From c4c9b8a1e0290654872f642e3b9f04f084d939ac Mon Sep 17 00:00:00 2001 From: Hordur Freyr Yngvason Date: Wed, 6 Nov 2024 06:03:20 -0500 Subject: [PATCH] Add project setting ci_pipeline_variables_minimum_override_role This is a companion setting to `restrict_user_defined_variables`, allowing more granular control over who can set job variables and pipeline variables in a project. Currently, the setting `restrict_user_defined_variables` acts as a toggle for the restriction set by `ci_pipeline_variables_minimum_override_role`, but it is likely that `restrict_user_defined_variable` will be deprecated in favor of just `ci_pipeline_variables_minimum_override_role` in the future. See https://docs.gitlab.com/ee/ci/variables/#restrict-who-can-override-variables --- projects.go | 2 ++ projects_test.go | 32 +++++++++++++++++++------------- 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/projects.go b/projects.go index 424196b5f..a22ebaf4b 100644 --- a/projects.go +++ b/projects.go @@ -157,6 +157,7 @@ type Project struct { MergePipelinesEnabled bool `json:"merge_pipelines_enabled"` MergeTrainsEnabled bool `json:"merge_trains_enabled"` RestrictUserDefinedVariables bool `json:"restrict_user_defined_variables"` + CIPipelineVariablesMinimumOverrideRole AccessControlValue `json:"ci_pipeline_variables_minimum_override_role"` MergeCommitTemplate string `json:"merge_commit_template"` SquashCommitTemplate string `json:"squash_commit_template"` AutoDevopsDeployStrategy string `json:"auto_devops_deploy_strategy"` 
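Review bot: The new `CIPipelineVariablesMinimumOverrideRole` field on `Project` has no comment saying that, per the commit description, the role is only applied while `restrict_user_defined_variables` is turned on. Someone auditing projects through this struct could read a value such as `no_one_allowed` as an active restriction even though `RestrictUserDefinedVariables` is false. I would add a comment above the field, for example `// Only enforced while RestrictUserDefinedVariables is true; on its own this value does not restrict variable overrides.` The same comment belongs on the matching field added to `EditProjectOptions` in the next hunk, where a caller who sets only the role would presumably leave overrides unrestricted. Both struct definitions start and end outside their hunks.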
@@ -854,6 +855,7 @@ type EditProjectOptions struct { CIForwardDeploymentRollbackAllowed *bool `url:"ci_forward_deployment_rollback_allowed,omitempty" json:"ci_forward_deployment_rollback_allowed,omitempty"` CISeperateCache *bool `url:"ci_separated_caches,omitempty" json:"ci_separated_caches,omitempty"` CIRestrictPipelineCancellationRole *AccessControlValue `url:"ci_restrict_pipeline_cancellation_role,omitempty" json:"ci_restrict_pipeline_cancellation_role,omitempty"` + CIPipelineVariablesMinimumOverrideRole *AccessControlValue `url:"ci_pipeline_variables_minimum_override_role,omitempty" json:"ci_pipeline_variables_minimum_override_role,omitempty"` ContainerExpirationPolicyAttributes *ContainerExpirationPolicyAttributes `url:"container_expiration_policy_attributes,omitempty" json:"container_expiration_policy_attributes,omitempty"` ContainerRegistryAccessLevel *AccessControlValue `url:"container_registry_access_level,omitempty" json:"container_registry_access_level,omitempty"` DefaultBranch *string `url:"default_branch,omitempty" json:"default_branch,omitempty"` diff --git a/projects_test.go b/projects_test.go index e17a7da32..025a30abf 100644 --- a/projects_test.go +++ b/projects_test.go @@ -280,13 +280,14 @@ func TestListOwnedProjects(t *testing.T) { func TestEditProject(t *testing.T) { mux, client := setup(t) - var developerAccessLevel AccessControlValue = "developer" + var developerRole AccessControlValue = "developer" opt := &EditProjectOptions{ - CIRestrictPipelineCancellationRole: Ptr(developerAccessLevel), + CIRestrictPipelineCancellationRole: Ptr(developerRole), + CIPipelineVariablesMinimumOverrideRole: Ptr(developerRole), } - // Store whether we've set the restrict value in our edit properly - restrictValueSet := false + // Store whether we've seen all the attributes we set + attributesFound := false mux.HandleFunc("/api/v4/projects/1", func(w http.ResponseWriter, r *http.Request) { testMethod(t, r, http.MethodPut) 
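Review bot: The new `CIPipelineVariablesMinimumOverrideRole` option takes a bare `*AccessControlValue`, and the tests in this patch build it from raw string literals (`"developer"`, `"no_one_allowed"`), which suggests the package declares no named constants for role values. For a setting that decides who may override pipeline variables, a misspelled role compiles cleanly and is left for the server to reject at request time. Consider declaring constants for the accepted roles next to the type, along the lines of `DeveloperAccessControl AccessControlValue = "developer"` and `NoOneAllowedAccessControl AccessControlValue = "no_one_allowed"`, and using them in the tests. The `EditProjectOptions` definition starts and ends outside the hunk.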
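Review bot: In `opt`, both `CIRestrictPipelineCancellationRole` and `CIPipelineVariablesMinimumOverrideRole` are set to the same `developerRole`, and the mocked response later in this test also returns `"developer"` for both keys. The assertions would therefore still pass if the two struct tags were swapped or one field were decoded from the other's key. Giving the new field its own value, e.g. `CIPipelineVariablesMinimumOverrideRole: Ptr(AccessControlValue("maintainer")),` with a matching value in the mocked response and the final assertion, would make the test pin the mapping. `TestEditProject` continues beyond this hunk.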
@@ -298,7 +299,8 @@ func TestEditProject(t *testing.T) { } // Set the value to check if our value is included - restrictValueSet = strings.Contains(string(body), "ci_restrict_pipeline_cancellation_role") + attributesFound = strings.Contains(string(body), "ci_restrict_pipeline_cancellation_role") && + strings.Contains(string(body), "ci_pipeline_variables_minimum_override_role") // Print the start of the mock example from https://docs.gitlab.com/ee/api/projects.html#edit-project // including the attribute we edited @@ -313,15 +315,17 @@ func TestEditProject(t *testing.T) { "http_url_to_repo": "http://example.com/diaspora/diaspora-project-site.git", "web_url": "http://example.com/diaspora/diaspora-project-site", "readme_url": "http://example.com/diaspora/diaspora-project-site/blob/main/README.md", - "ci_restrict_pipeline_cancellation_role": "developer" + "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "developer" }`) }) project, resp, err := client.Projects.EditProject(1, opt) assert.NoError(t, err) assert.Equal(t, http.StatusOK, resp.StatusCode) - assert.Equal(t, true, restrictValueSet) - assert.Equal(t, developerAccessLevel, project.CIRestrictPipelineCancellationRole) + assert.Equal(t, true, attributesFound) + assert.Equal(t, developerRole, project.CIRestrictPipelineCancellationRole) + assert.Equal(t, developerRole, project.CIPipelineVariablesMinimumOverrideRole) } func TestListStarredProjects(t *testing.T) { @@ -374,6 +378,7 @@ func TestGetProjectByID(t *testing.T) { "ci_forward_deployment_enabled": true, "ci_forward_deployment_rollback_allowed": true, "ci_restrict_pipeline_cancellation_role": "developer", + "ci_pipeline_variables_minimum_override_role": "no_one_allowed", "packages_enabled": false, "build_coverage_regex": "Total.*([0-9]{1,3})%" }`) 
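Review bot: `attributesFound` only proves that the two key names occur somewhere in the request body; it never checks the role value sent for either key. Folding both checks into one boolean also hides which attribute was missing when `assert.Equal(t, true, attributesFound)` fails. Since this option sets who may override pipeline variables, the test should confirm the serialized role and report per attribute, e.g. `assert.Contains(t, string(body), "ci_restrict_pipeline_cancellation_role")` and `assert.Contains(t, string(body), "ci_pipeline_variables_minimum_override_role")` inside the handler. Better still, decode the body and compare each value with `"developer"`; that assumes the request is sent as a JSON body, which this hunk does not show. The handler closure starts and ends outside the hunk.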
@@ -387,11 +392,12 @@ func TestGetProjectByID(t *testing.T) { Cadence: "7d", NextRunAt: &wantTimestamp, }, - PackagesEnabled: false, - BuildCoverageRegex: `Total.*([0-9]{1,3})%`, - CIForwardDeploymentEnabled: true, - CIForwardDeploymentRollbackAllowed: true, - CIRestrictPipelineCancellationRole: "developer", + PackagesEnabled: false, + BuildCoverageRegex: `Total.*([0-9]{1,3})%`, + CIForwardDeploymentEnabled: true, + CIForwardDeploymentRollbackAllowed: true, + CIRestrictPipelineCancellationRole: "developer", + CIPipelineVariablesMinimumOverrideRole: "no_one_allowed", } project, _, err := client.Projects.GetProject(1, nil)