Diffstat (limited to 'etc/authzd/gitlab_visibility.cedar')
-rw-r--r--etc/authzd/gitlab_visibility.cedar127
1 files changed, 127 insertions, 0 deletions
diff --git a/etc/authzd/gitlab_visibility.cedar b/etc/authzd/gitlab_visibility.cedar
new file mode 100644
index 00000000..78049cae
--- /dev/null
+++ b/etc/authzd/gitlab_visibility.cedar
@@ -0,0 +1,127 @@
+// GitLab Visibility Level Authorization
+// Controls access based on project/group visibility: public, internal, private
+// Public projects - anyone can read
+permit (
+ principal,
+ action in
+ [Action::"read_project",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_wiki",
+ Action::"read_snippet"],
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "public" &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Internal projects - authenticated users can read
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_wiki",
+ Action::"read_snippet"],
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "internal" &&
+ principal has external &&
+ !principal.external &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Private projects - only members can access
+permit (
+ principal is User,
+ action in
+ [Action::"read_project",
+ Action::"read_repository",
+ Action::"download_code",
+ Action::"read_issue",
+ Action::"read_merge_request",
+ Action::"read_wiki",
+ Action::"read_snippet"],
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "private" &&
+ principal in resource.members &&
+ principal has blocked &&
+ !principal.blocked
+};
+
+// Prevent external users from accessing internal projects
+forbid (
+ principal is User,
+ action,
+ resource
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "internal" &&
+ principal has external &&
+ principal.external == true
+};
+
+// Group visibility rules - similar to projects
+permit (
+ principal,
+ action in [Action::"read_group", Action::"read_group_details"],
+ resource is Group
+)
+when { resource has visibility && resource.visibility == "public" };
+
+permit (
+ principal is User,
+ action in [Action::"read_group", Action::"read_group_details"],
+ resource is Group
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "internal" &&
+ principal has external &&
+ !principal.external
+};
+
+permit (
+ principal is User,
+ action in [Action::"read_group", Action::"read_group_details"],
+ resource is Group
+)
+when
+{
+ resource has visibility &&
+ resource.visibility == "private" &&
+ principal in resource.members
+};
+
+// Archived projects have limited access
+forbid (
+ principal,
+ action in
+ [Action::"push_code",
+ Action::"create_issue",
+ Action::"create_merge_request",
+ Action::"update_issue",
+ Action::"update_merge_request"],
+ resource
+)
+when { resource has archived && resource.archived == true };
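Review bot: The three group policies (the `read_group`/`read_group_details` permits for public, internal and private groups) omit the `principal has blocked && !principal.blocked` condition that every project permit above carries, so a blocked user who is still a group member, or any principal at all for a public group, keeps group read access while losing project access. Adding `principal has blocked && !principal.blocked &&` to each of those three `when` clauses (the public-group one-liner included) makes the two resource kinds consistent. Separately, `principal in resource.members` in the private project and private group permits dereferences `members` without a `resource has members &&` guard, unlike `visibility`, `external` and `blocked`, which are all guarded; Cedar treats a missing attribute as an evaluation error, which for a permit still ends in deny but is reported as a policy error rather than a clean decision, so guarding it keeps the file's own style. Note also that the public-project permit requires `principal has blocked`, which — if anonymous principals carry no `blocked` attribute — would deny them despite the "anyone can read" comment; worth confirming against the entity schema and either dropping that clause for the public case or updating the comment.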