Diffstat (limited to 'etc/authzd/gitlab_access.cedar')
-rw-r--r--etc/authzd/gitlab_access.cedar127
1 files changed, 127 insertions, 0 deletions
diff --git a/etc/authzd/gitlab_access.cedar b/etc/authzd/gitlab_access.cedar
new file mode 100644
index 00000000..ca17aa67
--- /dev/null
+++ b/etc/authzd/gitlab_access.cedar
@@ -0,0 +1,127 @@
+// GitLab Access Level Based Authorization
+// Maps to Gitlab::Access constants: Guest(10), Reporter(20), Developer(30), Maintainer(40), Owner(50)
+// Guest access (read-only operations)
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_group",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_pipeline",
+ Action::"read_wiki",
+ Action::"download_code"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 10 &&
+ resource has visibility &&
+ (resource.visibility == "public" ||
+ resource has members &&
+ principal in resource.members)
+};
+
+// Reporter access (can create issues, view builds)
+permit (
+ principal is User,
+ action in
+ [Action::"create_issue",
+ Action::"create_issue_note",
+ Action::"read_build",
+ Action::"read_container_image",
+ Action::"pull_container_image"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 20 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Developer access (can push code, create MRs)
+permit (
+ principal is User,
+ action in
+ [Action::"push_code",
+ Action::"create_merge_request",
+ Action::"update_merge_request",
+ Action::"create_pipeline",
+ Action::"retry_pipeline",
+ Action::"push_container_image",
+ Action::"create_release"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 30 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Maintainer access (project administration)
+permit (
+ principal is User,
+ action in
+ [Action::"admin_project",
+ Action::"manage_project_members",
+ Action::"admin_merge_request",
+ Action::"push_to_delete_protected_branch",
+ Action::"admin_pipeline",
+ Action::"admin_container_registry",
+ Action::"admin_package_registry"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 40 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Owner access (full project control)
+permit (
+ principal is User,
+ action in
+ [Action::"destroy_project",
+ Action::"transfer_project",
+ Action::"archive_project",
+ Action::"change_visibility_level",
+ Action::"admin_project_hooks",
+ Action::"admin_project_runners"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 50 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Admin override - can do everything
+permit (
+ principal is User,
+ action,
+ resource
+)
+when
+{
+ principal has admin &&
+ principal.admin == true &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Block all access for blocked users
+forbid (
+ principal is User,
+ action,
+ resource
+)
+when { principal has blocked && principal.blocked == true };
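Review bot: `principal.access_level` is compared as a single attribute of the User (lines 34, 55, 76, 97, 117), but a GitLab access level belongs to a membership rather than to the user, so if the entity store stores the user's highest level there, a user who is Owner of one project satisfies `access_level >= 50` on every resource whose `members` set contains them — including ones where they are only a Guest. The level for this request should be supplied per resource, e.g. `context has access_level && context.access_level >= 20 &&` in the Reporter policy, with the same substitution in the Guest, Developer, Maintainer and Owner policies, keeping `principal in resource.members` as the membership check. The Guest `when` block at lines 36-38 depends on `&&` binding tighter than `||`; writing `(resource.visibility == "public" || (resource has members && principal in resource.members))` makes the public-read path explicit. An `@id("guest_read")`-style annotation above each policy would let authorization logs name the policy that matched.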