Add granular PATs for MR dependencies REST endpoints

Relates to issue #583235

Changes

This MR enables granular Personal Access Token (PAT) support for all Merge Request Dependencies REST endpoints, allowing fine-grained control over API access through three distinct permissions.

Configuration Files Created

Permission Definitions (3 files):

  • config/authz/permissions/merge_request_dependency/read.yml - Defines read permission for viewing dependencies
  • config/authz/permissions/merge_request_dependency/create.yml - Defines create permission for adding dependencies
  • config/authz/permissions/merge_request_dependency/delete.yml - Defines delete permission for removing dependencies

Permission Groups (3 files):

  • config/authz/permission_groups/assignable_permissions/merge_request_dependency/read.yml
  • config/authz/permission_groups/assignable_permissions/merge_request_dependency/create.yml
  • config/authz/permission_groups/assignable_permissions/merge_request_dependency/delete.yml

All configuration files follow the established pattern with:

  • Appropriate descriptions
  • Feature category: code_review_workflow
  • Boundary type: project

API Endpoints Updated

Added route_setting decorators to all 5 endpoints in ee/lib/api/merge_request_dependencies.rb:

  1. GET /projects/:id/merge_requests/:merge_request_iid/blocks - read_merge_request_dependency
  2. GET /projects/:id/merge_requests/:merge_request_iid/blocks/:block_id - read_merge_request_dependency
  3. DELETE /projects/:id/merge_requests/:merge_request_iid/blocks/:block_id - delete_merge_request_dependency
  4. POST /projects/:id/merge_requests/:merge_request_iid/blocks - create_merge_request_dependency
  5. GET /projects/:id/merge_requests/:merge_request_iid/blockees - read_merge_request_dependency

All decorators use :project as the boundary type.

Test Coverage Added

Added comprehensive test coverage in ee/spec/requests/api/merge_request_dependencies_spec.rb using the shared example 'authorizing granular token permissions' for all 5 endpoints:

  • GET blocks endpoint - tests read_merge_request_dependency permission
  • GET single block endpoint - tests read_merge_request_dependency permission
  • DELETE block endpoint - tests delete_merge_request_dependency permission
  • POST blocks endpoint - tests create_merge_request_dependency permission
  • GET blockees endpoint - tests read_merge_request_dependency permission

All test blocks follow the established pattern with correct user (maintainer), boundary_object (project), and appropriate request definitions.
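The following is an added, self-contained Ruby illustration of what the endpoint-to-permission mapping and the boundary scoping described above amount to at authorization time. It is not GitLab's code and does not use GitLab's route_setting or authz YAML machinery: the GranularToken struct, the match_route and authorize helpers and the sample tokens are assumptions made for the demonstration; only the five routes, the three permission names and the project boundary come from this MR. It goes slightly beyond the text by also showing that a grant on one project does not carry over to another project, which is what the :project boundary type enforces.

```ruby
# Illustrative model of granular PAT authorization for the MR-dependency
# endpoints. Added example, not GitLab's own implementation; the classes,
# method names and token format below are assumptions.
require 'set'

# Route table: [HTTP method, path pattern] => required granular permission.
# Every route is scoped to the :project boundary, as in the MR.
MR_DEPENDENCY_ROUTES = {
  ['GET',    '/projects/:id/merge_requests/:merge_request_iid/blocks']           => :read_merge_request_dependency,
  ['GET',    '/projects/:id/merge_requests/:merge_request_iid/blocks/:block_id'] => :read_merge_request_dependency,
  ['DELETE', '/projects/:id/merge_requests/:merge_request_iid/blocks/:block_id'] => :delete_merge_request_dependency,
  ['POST',   '/projects/:id/merge_requests/:merge_request_iid/blocks']           => :create_merge_request_dependency,
  ['GET',    '/projects/:id/merge_requests/:merge_request_iid/blockees']         => :read_merge_request_dependency
}.freeze

# A granular token carries explicit permissions, each bound to a project id
# (the boundary object). grants: { project_id (String) => Set of permissions }
GranularToken = Struct.new(:grants) do
  def allows?(permission, project_id)
    grants.fetch(project_id, Set.new).include?(permission)
  end
end

# Match a concrete request path against a pattern containing :placeholders.
# Returns the captured params as a Hash, or nil when the path does not match.
def match_route(pattern, path)
  pattern_parts = pattern.split('/')
  path_parts = path.split('/')
  return nil unless pattern_parts.length == path_parts.length

  params = {}
  pattern_parts.zip(path_parts).each do |pat, actual|
    if pat.start_with?(':')
      params[pat[1..]] = actual
    elsif pat != actual
      return nil
    end
  end
  params
end

# Resolve the request to a route, then require that route's permission on the
# project boundary taken from the :id path parameter.
# Returns :ok, :forbidden (route known, token lacks the grant on that project)
# or :not_found (no MR-dependency route matches).
def authorize(token, http_method, path)
  MR_DEPENDENCY_ROUTES.each do |(method, pattern), permission|
    next unless method == http_method

    params = match_route(pattern, path)
    next if params.nil?

    return token.allows?(permission, params['id']) ? :ok : :forbidden
  end
  :not_found
end

# Constructed sample tokens (not real credentials): one read-only on project 7,
# one with create and delete on project 7 only.
READ_TOKEN  = GranularToken.new({ '7' => Set[:read_merge_request_dependency] })
WRITE_TOKEN = GranularToken.new({ '7' => Set[:create_merge_request_dependency,
                                             :delete_merge_request_dependency] })

# Stand-alone run: print the decision for each route and token, mirroring the
# allowed / denied pairs the request specs assert on.
if __FILE__ == $PROGRAM_NAME
  sample_paths = {
    ['GET', '/projects/7/merge_requests/12/blocks']      => 'list blocks',
    ['GET', '/projects/7/merge_requests/12/blocks/3']    => 'single block',
    ['DELETE', '/projects/7/merge_requests/12/blocks/3'] => 'delete block',
    ['POST', '/projects/7/merge_requests/12/blocks']     => 'create block',
    ['GET', '/projects/7/merge_requests/12/blockees']    => 'list blockees',
    ['POST', '/projects/9/merge_requests/12/blocks']     => 'create on other project'
  }
  { 'read token' => READ_TOKEN, 'write token' => WRITE_TOKEN }.each do |label, token|
    sample_paths.each do |(method, path), desc|
      puts format('%-11s %-24s %s', label, desc, authorize(token, method, path))
    end
  end
end
```

The shape to notice is that the decision has two inputs, the permission the route declares and the boundary object the request resolves to, and a token must satisfy both; a token with the right permission on the wrong project is denied, which is the case the boundary_object setting in the shared example covers.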

Edited by Ayush Billore
