Using group_approvers with project path results in invalid approval rules
Summary
When using the Rule mode to add Group approvers for a Scan Result policy, the Group's id is added to the group_approvers_id YAML array. However, if you edit the rule to use the group_approvers array instead, with the Group's full path, the result is an invalid MR approval rule.
The docs suggest that group_approvers can be used and accepts an array of strings with the path of one or more groups:
https://docs.gitlab.com/ee/user/application_security/policies/scan-result-policies.html#require_approval-action-type
Related to issue: #378234 (closed)
Steps to reproduce
- Create a new project based on the Maven Spring template
- Start creating a Scan Result policy for the Container scanner to find more than 0 vulnerabilities for all branches
- When adding an approver, add group_approvers with the path to the Group you want as the approver
- Create the policy
- Create an MR ensuring that the container scan job runs in a merge request context
Example Project
What is the current bug behavior?
Step 5: MR Approval rule created by the policy is invalid, approval is not required, MR can be merged despite vulnerabilities
What is the expected correct behavior?
Step 5: MR approval rule created by the policy is valid (if the Group path is valid), approval is required by direct members of the group, MR can't be merged until approved by the Group (if there are vulnerabilities)
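To make the failure mode concrete, here is an added example (not GitLab code) that models the approver lookup in plain Ruby. It assumes, as the proposed fix below implies, that a group's own path column holds only its last URL segment while the full "parent/child" path lives in its route; the group data is constructed for the example.

```ruby
# Added example, not GitLab code: models why matching a full group path
# against the group's own `path` column resolves no approvers, and how
# resolving through the route (full path) fixes it.
# Assumption (modelled here): `path` holds only the last URL segment,
# `route_path` holds the full "parent/child" path.
Group = Struct.new(:id, :path, :route_path)

# Constructed sample data: one top-level group and two subgroups whose
# last path segment collides.
GROUPS = [
  Group.new(1, 'security', 'security'),
  Group.new(2, 'appsec', 'platform/appsec'),
  Group.new(3, 'appsec', 'legacy/appsec')
].freeze

# Behaviour of the original scope: match by id OR by the bare `path`
# column. A full path such as "platform/appsec" never matches anything.
def by_ids_or_paths_old(ids, paths, groups = GROUPS)
  groups.select { |g| ids.include?(g.id) || paths.include?(g.path) }
end

# Behaviour of the proposed scope: additionally match the route's full
# path. The bare `path` branch is kept, so a short string like "appsec"
# still resolves to every group sharing that last segment.
def by_ids_or_paths_new(ids, paths, groups = GROUPS)
  groups.select do |g|
    ids.include?(g.id) || paths.include?(g.route_path) || paths.include?(g.path)
  end
end

# An approval rule with no resolvable approver groups cannot require
# approval; that is the "invalid rule, MR mergeable" symptom in the issue.
def approval_rule_valid?(approver_groups)
  !approver_groups.empty?
end

if __FILE__ == $PROGRAM_NAME
  policy_paths = ['platform/appsec']
  puts "old scope valid? #{approval_rule_valid?(by_ids_or_paths_old([], policy_paths))}"
  puts "new scope valid? #{approval_rule_valid?(by_ids_or_paths_new([], policy_paths))}"
  puts "bare 'appsec' resolves ids: #{by_ids_or_paths_new([], ['appsec']).map(&:id)}"
end
```

Running it shows the old lookup yielding an empty approver set for the full path, while the new lookup resolves it; the third line shows why the retained bare-path branch deserves a second look in review.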
Possible fixes
- backend: Update the `by_ids_or_paths` scope to join the `routes` table:
diff --git a/app/models/group.rb b/app/models/group.rb
index f33b4fe2942..9ee351011b8 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -165,7 +165,12 @@ def of_ancestors_and_self
scope :by_id, ->(groups) { where(id: groups) }
- scope :by_ids_or_paths, -> (ids, paths) { by_id(ids).or(where(path: paths)) }
+ scope :by_ids_or_paths, -> (ids, paths) do
+ joins(:route)
+ .by_id(ids)
+ .or(where('routes.path IN (?)', paths))
+ .or(where(path: paths))
+ end
scope :for_authorized_group_members, -> (user_ids) do
joins(:group_members)
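Review bot: the `.or(where('routes.path IN (?)', paths))` and `.or(where(path: paths))` operands are built on the base relation without `joins(:route)`, while the left-hand side `joins(:route).by_id(ids)` has the join; ActiveRecord requires relations passed to `or` to be structurally compatible (same `joins`), so this raises `ArgumentError` rather than returning the combined result. Give every operand the same join, e.g. `joins(:route).by_id(ids).or(joins(:route).where(routes: { path: paths })).or(joins(:route).where(path: paths))`, which also replaces the hand-written SQL string with the hash form. Separately, keeping the `where(path: paths)` branch means a supplied string is matched against both the full route path and the bare last segment, so a policy naming one group can resolve to any group sharing that segment; if the full path is the documented contract, consider dropping the bare-segment match or documenting why it is kept.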