Add GraphQL endpoints to attach policies to ci allowlist

What does this MR do and why?

  • This MR follows from !166688 (merged), where we added a job_token_policies column to the ci_job_token_group_scope_links and ci_job_token_project_scope_links tables.
  • This MR updates the GraphQL mutations to write to the two tables if policies is provided in the request.
  • The changes are behind a feature flag, hence a changelog isn't required.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag in the Rails console:
Feature.enable(:add_policies_to_ci_job_token)
  2. Run the GraphQL mutations by navigating to /-/graphql-explorer. The following mutation creates an allowlist entry with a group as the target.
mutation {
  ciJobTokenScopeAddGroupOrProject(input: {
    projectPath: "flightjs/Flight",
    targetPath: "gitlab-org",
    policies: [READ_PROJECT, READ_GROUP]
  }) {
    errors
  }
}
  3. You can then check that the policies have been successfully added by running the following in the Rails console:
Ci::JobToken::GroupScopeLink.last
  4. Run another mutation, which creates an allowlist entry with a project as the target. Note that targetPath must be a project path here, not a group path (the project shown is assumed to exist in your local seed data):
mutation {
  ciJobTokenScopeAddGroupOrProject(input: {
    projectPath: "flightjs/Flight",
    # a project path (assumed seed project), not a group path
    targetPath: "gitlab-org/gitlab-test",
    policies: [READ_PROJECT, READ_GROUP]
  }) {
    errors
  }
}
  5. Similarly, you can verify the record by:
Ci::JobToken::ProjectScopeLink.last
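The validation steps above exercise the real mutation against a running instance. As an added, stand-alone illustration of what the stored policies are for (this is example code written for this page, not GitLab's own implementation), the following plain Ruby models the two kinds of allowlist entry with their job_token_policies and a deny-by-default authorization check over them. The module and method names, the :group/:project target type being passed explicitly, and the rule that an entry with no policies grants nothing are all assumptions of this model; the policy names mirror the READ_PROJECT and READ_GROUP enum values used in the mutations above.

```ruby
# Added example, not GitLab code: an in-memory model of CI job token allowlist
# entries that carry policies, shaped like the ci_job_token_group_scope_links and
# ci_job_token_project_scope_links tables with their job_token_policies column.
module JobTokenAllowlist
  # The policy enum values the mutation accepts (READ_PROJECT, READ_GROUP), as symbols.
  VALID_POLICIES = %i[read_project read_group].freeze

  # One allowlist entry: the project whose job tokens are being scoped, the target
  # (group or project) they may reach, and the policies bounding what they may do.
  ScopeLink = Struct.new(:source_project, :target_type, :target_path, :policies,
                         keyword_init: true)

  class InvalidPolicy < StandardError; end

  # Normalize GraphQL enum spellings to symbols and reject anything outside the
  # allowed set, so a typo can never silently widen or drop a policy.
  def self.normalize_policies(policies)
    policies.map do |policy|
      sym = policy.to_s.downcase.to_sym
      raise InvalidPolicy, "unknown policy: #{policy}" unless VALID_POLICIES.include?(sym)

      sym
    end.uniq
  end

  class Store
    def initialize
      @links = []
    end

    # Analogue of ciJobTokenScopeAddGroupOrProject. The real mutation resolves
    # whether targetPath is a group or a project; here the caller states it
    # (assumption of this model).
    def add(source_project:, target_type:, target_path:, policies: [])
      unless %i[group project].include?(target_type)
        raise ArgumentError, 'target_type must be :group or :project'
      end

      link = ScopeLink.new(source_project: source_project,
                           target_type: target_type,
                           target_path: target_path,
                           policies: JobTokenAllowlist.normalize_policies(policies))
      @links << link
      link
    end

    # Entries of one kind (:group or :project) owned by a source project,
    # the equivalent of querying GroupScopeLink or ProjectScopeLink.
    def links_for(source_project, target_type)
      @links.select { |l| l.source_project == source_project && l.target_type == target_type }
    end

    # Deny by default: a job token from source_project may perform `policy` on the
    # target only if an entry for that exact target exists AND lists that policy.
    # An entry with an empty policy list grants nothing in this model.
    def allowed?(source_project:, target_type:, target_path:, policy:)
      links_for(source_project, target_type).any? do |l|
        l.target_path == target_path && l.policies.include?(policy)
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Mirror the two mutations from the validation steps (paths as used above;
  # the project path is an assumed seed project).
  store = JobTokenAllowlist::Store.new
  store.add(source_project: 'flightjs/Flight', target_type: :group,
            target_path: 'gitlab-org', policies: %w[READ_PROJECT READ_GROUP])
  store.add(source_project: 'flightjs/Flight', target_type: :project,
            target_path: 'gitlab-org/gitlab-test', policies: %w[READ_PROJECT])

  puts store.allowed?(source_project: 'flightjs/Flight', target_type: :group,
                      target_path: 'gitlab-org', policy: :read_group)
  puts store.allowed?(source_project: 'flightjs/Flight', target_type: :project,
                      target_path: 'gitlab-org/gitlab-test', policy: :read_group)
end
```

The point of the check is the second half of the condition: being on the allowlist is no longer enough on its own, the entry also has to carry the policy being exercised, which is what attaching policies to the links buys over the pre-existing all-or-nothing allowlist.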

Resolves gitlab-org/govern/authorization/team-tasks#69

Edited by Hinam Mehra
