Skip to content

Add protection to ContainerRepositoryTagType

Adie (she/her) requested to merge 499870-507919-update-tag-type-to-include-protection-rule into master

Overview

In this MR, we allow the fetching of protection of a specific tag via the ContainerRepositoryTagType in GraphQL.

Among the tag protection rules for the project, we match the maximum access levels from the rules whos tag_name_pattern matches the name of the ContainerRepository::Tag.

How to set up and validate locally

  1. Prepare a project with several container registry tags on it.
  2. Create several tag protection rules for the project. Create some rule that matches the registry tags and some don't.
project = Project.find(id)

# will not match a tag, unless that tag has the name `thiswillnotmatch`
project.container_registry_protection_tag_rules.create(tag_name_pattern: "thiswillnotmatch", minimum_access_level_for_push: "maintainer", minimum_access_level_for_delete: "maintainer")

# will always match a tag
project.container_registry_protection_tag_rules.create(tag_name_pattern: ".*", minimum_access_level_for_push: "maintainer", minimum_access_level_for_delete: "owner")

# another rule that matches the tag, update `name` to the tag name to make sure it matches
project.container_registry_protection_tag_rules.create(tag_name_pattern: "name", minimum_access_level_for_push: "owner", minimum_access_level_for_delete: "maintainer")

A. When the flag is enabled

  1. Enable the container_registry_protected_tags feature flag:
Feature.enable(:container_registry_protected_tags, project)
  1. Query the following in GraphQL. Replace container-repository-id with the ID of the container repository where the tags belong to:
query {
  containerRepository(id: "gid://gitlab/ContainerRepository/container-repository-id") {
    id
    tagsCount
    tags(first: 5) {
      nodes {
        protection {
          minimumAccessLevelForPush
          minimumAccessLevelForDelete
        }
      }
    }
  }
}
  1. You should be able to see the protection rules that match the tag name.
{
  "data": {
    "containerRepository": {
      "id": "gid://gitlab/ContainerRepository/226",
      "tagsCount": 1,
      "tags": {
        "nodes": [
          {
            "name": "tag1",
            "protection": {
              {
                "minimumAccessLevelForPush": "OWNER",
                "minimumAccessLevelForDelete": "OWNER"
              }
            }
          }
        ]
      }
    }
  }
}

B. When the flag is disabled

  1. Disable the container_registry_protected_tags feature flag:
Feature.disable(:container_registry_protected_tags, project)

  1. Use the same query as in (2.) above where the flag is enabled.

  2. It should return nil

{
  "data": {
    "containerRepository": {
      "id": "gid://gitlab/ContainerRepository/226",
      "tagsCount": 1,
      "tags": {
        "nodes": [
          {
            "name": "tag1",
            "protection": null
          }
        ]
      }
    }
  }
}

MR acceptance checklist

✔️ Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #499870

Edited by Adie (she/her)

Merge request reports