Improve scan execution policy permission checks when creating pipelines
Why are we doing this work
Currently, scan execution policies use `Ci::CreatePipelineService` in order to create new pipelines.
The service performs these checks, which need to pass for a pipeline to be created:
- The project is not currently being deleted
- The project has CI/CD enabled in the settings
- The current user is allowed to create pipelines on the project (developer or higher)
- The current user is allowed to write to the branch that the pipeline is running for (protected branch settings are taken into account for this)
The last person to make a commit on the security policy is used as the current user (1, 2).
There are a few problems with how these checks are currently performed:
- Maintainers can disable CI/CD in the project settings in order to prevent scan execution policies from being run.
- The person who last edited the security policy may not have sufficient permissions in all the places where scans should run (e.g. a pipeline on a protected branch of a project which they don't maintain). Security personnel shouldn't need excessive permissions added to their account in order for the scan execution policies to work.
- When that user leaves the organization, the policies stop working until someone else makes an edit to the security policies.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- backend: Add a new user type (`security_policy_bot`) to `HasUserType` and add a `security_policy_bot` method in `app/models/user.rb`:

  ```ruby
  # app/models/user.rb (class-level method, alongside the other internal bot user finders)
  def security_policy_bot
    email_pattern = "security_policy%s@#{Settings.gitlab.host}"

    # Find or create the single internal user with this user_type.
    unique_internal(where(user_type: :security_policy_bot), 'security-policy-bot', email_pattern) do |u|
      u.bio = 'The GitLab Security Policy Bot'
      u.name = 'GitLab Security Policy Bot'
      u.avatar = bot_avatar(image: 'security-policy-bot.png')
    end
  end
  ```
- backend: Use this user instead of `schedule.owner` in `Security::OrchestrationPolicyRuleScheduleNamespaceWorker` and `Security::OrchestrationPolicyRuleScheduleWorker`.
- backend: Update the `allowed_to_create_pipeline?` method in `Gitlab::Ci::Pipeline::Chain::Validate::Abilities` to check whether the user is the `security_policy_bot`:

  ```ruby
  # lib/gitlab/ci/pipeline/chain/validate/abilities.rb
  # The policy bot may create pipelines without holding the developer role on the project.
  def allowed_to_create_pipeline?
    current_user.security_policy_bot? || can?(current_user, :create_pipeline, project)
  end
  ```
- backend: Add a method (`ignores_ci_settings?`) to `Ci::Pipeline`, update `Gitlab::Ci::Pipeline::Chain::Validate::Abilities` to replace the direct `project.builds_enabled?` check with a `builds_enabled?` method, and override that method in `ee/lib/ee/gitlab/ci/pipeline/chain/validate/abilities.rb` to call `ignores_ci_settings?` on the pipeline:

  ```ruby
  # app/models/ci/pipeline.rb
  # Pipelines created by the policy engine run regardless of the project's CI/CD setting.
  def ignores_ci_settings?
    source == :security_orchestration_policy
  end

  # ee/lib/ee/gitlab/ci/pipeline/chain/validate/abilities.rb
  # EE override of the CE builds_enabled? check.
  def builds_enabled?
    project.builds_enabled? || @pipeline.ignores_ci_settings?
  end
  ```
- documentation: Update the documentation to reflect the `security_policy_bot` user type.
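The following is an added, stand-alone model of the checks listed under "Why are we doing this work" together with the bot exception proposed in the implementation plan; it is example code written for this issue, not GitLab's own `Ci::CreatePipelineService` or validation chain. All names in it (`PolicyUser`, `PolicyProject`, `PolicyPipeline`, `PipelineAbilityCheck`, `check_pipeline`) and the sample users and project are hypothetical and constructed. It goes one step beyond the plan: the bot exception is only honoured for pipelines whose source is `:security_orchestration_policy`, so that a pipeline created by the bot through any other source is still subject to the normal role checks.

```ruby
# Added example, not GitLab's code: a model of the pipeline creation checks with
# the security_policy_bot exception. All class/method names are hypothetical.

PolicyUser = Struct.new(:name, :user_type, :role, keyword_init: true) do
  # Mirrors the user_type check the plan adds to the User model.
  def security_policy_bot?
    user_type == :security_policy_bot
  end
end

# protected_branches maps a branch name to the minimum role allowed to push to it.
PolicyProject = Struct.new(:name, :pending_delete, :builds_enabled,
                           :protected_branches, keyword_init: true)

PolicyPipeline = Struct.new(:project, :user, :ref, :source, keyword_init: true)

class PipelineAbilityCheck
  ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

  # policy_bot_exception: false reproduces the current behaviour, true the
  # behaviour proposed in the implementation plan.
  def initialize(pipeline, policy_bot_exception: true)
    @pipeline = pipeline
    @project = pipeline.project
    @user = pipeline.user
    @policy_bot_exception = policy_bot_exception
  end

  # Returns nil when the pipeline may be created, otherwise the reason it is refused.
  def error
    return 'project is being deleted' if @project.pending_delete
    return 'pipelines are disabled in project settings' unless builds_enabled?
    return 'user may not create pipelines on this project' unless allowed_to_create_pipeline?
    return 'user may not write to the branch' unless allowed_to_write_ref?

    nil
  end

  private

  # Same condition as ignores_ci_settings? in the plan.
  def policy_pipeline?
    @pipeline.source == :security_orchestration_policy
  end

  # Assumption beyond the plan: the bot is only privileged for pipelines the
  # policy engine itself created, so no other pipeline source reaches the exception.
  def bot_exception?
    @policy_bot_exception && @user.security_policy_bot? && policy_pipeline?
  end

  def builds_enabled?
    @project.builds_enabled || (@policy_bot_exception && policy_pipeline?)
  end

  def allowed_to_create_pipeline?
    bot_exception? || rank(@user) >= ROLE_RANK[:developer]
  end

  def allowed_to_write_ref?
    return true if bot_exception?

    required = @project.protected_branches.fetch(@pipeline.ref, :developer)
    rank(@user) >= ROLE_RANK.fetch(required)
  end

  def rank(user)
    ROLE_RANK.fetch(user.role, 0)
  end
end

# Convenience wrapper: builds the pipeline and returns the check result.
def check_pipeline(user:, project:, source:, ref: 'main', policy_bot_exception: true)
  pipeline = PolicyPipeline.new(project: project, user: user, ref: ref, source: source)
  PipelineAbilityCheck.new(pipeline, policy_bot_exception: policy_bot_exception).error
end

# Constructed sample data: a security engineer who is only a developer on the
# project, the proposed bot user, and a project whose maintainer disabled CI/CD
# and restricted pushes to main to maintainers.
SECURITY_ENGINEER = PolicyUser.new(name: 'sec-eng', user_type: :human, role: :developer)
POLICY_BOT = PolicyUser.new(name: 'security-policy-bot', user_type: :security_policy_bot, role: nil)
LOCKED_DOWN_PROJECT = PolicyProject.new(name: 'payments', pending_delete: false,
                                        builds_enabled: false,
                                        protected_branches: { 'main' => :maintainer })

if __FILE__ == $PROGRAM_NAME
  # Today: the last policy editor is blocked by the disabled CI/CD setting.
  puts check_pipeline(user: SECURITY_ENGINEER, project: LOCKED_DOWN_PROJECT,
                      source: :security_orchestration_policy, policy_bot_exception: false)
  # With the plan: the bot's policy pipeline is allowed (nil means no error).
  puts check_pipeline(user: POLICY_BOT, project: LOCKED_DOWN_PROJECT,
                      source: :security_orchestration_policy).inspect
end
```

Running the file shows the first two problems from the list above (a disabled CI/CD setting and a protected branch both stop the last editor's pipeline) and that the bot's policy-sourced pipeline passes every check, while the same bot attempting a `:web` or `:push` pipeline is refused exactly as an ordinary user without a role would be.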
Verification steps
Edited by Sashi Kumar Kumaresan