Add latest changes from gitlab-org/gitlab@master

4 files changed, 118 insertions, 3 deletions

diff --git a/app/graphql/mutations/packages/protection/rule/update.rb b/app/graphql/mutations/packages/protection/rule/update.rb
new file mode 100644
index 00000000000..dc1f78e6822
--- /dev/null
+++ b/app/graphql/mutations/packages/protection/rule/update.rb
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Mutations
+  module Packages
+    module Protection
+      module Rule
+        class Update < ::Mutations::BaseMutation
+          graphql_name 'UpdatePackagesProtectionRule'
+          description 'Updates a package protection rule to restrict access to project packages. ' \
+                      'You can prevent users without certain permissions from altering packages. ' \
+                      'Available only when feature flag `packages_protected_packages` is enabled.'
+
+          authorize :admin_package
+
+          argument :id,
+            ::Types::GlobalIDType[::Packages::Protection::Rule],
+            required: true,
+            description: 'Global ID of the package protection rule to be updated.'
+
+          argument :package_name_pattern,
+            GraphQL::Types::String,
+            required: false,
+            validates: { allow_blank: false },
+            description:
+            'Package name protected by the protection rule. For example, `@my-scope/my-package-*`. ' \
+            'Wildcard character `*` allowed.'
+
+          argument :package_type,
+            Types::Packages::Protection::RulePackageTypeEnum,
+            required: false,
+            validates: { allow_blank: false },
+            description: 'Package type protected by the protection rule. For example, `NPM`.'
+
+          argument :push_protected_up_to_access_level,
+            Types::Packages::Protection::RuleAccessLevelEnum,
+            required: false,
+            validates: { allow_blank: false },
+            description:
+              'Maximum GitLab access level unable to push a package. For example, `DEVELOPER`, `MAINTAINER`, `OWNER`.'
+
+          field :package_protection_rule,
+            Types::Packages::Protection::RuleType,
+            null: true,
+            description: 'Packages protection rule after mutation.'
+
+          def resolve(id:, **kwargs)
+            package_protection_rule = authorized_find!(id: id)
+
+            if Feature.disabled?(:packages_protected_packages, package_protection_rule.project)
+              raise_resource_not_available_error!("'packages_protected_packages' feature flag is disabled")
+            end
+
+            response = ::Packages::Protection::UpdateRuleService.new(package_protection_rule,
+              current_user: current_user, params: kwargs).execute
+
+            { package_protection_rule: response.payload[:package_protection_rule], errors: response.errors }
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/app/graphql/types/mutation_type.rb b/app/graphql/types/mutation_type.rb
index 8055247fb8a..d0a9ea11a27 100644
--- a/app/graphql/types/mutation_type.rb
+++ b/app/graphql/types/mutation_type.rb
@@ -177,6 +177,7 @@ module Types
     mount_mutation Mutations::Packages::DestroyFile
     mount_mutation Mutations::Packages::Protection::Rule::Create, alpha: { milestone: '16.5' }
     mount_mutation Mutations::Packages::Protection::Rule::Delete, alpha: { milestone: '16.6' }
+    mount_mutation Mutations::Packages::Protection::Rule::Update, alpha: { milestone: '16.6' }
     mount_mutation Mutations::Packages::DestroyFiles
     mount_mutation Mutations::Packages::Cleanup::Policy::Update
     mount_mutation Mutations::Echo
diff --git a/app/models/concerns/transitionable.rb b/app/models/concerns/transitionable.rb
index 70e1fc8b78a..b64b09336bb 100644
--- a/app/models/concerns/transitionable.rb
+++ b/app/models/concerns/transitionable.rb
@@ -6,9 +6,7 @@ module Transitionable
   attr_accessor :transitioning
 
   def transitioning?
-    return false unless transitioning && Feature.enabled?(:skip_validations_during_transitions, project)
-
-    true
+    transitioning
   end
 
   def enable_transitioning
diff --git a/app/services/packages/protection/update_rule_service.rb b/app/services/packages/protection/update_rule_service.rb
new file mode 100644
index 00000000000..0dc7eb6a7b9
--- /dev/null
+++ b/app/services/packages/protection/update_rule_service.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Packages
+  module Protection
+    class UpdateRuleService
+      include Gitlab::Allowable
+
+      ALLOWED_ATTRIBUTES = %i[
+        package_name_pattern
+        package_type
+        push_protected_up_to_access_level
+      ].freeze
+
+      def initialize(package_protection_rule, current_user:, params:)
+        if package_protection_rule.blank? || current_user.blank?
+          raise ArgumentError,
+            'package_protection_rule and current_user must be set'
+        end
+
+        @package_protection_rule = package_protection_rule
+        @current_user = current_user
+        @params = params || {}
+      end
+
+      def execute
+        unless can?(current_user, :admin_package, package_protection_rule.project)
+          error_message = _('Unauthorized to update a package protection rule')
+          return service_response_error(message: error_message)
+        end
+
+        package_protection_rule.update(params.slice(*ALLOWED_ATTRIBUTES))
+
+        if package_protection_rule.errors.present?
+          return service_response_error(message: package_protection_rule.errors.full_messages)
+        end
+
+        ServiceResponse.success(payload: { package_protection_rule: package_protection_rule })
+      rescue StandardError => e
+        service_response_error(message: e.message)
+      end
+
+      private
+
+      attr_reader :package_protection_rule, :current_user, :params
+
+      def service_response_error(message:)
+        ServiceResponse.error(
+          message: message,
+          payload: { package_protection_rule: nil }
+        )
+      end
+    end
+  end
+end