Add support of user under allow_to_push and allowed_to_merge in protect branches method

[florentio]

Continuation of #232

[florentio]

Hi @gdubicki @Pigueiras @barryib, this pull request aims to deal with allowed_to_push and allowed_to_merge in a following way:

branches:
  main:
    protected: true
    push_access_level: 30
    merge_access_level: 30
    unprotect_access_level: 40
    allowed_to_push:
      - access_level: 40
      - access_level: 30
      - user_id: 15
      - user: john
    allowed_to_merge:
      - access_level: 40
      - access_level: 30
      - user_id: 15
      - user: doe

The extra parameter allowed_to_push and allowed_to_merge in the config.yml file can contains either access_level or user or user_id. You can provide user_id if you know the id of user, otherwise use user attribute and assign the related gitlab username.
There is conversion of user to user_id in the process to transform that config to:

branches:
  main:
    protected: true
    push_access_level: 30
    merge_access_level: 30
    unprotect_access_level: 40
    allowed_to_push:
      - access_level: 40
      - access_level: 30
      - user_id: 15
      - user_id: 16
    allowed_to_merge:
      - access_level: 40
      - access_level: 30
      - user_id: 15
      - user_id: 17

To update the configuration, we can now use the gitlab api https://docs.gitlab.com/ee/api/protected_branches.html#example-with-user--group-level-access. The post data look like this:

 {
    "push_access_level": 30,
    "merge_access_level": 30,
    "unprotect_access_level": 40,
    "allowed_to_push": [
        {
            "access_level": 40
        },
        {
            "access_level": 30
        },
        {
            "user_id": 15
        },
        {
            "user_id": 16
        }
    ],
    "allowed_to_merge": [
        {
            "access_level": 30
        },
        {
            "access_level": 40
        },
        {
            "user_id": 15
        },
       {
            "user_id": 17
        }
    ]
}

and respect the excepted payload according to the documentation.

How do I deal with the configuration to be sure to update only if there is change to make?
I have separated the acces_level number from the user_id value for each push_access_levels and merge_access_levels attributes.

First when I read the exiting config of the branch from gitlab api in the get_only_branch_access_levels function inside branches.py, i retrieve 4 difference arrays :

• current_push_access_levels an array of all acces_level in push_access_levels api response
• current_merge_access_levels an array of all acces_level in merge_access_levels api response
• current_push_access_user_ids an array of all user_id in push_access_levels api response
• current_merge_access_user_ids an array of all user_id in merge_access_levels api response

Second, when I read the requested configuration (config.yml), i split it to have 4 arrays too :

• requested_push_access_levels an array which contains push_access_level value and values of acces_level keys in allow_to_push
• requested_merge_access_levels an array which contains merge_access_level value and values of acces_level keys in allow_to_merge
• requested_push_access_user_ids an array of values of user_id/user keys in allow_to_push
• requested_merge_access_user_ids an array of values of user_id/user keys in allow_to_merge

Then, we compare them to see if there is change before applying the new configuration

[gdubicki]

The approach you have taken looks good to me, @florentio . 😊

[gdubicki]

Please make the existing acceptance tests pass again and add new ones if needed for the coverage to not decrease, @florentio.

PS Don't worry about the codecov reporting a total drop of the coverage just after you push new commits. Its report gets updated as the acceptance tests finish, which takes a few minutes. :)

[codecov]

Codecov Report

Merging #273 (3023d51) into main (c0d2873) will decrease coverage by 53.91%.
The diff coverage is 3.33%.

@@             Coverage Diff             @@
##             main     #273       +/-   ##
===========================================
- Coverage   73.36%   19.45%   -53.92%     
===========================================
  Files          57       57               
  Lines        2099     2138       +39     
===========================================
- Hits         1540      416     -1124     
- Misses        559     1722     +1163     

Impacted Files	Coverage Δ
gitlabform/processors/util/branch_protector.py	0.00% <0.00%> (-72.98%)	⬇️
gitlabform/gitlab/branches.py	22.85% <10.52%> (-62.66%)	⬇️
gitlabform/processors/group/__init__.py	0.00% <0.00%> (-100.00%)	⬇️
gitlabform/processors/project/__init__.py	0.00% <0.00%> (-100.00%)	⬇️
gitlabform/processors/project/badges_processor.py	0.00% <0.00%> (-100.00%)	⬇️
gitlabform/processors/project/project_processor.py	0.00% <0.00%> (-100.00%)	⬇️
...itlabform/processors/project/branches_processor.py	0.00% <0.00%> (-100.00%)	⬇️
...labform/processors/group/group_badges_processor.py	0.00% <0.00%> (-100.00%)	⬇️
...abform/processors/group/group_members_processor.py	0.00% <0.00%> (-100.00%)	⬇️
...abform/processors/project/deploy_keys_processor.py	0.00% <0.00%> (-100.00%)	⬇️
... and 37 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c0d2873...3023d51. Read the comment docs.

[florentio]

Please make the existing acceptance tests pass again and add new ones if needed for the coverage to not decrease, @florentio.

PS Don't worry about the codecov reporting a total drop of the coverage just after you push new commits. Its report gets updated as the acceptance tests finish, which takes a few minutes. :)

Hi, Ok I will start working on acceptance tests

[barryib]

@gdubicki It sounds like your Test workflow has been manually disabled. Was it desired ?

[gdubicki]

Yes, @barryib . We have moved to running tests under this workflow: https://github.com/egnyte/gitlabform/actions/workflows/linter-and-tests.yml

I am not sure why the tests are not running in the PRs now. :(

[gdubicki]

Looks like the way to run the tests now is for me to get a branch from your fork and push it to egnyte/gitlabform.. :/

[gdubicki]

A few tests are flaky, but all of them are passing now. 🎊

We still need to increase the test coverage though as it has dropped a bit.
Please see the updated comment from Codecov, @florentio .

[florentio]

Hi @gdubicki . I'm working on the acceptance for the feature. At the end, it should resolve codecov issue.
But I've two important questions

• The feature is related to Gitlab premium (https://docs.gitlab.com/ee/api/protected_branches.html#example-with-user--group-level-access. To test I had to activate a free trial of gitlab premium.
  If I push that acceptance tests, It will fail unless we automate the installation of gitlab in CI to activate premium https://docs.gitlab.com/14.0/ee/user/admin_area/license.html. Do you have input for that?

• I've to deal with users (create user and make it member of project related to the protected branch) to test the feature. Do you have any input about how I can reuse some part of the existing code to avoid code duplication ?

[gdubicki]

• The feature is related to Gitlab premium (https://docs.gitlab.com/ee/api/protected_branches.html#example-with-user--group-level-access. To test I had to activate a free trial of gitlab premium.
  If I push that acceptance tests, It will fail unless we automate the installation of gitlab in CI to activate premium https://docs.gitlab.com/14.0/ee/user/admin_area/license.html. Do you have input for that?

For now please share the result of such test that you have run locally as a screenshot and add the test commented out. I will deal with automating running those tests with GitHub Actions shortly.

• I've to deal with users (create user and make it member of project related to the protected branch) to test the feature. Do you have any input about how I can reuse some part of the existing code to avoid code duplication ?

Sure! To create protected branches you can use a fixture like this one http://github.com/egnyte/gitlabform/blob/7151d65d51ad8b9e97954db9aaa7a158b1b24d3c/tests/acceptance/test_branches.py#L10-L37 , that you use by adding a parameter to your test method with the name matching the fixture function name, f.e. here http://github.com/egnyte/gitlabform/blob/7151d65d51ad8b9e97954db9aaa7a158b1b24d3c/tests/acceptance/test_branches.py#L53-L53 . Similar thing done for the users is here: http://github.com/egnyte/gitlabform/blob/7151d65d51ad8b9e97954db9aaa7a158b1b24d3c/tests/acceptance/test_members.py#L9-L28 and then http://github.com/egnyte/gitlabform/blob/7151d65d51ad8b9e97954db9aaa7a158b1b24d3c/tests/acceptance/test_members.py#L53-L53 .

[florentio]

Hi @gdubicki , bellow a full dump of my test output,
you can check those sections in the file, where the test I've implemented are passed.

• tests/acceptance/test_branches.py::TestBranches::test__mixed_config_with_new_api
• tests/acceptance/test_branches.py::TestBranches::test_protect_branch_with_old_api_next_update_with_new_api_and_userid_and_unprotect

test.log

[amimas]

Hi - not sure if I've missed it. Based on the description I think only users can be specified, but not a group. Is that correct?

[gdubicki]

Hi - not sure if I've missed it. Based on the description I think only users can be specified, but not a group. Is that correct?

In this PR as of now - yes.

[gdubicki]

I have (re)added a way to run the tests using GitLab Premium in a Docker container and made it possible in GitHub Actions. Note: in GitHub Actions this will only work in this repo, NOT in its forks. This is GitHub Actions' secrets' limitation/security feature. We'll see how it goes.

But you can see that the tests for the new feature are passing when I pushed the commit to egnyte/gitlabform, here: https://github.com/egnyte/gitlabform/runs/3641552180?check_suite_focus=true#step:5:1581

Thank you for your contribution @florentio and @barryib ! Merging and releasing a new version with this feature in a moment.

[barryib]

Thank to @florentio and to you @gdubicki.

I have (re)added a way to run the tests using GitLab Premium in a Docker container and made it possible in GitHub Actions. Note: in GitHub Actions this will only work in this repo, NOT in its forks. This is GitHub Actions' secrets' limitation/security feature. We'll see how it goes.

This is the normal behavior and is what you want. The licence must remain secret in this repo only.