
Extend GraphQL approval rules with indication of invalid rules

What does this MR do and why?

This MR extends the ApprovalRuleType GraphQL type, adding two fields:

  • invalid
  • allow_merge_when_invalid

It changes the behavior of security policy approvals only: when such a rule becomes invalid, the approval now fails closed instead of failing open.

Screenshots or screen recordings

The MR affects the following: [screenshot: CleanShot_2023-04-11_at_16.23.31_2x]

How to set up and validate locally

  1. Create a new security policy with secret detection and require approval from one user
  2. Configure the policy with a merge request and merge it
  3. Open an MR which adds a leaked secret, thus violating the policy
  4. Block the user used in the security policy
  5. Use GraphiQL to query the new fields. With the feature flag still disabled, invalid should be true, approved should be true and allowMergeWhenInvalid should be true for the secret detection rule.
    {
      project(fullPath: "<project-path>") {
        id
        mergeRequest(iid: "<MR-iid>") {
          id
          approvalState {
            invalidApproversRules {
              id
            }
            rules {
              id
              type
              approved
              approvalsRequired
              name
              section
              invalid
              allowMergeWhenInvalid
            }
          }
        }
      }
    }
  6. Enable the new feature flag in a Rails console:
    Feature.enable(:invalid_scan_result_policy_prevents_merge)
  7. Re-run the query: invalid should be true, approved should be false and allowMergeWhenInvalid should be false for the secret detection rule
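As an added example (not code from this MR or from GitLab), a small Python check that a practitioner could run over the approvalState payload returned by the query above, to confirm that an invalid security-policy rule is reported fail-closed rather than fail-open. The two sample payloads, the rule ids, names and type values are constructed to mirror steps 5 and 7.

```python
import copy

# Constructed sample of the approvalState payload returned by the query above,
# for the fail-open state (feature flag off): the secret detection rule has a
# blocked approver, so it is invalid, yet it is still reported as approved and
# merge is allowed. Ids, names and type values are made-up sample data.
FAIL_OPEN = {
    "invalidApproversRules": [{"id": "gid://gitlab/ApprovalMergeRequestRule/2"}],
    "rules": [
        {"id": "gid://gitlab/ApprovalMergeRequestRule/1", "type": "REGULAR",
         "approved": True, "approvalsRequired": 1, "name": "Reviewers",
         "section": None, "invalid": False, "allowMergeWhenInvalid": True},
        {"id": "gid://gitlab/ApprovalMergeRequestRule/2", "type": "REPORT_APPROVER",
         "approved": True, "approvalsRequired": 1, "name": "Secret detection",
         "section": None, "invalid": True, "allowMergeWhenInvalid": True},
    ],
}

# Same payload with the feature flag enabled: the invalid policy rule now fails
# closed, so approved and allowMergeWhenInvalid both flip to false.
FAIL_CLOSED = copy.deepcopy(FAIL_OPEN)
FAIL_CLOSED["rules"][1].update({"approved": False, "allowMergeWhenInvalid": False})


def audit_rules(approval_state: dict) -> list[str]:
    """Return one finding per rule whose invalid state is fail-open or inconsistent."""
    flagged = {r["id"] for r in approval_state.get("invalidApproversRules", [])}
    findings = []
    for rule in approval_state["rules"]:
        if not rule["invalid"]:
            continue
        name = rule["name"]
        if rule["id"] not in flagged:
            findings.append(f"{name}: invalid but missing from invalidApproversRules")
        if rule["allowMergeWhenInvalid"]:
            findings.append(f"{name}: invalid rule fails open (merge still allowed)")
        elif rule["approved"]:
            findings.append(f"{name}: fails closed but still reports approved")
    return findings


def approvals_satisfied(approval_state: dict) -> bool:
    """True when every rule is approved, i.e. approvals no longer block the merge."""
    return all(rule["approved"] for rule in approval_state["rules"])


if __name__ == "__main__":
    for label, state in (("flag off", FAIL_OPEN), ("flag on", FAIL_CLOSED)):
        print(label, approvals_satisfied(state), audit_rules(state))
```

To use it against a real instance, replace the constructed payloads with the `approvalState` object from the GraphiQL response.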

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #389905 (closed)

Edited by Martin Čavoj
