FR: Merge Request Approval Policies | Require reauthentication
Release notes
Problem to solve
Our problem is that require_password_to_approve: true is impossible for us to use, given that we don't log into gitlab with passwords in our company.
Proposal
I would like to make an FR please - this one is for a new approval_setting for merge request approval policies.
We have two merge request approval policies in every group:
- Protected branch approval (every MR targeting a protected branch requires 1 approval from someone who is at least developer)
- Critical vulnerability approval (every MR that introduces a critical vulnerability requires an approval from someone on a set list of critical approvers)
This works well, but we want to add a requirement for reauthentication to the critical vulnerability approval specifically.
Now, this is already sort of possible using require_password_to_approve from approval settings. BUT, the problem is we do not use passwords to log in to GitLab since we are a self-managed instance and everyone is SSO'd in. So we literally do not have passwords (or at least not passwords every dev knows) to authenticate these approvals.
This is the relevant policy.yml:

```yaml
approval_policy:
  - name: Critical vulnerability approval
    description: Critical vulnerability detected requiring an approval to merge.
    enabled: true
    rules:
      - type: scan_finding
        branches: []
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
        vulnerability_states:
          - new_needs_triage
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 484
          - 2556
          - 31
          - 3864
      - type: "send_bot_message"
        enabled: false
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: true
    fallback_behavior:
      fail: open
  - name: Protected branch approval
    description: Merge requests into protected branches require an approval.
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: "send_bot_message"
        enabled: false
```
To be clear, the logic of these policies works well and we have no issues with it. Our problem is that require_password_to_approve: true is impossible for us to use, given that we don't log into GitLab with passwords in our company.
Ideally then, we'd either like a new approval_setting added - something like require_reauthentication_to_approve - or require_password_to_approve to support SAML.
I know GitLab already has the functionality for this working in other areas - for example in Merge request approval settings, where requiring reauthentication can be either password or SAML. If this same logic were applied to the Merge request approval policy approval_settings that would be perfect and very much appreciated.
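An added example, not part of the feature request above or of GitLab's own code: a small audit script that walks the policy structure shown in the request and flags the exact mismatch the request describes, a policy that sets `require_password_to_approve` on an instance whose approvers have no password to type. The policy data is a Python rendering of the policy.yml above (only the fields the checks need), so it runs without a YAML library; `audit_policies` and the `password_login_enabled` flag are assumptions of this example, not GitLab settings. It also surfaces `fallback_behavior: fail: open` as a setting worth a second look, since with fail open an approval requirement is not enforced when the policy's rules cannot be evaluated.

```python
"""Audit merge request approval policies for settings an SSO-only instance
cannot satisfy. Example code, not GitLab's; the policy dict below is a
constructed copy of the two policies from the feature request."""
from typing import Any

# Constructed from the request's policy.yml (fields irrelevant to the checks
# are omitted so the example stays short).
POLICY_YML: dict[str, Any] = {
    "approval_policy": [
        {
            "name": "Critical vulnerability approval",
            "enabled": True,
            "rules": [{
                "type": "scan_finding",
                "vulnerabilities_allowed": 0,
                "severity_levels": ["critical"],
                "vulnerability_states": ["new_needs_triage"],
            }],
            "actions": [{
                "type": "require_approval",
                "approvals_required": 1,
                "user_approvers_ids": [484, 2556, 31, 3864],
            }],
            "approval_settings": {
                "remove_approvals_with_new_commit": False,
                "require_password_to_approve": True,
            },
            "fallback_behavior": {"fail": "open"},
        },
        {
            "name": "Protected branch approval",
            "enabled": True,
            "rules": [{"type": "any_merge_request", "branch_type": "protected"}],
            "actions": [{
                "type": "require_approval",
                "approvals_required": 1,
                "role_approvers": ["developer", "maintainer", "owner"],
            }],
        },
    ]
}


def audit_policies(policy_yml: dict[str, Any], password_login_enabled: bool) -> list[str]:
    """Return one finding string per problematic setting in each enabled policy.

    password_login_enabled is an assumed instance-level fact: False models the
    request's situation (everyone signs in via SAML SSO, no local passwords).
    """
    findings: list[str] = []
    for policy in policy_yml.get("approval_policy", []):
        if not policy.get("enabled", True):
            continue  # disabled policies enforce nothing, so skip them
        name = policy.get("name", "<unnamed>")
        settings = policy.get("approval_settings") or {}

        # The mismatch from the request: a password re-entry requirement on an
        # instance where approvers have no password to enter.
        if settings.get("require_password_to_approve") and not password_login_enabled:
            findings.append(
                f"{name}: require_password_to_approve is true but approvers "
                f"cannot log in with a password (SSO-only instance)"
            )

        # With fail open the approval requirement does not block the merge when
        # the policy's rules cannot be evaluated (e.g. no scan results present).
        fallback = policy.get("fallback_behavior") or {}
        if fallback.get("fail") == "open":
            findings.append(f"{name}: fallback_behavior is fail: open")
    return findings


if __name__ == "__main__":
    for finding in audit_policies(POLICY_YML, password_login_enabled=False):
        print(finding)
```

Run against the request's own policies with `password_login_enabled=False`, the script reports two findings, both on "Critical vulnerability approval": the unusable password requirement and the fail-open fallback. The protected-branch policy produces nothing, which matches the request's statement that its logic is fine; re-running with `password_login_enabled=True` drops the password finding.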