Protected containers: New scope for finding container protection rule
requested to merge gitlab-community/gitlab:427546-protected-containters-write-protection-for-container-repositories into master
What does this MR do and why?
- Necessary scopes for the model ContainerRegistry::Protection::Rule to construct the complete DB query for checking if a container registry protection rule exists
- The scope is intended to be used in a follow-up MR; this MR focusses just on adding the necessary scope in order to keep the changes small, focussed and tangible
- This MR follows the implementation of the MR related to the feature "Protected Packages"
- Code necessary for the implementation of the feature
protected containers
, see &9825
DB queries
The following queries are used to find and evaluate the container protection rules for a given container path, e.g. see example below.
SELECT 1 AS one FROM "container_registry_protection_rules" WHERE "container_registry_protection_rules"."push_protected_up_to_access_level" >= 30 AND ('flightjs/flight/sub-image' ILIKE container_path_pattern_ilike_query) LIMIT 1
Screenshots or screen recordings
There are no frontend changes. Only changes in the backend .
How to set up and validate locally
- Create one
ContainerRegistry::Protection::Rule
ContainerRegistry::Protection::Rule.create(project: Project.find(7), push_protected_up_to_access_level: :developer, delete_protected_up_to_access_level: :developer, repository_path_pattern: "flightjs/flight/*")
- Check if a container registry protection rule exists for a project developer
Project.find(7).container_registry_protection_rules.for_push_exists?(access_level: :developer, repository_path: "flightjs/flight/sub-image")
# => Returns `true` because developers are not allowed to push based on the created protection rule, see step 1.
- Check if a container registry protection rule exists for a project owner or another container path
Project.find(7).container_registry_protection_rules.for_push_exists?(access_level: :developer, repository_path: "flightjs/flight")
# => Returns false because the `repository_path` does not match with the existing container registry protection rule, see step 1.
Project.find(7).container_registry_protection_rules.for_push_exists?(access_level: :owner, repository_path: "flightjs/flight/sub-image")
# => Returns false because owners are still allowed to push because there is no protection rule, see step 1.
Todos
-
Add validation for container path; the field container_path
of the protection rule should start with the full_path of the project that it is assigned to, see MR !135972 (merged)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR. -
Changelog entry added, if necessary -
Documentation created/updated via this MR -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Tested in all supported browsers -
Conforms to the code review guidelines -
Conforms to the merge request performance guidelines -
Conforms to the style guides -
Conforms to the javascript style guides -
Conforms to the database guides
-
Related to #427546
Edited by Gerardo Navarro