Refactor GitLab access levels to log human-readable names (#567)

* Refactor GitLab access levels to log human-readable names instead of numbers
---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

pkg/gitlab/enum/enum.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/CompassSecurity/pipeleek/pkg/gitlab/util"
 	"github.com/rs/zerolog/log"
+	gitlab "gitlab.com/gitlab-org/api/client-go"
 
 	"resty.dev/v3"
 )
@@ -157,12 +158,12 @@ func listTokenAssociations(client resty.Client, baseUrl string, pat string, acce
 	}
 
 	for _, group := range resp.Groups {
-		log.Warn().Str("group", group.WebURL).Int("accessLevel", group.AccessLevels).Str("name", group.Name).Str("visibility", string(group.Visibility)).Msg("Group")
+		log.Warn().Str("group", group.WebURL).Str("accessLevel", util.AccessLevelName(gitlab.AccessLevelValue(group.AccessLevels))).Str("name", group.Name).Str("visibility", string(group.Visibility)).Msg("Group")
 		log.Debug().Interface("full_group", group).Msg("Full Group details")
 	}
 
 	for _, project := range resp.Projects {
-		log.Warn().Str("project", project.WebURL).Str("name", project.NameWithNamespace).Int("groupAccessLevel", project.AccessLevels.GroupAccessLevel).Int("projectAccessLevel", project.AccessLevels.ProjectAccessLevel).Msg("Project")
+		log.Warn().Str("project", project.WebURL).Str("name", project.NameWithNamespace).Str("groupAccessLevel", util.AccessLevelName(gitlab.AccessLevelValue(project.AccessLevels.GroupAccessLevel))).Str("projectAccessLevel", util.AccessLevelName(gitlab.AccessLevelValue(project.AccessLevels.ProjectAccessLevel))).Msg("Project")
 		log.Debug().Interface("full_project", project).Msg("Full Project details")
 	}
 

pkg/gitlab/renovate/privesc/privesc.go

@@ -37,7 +37,7 @@ func RunExploit(gitlabUrl, gitlabApiToken, repoName, renovateBranchesRegex, moni
 
 	projectAccessLevel := getUserAccessLevel(project)
 	if projectAccessLevel < gogitlab.DeveloperPermissions {
-		log.Fatal().Any("projectAccessLevel", projectAccessLevel).Msg("You (probably) need at least Developer permissions to exploit this vulnerability, you must be able to push to the Renovate Bot created branches branches")
+		log.Fatal().Str("projectAccessLevel", util.AccessLevelName(projectAccessLevel)).Msg("You (probably) need at least Developer permissions to exploit this vulnerability, you must be able to push to the Renovate Bot created branches")
 	}
 
 	ciCdYml, err := util.FetchCICDYml(git, project.ID)
@@ -91,20 +91,20 @@ func checkDefaultBranchProtections(git *gogitlab.Client, project *gogitlab.Proje
 	}
 
 	for _, accessLevel := range protectedbranch.PushAccessLevels {
-		log.Debug().Str("branch", project.DefaultBranch).Any("userAccessLevel", currentAccessLevel).Any("requiredAccessLevel", accessLevel.AccessLevel).Msg("Testing push access level for default branch")
+		log.Debug().Str("branch", project.DefaultBranch).Str("userAccessLevel", util.AccessLevelName(currentAccessLevel)).Str("requiredAccessLevel", util.AccessLevelName(accessLevel.AccessLevel)).Msg("Testing push access level for default branch")
 		if currentAccessLevel >= accessLevel.AccessLevel {
-			log.Fatal().Str("branch", project.DefaultBranch).Any("userAccessLevel", currentAccessLevel).Any("requiredAccessLevel", accessLevel.AccessLevel).Msg("You can already push to the default branch, no need to exploit")
+			log.Fatal().Str("branch", project.DefaultBranch).Str("userAccessLevel", util.AccessLevelName(currentAccessLevel)).Str("requiredAccessLevel", util.AccessLevelName(accessLevel.AccessLevel)).Msg("You can already push to the default branch, no need to exploit")
 		}
 	}
 
 	for _, accessLevel := range protectedbranch.MergeAccessLevels {
-		log.Debug().Str("branch", project.DefaultBranch).Any("userAccessLevel", currentAccessLevel).Any("requiredAccessLevel", accessLevel.AccessLevel).Msg("Testing merge access level for default branch")
+		log.Debug().Str("branch", project.DefaultBranch).Str("userAccessLevel", util.AccessLevelName(currentAccessLevel)).Str("requiredAccessLevel", util.AccessLevelName(accessLevel.AccessLevel)).Msg("Testing merge access level for default branch")
 		if currentAccessLevel >= accessLevel.AccessLevel {
-			log.Fatal().Str("branch", project.DefaultBranch).Any("userAccessLevel", currentAccessLevel).Any("requiredAccessLevel", accessLevel.AccessLevel).Msg("You can already merge to the default branch, no need to exploit")
+			log.Fatal().Str("branch", project.DefaultBranch).Str("userAccessLevel", util.AccessLevelName(currentAccessLevel)).Str("requiredAccessLevel", util.AccessLevelName(accessLevel.AccessLevel)).Msg("You can already merge to the default branch, no need to exploit")
 		}
 	}
 
-	log.Info().Str("branch", project.DefaultBranch).Any("currentAccessLevel", currentAccessLevel).Msg("Default branch is protected and you do not have direct access, proceeding with exploit")
+	log.Info().Str("branch", project.DefaultBranch).Str("currentAccessLevel", util.AccessLevelName(currentAccessLevel)).Msg("Default branch is protected and you do not have direct access, proceeding with exploit")
 }
 
 func monitorBranches(git *gogitlab.Client, project *gogitlab.Project, branchMonitor *pkgrenovate.BranchMonitor, monitoringInterval time.Duration) *gogitlab.Branch {

pkg/gitlab/util/util.go

@@ -2,6 +2,7 @@ package util
 
 import (
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -17,6 +18,32 @@ import (
 	gitlab "gitlab.com/gitlab-org/api/client-go"
 )
 
+// AccessLevelName returns the human-readable name for a GitLab access level value.
+func AccessLevelName(level gitlab.AccessLevelValue) string {
+	switch level {
+	case gitlab.NoPermissions:
+		return "No access"
+	case gitlab.MinimalAccessPermissions:
+		return "Minimal access"
+	case gitlab.GuestPermissions:
+		return "Guest"
+	case gitlab.PlannerPermissions:
+		return "Planner"
+	case gitlab.ReporterPermissions:
+		return "Reporter"
+	case gitlab.DeveloperPermissions:
+		return "Developer"
+	case gitlab.MaintainerPermissions:
+		return "Maintainer"
+	case gitlab.OwnerPermissions:
+		return "Owner"
+	case gitlab.AdminPermissions:
+		return "Admin"
+	default:
+		return fmt.Sprintf("Unknown (%d)", int(level))
+	}
+}
+
 // ProjectIteratorFunc is a callback function type for processing each project
 type ProjectIteratorFunc func(project *gitlab.Project) error
 

pkg/gitlab/util/util_test.go

@@ -12,7 +12,41 @@ import (
 	gitlab "gitlab.com/gitlab-org/api/client-go"
 )
 
-// TestDetermineVersion_ParsesVersion ensures the help page parsing extracts instance_version.
+// TestAccessLevelName_KnownLevels ensures all known access levels return correct names.
+func TestAccessLevelName_KnownLevels(t *testing.T) {
+	tests := []struct {
+		level    gitlab.AccessLevelValue
+		expected string
+	}{
+		{gitlab.NoPermissions, "No access"},
+		{gitlab.MinimalAccessPermissions, "Minimal access"},
+		{gitlab.GuestPermissions, "Guest"},
+		{gitlab.PlannerPermissions, "Planner"},
+		{gitlab.ReporterPermissions, "Reporter"},
+		{gitlab.DeveloperPermissions, "Developer"},
+		{gitlab.MaintainerPermissions, "Maintainer"},
+		{gitlab.OwnerPermissions, "Owner"},
+		{gitlab.AdminPermissions, "Admin"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expected, func(t *testing.T) {
+			result := AccessLevelName(tt.level)
+			if result != tt.expected {
+				t.Fatalf("AccessLevelName(%d) = %q, want %q", int(tt.level), result, tt.expected)
+			}
+		})
+	}
+}
+
+// TestAccessLevelName_UnknownLevel ensures unknown access levels return a descriptive fallback.
+func TestAccessLevelName_UnknownLevel(t *testing.T) {
+	result := AccessLevelName(gitlab.AccessLevelValue(99))
+	expected := "Unknown (99)"
+	if result != expected {
+		t.Fatalf("AccessLevelName(99) = %q, want %q", result, expected)
+	}
+}
 func TestDetermineVersion_ParsesVersion(t *testing.T) {
 	// Simulate GitLab /help endpoint content containing instance_version JSON fragment
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {