Add check for immutable rules when checking if a container repository is protected for delete

What does this MR do and why?

In this MR, we update ContainerRepository#protected_from_delete_by_tag_rules to also take into account immutable rules. In addition to checking mutable protected tag rules, we are also now checking for immutable tag rules when the feature flag container_registry_immutable_tags is enabled. The immutable tag rule check happens before the admin check, as no user, not even admins, can delete container repositories protected by tag rules.

Additional behaviour:

  • Feature flag container_registry_immutable_tags is enabled
    • if immutable tag rules are present
      • if there are tags (admin user or not): true
      • if there are no tags: false
    • if there are no immutable tag rules: falls back to existing behaviour
  • Feature flag container_registry_immutable_tags is disabled
    • if immutable tag rules are present
      • immutable tag rules are ignored; falls back to existing behaviour
    • if there are no immutable tag rules: falls back to existing behaviour

Existing behaviour:

  • No tag rules at all: false
  • Has mutable tag rules and has tags:
    • User is admin: false
    • User is not admin: true
  • Has mutable tag rules but no tags: false

How to set up and validate locally

Prerequisites:

  • A container repository
    • that has tags
    • whose project has immutable tag rule/s (or create it with project.container_registry_protection_tag_rules.create(tag_name_pattern: 'pattern'))

Below, we will test the added check with the feature flag disabled and enabled.

project = Project.find(31) # a project that has an immutable rule and container repository with tags
project.container_registry_protection_tag_rules.immutable.count > 0
# => true

admin = User.find_by(username: 'root')
non_admin = User.last
container_repository = project.container_repositories.first

Feature.enable(:container_registry_immutable_tags)

container_repository.protected_from_delete_by_tag_rules?(admin)
# => true

container_repository.protected_from_delete_by_tag_rules?(non_admin)
# => true

Feature.disable(:container_registry_immutable_tags)

container_repository.protected_from_delete_by_tag_rules?(admin)
# => false

container_repository.protected_from_delete_by_tag_rules?(non_admin)
# => false if there are no mutable protection rules; otherwise true

MR acceptance checklist

✔️ Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #519853 (closed)

Edited by Adie (she/her)
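
The behaviour lists in the description above, modelled as a stand-alone Ruby function and enumerated over every input combination to show exactly where an admin can still delete. This is an added example, not GitLab's implementation; `Repo`, `protected_from_delete?` and `admin_bypass_cases` are hypothetical names, and the boolean fields stand in for the real rule and tag lookups.

```ruby
# Illustrative model of the decision order in the MR description.
# Repo, protected_from_delete? and admin_bypass_cases are hypothetical names,
# not GitLab's ContainerRepository code.
Repo = Struct.new(:immutable_rules, :mutable_rules, :has_tags, keyword_init: true)

def protected_from_delete?(repo, admin:, flag_enabled:)
  # Immutable rules are evaluated first, so admin status is never consulted here.
  return repo.has_tags if flag_enabled && repo.immutable_rules

  # Existing behaviour: mutable rules protect tagged repositories from non-admins.
  return false unless repo.mutable_rules
  return false if admin

  repo.has_tags
end

# Enumerate every input combination and return those where an admin may delete
# a repository that a non-admin may not (the admin bypass).
def admin_bypass_cases
  bools = [true, false]
  cases = []
  bools.product(bools, bools, bools) do |flag, immutable, mutable, tags|
    repo = Repo.new(immutable_rules: immutable, mutable_rules: mutable, has_tags: tags)
    for_admin = protected_from_delete?(repo, admin: true, flag_enabled: flag)
    for_user  = protected_from_delete?(repo, admin: false, flag_enabled: flag)
    next if for_admin == for_user

    cases << { flag: flag, immutable: immutable, mutable: mutable, tags: tags }
  end
  cases
end

if __FILE__ == $PROGRAM_NAME
  admin_bypass_cases.each { |c| puts c.inspect }
end
```

Every case it lists has mutable rules and tags, and none has both the flag enabled and immutable rules present. With the flag disabled, a repository carrying both rule types is still deletable by an admin.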
