BE: Prevent changes in project-level protected branches with active Scan Result Policies
Why are we doing this work
This work can be done in parallel to work made in Allow users to define branch exceptions to enfo... (&9567 - closed), although the feature flag for it should not be enabled before releasing Allow users to define branch exceptions to enfo... (&9567 - closed) first.
In the scope of this issue, we would like to secure Protected Branches from modification or removal when a Scan Result Policy is enabled with the `block_unprotecting_branches` setting enabled for the matching branch.
Changes needed for this include:
- modifications of the services (used both by the APIs (`ProtectedBranches::ApiService`) and by the regular endpoints (`ProtectedBranches::UpdateService` / `ProtectedBranches::DestroyService`)) so that they respond with a proper error, including information about the policy, when a policy is enforced for the protected branch,
- data sent to the frontend so that the UI for modifying a Protected Branch can be disabled.
Relevant links
Non-functional requirements
- Documentation: changes should be documented in the Protected Branches and Scan Result Policies sections of the documentation
- Feature flag: this feature should be released behind a feature flag
- Performance: -
- Testing:
  - test that you are not able to modify/delete a protected branch when `block_unprotecting_branches` is set to `true` for the policy and the Scan Result Policy is configured on the project level for protected branches
  - test that you are able to modify/delete a protected branch when `block_unprotecting_branches` is set to `false` for the policy and the Scan Result Policy is configured on the project level for protected branches
  - test that you are able to modify/delete a protected branch when `block_unprotecting_branches` is set to `true` for the policy and the Scan Result Policy is configured on the project level for selected protected branches, but you are modifying a branch that is not selected
  - etc.
Implementation plan
- MR1:
  - backend: Modify `ee/app/validators/json_schemas/security_orchestration_policy.json` to include the changes defined in &9705 (comment 1472476706)
- MR2:
  - backend: Modify `ProtectedBranches::ApiService` to block any changes when an enabled Scan Result Policy matches the selected protected branch and the `block_unprotecting_branches` setting is explicitly enabled for the policy
  - backend: Modify `ProtectedBranches::UpdateService` to block any changes when an enabled Scan Result Policy matches the selected protected branch and the `block_unprotecting_branches` setting is explicitly enabled for the policy
  - backend: Modify `ProtectedBranches::DestroyService` to block any changes when an enabled Scan Result Policy matches the selected protected branch and the `block_unprotecting_branches` setting is explicitly enabled for the policy
  - backend: Modify `ProtectedBranches::LegacyApiUpdateService` to block any changes when an enabled Scan Result Policy matches the selected protected branch and the `block_unprotecting_branches` setting is explicitly enabled for the policy
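The guard described in "Changes needed" and in MR2 above, as an added illustration (this is not GitLab's code and does not use its internal classes): a policy only locks a branch when it is enabled, has `block_unprotecting_branches` explicitly set to `true`, and lists a branch entry matching the branch name; the update and destroy paths share one guard that returns an error naming the enforcing policies, and a presenter exposes `can_modify` for the frontend. The policy shape, the `ServiceResponse` stand-in, the wildcard matching rule and the sample policies are assumptions constructed for the example.

```ruby
# Added illustration, not GitLab's code: a minimal model of the check the
# ProtectedBranches services described in this issue would run before an
# update or destroy. Policy shape, branch matching and messages are assumptions.

# A Scan Result Policy reduced to the fields this check needs (assumed shape).
ScanResultPolicy = Struct.new(
  :name, :enabled, :branches, :block_unprotecting_branches,
  keyword_init: true
)

# Result object standing in for a service response (assumption).
ServiceResponse = Struct.new(:status, :message, :payload, keyword_init: true)

# Match a policy branch entry against a branch name. Entries without "*" must
# match exactly; entries with "*" are treated as globs where "*" may span "/"
# (assumption modelled on protected-branch wildcard rules).
def branch_matches?(pattern, branch_name)
  return pattern == branch_name unless pattern.include?("*")

  File.fnmatch(pattern, branch_name)
end

# Policies that lock this branch: enabled, block_unprotecting_branches set
# explicitly to true, and at least one branch entry matching the branch name.
def blocking_policies_for(policies, branch_name)
  policies.select do |policy|
    policy.enabled &&
      policy.block_unprotecting_branches == true &&
      policy.branches.any? { |pattern| branch_matches?(pattern, branch_name) }
  end
end

# Data for the frontend: whether the settings UI may offer edit/unprotect.
def protected_branch_presenter(policies, protected_branch)
  blocking = blocking_policies_for(policies, protected_branch[:name])
  protected_branch.merge(can_modify: blocking.empty?,
                         blocking_policy_names: blocking.map(&:name))
end

# Shared guard for update and destroy: returns an error response naming the
# enforcing policies, or nil when the change may proceed.
def policy_guard(policies, protected_branch)
  blocking = blocking_policies_for(policies, protected_branch[:name])
  return nil if blocking.empty?

  ServiceResponse.new(
    status: :error,
    message: "Branch '#{protected_branch[:name]}' cannot be modified or unprotected " \
             "because Scan Result Policies enforce it: #{blocking.map(&:name).join(', ')}",
    payload: { protected_branch: protected_branch }
  )
end

def update_protected_branch(policies, protected_branch, attrs)
  policy_guard(policies, protected_branch) ||
    ServiceResponse.new(status: :success,
                        payload: { protected_branch: protected_branch.merge(attrs) })
end

def destroy_protected_branch(policies, protected_branch)
  policy_guard(policies, protected_branch) ||
    ServiceResponse.new(status: :success, payload: { protected_branch: nil })
end

# Constructed sample policies for one project (not real policy data).
SAMPLE_POLICIES = [
  ScanResultPolicy.new(name: "require-approvals-main", enabled: true,
                       branches: ["main", "release/*"], block_unprotecting_branches: true),
  ScanResultPolicy.new(name: "disabled-policy", enabled: false,
                       branches: ["*"], block_unprotecting_branches: true),
  ScanResultPolicy.new(name: "develop-no-lock", enabled: true,
                       branches: ["develop"], block_unprotecting_branches: false)
].freeze

if __FILE__ == $PROGRAM_NAME
  main_branch = { name: "main", allow_force_push: false }
  puts update_protected_branch(SAMPLE_POLICIES, main_branch, { allow_force_push: true }).message
  puts destroy_protected_branch(SAMPLE_POLICIES, { name: "feature/x" }).status
end
```

Running the block directly prints the error for `main` and `success` for `feature/x`; the three sample policies cover the three testing cases listed above (flag `true` on a matching branch, flag `false`, and a branch the policy does not select), plus a disabled policy that must not count.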
Verification steps
- Create a new project
- Create a new Scan Result Policy for this project that applies to protected branches (make sure `block_unprotecting_branches` is set to `true`)
- Check whether you can modify Protected Branches in the project's Repository Settings (you should not be able to do it)
Edited by Alan (Maciej) Paruszewski