Diffstat (limited to 'etc/authzd/gitlab_simple.cedar')
-rw-r--r--etc/authzd/gitlab_simple.cedar144
1 files changed, 144 insertions, 0 deletions
diff --git a/etc/authzd/gitlab_simple.cedar b/etc/authzd/gitlab_simple.cedar
new file mode 100644
index 00000000..5ea8757d
--- /dev/null
+++ b/etc/authzd/gitlab_simple.cedar
@@ -0,0 +1,144 @@
+// Simplified GitLab Authorization - No Feature or License Checks
+// Based purely on user access levels and project visibility
+// Guest access (read-only operations)
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_group",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_pipeline",
+ Action::"read_wiki",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_snippet",
+ Action::"read_container_image",
+ Action::"read_package",
+ Action::"read_build",
+ Action::"read_analytics",
+ Action::"read_release"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 10 &&
+ resource has visibility &&
+ (resource.visibility == "public" ||
+ resource has members &&
+ principal in resource.members)
+};
+
+// Reporter access (can create issues, notes)
+permit (
+ principal is User,
+ action in
+ [Action::"create_issue",
+ Action::"create_issue_note",
+ Action::"pull_container_image",
+ Action::"pull_package"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 20 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Developer access (can push code, create MRs)
+permit (
+ principal is User,
+ action in
+ [Action::"push_code",
+ Action::"create_merge_request",
+ Action::"update_merge_request",
+ Action::"update_issue",
+ Action::"create_pipeline",
+ Action::"retry_pipeline",
+ Action::"push_container_image",
+ Action::"push_package",
+ Action::"create_release",
+ Action::"create_wiki_page",
+ Action::"update_wiki_page",
+ Action::"create_snippet",
+ Action::"update_snippet"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 30 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Maintainer access (project administration)
+permit (
+ principal is User,
+ action in
+ [Action::"admin_project",
+ Action::"manage_project_members",
+ Action::"admin_merge_request",
+ Action::"push_to_delete_protected_branch",
+ Action::"admin_pipeline",
+ Action::"admin_container_registry",
+ Action::"admin_package_registry",
+ Action::"admin_wiki",
+ Action::"admin_snippet",
+ Action::"admin_repository",
+ Action::"admin_issue",
+ Action::"admin_release"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 40 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Owner access (full project control)
+permit (
+ principal is User,
+ action in
+ [Action::"destroy_project",
+ Action::"transfer_project",
+ Action::"archive_project",
+ Action::"change_visibility_level",
+ Action::"admin_project_hooks",
+ Action::"admin_project_runners"],
+ resource
+)
+when
+{
+ principal has access_level &&
+ principal.access_level >= 50 &&
+ resource has members &&
+ principal in resource.members
+};
+
+// Admin override - can do everything
+permit (
+ principal is User,
+ action,
+ resource
+)
+when
+{
+ principal has admin &&
+ principal.admin == true &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Block all access for blocked users
+forbid (
+ principal is User,
+ action,
+ resource
+)
+when { principal has blocked && principal.blocked == true };
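Review bot: The Reporter, Developer, Maintainer and Owner rules authorize on `principal.access_level`, a single attribute of the user, combined only with `principal in resource.members`; unless the caller resolves `access_level` per request for the specific resource being evaluated, a user who holds Maintainer on one project and is merely a member of another receives Maintainer actions on the second as well, because nothing in the policy ties the level to the membership. If that resolution happens outside the policy it should be stated, since a reader of this file cannot tell; I would add at the top of the file `// access_level MUST be the principal's level for the resource under evaluation; a user-wide level would grant the highest membership level on every project the user is a member of.` Alternatively the entity model could carry the level on the membership side (per-level member sets on the resource) so the policy itself is safe regardless of how the principal is built. Separately, the Guest rule only special-cases `"public"`, so an `"internal"` visibility is treated as private; if that is intended, a one-line comment on the Guest rule would prevent it being "fixed" later.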