc/user/custom_roles/abilities.md
+++ b/doc/user/custom_roles/abilities.md
@@ -56,6 +56,12 @@ These requirements are documented in the `Required permission` column in the fol
 |:-----|:------------|:------------------|:---------|:--------------|:---------|
 | [`admin_cicd_variables`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143369) |  | Create, read, update, and delete CI/CD variables. | GitLab [16.10](https://gitlab.com/gitlab-org/gitlab/-/issues/437947) |  |  |

+## Source code management
+
+| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
+|:-----|:------------|:------------------|:---------|:--------------|:---------|
+| [`admin_push_rules`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872) |  | Configure push rules for repositories at the group or project level. | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/421786) | `custom_ability_admin_push_rules` |  |
+
 ## System access

 | Name | Required permission | Description | Introduced in | Feature flag | Enabled in |

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -265,6 +265,15 @@ module GroupPolicy
        ).has_ability?
      end

+      desc 'Custom role on group that enables admin push rules for repositories'
+      condition(:role_enables_admin_push_rules) do
+        ::Auth::MemberRoleAbilityLoader.new(
+          user: @user,
+          resource: @subject,
+          ability: :admin_push_rules
+        ).has_ability?
+      end
+
      rule { owner & unique_project_download_limit_enabled }.policy do
        enable :ban_group_member
      end
@@ -580,6 +589,10 @@ module GroupPolicy
        enable :remove_group
      end

+      rule { custom_roles_allowed & role_enables_admin_push_rules }.policy do
+        enable :admin_push_rules
+      end
+
      rule { can?(:read_group_security_dashboard) }.policy do
        enable :create_vulnerability_export
        enable :read_security_resource

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -307,6 +307,15 @@ module ProjectPolicy
        ).has_ability?
      end

+      desc 'Custom role on project that enables admin push rules for repositories'
+      condition(:role_enables_admin_push_rules) do
+        ::Auth::MemberRoleAbilityLoader.new(
+          user: @user,
+          resource: @subject,
+          ability: :admin_push_rules
+        ).has_ability?
+      end
+
      condition(:developer_access_to_admin_vulnerability) do
        ::Feature.disabled?(:disable_developer_access_to_admin_vulnerability, subject&.root_namespace) &&
          can?(:developer_access)
@@ -387,6 +396,10 @@ module ProjectPolicy
        enable :admin_cicd_variables
      end

+      rule { custom_roles_allowed & role_enables_admin_push_rules }.policy do
+        enable :admin_push_rules
+      end
+
      condition(:ci_cancellation_maintainers_only, scope: :subject) do
        project.ci_cancellation_restriction.maintainers_only_allowed?
      end

--- a/ee/config/custom_abilities/admin_push_rules.yml
+++ b/ee/config/custom_abilities/admin_push_rules.yml
+---
+name: admin_push_rules
+description: Configure push rules for repositories at the group or project level.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/421786
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872
+feature_category: source_code_management
+milestone: '16.11'
+group_ability: true
+project_ability: true
+requirements: []
+feature_flag: custom_ability_admin_push_rules
+available_from_access_level:
--- a/ee/config/feature_flags/wip/custom_ability_admin_push_rules.yml
+++ b/ee/config/feature_flags/wip/custom_ability_admin_push_rules.yml
+---
+name: custom_ability_admin_push_rules
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/421786
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147872
+rollout_issue_url:
+milestone: '16.11'
+group: group::authorization
+type: wip
+default_enabled: false
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3329,6 +3329,13 @@ def create_member_role(member, abilities = member_role_abilities)
        it { is_expected.to be_disallowed(*allowed_abilities) }
      end
    end
+
+    context 'for a custom role with the `admin_push_rules` ability' do
+      let(:member_role_abilities) { { admin_push_rules: true } }
+      let(:allowed_abilities) { [:admin_push_rules] }
+
+      it_behaves_like 'custom roles abilities'
+    end
  end

  context 'for :read_limit_alert' do

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2783,6 +2783,13 @@ def create_member_role(member, abilities = member_role_abilities)

      it_behaves_like 'custom roles abilities'
    end
+
+    context 'for a custom role with the `admin_push_rules` ability' do
+      let(:member_role_abilities) { { admin_push_rules: true } }
+      let(:allowed_abilities) { [:admin_push_rules] }
+
+      it_behaves_like 'custom roles abilities'
+    end
  end

  describe 'permissions for suggested reviewers bot', :saas do