Protected containers: New scope for finding container protection rule (!135969) · Merge requests · GitLab.org / GitLab

The 17.0 major release is coming on May 16, 2024! This version brings many exciting improvements to GitLab, but also removes some deprecated features. We are introducing three breaking change windows during which we expect breaking changes to be deployed to GitLab.com. You can read more about it on our blogpost . The second breaking change window begins 2024-04-29 09:00 UTC and ends 2024-05-01 22:00 UTC.

Gerardo Navarro requested to merge gitlab-community/gitlab:427546-protected-containters-write-protection-for-container-repositories into master Nov 03, 2023

What does this MR do and why?

Necessary scopes for the model ContainerRegistry::Protection::Rule to construct the complete DB query for checking if a container registry protection rule exists
The scope is intended to be used in a follow-up MR; this MR focusses just on adding the necessary scope in order to keep the changes small, focussed and tangible
This MR follows the implementation of the MR related to the feature "Protected Packages"
Code necessary for the implementation of the feature protected containers, see &9825

🛠 with ❤ at Siemens

DB queries

The following queries are used to find and evaluate the container protection rules for a given container path, e.g. see example below.

SELECT 1 AS one FROM "container_registry_protection_rules" WHERE "container_registry_protection_rules"."push_protected_up_to_access_level" >= 30 AND ('flightjs/flight/sub-image' ILIKE container_path_pattern_ilike_query) LIMIT 1

Screenshots or screen recordings

There are no frontend changes. Only changes in the backend .

How to set up and validate locally

Create one ContainerRegistry::Protection::Rule

ContainerRegistry::Protection::Rule.create(project: Project.find(7), push_protected_up_to_access_level: :developer, delete_protected_up_to_access_level: :developer, repository_path_pattern: "flightjs/flight/*")

Check if a container registry protection rule exists for a project developer

Project.find(7).container_registry_protection_rules.for_push_exists?(access_level: :developer, repository_path: "flightjs/flight/sub-image")
# => Returns `true` because developers are not allowed to push based on the created protection rule, see step 1.

Check if a container registry protection rule exists for a project owner or another container path

Project.find(7).container_registry_protection_rules.for_push_exists?(access_level: :developer, repository_path: "flightjs/flight")
# => Returns false because the `repository_path` does not match with the existing container registry protection rule, see step 1.

Project.find(7).container_registry_protection_rules.for_push_exists?(access_level: :owner, repository_path: "flightjs/flight/sub-image")
# => Returns false because owners are still allowed to push because there is no protection rule, see step 1.

Todos

Add validation for container path; the field container_path of the protection rule should start with the full_path of the project that it is assigned to, see MR !135972 (merged)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #427546

Edited Dec 20, 2023 by Gerardo Navarro

Admin message

Protected containers: New scope for finding container protection rule