feat: Enable granular PAT permissions for Protected Branches API

Relates to issue #583241

Changes

This MR enables granular Personal Access Token (PAT) permissions for all Protected Branches REST API endpoints, allowing fine-grained access control for protected branch operations.

Permission Files Created (4 files)

  • config/authz/permissions/protected_branch/read.yml - read_protected_branch permission
  • config/authz/permissions/protected_branch/create.yml - create_protected_branch permission
  • config/authz/permissions/protected_branch/update.yml - update_protected_branch permission
  • config/authz/permissions/protected_branch/delete.yml - delete_protected_branch permission

All permissions support both project and group boundaries with feature category source_code_management.

API Endpoints Modified

Project-Level API (lib/api/protected_branches.rb)

Added authorization decorators to 5 endpoints:

  • GET /projects/:id/protected_branches - read_protected_branch
  • GET /projects/:id/protected_branches/:name - read_protected_branch
  • POST /projects/:id/protected_branches - create_protected_branch
  • PATCH /projects/:id/protected_branches/:name - update_protected_branch
  • DELETE /projects/:id/protected_branches/:name - delete_protected_branch

Group-Level API (ee/lib/api/group_protected_branches.rb)

Added authorization decorators to 5 endpoints:

  • GET /groups/:id/protected_branches - read_protected_branch
  • GET /groups/:id/protected_branches/:name - read_protected_branch
  • POST /groups/:id/protected_branches - create_protected_branch
  • PATCH /groups/:id/protected_branches/:name - update_protected_branch
  • DELETE /groups/:id/protected_branches/:name - delete_protected_branch

Tests Added

  • spec/requests/api/protected_branches_spec.rb - 5 authorization test blocks for project-level endpoints
  • ee/spec/requests/api/group_protected_branches_spec.rb - 5 authorization test blocks for group-level endpoints

All tests use the it_behaves_like 'authorizing granular token permissions' shared example.

Summary

  • Total Endpoints Modified: 10 (5 project-level + 5 group-level)
  • Permissions Created: 4 (read, create, update, delete)
  • Authorization Decorators Added: 10
  • Test Cases Added: 10

This implementation follows established patterns from the CI Pipelines API and enables users to create PATs with specific scopes for protected branch management.

Edited by Matthew MacRae-Bovell
