Allow deploy_key_id in Protected Tags/Branches API for Free tier

Hunter Stewartrequested to merge
545283-protected-tags-deploy-keys-api into master

Why

Users can configure deploy keys for protected tags and branches via the UI in the Free tier, but the API restricts this functionality to Premium/Ultimate only. This creates an inconsistency between UI and API behavior.

Relates to #545283 (closed)

What

This MR enables the deploy_key_id parameter in the allowed_to_create array for the Protected Tags API in the Free tier.

This MR enables the deploy_key_id parameter in the allowed_to_push array for the Protected Branches API in the Free tier.

  • two private methods have changed names to be more clear about what they do (ce_style_access_levels and ee_style_access_levels) instead of where they are found
  • CE helper now accepts "allowed_to_#{type}" with deploy_key_id only
  • AccessLevelParams in CE extracts deploy key entries, so that depoloy_key_id can be set in the API in CE
  • EE uses uniq to deduplicate any deploy keys from super

User/group granular access (user_id, group_id) remains restricted to Premium/Ultimate tiers.

Reviewer, please note

The params are structured a little differently for these APIs. To make it more clear, please have a look at the docs on how the params are structured

API docs for how to protect a branch: https://docs.gitlab.com/api/protected_branches/#protect-repository-branches

API docs for how to protect tag: https://docs.gitlab.com/api/protected_tags/#protect-a-repository-tag

I made it all one MR because shared Refs code gets updated.

I considered drying up the specs but I think shared testing here is more complicated than it's worth, and these APIs may diverge one day, so there's very little to be gained in trying to DRY this test code up.

How to set up and validate locally

If you want to verify the current behavior, switch to master and make sure to run GDK in FOSS. You'll see the deploy_key_id is ignored and not set.

Protected Tags:

curl --header "PRIVATE-TOKEN: $GDK_TOKEN" \
     --header "Content-Type: application/json" \
     --data '{"name": "v*", "allowed_to_create": [{"deploy_key_id": <id>}]}' \
     "$GDK_URL/api/v4/projects/:id/protected_tags"

Protected Branches:

curl --header "PRIVATE-TOKEN: $GDK_TOKEN" \
     --header "Content-Type: application/json" \
     --data '{"name": "feature-*", "allowed_to_push": [{"deploy_key_id": <id>}]}' \
     "$GDK_URL/api/v4/projects/:id/protected_branches"

Switch to 545283-protected-tags-deploy-keys-api and try to the same API request to verify the response includes deploy_key_id in create_access_levels

Edited by Hunter Stewart

Merge request reports