Maven Virtual Registry: Permissions policy
🗒 Context
The Maven virtual registry will need a new set of permissions.
The target will be an instance of VirtualRegistries::Packages::Maven::Registry but we will need to leverage the group policy to apply the rules:
-
read_virtual_registry- For
Users- Authenticated users only. Anonymous users should not have any permission.
- Must have
read_groupon the target (root)Group.
- For
DeployToken- Must have the
read_virtual_registryscope. This is a new scope to introduce.
- Must have the
- For
-
create_virtual_registry,update_virtual_registry,destroy_virtual_registry.- For
Users, granted to directmaintainer+ users of the target (root)Group.
- For
What does this MR do and why?
- Adds a new wrapper class around
Group:VirtualRegistries::Packages::Policies::Group. This wrapper is used to always pass the root group as a subject to the new policyVirtualRegistries::Packages::Policies::GroupPolicy. - The new policy
VirtualRegistries::Packages::Policies::GroupPolicycontains all virtual registry permissions. It delegates to theGrouppolicy to reference theread_grouppermission. This way, we can reuse whatever permissions in the mainGruopPolicy. - Objects below the (root)
Group, such as theUpstreamcan simply delegate to the parent level up toRegistry, where we can instantiate the wrapper class on the (root)Groupand delegate to that. - Add a new boolean column
read_virtual_registryto the databasedeploy_tokenstable. - Add the related specs.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
N/A
How to set up and validate locally
- We can test and play around in rails console:
# create a private group private_group = FactoryBot.create(:group, :private) # create users with different access level to the group non_group_member = FactoryBot.create(:user) external = FactoryBot.create(:user, :external) guest = FactoryBot.create(:user, guest_of: private_group) reporter = FactoryBot.create(:user, reporter_of: private_group) developer = FactoryBot.create(:user, developer_of: private_group) maintainer = FactoryBot.create(:user, maintainer_of: private_group) owner = FactoryBot.create(:user, owner_of: private_group) # check if each user is allowed to :read_virtual_registry in the group Ability.allowed?(non_group_member, :read_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) => false Ability.allowed?(external, :read_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) => false Ability.allowed?(guest, :read_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) => true Ability.allowed?(reporter, :read_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) => true # And so on. Create `public` & `internal` groups to test users permissions. # We can do the the same for `create_virtual_registry`, `update_virtual_registry` & `destroy_virtual_registry` # Ability.allowed?(reporter, :create_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) # Ability.allowed?(reporter, :update_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) # Ability.allowed?(reporter, :destroy_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(private_group)) # Test Deploy Token: group = FactoryBot.create(:group) deploy_token = FactoryBot.create(:deploy_token, :group).tap do |token| FactoryBot.create(:group_deploy_token, group: group, deploy_token: token) end Ability.allowed?(deploy_token, :read_virtual_registry, VirtualRegistries::Packages::Policies::Group.new(group)) => true # We can test the other permissions the same way
Related to #467977 (closed)
Edited by Moaz Khalifa