[Spike] Investigate how to use bot user for security policies
Timebox: 3 days
Current scenario
We reverted !105557 (merged) since the security policy bot did not have permission to access the registry. Currently, the security scan job is triggered by the user who last updated the policy. This causes a permission issue when that user does not have permission to create pipelines. There is already a similar issue for scan result policies: #383593 (closed)
Goal
The goal of this spike is to figure out a way to use a bot user with restrictive permissions to create pipelines and approval rules for scan result policies, and based on this prepare an issue with an implementation plan.
Steps to reproduce the original bug
- Set up runners.
- Create a project with a working `.gitlab-ci.yml` file as the development project.
- Create another project as the security policies project.
- If you are logged in as `root`, pick a different user and add it as owner to both projects.
- Impersonate the other user.
- On the development project go to Security and Compliance > Policies.
- Select Edit policy project.
- Select your security policies project.
- Select Save.
- Select New Policy.
- Select Scan execution policy.
- Choose a Name.
- As Conditions, select IF Schedule actions for the branch `main` daily at 00:00.
- As Actions, choose SAST.
- Select Configure with a Merge Request.
- Merge the new MR.
- To avoid waiting until the next day for the schedule to run:
  - Open a Rails console.
  - Reset the timers with `Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: Time.now - 1.day)`
  - Run the schedule worker with `Security::OrchestrationPolicyRuleScheduleWorker.new.perform`
- A new pipeline should be started on the development project and the triggerer should be the user that created the scan execution policy.
- Stop the user impersonation.
- Change the user's access for the development project to Guest.
- Run the steps to execute the schedule worker again.
- There should not be a new pipeline in the development project because the user doesn't have access anymore.
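The reproduction above, as an added stand-alone simulation (not GitLab code and not part of this issue): a scheduled scan execution policy is executed as the user who last updated the policy, so demoting that user to Guest blocks the pipeline, while a dedicated bot user with its own project membership does not depend on the author's access. The model uses GitLab's numeric access levels (Guest 10, Developer 30); the Developer threshold for pipeline creation, the `Project`/`PolicyRuleSchedule`/`PolicyRuleScheduleWorker` classes and the `security-policy-bot` name are assumptions of this example.

```ruby
# Constructed simulation of the scenario in the reproduction steps. Names
# mirror Security::OrchestrationPolicyRuleSchedule and its worker but this is
# not GitLab's implementation.
GUEST     = 10
DEVELOPER = 30

User = Struct.new(:name, :bot)

class Project
  attr_reader :name, :pipelines

  def initialize(name)
    @name = name
    @members = {}   # user name => access level
    @pipelines = []
  end

  def add_member(user, level)
    @members[user.name] = level
  end

  def access_level(user)
    @members.fetch(user.name, 0)
  end

  # Modelled rule (assumption): creating a pipeline needs at least Developer.
  def can_create_pipeline?(user)
    access_level(user) >= DEVELOPER
  end

  # Returns the pipeline record, or nil when the actor is refused.
  def create_pipeline(user)
    return nil unless can_create_pipeline?(user)
    @pipelines << { triggered_by: user.name, at: Time.now }
    @pipelines.last
  end
end

# Who last edited the policy, which project it applies to, when it next runs.
PolicyRuleSchedule = Struct.new(:owner, :project, :next_run_at, :cron)

# Runs every due schedule as the chosen actor: the bot if configured,
# otherwise the policy author (today's behaviour).
class PolicyRuleScheduleWorker
  def initialize(schedules, bot_user: nil)
    @schedules = schedules
    @bot_user = bot_user
  end

  def perform(now = Time.now)
    due = @schedules.select { |s| s.next_run_at <= now }
    due.map do |s|
      actor = @bot_user || s.owner
      result = s.project.create_pipeline(actor)
      s.next_run_at = now + 86_400 # next daily run
      result
    end
  end
end

# The issue's reproduction: run once as the author, demote the author to
# Guest, run again. With use_bot: true the bot is the actor both times.
def run_scenario(use_bot: false)
  dev_project = Project.new('development')
  author = User.new('policy-author', false)
  dev_project.add_member(author, DEVELOPER)

  bot = nil
  if use_bot
    bot = User.new('security-policy-bot', true)
    dev_project.add_member(bot, DEVELOPER)
  end

  schedule = PolicyRuleSchedule.new(author, dev_project, Time.now + 86_400, '0 0 * * *')
  worker = PolicyRuleScheduleWorker.new([schedule], bot_user: bot)

  # Equivalent of update_all(next_run_at: Time.now - 1.day) then perform.
  schedule.next_run_at = Time.now - 86_400
  first = worker.perform.first

  # Demote the policy author to Guest and run the schedule again.
  dev_project.add_member(author, GUEST)
  schedule.next_run_at = Time.now - 86_400
  second = worker.perform.first

  { first_triggered_by: first && first[:triggered_by],
    second_triggered_by: second && second[:triggered_by],
    pipelines: dev_project.pipelines.size }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario                 # author triggers once, then is refused
  p run_scenario(use_bot: true)  # bot triggers both runs
end
```

Without a bot the second run produces no pipeline, matching the last reproduction step; with a bot the result depends only on the bot's own membership, which is the property the spike is after (and why the bot's permissions, such as registry access in the reverted MR, need to be scoped deliberately).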
Edited by Andy Schoenen