Enforce `require_password_to_approve` MR approval policy property

Merge branch 'security-461248-confidential-issue' into 'master' See merge request gitlab-org/security/gitlab!4191 Changelog: security

Enforce `require_password_to_approve` MR approval policy property
42526d75 · Dominic Bauer · GitLab Release Tools Bot · 595e173a · 42526d75 · 42526d75
Commit 42526d75 authored 7 months ago by Dominic Bauer Committed by GitLab Release Tools Bot 7 months ago
--- a/ee/app/services/ee/merge_requests/approval_service.rb
+++ b/ee/app/services/ee/merge_requests/approval_service.rb
@@ -91,6 +91,7 @@ def saml_approval_in_time?
      end

      def mr_approval_setting_password_required?(merge_request)
+        return true if merge_request.require_password_to_approve?
        return false unless root_group.is_a? Group

        ComplianceManagement::MergeRequestApprovalSettings::Resolver

--- a/ee/spec/services/merge_requests/approval_service_spec.rb
+++ b/ee/spec/services/merge_requests/approval_service_spec.rb
@@ -28,6 +28,7 @@
      stub_feature_flags ff_require_saml_auth_to_approve: false

      create(:saml_provider, group: project.group, enforced_sso: enforced_sso, enabled: true)
+      merge_request.clear_memoization(:policy_approval_settings)
    end

    before_all do
@@ -171,6 +172,56 @@ def simulate_saml_approval_in_time?(in_time:)
        end
      end
    end
+
+    context 'with MR approval policy that sets `require_password_to_approve`' do
+      let_it_be(:policy) do
+        create(
+          :scan_result_policy_read,
+          :require_password_to_approve,
+          commits: :any,
+          project: merge_request.target_project)
+      end
+
+      let_it_be(:policy_violation) do
+        create(
+          :scan_result_policy_violation,
+          project: project,
+          merge_request: merge_request,
+          scan_result_policy_read: policy)
+      end
+
+      shared_examples 'enforces policy' do
+        subject(:service) { described_class.new(project: project, current_user: user, params: params) }
+
+        context 'when incorrect password is specified' do
+          let(:params) { { approval_password: 'incorrect' } }
+
+          it 'does not approve' do
+            expect { service.execute(merge_request) }.not_to change { merge_request.approvals.count }
+          end
+        end
+
+        context 'when correct password is specified' do
+          let(:params) { { approval_password: user.password } }
+
+          it 'approves' do
+            expect { service.execute(merge_request) }.to change { merge_request.approvals.count }.by(1)
+          end
+        end
+      end
+
+      context 'with `ff_require_saml_auth_to_approve` feature enabled' do
+        before do
+          stub_feature_flags(ff_require_saml_auth_to_approve: true)
+        end
+
+        it_behaves_like 'enforces policy'
+      end
+
+      context 'with `ff_require_saml_auth_to_approve` feature disabled' do
+        it_behaves_like 'enforces policy'
+      end
+    end
  end

  describe '#execute with instance saml' do