# frozen_string_literal: true
# Project-scoped REST endpoints for container registry protection rules:
# list, create, update and delete.
module API
  class ProjectContainerRegistryProtectionRules < ::API::Base
    feature_category :container_registry

    # Gate shared by every route declared in this class. It runs after
    # parameter validation and performs, in order: the feature-flag check
    # (evaluated against the project's root ancestor), authentication, and the
    # :admin_container_image authorization check on the project. The same
    # ability is required for reads (GET) and writes.
    #
    # NOTE(review): the flag check precedes authenticate!, so its 404 (whose
    # message names the flag) is produced before authentication is evaluated.
    # Whether an unauthenticated caller can get this far depends on
    # user_project, which is defined elsewhere -- confirm this ordering is
    # intended.
    after_validation do
      flag_actor = user_project.root_ancestor

      if Feature.disabled?(:container_registry_protected_containers, flag_actor)
        render_api_error!("'container_registry_protected_containers' feature flag is disabled", :not_found)
      end

      authenticate!
      authorize! :admin_container_image, user_project
    end

    params do
      requires :id, types: [String, Integer], desc: 'The ID or URL-encoded path of the project'
    end
    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      resource ':id/registry/protection/rules' do
        desc 'Get list of container registry protection rules for a project' do
          success Entities::Projects::ContainerRegistry::Protection::Rule
          failure [
            { code: 401, message: 'Unauthorized' },
            { code: 403, message: 'Forbidden' },
            { code: 404, message: 'Not Found' }
          ]
          tags %w[projects]
          is_array true
          hidden true
        end
        # Lists only the rules reachable through this project's association.
        get do
          present user_project.container_registry_protection_rules,
            with: Entities::Projects::ContainerRegistry::Protection::Rule
        end

        desc 'Create a container protection rule for a project' do
          success Entities::Projects::ContainerRegistry::Protection::Rule
          failure [
            { code: 400, message: 'Bad Request' },
            { code: 401, message: 'Unauthorized' },
            { code: 403, message: 'Forbidden' },
            { code: 404, message: 'Not Found' },
            { code: 422, message: 'Unprocessable Entity' }
          ]
          tags %w[projects]
          hidden true
        end
        params do
          # Only the type (String) is enforced here; any further validation of
          # the wildcard pattern presumably lives in the service or model --
          # verify there.
          requires :repository_path_pattern,
            type: String,
            desc: "Container repository path pattern protected by the protection rule.\n" \
                  'For example `flight/flight-*`. Wildcard character `*` allowed.'
          # Access levels are restricted to the keys exposed by the Rule model.
          optional :minimum_access_level_for_push,
            type: String,
            values: ContainerRegistry::Protection::Rule.minimum_access_level_for_pushes.keys,
            desc: "Minimum GitLab access level to allow to push container images to the container registry.\n" \
                  'For example maintainer, owner or admin.'
          optional :minimum_access_level_for_delete,
            type: String,
            values: ContainerRegistry::Protection::Rule.minimum_access_level_for_deletes.keys,
            desc: "Minimum GitLab access level to allow to delete container images in the container registry.\n" \
                  'For example maintainer, owner or admin.'
          # A rule has to restrict pushing, deleting, or both.
          at_least_one_of :minimum_access_level_for_push, :minimum_access_level_for_delete
        end
        # Creation is delegated to the service, which receives only the
        # parameters declared above (declared_params); a service error is
        # reported as 422.
        post do
          result = ::ContainerRegistry::Protection::CreateRuleService
            .new(user_project, current_user, declared_params)
            .execute

          render_api_error!({ error: result.message }, :unprocessable_entity) if result.error?

          present result[:container_registry_protection_rule],
            with: Entities::Projects::ContainerRegistry::Protection::Rule
        end

        params do
          requires :protection_rule_id,
            type: Integer,
            desc: 'The ID of the container protection rule'
        end
        resource ':protection_rule_id' do
          desc 'Update a container protection rule for a project' do
            success Entities::Projects::ContainerRegistry::Protection::Rule
            failure [
              { code: 400, message: 'Bad Request' },
              { code: 401, message: 'Unauthorized' },
              { code: 403, message: 'Forbidden' },
              { code: 404, message: 'Not Found' },
              { code: 422, message: 'Unprocessable Entity' }
            ]
            tags %w[projects]
            hidden true
          end
          params do
            optional :repository_path_pattern,
              type: String,
              desc: "Container repository path pattern protected by the protection rule.\n" \
                    'For example `flight/flight-*`. Wildcard character `*` allowed.'
            # On update the empty string is additionally accepted so that a
            # previously set access level can be cleared.
            optional :minimum_access_level_for_push,
              type: String,
              values: ContainerRegistry::Protection::Rule.minimum_access_level_for_pushes.keys << '',
              desc: "Minimum GitLab access level to allow to push container images to the container registry.\n" \
                    'For example maintainer, owner or admin. To unset the value, use an empty string `""`.'
            optional :minimum_access_level_for_delete,
              type: String,
              values: ContainerRegistry::Protection::Rule.minimum_access_level_for_deletes.keys << '',
              desc: "Minimum GitLab access level to allow to delete container images in the container registry.\n" \
                    'For example maintainer, owner or admin. To unset the value, use an empty string `""`.'
          end
          # The rule is looked up through the project's own association, so an
          # id outside that association is not loaded here (the response for a
          # miss is handled elsewhere -- presumably 404). With
          # include_missing: false only the parameters the caller actually
          # sent are forwarded to the service.
          patch do
            rule = user_project.container_registry_protection_rules.find(params[:protection_rule_id])

            result = ::ContainerRegistry::Protection::UpdateRuleService
              .new(rule, current_user: current_user, params: declared_params(include_missing: false))
              .execute

            render_api_error!({ error: result.message }, :unprocessable_entity) if result.error?

            present result[:container_registry_protection_rule],
              with: Entities::Projects::ContainerRegistry::Protection::Rule
          end

          desc 'Delete container protection rule' do
            success code: 204, message: '204 No Content'
            failure [
              { code: 400, message: 'Bad Request' },
              { code: 401, message: 'Unauthorized' },
              { code: 403, message: 'Forbidden' },
              { code: 404, message: 'Not Found' }
            ]
            tags %w[projects]
            hidden true
          end
          # Same project-scoped lookup as the update route. The deletion itself
          # is performed by the service inside the destroy_conditionally!
          # helper (defined elsewhere); a service error is reported as 400.
          delete do
            rule = user_project.container_registry_protection_rules.find(params[:protection_rule_id])

            destroy_conditionally!(rule) do |rule_to_destroy|
              result = ::ContainerRegistry::Protection::DeleteRuleService
                .new(rule_to_destroy, current_user: current_user)
                .execute

              render_api_error!({ error: result.message }, :bad_request) if result.error?
            end
          end
        end
      end
    end
  end
end