Commit f66ca4ce authored by Etienne Baqué's avatar Etienne Baqué :red_circle:

Merge branch '430718-be-allow-for-some-modifications-to-protected-branches' into 'master'

Allow updates of protected branch with block_unprotecting_branches

See merge request !136351



Merged-by: default avatarEtienne Baqué <ebaque@gitlab.com>
Approved-by: default avatarAndy Soiron <asoiron@gitlab.com>
Approved-by: default avatarEtienne Baqué <ebaque@gitlab.com>
Reviewed-by: default avatarAndy Soiron <asoiron@gitlab.com>
Co-authored-by: default avatarMartin Čavoj <mcavoj@gitlab.com>
parents f539e39d 9aa18b94
1 merge request!136351Allow updates of protected branch with block_unprotecting_branches

        +21
        # frozen_string_literal: true
        module EE
        module ProtectedBranches
        module BlockedByPolicy
        def execute(protected_branch)
        raise ::Gitlab::Access::AccessDeniedError if blocked_by_scan_result_policy?(protected_branch)
        super
        end
        private
        def blocked_by_scan_result_policy?(protected_branch)
        project = protected_branch.project
        return false unless project&.licensed_feature_available?(:security_orchestration_policies)
        return false unless ::Feature.enabled?(:scan_result_policies_block_unprotecting_branches, project)
        service = ::Security::SecurityOrchestrationPolicies::ProtectedBranchesDeletionCheckService.new(project: project)
        protected_from_deletion = service.execute([protected_branch])
        protected_branch.in?(protected_from_deletion)
        end
        end
        end
        end
        ......@@ -5,10 +5,11 @@ module ProtectedBranches
        module DestroyService
        extend ::Gitlab::Utils::Override
        include Loggable
        prepend BlockedByPolicy
        override :execute
        def execute(protected_branch)
        raise ::Gitlab::Access::AccessDeniedError if blocked_by_scan_result_policy?(protected_branch)
        super(protected_branch).tap do |protected_branch_service|
        # DestroyService returns the value of #.destroy instead of the
        # instance, in comparison with the other services
        ......@@ -21,6 +22,20 @@ def execute(protected_branch)
        def after_execute(*)
        sync_scan_finding_approval_rules
        end
        private
        def blocked_by_scan_result_policy?(protected_branch)
        project = protected_branch.project
        return false unless project&.licensed_feature_available?(:security_orchestration_policies)
        return false unless ::Feature.enabled?(:scan_result_policies_block_unprotecting_branches, project)
        service = ::Security::SecurityOrchestrationPolicies::ProtectedBranchesDeletionCheckService.new(project: project)
        protected_from_deletion = service.execute([protected_branch])
        protected_branch.in?(protected_from_deletion)
        end
        end
        end
        end
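Review bot: The `raise ::Gitlab::Access::AccessDeniedError` guard now sits at the top of DestroyService#execute, ahead of `super(protected_branch)`, so a deletion denied by policy exits before whatever emits the audit entries the spec counts (`change(::AuditEvent, :count).by(2)`); if those entries are produced inside super or after_execute, a blocked unprotect attempt leaves no audit trail, which is worth either recording explicitly or documenting as intended. Since this change appears to narrow the policy gate to deletion while updates through UpdateService and LegacyApiUpdateService are no longer gated, the new private `blocked_by_scan_result_policy?` deserves a comment stating that scope, e.g. `# Scan result policies only block unprotecting (destroying) a branch; protected-branch updates are intentionally not gated here.` Note also that the check fails open when `project` is nil or the `scan_result_policies_block_unprotecting_branches` flag is disabled for the project, so the deny path is only as strong as the flag rollout. The body of `execute` continues outside the first hunk, and the added/removed side of the second hunk is inferred from its `@@ -21,6 +22,20` header rather than visible markers.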
        ......@@ -4,7 +4,6 @@ module EE
        module ProtectedBranches
        module LegacyApiUpdateService
        extend ::Gitlab::Utils::Override
        prepend BlockedByPolicy
        private
        ......
        ......@@ -3,8 +3,6 @@
        module EE
        module ProtectedBranches
        module UpdateService
        prepend BlockedByPolicy
        def after_execute(protected_branch:, old_merge_access_levels:, old_push_access_levels:)
        super
        ......
        ......@@ -30,19 +30,6 @@
        expect(json_response['name']).to eq(protected_branch.name)
        expect(protected_branch.reload.push_access_levels.pluck(:access_level)).to include(Gitlab::Access::NO_ACCESS)
        end
        context 'with blocking scan result policy' do
        include_context 'with scan result policy blocking protected branches' do
        let(:branch_name) { protected_branch.name }
        let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: protected_branch.project) }
        it 'blocks unprotecting branches' do
        protect
        expect(response).to have_gitlab_http_status(:forbidden)
        end
        end
        end
        end
        end
        ......
        ......@@ -36,22 +36,6 @@
        it 'adds security audit event entries' do
        expect { service.execute(protected_branch) }.to change(::AuditEvent, :count).by(2)
        end
        context 'with blocking scan result policy' do
        before do
        project.repository.add_branch(user, protected_branch.name, 'master')
        end
        include_context 'with scan result policy blocking protected branches' do
        let(:policy_configuration) do
        create(:security_orchestration_policy_configuration, project: protected_branch.project)
        end
        end
        it 'blocks unprotecting branches' do
        expect { service.execute(protected_branch) }.to raise_error(Gitlab::Access::AccessDeniedError)
        end
        end
        end
        end
        end