qontract-reconcile 0.10.1rc861__py3-none-any.whl → 0.10.1rc862__py3-none-any.whl

{qontract_reconcile-0.10.1rc861.dist-info → qontract_reconcile-0.10.1rc862.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc861
+Version: 0.10.1rc862
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc861.dist-info → qontract_reconcile-0.10.1rc862.dist-info}/RECORD

@@ -35,7 +35,7 @@ reconcile/gitlab_labeler.py,sha256=IxE1XM5o4rDOFuR4cM2yAHTy4Uzdg3Nyz2mp7b8Fx1g,4
 reconcile/gitlab_members.py,sha256=M6LwFOrwgvl1NNdOJa1mrQFUon-bEVv1AyhGeLed454,8443
 reconcile/gitlab_mr_sqs_consumer.py,sha256=O46mdziPgGOndbU-0_UJKJVUaiEoVzJPEgKm4_UvYoI,2571
 reconcile/gitlab_owners.py,sha256=sn9njaKOtqcvnhi2qtm-faAfAR4zNqflbSuusA9RUuI,13456
-reconcile/gitlab_permissions.py,sha256=K6Ta59c_Hib2DI5DnryiQbDNSOJTiY5B8cGy5a9xNkI,2199
+reconcile/gitlab_permissions.py,sha256=LcO5tVND3Rh-onU6WFh5ZWPCqZ-U4AVuFTZIs_bmPwA,3153
 reconcile/gitlab_projects.py,sha256=K3tFf_aD1W4Ijp5q-9Qek3kwFGEWPcZ1kd7tzFJ4GyQ,1781
 reconcile/integrations_manager.py,sha256=J_VV-HINI7YNav2NPIolePZkll-7VBuBXWAyMNhsM_Q,9535
 reconcile/jenkins_base.py,sha256=0Gocu3fU2YTltaxBlbDQOUvP-7CP2OSQV1ZRwtWeVXw,875
@@ -501,6 +501,7 @@ reconcile/test/test_github_repo_invites.py,sha256=UVaDlxSxi5iooyUbz8F11d7cvINHLK
 reconcile/test/test_gitlab_housekeeping.py,sha256=Sn5rERCp28sMiBx5vJaQ5yy80y37GouMClejmXocsT8,10068
 reconcile/test/test_gitlab_labeler.py,sha256=vFLUJXSIaCduj6wSqgw7Fg7FhlopaDnYI5SLzNHtLoY,4362
 reconcile/test/test_gitlab_members.py,sha256=kaCOA02eZSrSMkzHmaLwWW3LY6Af0ciLSEP4PlMLvOU,9949
+reconcile/test/test_gitlab_permissions.py,sha256=FAKT7UuNAjxmke90P2cA-924_CGZ7Kp3JLTb6rmTseM,1965
 reconcile/test/test_instrumented_wrappers.py,sha256=CZzhnQH0c4i7-Rxjg7-0dfFMvVPegLHL46z5NHOOCwo,608
 reconcile/test/test_integrations_manager.py,sha256=l6KwSFT0NS9VSR-b_9z_ZEGXDWH3EMitUEMC_1h8Xkk,38184
 reconcile/test/test_jenkins_worker_fleets.py,sha256=o1jlT7OBBSgu0M3iI4xMdz_x6SciF7yhNBpLk5gTJfg,2361
@@ -652,7 +653,7 @@ reconcile/utils/filtering.py,sha256=zZnHH0u0SaTDyzuFXZ_mREURGLvjEqQIQy4z-7QBVlc,
 reconcile/utils/git.py,sha256=BdxXFgQ1XOZpS-4qb3qMsKTCFDG8MlE26rv1jAhvCkM,1560
 reconcile/utils/git_secrets.py,sha256=0wGNL5mvDtVPRuu3vEQgld1Am64gIDJHtmu1_ZKxMAI,1973
 reconcile/utils/github_api.py,sha256=_bttNxYKeam_tLVe27L7O4gKqSn6CeyuFnJn8tSaUVY,2488
-reconcile/utils/gitlab_api.py,sha256=9C6oS98w1z-pDAAz5k9kgEvRO6r7hduHoOl7cufFr5s,27400
+reconcile/utils/gitlab_api.py,sha256=kGYNyx6pbF43rd6R3a3wcIGmATiqNUFJUUHP4sELgNI,29027
 reconcile/utils/gpg.py,sha256=EKG7_fdMv8BMlV5yUdPiqoTx-KrzmVSEAl2sLkaKwWI,1123
 reconcile/utils/gql.py,sha256=qMWj39ilJGV1YAeUvbqVYq6u9zxuPvZqxFLaLb6A-bA,14256
 reconcile/utils/grouping.py,sha256=kWKivD14eAkiDneH_VIl_XyUdcVVQgiaKA9sLsuD2dw,441
@@ -835,8 +836,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jrss,4941
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc861.dist-info/METADATA,sha256=It9nMQuWCqX18i1qQ8klhL2EgIc89K-bhaa5wy9NeQ8,2273
-qontract_reconcile-0.10.1rc861.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc861.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc861.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc861.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc862.dist-info/METADATA,sha256=NyCtuFntbeQx8o2HfebLbLpZ_q3fqxZgXGUUgOY7h2Y,2273
+qontract_reconcile-0.10.1rc862.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc862.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc862.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc862.dist-info/RECORD,,

reconcile/gitlab_permissions.py

@@ -8,8 +8,10 @@ from reconcile import queries
 from reconcile.utils import batches
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.unleash import get_feature_toggle_state
 
 QONTRACT_INTEGRATION = "gitlab-permissions"
+APP_SRE_GROUP_NAME = "app-sre"
 PAGE_SIZE = 100
 
 
@@ -50,6 +52,19 @@ def run(dry_run, thread_pool_size=10, defer=None):
     if defer:
         defer(gl.cleanup)
     repos = queries.get_repos(server=gl.server, exclude_manage_permissions=True)
+    share_with_group_enabled = get_feature_toggle_state(
+        "gitlab-permissions-share-with-group",
+        default=False,
+    )
+    if share_with_group_enabled:
+        share_project_with_group(gl, repos, dry_run)
+    else:
+        share_project_with_group_members(gl, repos, thread_pool_size, dry_run)
+
+
+def share_project_with_group_members(
+    gl: GitLabApi, repos: list[str], thread_pool_size: int, dry_run: bool
+) -> None:
     app_sre = gl.get_app_sre_group_users()
     results = threaded.run(
         get_members_to_add, repos, thread_pool_size, gl=gl, app_sre=app_sre
@@ -61,6 +76,14 @@ def run(dry_run, thread_pool_size=10, defer=None):
             gl.add_project_member(m["repo"], m["user"])
 
 
+def share_project_with_group(gl: GitLabApi, repos: list[str], dry_run: bool) -> None:
+    group_id, shared_projects = gl.get_group_id_and_shared_projects(APP_SRE_GROUP_NAME)
+    shared_project_repos = {project["web_url"] for project in shared_projects}
+    repos_to_share = set(repos) - shared_project_repos
+    for repo in repos_to_share:
+        gl.share_project_with_group(repo_url=repo, group_id=group_id, dry_run=dry_run)
+
+
 def early_exit_desired_state(*args, **kwargs) -> dict[str, Any]:
     instance = queries.get_gitlab_instance()
     return {

reconcile/test/test_gitlab_permissions.py

@@ -0,0 +1,57 @@
+from unittest.mock import MagicMock, create_autospec
+
+import pytest
+from gitlab.v4.objects import CurrentUser, GroupMember
+from pytest_mock import MockerFixture
+
+from reconcile import gitlab_permissions
+from reconcile.utils.gitlab_api import GitLabApi
+
+
+@pytest.fixture()
+def mocked_queries(mocker: MockerFixture) -> MagicMock:
+    queries = mocker.patch("reconcile.gitlab_permissions.queries")
+    queries.get_gitlab_instance.return_value = {}
+    queries.get_app_interface_settings.return_value = {}
+    queries.get_repos.return_value = ["https://test-gitlab.com"]
+    return queries
+
+
+@pytest.fixture()
+def mocked_gl() -> MagicMock:
+    gl = create_autospec(GitLabApi)
+    gl.server = "test_server"
+    gl.user = create_autospec(CurrentUser)
+    gl.user.username = "test_name"
+    return gl
+
+
+def test_run_share_with_members(
+    mocked_queries: MagicMock, mocker: MockerFixture, mocked_gl: MagicMock
+) -> None:
+    mocker.patch("reconcile.gitlab_permissions.GitLabApi").return_value = mocked_gl
+    mocked_gl.get_app_sre_group_users.return_value = [
+        create_autospec(GroupMember, id=123, username="test_name2")
+    ]
+    mocker.patch(
+        "reconcile.gitlab_permissions.get_feature_toggle_state"
+    ).return_value = False
+    mocked_gl.get_project_maintainers.return_value = ["test_name"]
+
+    gitlab_permissions.run(False, thread_pool_size=1)
+    mocked_gl.add_project_member.assert_called_once()
+
+
+def test_run_share_with_group(
+    mocked_queries: MagicMock, mocker: MockerFixture, mocked_gl: MagicMock
+) -> None:
+    mocker.patch("reconcile.gitlab_permissions.GitLabApi").return_value = mocked_gl
+    mocker.patch(
+        "reconcile.gitlab_permissions.get_feature_toggle_state"
+    ).return_value = True
+    mocked_gl.get_group_id_and_shared_projects.return_value = (
+        1234,
+        [{"web_url": "https://test.com"}],
+    )
+    gitlab_permissions.run(False, thread_pool_size=1)
+    mocked_gl.share_project_with_group.assert_called_once()

reconcile/utils/gitlab_api.py

@@ -19,6 +19,13 @@ from urllib.parse import urlparse
 
 import gitlab
 import urllib3
+from gitlab.const import (
+    DEVELOPER_ACCESS,
+    GUEST_ACCESS,
+    MAINTAINER_ACCESS,
+    OWNER_ACCESS,
+    REPORTER_ACCESS,
+)
 from gitlab.v4.objects import (
     CurrentUser,
     Group,
@@ -250,6 +257,46 @@ class GitLabApi:  # pylint: disable=too-many-public-methods
         except gitlab.exceptions.GitlabGetError:
             return None
 
+    def share_project_with_group(
+        self, repo_url: str, group_id: int, dry_run: bool, access: str = "maintainer"
+    ) -> None:
+        project = self.get_project(repo_url)
+        if project is None:
+            return None
+        access_level = self.get_access_level(access)
+        # check if we have 'access_level' access so we can  add the group with same role.
+        members = self.get_items(
+            project.members.all, query_parameters={"user_ids": self.user.id}
+        )
+        if not any(
+            self.user.id == member.id and member.access_level >= access_level
+            for member in members
+        ):
+            logging.error(
+                "%s is not shared with %s as %s",
+                repo_url,
+                self.user.username,
+                access,
+            )
+            return None
+        logging.info(["add_group_as_maintainer", repo_url, group_id])
+        if not dry_run:
+            gitlab_request.labels(integration=INTEGRATION_NAME).inc()
+            project.share(group_id, access_level)
+
+    def get_group_id_and_shared_projects(
+        self, group_name: str
+    ) -> tuple[int, list[dict]]:
+        gitlab_request.labels(integration=INTEGRATION_NAME).inc()
+        group = self.gl.groups.get(group_name)
+        return group.id, [
+            project
+            for project in group.shared_projects
+            for shared_group in project["shared_with_groups"]
+            if shared_group["group_id"] == group.id
+            and shared_group["group_access_level"] >= MAINTAINER_ACCESS
+        ]
+
     @staticmethod
     def _is_bot_username(username: str) -> bool:
         """crudely checking for the username
@@ -331,30 +378,30 @@ class GitLabApi:  # pylint: disable=too-many-public-methods
 
     @staticmethod
     def get_access_level_string(access_level):
-        if access_level == gitlab.OWNER_ACCESS:
+        if access_level == OWNER_ACCESS:
             return "owner"
-        if access_level == gitlab.MAINTAINER_ACCESS:
+        if access_level == MAINTAINER_ACCESS:
             return "maintainer"
-        if access_level == gitlab.DEVELOPER_ACCESS:
+        if access_level == DEVELOPER_ACCESS:
             return "developer"
-        if access_level == gitlab.REPORTER_ACCESS:
+        if access_level == REPORTER_ACCESS:
             return "reporter"
-        if access_level == gitlab.GUEST_ACCESS:
+        if access_level == GUEST_ACCESS:
             return "guest"
 
     @staticmethod
     def get_access_level(access):
         access = access.lower()
         if access == "owner":
-            return gitlab.OWNER_ACCESS
+            return OWNER_ACCESS
         if access == "maintainer":
-            return gitlab.MAINTAINER_ACCESS
+            return MAINTAINER_ACCESS
         if access == "developer":
-            return gitlab.DEVELOPER_ACCESS
+            return DEVELOPER_ACCESS
         if access == "reporter":
-            return gitlab.REPORTER_ACCESS
+            return REPORTER_ACCESS
         if access == "guest":
-            return gitlab.GUEST_ACCESS
+            return GUEST_ACCESS
 
     def get_group_id_and_projects(self, group_name: str) -> tuple[str, list[str]]:
         gitlab_request.labels(integration=INTEGRATION_NAME).inc()