BE: Prevent changes in project-level protected branches with active Scan Result Policies

Why are we doing this work

This work can be done in parallel with the work in Allow users to define branch exceptions to enfo... (&9567 - closed), although its feature flag should not be enabled before Allow users to define branch exceptions to enfo... (&9567 - closed) has been released.

In the scope of this issue, we would like to protect Protected Branches from modification or removal when an enabled Scan Result Policy has the block_unprotecting_branches setting turned on for the matching branch.

Changes needed for this include:

  • modifications of the services (used by both the API (ProtectedBranches::ApiService) and the regular endpoints (ProtectedBranches::UpdateService/ProtectedBranches::DestroyService)) so that they respond with a proper error, explaining that a policy is enforced for the protected branch, instead of applying the change,
  • data sent to the frontend so that the UI for modifying a Protected Branch can be disabled,

Relevant links

Non-functional requirements

  • Documentation: changes should be documented in the Protected Branches and Scan Result Policies sections of the documentation,
  • Feature flag: this feature should be released behind feature flag
  • Performance:
  • Testing:
    • test that you are not able to modify/delete a protected branch when block_unprotecting_branches is set to true for the policy and the Scan Result Policy is configured on the Project level for protected branches,
    • test that you are able to modify/delete a protected branch when block_unprotecting_branches is set to false for the policy and the Scan Result Policy is configured on the Project level for protected branches,
    • test that you are able to modify/delete a protected branch when block_unprotecting_branches is set to true for the policy and the Scan Result Policy is configured on the Project level for selected protected branches only, but you are modifying a branch that is not selected,
    • etc.

Implementation plan

  • MR1:
  • MR2:
    • backend Modify ProtectedBranches::ApiService to block any changes when an enabled Scan Result Policy matches the selected protected branch and the block_unprotecting_branches setting is explicitly enabled for the policy,
    • backend Modify ProtectedBranches::UpdateService to block any changes when an enabled Scan Result Policy matches the selected protected branch and the block_unprotecting_branches setting is explicitly enabled for the policy,
    • backend Modify ProtectedBranches::DestroyService to block any changes when an enabled Scan Result Policy matches the selected protected branch and the block_unprotecting_branches setting is explicitly enabled for the policy,
    • backend Modify ProtectedBranches::LegacyApiUpdateService to block any changes when an enabled Scan Result Policy matches the selected protected branch and the block_unprotecting_branches setting is explicitly enabled for the policy,
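
The guard the four services above need, written out as an added example (not GitLab's own code): a protected-branch change is refused only when a policy is enabled, matches the branch name (wildcards as in protected-branch names), and has block_unprotecting_branches set. The policy data shape, names and the constructed sample policies are assumptions for illustration.

```ruby
# Added example, not GitLab code. The policy hash shape is an assumption;
# the only setting taken from the issue is block_unprotecting_branches.

# Constructed sample: the project's Scan Result Policies.
POLICIES = [
  { name: 'require-sast-review', enabled: true,
    branches: ['main', 'release/*'],
    approval_settings: { block_unprotecting_branches: true } },
  { name: 'nightly-dast', enabled: true,
    branches: ['develop'],
    approval_settings: { block_unprotecting_branches: false } },
  { name: 'disabled-policy', enabled: false,
    branches: ['*'],
    approval_settings: { block_unprotecting_branches: true } }
].freeze

# True only if all three conditions hold: the policy is enabled, it opts
# into blocking, and one of its branch patterns matches. File.fnmatch?
# without FNM_PATHNAME lets "*" span "/" so "release/*" covers "release/1.2".
def policy_blocks_changes?(policy, branch_name)
  return false unless policy[:enabled]
  return false unless policy.dig(:approval_settings, :block_unprotecting_branches)

  policy[:branches].any? { |pattern| File.fnmatch?(pattern, branch_name) }
end

# Names of every policy that forbids changing this protected branch.
def blocking_policies(branch_name, policies = POLICIES)
  policies.select { |p| policy_blocks_changes?(p, branch_name) }.map { |p| p[:name] }
end

# Service-style result: the caller (API or settings page) gets a status
# and a message naming the enforcing policy instead of a silent rejection.
def destroy_protected_branch(branch_name, policies = POLICIES)
  names = blocking_policies(branch_name, policies)
  if names.any?
    return { status: :error,
             message: "Cannot delete protected branch #{branch_name}: " \
                      "blocked by scan result policy #{names.join(', ')}" }
  end

  { status: :success, message: "Protected branch #{branch_name} deleted" }
end

if __FILE__ == $PROGRAM_NAME
  %w[main release/1.2 develop feature/x].each do |b|
    puts "#{b}: #{destroy_protected_branch(b)[:message]}"
  end
end
```

The same predicate serves UpdateService and the frontend flag: send the boolean result to the settings page so the edit and delete controls can be disabled for the matched branches.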

Verification steps

  1. Create a new project
  2. Create a new Scan Result Policy for this project that applies to protected branches (make sure block_unprotecting_branches is set to true)
  3. Check whether you can modify Protected Branches in the Project's Repository Settings (you should not be able to)
Edited by Alan (Maciej) Paruszewski