Skip to content

feat(gitlab): add access, membership, and user-admin operations#5707

Open
mzxchandra wants to merge 7 commits into
simstudioai:stagingfrom
mzxchandra:feature/sim-817
Open

feat(gitlab): add access, membership, and user-admin operations#5707
mzxchandra wants to merge 7 commits into
simstudioai:stagingfrom
mzxchandra:feature/sim-817

Conversation

@mzxchandra

Copy link
Copy Markdown
Contributor

Summary

Adds access / membership / user-administration operations to the existing GitLab block so teams can build native access-provisioning workflows (IT help-desk auto-provisioning) without dropping to a raw API block and hand-rolling auth.

This extends the block rather than splitting it — the admin boundary is handled by the existing per-operation access-control feature, not a second block.

New operations (27 tools):

  • Members: list (/members/all by default, direct-only opt-in), add, update access level, remove
  • Invitations: invite by email, list, update, revoke
  • Access requests: list, approve (with access level), deny
  • SAML group links: list (group-scoped), add, delete
  • Users: search (resolve email → user id), and admin ops — create, update, delete, block/unblock, deactivate/activate, ban/unban, approve/reject signup, delete auth identity

All resource-scoped ops work against projects or groups via a Resource Type selector. Every tool reuses the existing getGitLabApiBase() host resolution + SSRF guard, and a new shared getGitLabResourcePath() helper.

Design details:

  • access_level is a named dropdown (Guest…Owner, full official enum) that serializes to the GitLab integer — no free-text integer guessing on a permissions call.
  • expires_at is a first-class field so time-boxed grants are the default.
  • Read defaults to /members/all (includes inherited members) to avoid false "no access" answers, with a direct-only opt-in.
  • A duplicate-member add (409) is treated as a soft success so provisioning workflows are re-runnable.
  • Configurable self-managed base URL (reuses the existing host param + SSRF guard).
  • member_role_id passthrough for Ultimate custom roles.
  • list_saml_group_links ships in the first cut so a workflow can detect SAML-governed groups before choosing an IdP-side vs GitLab-native member add.

Type of Change

  • New feature

Testing

  • Unit tests (Vitest) cover the risk-bearing paths flagged in the design: access_level enum→integer coercion, /members/all default vs direct-only, the 409-duplicate-add soft success, invitation per-email error handling, user-status-action response parsing, and getGitLabResourcePath.
  • Full GitLab tool/block suite plus the registry-consistency tests (tools/index.test.ts, blocks/blocks.test.ts) pass: 202 tests green.
  • tsc --noEmit and Biome are clean.

Reviewers should focus on: the config.params coercions in blocks/blocks/gitlab.ts (enum→int, id coercion happens at execution, never in config.tool), and the 409 handling in tools/gitlab/add_member.ts.

Not covered by automated tests: live end-to-end against a real GitLab instance (needs a sandbox + PAT; admin ops need an admin_mode token) — recommended as a manual smoke test before relying on the admin operations.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

🤖 Generated with Claude Code

Adds member, invitation, access-request, SAML group link, and user
administration tools to the GitLab integration. Resource-scoped ops work
against projects or groups; user-admin ops require an admin token. All tools
reuse the existing host/SSRF guard via getGitLabApiBase and add a shared
getGitLabResourcePath helper.
Adds the new operations to the block dropdown and tools access list, with a
named access-level dropdown (enum in, integer out), first-class expires_at,
a /members/all default (direct-only opt-in), resource-type selector, and
member_role_id passthrough.
Covers the access_level enum-to-integer coercion, the /members/all default vs
direct-only, the 409-duplicate-add soft success, invitation per-email error
handling, user-status-action response parsing, and getGitLabResourcePath.
@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

@mzxchandra is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.

@cursor

cursor Bot commented Jul 16, 2026

Copy link
Copy Markdown

PR Summary

High Risk
New workflows can change GitLab membership, SAML links, and admin user state (including delete/hard-delete and admin demotion); mistakes or over-broad tokens have real authorization impact despite tests on coercion and idempotency.

Overview
Extends the GitLab workflow block and tool registry with 27 new operations for membership, invitations, access requests, SAML group links, user search, and instance admin user lifecycle actions—so provisioning can stay in the existing block instead of raw API calls.

The block gains conditional UI for project/group resource type, named access level dropdowns (coerced to GitLab integers at execution), optional expires at, invitation “leave unchanged” behavior, and admin user fields. New tools share getGitLabResourcePath() for project/group URLs; gitlab_add_member treats 409 as idempotent success, and gitlab_invite_member fails when GitLab returns status: error on 201.

Docs in gitlab.mdx document the new tools; several admin status-action sections appear to reuse a full global output table with empty input tables—worth a quick doc pass. Vitest covers coercion, list-members defaults, and response edge cases.

Reviewed by Cursor Bugbot for commit d41d8f1. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread apps/sim/blocks/blocks/gitlab.ts
Comment thread apps/sim/blocks/blocks/gitlab.ts Outdated
@greptile-apps

greptile-apps Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR expands the GitLab integration with access provisioning and user administration. The main changes are:

  • Adds member, invitation, access-request, and SAML group-link operations.
  • Adds GitLab user search and administrator operations.
  • Extends the GitLab block, tool registry, response types, and documentation.
  • Adds tests for parameter conversion, member listing, invitation handling, and status actions.

Confidence Score: 5/5

This looks safe to merge.

  • The invitation access-level field is visible and leaves the existing level unchanged by default.
  • Comma-separated invitation addresses are normalized before the request is sent.
  • No blocking issues remain in the updated code.

Important Files Changed

Filename Overview
apps/sim/blocks/blocks/gitlab.ts Adds block configuration and execution mapping for GitLab access, membership, SAML, and user-administration operations.
apps/sim/tools/gitlab/invite_member.ts Adds member invitations and normalizes comma-separated email addresses.
apps/sim/tools/gitlab/update_invitation.ts Adds optional invitation access-level and expiration updates.
apps/sim/tools/gitlab/utils.ts Adds shared GitLab resource-path handling for project and group operations.
apps/sim/tools/gitlab/access.test.ts Covers membership, invitation, and user-status request behavior.
apps/sim/blocks/blocks/gitlab.test.ts Covers block routing, field visibility, defaults, and execution-time parameter conversion.

Reviews (3): Last reviewed commit: "fix(gitlab): make update-invitation acce..." | Re-trigger Greptile

Comment thread apps/sim/blocks/blocks/gitlab.ts
Comment thread apps/sim/tools/gitlab/invite_member.ts Outdated
mzxchandra and others added 2 commits July 16, 2026 02:02
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
- update_user now sends admin:false so the Administrator switch can demote
  (an untouched switch stays undefined and leaves the flag unchanged)
- expose the access-level dropdown for Update Invitation
- normalize comma-separated invite emails so spaced multi-email input works
@mzxchandra

Copy link
Copy Markdown
Contributor Author

@greptile

@mzxchandra

Copy link
Copy Markdown
Contributor Author

@cursor review

Comment thread apps/sim/blocks/blocks/gitlab.ts
Update Invitation now uses a dedicated dropdown that defaults to 'Leave
unchanged', so updating only the expiration no longer silently resets the
invitation's access level to Developer. The level is sent only when explicitly
chosen.
@mzxchandra

Copy link
Copy Markdown
Contributor Author

@greptile

@mzxchandra

Copy link
Copy Markdown
Contributor Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit d41d8f1. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant