Rebuild MR report approval rules on access changes
What does this MR do and why?
Currently, when a policy references a user who doesn't have project access and that user is later added to the project's group, the merge request approvers list is not updated. Hence, the added user cannot approve the merge requests for which they are listed as an approver.
Initially, this MR would add back the changes introduced by MR !113681 (merged), delaying the `ProcessScanResultPolicyWorker` call. However, after the suggestion on this thread, we opted to use `Gitlab::EventStore` to publish a domain event and have our `Security::` domain react to that event and re-create the approval rules from all the policies to update the MR approvers.
The same fix is required when a user is added to or removed from a project, but that is outside the scope of this MR. The changes in this MR only update the MR approvals list when a user is added to or removed from a group.
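To make the event-driven flow concrete, here is an added, self-contained Ruby model of the design described above. It is not GitLab's code: `Gitlab::EventStore`, the `Security::` worker and the real membership and policy models are replaced by small in-memory stand-ins (`EventStore`, `RebuildApprovalRulesSubscriber`, `World`, `GroupMembershipService`), and the group, project and user ids are constructed. It walks through the same sequence as the validation steps: a policy lists a user without group access, the user is added (approval rule becomes approvable), then removed (rule is no longer approvable).

```ruby
# Added example, not GitLab's code: an in-memory model of "publish a domain
# event on group membership change, rebuild approval rules in a subscriber".
require 'set'

# Stand-in for a Gitlab::EventStore::Event subclass. Carries only what the
# subscriber needs to find the affected projects.
class MemberAccessChangedEvent
  attr_reader :group_id, :user_id, :action

  def initialize(group_id:, user_id:, action:)
    raise ArgumentError, 'action must be :added or :removed' unless %i[added removed].include?(action)

    @group_id = group_id
    @user_id = user_id
    @action = action
  end
end

# Minimal publish/subscribe store standing in for Gitlab::EventStore.
class EventStore
  def initialize
    @subscribers = Hash.new { |h, k| h[k] = [] }
  end

  def subscribe(event_class, handler)
    @subscribers[event_class] << handler
  end

  def publish(event)
    @subscribers[event.class].each { |handler| handler.handle_event(event) }
  end
end

Project = Struct.new(:id, :group_id)
Policy = Struct.new(:name, :user_approver_ids, :approvals_required)
ApprovalRule = Struct.new(:project_id, :policy_name, :eligible_user_ids, :approvals_required) do
  # A rule with no eligible approver can never be satisfied.
  def approvable?
    !eligible_user_ids.empty?
  end
end

# Constructed state: group memberships, projects, policies and derived rules.
class World
  attr_reader :members, :projects, :policies, :approval_rules

  def initialize
    @members = Hash.new { |h, k| h[k] = Set.new } # group_id => Set of user_ids
    @projects = []
    @policies = Hash.new { |h, k| h[k] = [] }     # project_id => [Policy]
    @approval_rules = {}                          # [project_id, policy_name] => ApprovalRule
  end

  def user_has_access?(user_id, project)
    members[project.group_id].include?(user_id)
  end

  # Re-create the rules from every policy; only users with access are eligible.
  def rebuild_rules_for(project)
    policies[project.id].each do |policy|
      eligible = policy.user_approver_ids.select { |uid| user_has_access?(uid, project) }
      approval_rules[[project.id, policy.name]] =
        ApprovalRule.new(project.id, policy.name, eligible, policy.approvals_required)
    end
  end
end

# Stand-in for the Security:: subscriber: rebuilds rules for every project in
# the group, regardless of whether the member was added or removed.
class RebuildApprovalRulesSubscriber
  def initialize(world)
    @world = world
  end

  def handle_event(event)
    @world.projects.select { |p| p.group_id == event.group_id }.each { |p| @world.rebuild_rules_for(p) }
  end
end

# Membership service: mutate state first, then publish the event.
class GroupMembershipService
  def initialize(world, store)
    @world = world
    @store = store
  end

  def add(group_id, user_id)
    @world.members[group_id] << user_id
    @store.publish(MemberAccessChangedEvent.new(group_id: group_id, user_id: user_id, action: :added))
  end

  def remove(group_id, user_id)
    @world.members[group_id].delete(user_id)
    @store.publish(MemberAccessChangedEvent.new(group_id: group_id, user_id: user_id, action: :removed))
  end
end

# Replays the validation steps with constructed ids; returns [eligible_ids, approvable?]
# after rule creation, after adding user 49 to the group, and after removing them.
def run_scenario
  world = World.new
  store = EventStore.new
  store.subscribe(MemberAccessChangedEvent, RebuildApprovalRulesSubscriber.new(world))
  project = Project.new(10, 1) # constructed project 10 in group 1
  world.projects << project
  world.policies[project.id] << Policy.new('Test eligible approvers', [49, 1], 1)
  world.rebuild_rules_for(project) # neither listed user is a group member yet
  service = GroupMembershipService.new(world, store)
  rule = -> { world.approval_rules[[project.id, 'Test eligible approvers']] }
  states = [[rule.call.eligible_user_ids.dup, rule.call.approvable?]]
  service.add(1, 49)
  states << [rule.call.eligible_user_ids.dup, rule.call.approvable?]
  service.remove(1, 49)
  states << [rule.call.eligible_user_ids.dup, rule.call.approvable?]
  states
end
```

The subscriber deliberately rebuilds from the policies rather than patching the existing rule, which is the property the MR relies on: whatever the membership change, the resulting approver list is exactly the policy's approvers intersected with current access.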
Related to #359278 (closed)
Screenshots or screen recordings
Before: Approvals rules are not updated when a user is added to a group.
After: Approvals rules are updated when a user is added to a group.
How to set up and validate locally
Group Updates
- Create a new public group
- Create a new public subgroup
- Create a new public project in the subgroup
- Go to `/-/security/policies`.
- Click on New Policy.
- Select Scan result policy.
- Change to YAML mode and copy the content below; one of the user IDs should belong to a user who does not have access to the group or the project.

```yaml
type: scan_result_policy
name: Test eligible approvers
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners:
      - container_scanning
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
      - high
      - medium
      - low
      - unknown
      - info
    vulnerability_states: []
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 49
      - 1
```
- Create a new MR and verify that the list of eligible approvers is empty and that the approval rule cannot be approved.
- Add the user used as `user_approvers` in the policy as a developer to the group.
- Wait for the execution of `ProcessScanResultPolicyWorker`.
- Verify that the list of eligible approvers is not empty and that it has the expected approver.
- Remove the user from the group.
- Wait for the execution of `ProcessScanResultPolicyWorker`.
- Verify that the list of eligible approvers is empty and that the approval rule cannot be approved.
Project Updates
After following the steps for the Group updates:
- Add the user used as `user_approvers` in the policy as a developer to the project.
- Wait for the execution of `ProcessScanResultPolicyWorker`.
- Verify that the list of eligible approvers is not empty and that it has the expected approver.
- Remove the user from the project.
- Wait for the execution of `ProcessScanResultPolicyWorker`.
- Verify that the list of eligible approvers is empty and that the approval rule cannot be approved.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.