feat: add PermissionsDefinition to SettingsDefinition to enable m… (#1775)

**What this PR does / Why we need it:**
Introduction of config type Permission and introduction of the FF to
toggle the behavior of it.
_Feature flag added:_
```
	// AccessControlSettings toggles whether settings enable the access control
	// Introduced: v2.21.0
	AccessControlSettings FeatureFlag = "MONACO_ACC_CONTROL_SETTINGS"
```
_Example yml file:_
```
configs:
  - id: some-long-id-of-my-config
    type:
      settings:
        schema: builtin:alerting.profile
        schemaVersion: "8.5"
        scope: "some-scope"
        permissions:
          allUsers: read
    config:
      template: 'template.json'
```
**Special notes for your reviewer:**
**Does this PR introduce a user-facing change?**
Currently, the FF is disabled, so no user-facing changes

---------

Co-authored-by: Arthur Pitman <arthur.pitman@dynatrace.com>

Author: tomazpu

internal/featureflags/temporary.go

@@ -43,6 +43,9 @@ const (
 	// ServiceLevelObjective toggles whether slo configurations are downloaded and / or deployed.
 	// Introduced: v2.19.0
 	ServiceLevelObjective FeatureFlag = "MONACO_FEAT_SLO_V2"
+	// AccessControlSettings toggles whether settings enable the access control
+	// Introduced: v2.21.0
+	AccessControlSettings FeatureFlag = "MONACO_FEAT_ACCESS_CONTROL_SETTINGS"
 )
 
 // temporaryDefaultValues defines temporary feature flags and their default values.
@@ -57,4 +60,5 @@ var temporaryDefaultValues = map[FeatureFlag]defaultValue{
 	ServiceUsers:                       false,
 	OnlyCreateReferencesInStringValues: false,
 	ServiceLevelObjective:              false,
+	AccessControlSettings:              false,
 }

internal/strings/strings.go

@@ -21,3 +21,7 @@ import "fmt"
 func ToString(v interface{}) string {
 	return fmt.Sprintf("%v", v)
 }
+
+func Pointer(str string) *string {
+	return &str
+}

pkg/config/types.go

@@ -30,8 +30,19 @@ const (
 
 var _ Type = SettingsType{}
 
+type AllUserPermissionKind = string
+
+const (
+	ReadPermission  AllUserPermissionKind = "read"
+	WritePermission AllUserPermissionKind = "write"
+	NonePermission  AllUserPermissionKind = "none"
+)
+
+var KnownAllUserPermissionKind = []AllUserPermissionKind{ReadPermission, WritePermission, NonePermission}
+
 type SettingsType struct {
 	SchemaId, SchemaVersion string
+	AllUserPermission       *AllUserPermissionKind
 }
 
 func (SettingsType) ID() TypeID {

pkg/persistence/config/internal/persistence/type_definition.go

@@ -46,10 +46,15 @@ type ComplexApiDefinition struct {
 }
 
 type SettingsDefinition struct {
-	Schema        string          `yaml:"schema,omitempty" json:"schema,omitempty" jsonschema:"required,description=The Settings 2.0 schema of this config."`
-	SchemaVersion string          `yaml:"schemaVersion,omitempty" json:"schemaVersion,omitempty" jsonschema:"description=This optionally informs the Settings API that a specific schema version was used for this config."`
-	Scope         ConfigParameter `yaml:"scope,omitempty" json:"scope,omitempty"  jsonschema:"required,description=This defines the scope in which this Setting applies."`
-	InsertAfter   ConfigParameter `yaml:"insertAfter,omitempty" json:"insertAfter,omitempty" jsonschema:"description=This optionally informs the settings API that this particular objects needs to be inserted after the referenced one."`
+	Schema        string                `yaml:"schema,omitempty" json:"schema,omitempty" jsonschema:"required,description=The Settings 2.0 schema of this config."`
+	SchemaVersion string                `yaml:"schemaVersion,omitempty" json:"schemaVersion,omitempty" jsonschema:"description=This optionally informs the Settings API that a specific schema version was used for this config."`
+	Scope         ConfigParameter       `yaml:"scope,omitempty" json:"scope,omitempty"  jsonschema:"required,description=This defines the scope in which this Setting applies."`
+	InsertAfter   ConfigParameter       `yaml:"insertAfter,omitempty" json:"insertAfter,omitempty" jsonschema:"description=This optionally informs the settings API that this particular objects needs to be inserted after the referenced one."`
+	Permissions   *PermissionDefinition `yaml:"permissions,omitempty" json:"permissions,omitempty" jsonschema:"description=The optional permissions to be applied to this config."`
+}
+
+type PermissionDefinition struct {
+	AllUsers *string `yaml:"allUsers,omitempty" json:"allUsers" jsonschema:"required,enum=read,enum=write,enum=none,description=All users can use this permission." mapstructure:"allUsers"`
 }
 
 type AutomationDefinition struct {
@@ -156,9 +161,18 @@ func (c *TypeDefinition) parseSettingsType(a any) error {
 		return fmt.Errorf("failed to unmarshal settings-type: %w", err)
 	}
 
+	if !featureflags.AccessControlSettings.Enabled() && r.Permissions != nil {
+		return fmt.Errorf("unknown settings configuration property 'permissions'")
+	}
+
+	var allUserPermission *config.AllUserPermissionKind
+	if r.Permissions != nil {
+		allUserPermission = r.Permissions.AllUsers
+	}
 	c.Type = config.SettingsType{
-		SchemaId:      r.Schema,
-		SchemaVersion: r.SchemaVersion,
+		SchemaId:          r.Schema,
+		SchemaVersion:     r.SchemaVersion,
+		AllUserPermission: allUserPermission,
 	}
 	c.Scope = r.Scope
 	c.InsertAfter = r.InsertAfter
@@ -223,6 +237,12 @@ func (c *TypeDefinition) Validate(apis map[string]struct{}) error {
 			return errors.New("missing settings scope")
 		}
 
+		if featureflags.AccessControlSettings.Enabled() {
+			if t.AllUserPermission != nil && !slices.Contains(config.KnownAllUserPermissionKind, *t.AllUserPermission) {
+				return fmt.Errorf("unknown allUsers value: '%s', allowed: %v", *t.AllUserPermission, config.KnownAllUserPermissionKind)
+			}
+		}
+
 	case config.AutomationType:
 		switch t.Resource {
 		case "":
@@ -303,14 +323,22 @@ func (c TypeDefinition) MarshalYAML() (interface{}, error) {
 			insertAfterValue = c.InsertAfter
 		}
 
-		return map[string]any{
-			"settings": SettingsDefinition{
-				Schema:        t.SchemaId,
-				SchemaVersion: t.SchemaVersion,
-				Scope:         c.Scope,
-				InsertAfter:   insertAfterValue,
-			},
-		}, nil
+		setDefinition := SettingsDefinition{
+			Schema:        t.SchemaId,
+			SchemaVersion: t.SchemaVersion,
+			Scope:         c.Scope,
+			InsertAfter:   insertAfterValue,
+		}
+
+		if featureflags.AccessControlSettings.Enabled() {
+			if t.AllUserPermission != nil {
+				setDefinition.Permissions = &PermissionDefinition{
+					AllUsers: t.AllUserPermission,
+				}
+			}
+		}
+
+		return map[string]any{"settings": setDefinition}, nil
 
 	case config.AutomationType:
 		return map[string]any{

pkg/persistence/config/loader/config_loader_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/internal/featureflags"
+	strUtils "github.com/dynatrace/dynatrace-configuration-as-code/v2/internal/strings"
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/pkg/api"
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/pkg/config"
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/pkg/config/coordinate"
@@ -720,6 +721,91 @@ configs:
 				},
 			},
 		},
+		{
+			name:             "loads settings 2.0 config with all properties and allUsers permission with FF on",
+			envVars:          map[string]string{featureflags.AccessControlSettings.EnvName(): "true"},
+			filePathArgument: "test-file.yaml",
+			filePathOnDisk:   "test-file.yaml",
+			fileContentOnDisk: `
+configs:
+- id: profile-id
+  config:
+    name: 'Star Trek > Star Wars'
+    template: 'profile.json'
+    originObjectId: origin-object-id
+  type:
+    settings:
+      schema: 'builtin:profile.test'
+      schemaVersion: '1.0'
+      scope: 'tenant'
+      permissions:
+        allUsers: 'read'`,
+			wantConfigs: []config.Config{
+				{
+					Coordinate: coordinate.Coordinate{
+						Project:  "project",
+						Type:     "builtin:profile.test",
+						ConfigId: "profile-id",
+					},
+					Type: config.SettingsType{
+						SchemaId:          "builtin:profile.test",
+						SchemaVersion:     "1.0",
+						AllUserPermission: strUtils.Pointer(config.ReadPermission),
+					},
+					Template: template.NewInMemoryTemplate("profile.json", "{}"),
+					Parameters: config.Parameters{
+						"name":                &value.ValueParameter{Value: "Star Trek > Star Wars"},
+						config.ScopeParameter: &value.ValueParameter{Value: "tenant"},
+					},
+					Skip:           false,
+					Environment:    "env name",
+					Group:          "default",
+					OriginObjectId: "origin-object-id",
+				},
+			},
+		},
+		{
+			name:             "loads settings 2.0 config allUsers permission with invalid value with FF on",
+			envVars:          map[string]string{featureflags.AccessControlSettings.EnvName(): "true"},
+			filePathArgument: "test-file.yaml",
+			filePathOnDisk:   "test-file.yaml",
+			fileContentOnDisk: `
+configs:
+- id: profile-id
+  config:
+    name: 'Star Trek > Star Wars'
+    template: 'profile.json'
+    originObjectId: origin-object-id
+  type:
+    settings:
+      schema: 'builtin:profile.test'
+      schemaVersion: '1.0'
+      scope: 'tenant'
+      permissions:
+        allUsers: 'wrong-value'`,
+			wantErrorsContain: []string{"cannot parse definition in `test-file.yaml`: unknown allUsers value: 'wrong-value', allowed: [read write none]"},
+		},
+		{
+			name:             "loads settings 2.0 config with all properties and allUsers permission with FF off",
+			envVars:          map[string]string{featureflags.AccessControlSettings.EnvName(): "false"},
+			filePathArgument: "test-file.yaml",
+			filePathOnDisk:   "test-file.yaml",
+			fileContentOnDisk: `
+configs:
+- id: profile-id
+  config:
+    name: 'Star Trek > Star Wars'
+    template: 'profile.json'
+    originObjectId: origin-object-id
+  type:
+    settings:
+      schema: 'builtin:profile.test'
+      schemaVersion: '1.0'
+      scope: 'tenant'
+      permissions:
+        allUsers: 'read'`,
+			wantErrorsContain: []string{"unknown settings configuration property 'permissions'"},
+		},
 		{
 			name:              "loading a config without type content",
 			filePathArgument:  "test-file.yaml",

pkg/persistence/config/writer/config_writer_test.go

@@ -30,6 +30,7 @@ import (
 	"gopkg.in/yaml.v2"
 
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/internal/featureflags"
+	strUtils "github.com/dynatrace/dynatrace-configuration-as-code/v2/internal/strings"
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/internal/testutils"
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/pkg/config"
 	"github.com/dynatrace/dynatrace-configuration-as-code/v2/pkg/config/coordinate"
@@ -869,6 +870,105 @@ func TestWriteConfigs(t *testing.T) {
 				"project/schemaid/a.json",
 			},
 		},
+		{
+			name:    "Simple settings 2.0 write with all-user permissions FF on",
+			envVars: map[string]string{featureflags.AccessControlSettings.EnvName(): "true"},
+			configs: []config.Config{
+				{
+					Template: template.NewInMemoryTemplateWithPath("project/schemaid/a.json", ""),
+					Coordinate: coordinate.Coordinate{
+						Project:  "project",
+						Type:     "schemaid",
+						ConfigId: "configId",
+					},
+					Type: config.SettingsType{
+						SchemaId:          "schemaid",
+						SchemaVersion:     "1.2.3",
+						AllUserPermission: strUtils.Pointer(config.ReadPermission),
+					},
+					Parameters: map[string]parameter.Parameter{
+						config.ScopeParameter: &value.ValueParameter{Value: "scope"},
+						config.NameParameter:  &value.ValueParameter{Value: "name"},
+					},
+					Skip: true,
+				},
+			},
+			expectedConfigs: map[string]persistence.TopLevelDefinition{
+				"schemaid": {
+					Configs: []persistence.TopLevelConfigDefinition{
+						{
+							Id: "configId",
+							Config: persistence.ConfigDefinition{
+								Name:       "name",
+								Parameters: nil,
+								Template:   "a.json",
+								Skip:       true,
+							},
+							Type: persistence.TypeDefinition{
+								Type: config.SettingsType{
+									SchemaId:          "schemaid",
+									SchemaVersion:     "1.2.3",
+									AllUserPermission: strUtils.Pointer(config.ReadPermission),
+								},
+								Scope: "scope",
+							},
+						},
+					},
+				},
+			},
+			expectedTemplatePaths: []string{
+				"project/schemaid/a.json",
+			},
+		},
+		{
+			name: "Simple settings 2.0 write with all-user permissions with FF off",
+			configs: []config.Config{
+				{
+					Template: template.NewInMemoryTemplateWithPath("project/schemaid/a.json", ""),
+					Coordinate: coordinate.Coordinate{
+						Project:  "project",
+						Type:     "schemaid",
+						ConfigId: "configId",
+					},
+					Type: config.SettingsType{
+						SchemaId:          "schemaid",
+						SchemaVersion:     "1.2.3",
+						AllUserPermission: strUtils.Pointer(config.ReadPermission),
+					},
+					Parameters: map[string]parameter.Parameter{
+						config.ScopeParameter: &value.ValueParameter{Value: "scope"},
+						config.NameParameter:  &value.ValueParameter{Value: "name"},
+					},
+					Skip: true,
+				},
+			},
+			envVars: map[string]string{featureflags.AccessControlSettings.EnvName(): "false"},
+			expectedConfigs: map[string]persistence.TopLevelDefinition{
+				"schemaid": {
+					Configs: []persistence.TopLevelConfigDefinition{
+						{
+							Id: "configId",
+							Config: persistence.ConfigDefinition{
+								Name:       "name",
+								Parameters: nil,
+								Template:   "a.json",
+								Skip:       true,
+							},
+							Type: persistence.TypeDefinition{
+								Type: config.SettingsType{
+									SchemaId:      "schemaid",
+									SchemaVersion: "1.2.3",
+								},
+								Scope: "scope",
+							},
+						},
+					},
+				},
+			},
+			expectedTemplatePaths: []string{
+				"project/schemaid/a.json",
+			},
+		},
 		{
 			name: "Automation resources",
 			configs: []config.Config{