feat: add support for GitLab groups

Signed-off-by: Pierre Guinoiseau <[email protected]>

Author: peikk0

cmd/server.go

@@ -106,6 +106,7 @@ const (
 	GiteaUserFlag                    = "gitea-user"
 	GiteaWebhookSecretFlag           = "gitea-webhook-secret" // nolint: gosec
 	GiteaPageSizeFlag                = "gitea-page-size"
+	GitlabGroupAllowlistFlag         = "gitlab-group-allowlist"
 	GitlabHostnameFlag               = "gitlab-hostname"
 	GitlabTokenFlag                  = "gitlab-token"
 	GitlabUserFlag                   = "gitlab-user"
@@ -358,6 +359,17 @@ var stringFlags = map[string]stringFlag{
 			"This means that an attacker could spoof calls to Atlantis and cause it to perform malicious actions. " +
 			"Should be specified via the ATLANTIS_GITEA_WEBHOOK_SECRET environment variable.",
 	},
+	GitlabGroupAllowlistFlag: {
+		description: "Comma separated list of key-value pairs representing the GitLab groups and the operations that " +
+			"the members of a particular group are allowed to perform. " +
+			"The format is {group}:{command},{group}:{command}. " +
+			"Valid values for 'command' are 'plan', 'apply' and '*', e.g. 'myorg/dev:plan,myorg/ops:apply,myorg/devops:*'" +
+			"This example gives the users from the 'myorg/dev' GitLab group the permissions to execute the 'plan' command, " +
+			"the 'myorg/ops' group the permissions to execute the 'apply' command, " +
+			"and allows the 'myorg/devops' group to perform any operation. If this argument is not provided, the default value (*:*) " +
+			"will be used and the default behavior will be to not check permissions " +
+			"and to allow users from any group to perform any operation.",
+	},
 	GitlabHostnameFlag: {
 		description:  "Hostname of your GitLab Enterprise installation. If using gitlab.com, no need to set.",
 		defaultValue: DefaultGitlabHostname,

cmd/server_test.go

@@ -100,6 +100,7 @@ var testFlags = map[string]interface{}{
 	GiteaUserFlag:                    "gitea-user",
 	GiteaWebhookSecretFlag:           "gitea-secret",
 	GiteaPageSizeFlag:                30,
+	GitlabGroupAllowlistFlag:         "",
 	GitlabHostnameFlag:               "gitlab-hostname",
 	GitlabTokenFlag:                  "gitlab-token",
 	GitlabUserFlag:                   "gitlab-user",

runatlantis.io/docs/server-configuration.md

@@ -770,6 +770,22 @@ based on the organization or user that triggered the webhook.
   This means that an attacker could spoof calls to Atlantis and cause it to perform malicious actions.
   :::
 
+### `--gitlab-group-allowlist`
+
+  ```bash
+  atlantis server --gitlab-group-allowlist="myorg/mygroup:plan, myorg/secteam:apply, myorg/devops:apply, myorg/devops:import"
+  # or
+  ATLANTIS_GITLAB_GROUP_ALLOWLIST="myorg/mygroup:plan, myorg/secteam:apply, myorg/devops:apply, myorg/devops:import"
+  ```
+
+  Comma-separated list of GitLab groups and permission pairs.
+
+  By default, any group can plan and apply.
+
+  ::: warning NOTE
+  Atlantis needs to be able to view the listed group members, inaccessible or non-existent groups are silently ignored.
+  :::
+
 ### `--gitlab-hostname`
 
   ```bash

runatlantis.io/docs/server-side-repo-config.md

@@ -592,12 +592,12 @@ mode: on_apply
 
 ### Policies
 
-| Key                    | Type            | Default | Required  | Description                                              |
-|------------------------|-----------------|---------|-----------|----------------------------------------------------------|
-| conftest_version       | string          | none    | no        | conftest version to run all policy sets                  |
-| owners                 | Owners(#Owners) | none    | yes       | owners that can approve failing policies                 |
-| approve_count          | int             | 1       | no        | number of approvals required to bypass failing policies. |
-| policy_sets            | []PolicySet     | none    | yes       | set of policies to run on a plan output                  |
+| Key                    | Type            | Default | Required  | Description                                             |
+|------------------------|-----------------|---------|-----------|---------------------------------------------------------|
+| conftest_version       | string          | none    | no        | conftest version to run all policy sets                 |
+| owners                 | Owners(#Owners) | none    | yes       | owners that can approve failing policies                |
+| approve_count          | int             | 1       | no        | number of approvals required to bypass failing policies |
+| policy_sets            | []PolicySet     | none    | yes       | set of policies to run on a plan output                 |
 
 ### Owners
 

server/core/config/valid/policies.go

@@ -1,6 +1,7 @@
 package valid
 
 import (
+	"slices"
 	"strings"
 
 	version "github.com/hashicorp/go-version"
@@ -67,3 +68,16 @@ func (o *PolicyOwners) IsOwner(username string, userTeams []string) bool {
 
 	return false
 }
+
+// Return all owner teams from all policy sets
+func (p *PolicySets) AllTeams() []string {
+	teams := p.Owners.Teams
+	for _, policySet := range p.PolicySets {
+		for _, team := range policySet.Owners.Teams {
+			if !slices.Contains(teams, team) {
+				teams = append(teams, team)
+			}
+		}
+	}
+	return teams
+}

server/core/config/valid/policies_test.go

@@ -120,3 +120,66 @@ func TestPoliciesConfig_IsOwners(t *testing.T) {
 		})
 	}
 }
+
+func TestPoliciesConfig_AllTeams(t *testing.T) {
+	cases := []struct {
+		description string
+		input       valid.PolicySets
+		expResult   []string
+	}{
+		{
+			description: "has only top-level team owner",
+			input: valid.PolicySets{
+				Owners: valid.PolicyOwners{
+					Teams: []string{
+						"team1",
+					},
+				},
+			},
+			expResult: []string{"team1"},
+		},
+		{
+			description: "has only policy-level team owner",
+			input: valid.PolicySets{
+				PolicySets: []valid.PolicySet{
+					{
+						Name: "policy1",
+						Owners: valid.PolicyOwners{
+							Teams: []string{
+								"team2",
+							},
+						},
+					},
+				},
+			},
+			expResult: []string{"team2"},
+		},
+		{
+			description: "has both top-level and policy-level team owners",
+			input: valid.PolicySets{
+				Owners: valid.PolicyOwners{
+					Teams: []string{
+						"team1",
+					},
+				},
+				PolicySets: []valid.PolicySet{
+					{
+						Name: "policy1",
+						Owners: valid.PolicyOwners{
+							Teams: []string{
+								"team2",
+							},
+						},
+					},
+				},
+			},
+			expResult: []string{"team1", "team2"},
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.description, func(t *testing.T) {
+			result := c.input.AllTeams()
+			Equals(t, c.expResult, result)
+		})
+	}
+}

server/events/command/team_allowlist_checker.go

@@ -21,6 +21,9 @@ type TeamAllowlistChecker interface {
 
 	// IsCommandAllowedForAnyTeam determines if any of the specified teams can perform the specified action
 	IsCommandAllowedForAnyTeam(ctx models.TeamAllowlistCheckerContext, teams []string, command string) bool
+
+	// AllTeams returns all teams configured in the allowlist
+	AllTeams() []string
 }
 
 // DefaultTeamAllowlistChecker implements checking the teams and the operations that the members
@@ -84,3 +87,14 @@ func (checker *DefaultTeamAllowlistChecker) IsCommandAllowedForAnyTeam(ctx model
 	}
 	return false
 }
+
+// AllTeams returns all teams configured in the allowlist
+func (checker *DefaultTeamAllowlistChecker) AllTeams() []string {
+	var teamNames []string
+	for _, rule := range checker.rules {
+		for key := range rule {
+			teamNames = append(teamNames, key)
+		}
+	}
+	return teamNames
+}

server/events/command_runner.go

@@ -157,7 +157,7 @@ func (c *DefaultCommandRunner) RunAutoplanCommand(baseRepo models.Repo, headRepo
 
 	// Check if the user who triggered the autoplan has permissions to run 'plan'.
 	if c.TeamAllowlistChecker != nil && c.TeamAllowlistChecker.HasRules() {
-		err := c.fetchUserTeams(baseRepo, &user)
+		err := c.fetchUserTeams(log, baseRepo, &user)
 		if err != nil {
 			log.Err("Unable to fetch user teams: %s", err)
 			return
@@ -300,7 +300,7 @@ func (c *DefaultCommandRunner) RunCommentCommand(baseRepo models.Repo, maybeHead
 
 	// Check if the user who commented has the permissions to execute the 'plan' or 'apply' commands
 	if c.TeamAllowlistChecker != nil && c.TeamAllowlistChecker.HasRules() {
-		err := c.fetchUserTeams(baseRepo, &user)
+		err := c.fetchUserTeams(log, baseRepo, &user)
 		if err != nil {
 			c.Logger.Err("Unable to fetch user teams: %s", err)
 			return
@@ -491,8 +491,8 @@ func (c *DefaultCommandRunner) ensureValidRepoMetadata(
 	return
 }
 
-func (c *DefaultCommandRunner) fetchUserTeams(repo models.Repo, user *models.User) error {
-	teams, err := c.VCSClient.GetTeamNamesForUser(repo, *user)
+func (c *DefaultCommandRunner) fetchUserTeams(logger logging.SimpleLogging, repo models.Repo, user *models.User) error {
+	teams, err := c.VCSClient.GetTeamNamesForUser(logger, repo, *user)
 	if err != nil {
 		return err
 	}

server/events/command_runner_test.go

@@ -313,7 +313,7 @@ func TestRunCommentCommand_TeamAllowListChecker(t *testing.T) {
 		When(eventParsing.ParseGithubPull(Any[logging.SimpleLogging](), Eq(&pull))).ThenReturn(modelPull, modelPull.BaseRepo, testdata.GithubRepo, nil)
 
 		ch.RunCommentCommand(testdata.GithubRepo, nil, nil, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.Plan})
-		vcsClient.VerifyWasCalled(Never()).GetTeamNamesForUser(testdata.GithubRepo, testdata.User)
+		vcsClient.VerifyWasCalled(Never()).GetTeamNamesForUser(ch.Logger, testdata.GithubRepo, testdata.User)
 		vcsClient.VerifyWasCalledOnce().CreateComment(
 			Any[logging.SimpleLogging](), Eq(testdata.GithubRepo), Eq(modelPull.Num), Eq("Ran Plan for 0 projects:"), Eq("plan"))
 	})
@@ -331,7 +331,7 @@ func TestRunCommentCommand_TeamAllowListChecker(t *testing.T) {
 		When(eventParsing.ParseGithubPull(Any[logging.SimpleLogging](), Eq(&pull))).ThenReturn(modelPull, modelPull.BaseRepo, testdata.GithubRepo, nil)
 
 		ch.RunCommentCommand(testdata.GithubRepo, nil, nil, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.Plan})
-		vcsClient.VerifyWasCalled(Never()).GetTeamNamesForUser(testdata.GithubRepo, testdata.User)
+		vcsClient.VerifyWasCalled(Never()).GetTeamNamesForUser(ch.Logger, testdata.GithubRepo, testdata.User)
 		vcsClient.VerifyWasCalledOnce().CreateComment(
 			Any[logging.SimpleLogging](), Eq(testdata.GithubRepo), Eq(modelPull.Num), Eq("Ran Plan for 0 projects:"), Eq("plan"))
 	})

server/events/external_team_allowlist_checker.go

@@ -39,6 +39,10 @@ func (checker *ExternalTeamAllowlistChecker) IsCommandAllowedForAnyTeam(ctx mode
 	return checker.checkOutputResults(out)
 }
 
+func (checker *ExternalTeamAllowlistChecker) AllTeams() []string {
+	return []string{}
+}
+
 func (checker *ExternalTeamAllowlistChecker) buildCommandString(ctx models.TeamAllowlistCheckerContext, teams []string, command string) string {
 	// Build command string
 	// Format is "$external_cmd $external_args $command $repo $teams"