Add a container_registry project feature

This will eventually allow project admins to have more granular
control over the visibility of the container registry.

app/models/concerns/project_features_compatibility.rb

@@ -86,6 +86,10 @@ module ProjectFeaturesCompatibility
     write_feature_attribute_string(:security_and_compliance_access_level, value)
   end
 
+  def container_registry_access_level=(value)
+    write_feature_attribute_string(:container_registry_access_level, value)
+  end
+
   private
 
   def write_feature_attribute_boolean(field, value)

app/models/project.rb

@@ -393,6 +393,7 @@ class Project < ApplicationRecord
     :wiki_access_level, :snippets_access_level, :builds_access_level,
     :repository_access_level, :pages_access_level, :metrics_dashboard_access_level, :analytics_access_level,
     :operations_enabled?, :operations_access_level, :security_and_compliance_access_level,
+    :container_registry_access_level,
     to: :project_feature, allow_nil: true
   delegate :show_default_award_emojis, :show_default_award_emojis=,
     :show_default_award_emojis?,

app/models/project_feature.rb

@@ -3,7 +3,22 @@
 class ProjectFeature < ApplicationRecord
   include Featurable
 
-  FEATURES = %i(issues forking merge_requests wiki snippets builds repository pages metrics_dashboard analytics operations security_and_compliance).freeze
+  FEATURES = %i[
+    issues
+    forking
+    merge_requests
+    wiki
+    snippets
+    builds
+    repository
+    pages
+    metrics_dashboard
+    analytics
+    operations
+    security_and_compliance
+    container_registry
+  ].freeze
+
   EXPORTABLE_FEATURES = (FEATURES - [:security_and_compliance]).freeze
 
   set_available_features(FEATURES)

changelogs/unreleased/18792-add-container_registry_access_level.yml

+---
+title: Add a new project feature called container_registry
+merge_request: 54831
+author:
+type: changed

db/migrate/20210222105120_add_container_registry_access_level.rb

+# frozen_string_literal: true
+
+class AddContainerRegistryAccessLevel < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def up
+    with_lock_retries do
+      add_column(
+        :project_features,
+        :container_registry_access_level,
+        :integer,
+        default: 0, # ProjectFeature::DISABLED value
+        null: false
+      )
+    end
+  end
+
+  def down
+    with_lock_retries do
+      remove_column :project_features, :container_registry_access_level
+    end
+  end
+end

db/schema_migrations/20210222105120

+4da0131929bf59dd4a72bf05a889063df7978f8b5782e5f3b27d466302dc44b6
\ No newline at end of file

db/structure.sql

@@ -16054,7 +16054,8 @@ CREATE TABLE project_features (
     requirements_access_level integer DEFAULT 20 NOT NULL,
     operations_access_level integer DEFAULT 20 NOT NULL,
     analytics_access_level integer DEFAULT 20 NOT NULL,
-    security_and_compliance_access_level integer DEFAULT 10 NOT NULL
+    security_and_compliance_access_level integer DEFAULT 10 NOT NULL,
+    container_registry_access_level integer DEFAULT 0 NOT NULL
 );
 
 CREATE SEQUENCE project_features_id_seq

ee/lib/ee/audit/project_feature_changes_auditor.rb

@@ -17,7 +17,8 @@ module EE
                  :analytics_access_level,
                  :operations_access_level,
                  :requirements_access_level,
-                 :security_and_compliance_access_level].freeze
+                 :security_and_compliance_access_level,
+                 :container_registry_access_level].freeze
 
       def initialize(current_user, model, project)
         @project = project

ee/spec/lib/ee/audit/project_feature_changes_auditor_spec.rb

@@ -18,7 +18,11 @@ RSpec.describe EE::Audit::ProjectFeatureChangesAuditor do
 
       columns.each do |column|
         previous_value = features.method(column).call
-        new_value = ProjectFeature::DISABLED
+        new_value = if previous_value == ProjectFeature::DISABLED
+                      ProjectFeature::ENABLED
+                    else
+                      ProjectFeature::DISABLED
+                    end
 
         features.update_attribute(column, new_value)
         expect { foo_instance.execute }.to change { AuditEvent.count }.by(1)

spec/lib/gitlab/import_export/safe_model_attributes.yml

@@ -584,6 +584,7 @@ ProjectFeature:
 - analytics_access_level
 - operations_access_level
 - security_and_compliance_access_level
+- container_registry_access_level
 - created_at
 - updated_at
 ProtectedBranch::MergeAccessLevel:

spec/models/concerns/project_features_compatibility_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe ProjectFeaturesCompatibility do
   let(:project) { create(:project) }
   let(:features_enabled) { %w(issues wiki builds merge_requests snippets security_and_compliance) }
-  let(:features) { features_enabled + %w(repository pages operations) }
+  let(:features) { features_enabled + %w(repository pages operations container_registry) }
 
   # We had issues_enabled, snippets_enabled, builds_enabled, merge_requests_enabled and issues_enabled fields on projects table
   # All those fields got moved to a new table called project_feature and are now integers instead of booleans

spec/models/project_feature_spec.rb

@@ -40,7 +40,7 @@ RSpec.describe ProjectFeature do
   end
 
   context 'public features' do
-    features = %w(issues wiki builds merge_requests snippets repository metrics_dashboard operations)
+    features = ProjectFeature::FEATURES - %i(pages)
 
     features.each do |feature|
       it "does not allow public access level for #{feature}" do

spec/requests/api/project_attributes.yml

@@ -118,6 +118,7 @@ project_feature:
     - project_id
     - requirements_access_level
     - security_and_compliance_access_level
+    - container_registry_access_level
     - updated_at
   computed_attributes:
     - issues_enabled