
Rebuild MR report approval rules on access changes

What does this MR do and why?

Currently, when a policy references a user who doesn't have project access and that user is later added to the project's group, the merge request approvers list is not updated. As a result, the added user cannot approve the merge requests for which they are listed as an approver.

Initially, this MR would add back the changes introduced by MR !113681 (merged), delaying the ProcessScanResultPolicyWorker call. However, following the suggestion on this thread, we opted to use Gitlab::EventStore to publish a domain event and have our Security:: domain react to that event and re-create the approval rules from all the policies, which updates the MR approvers.

The same fix is required when a user is added to or removed from a project, but that is outside the scope of this MR. The changes in this MR only update the MR approvals list when a user is added to or removed from a group.

Related to #359278 (closed)

Screenshots or screen recordings

Before: Approval rules are not updated when a user is added to a group.

Screenshot_2023-07-05_at_10.29.27_AM

After: Approval rules are updated when a user is added to a group.

Screenshot_2023-05-05_at_11.41.40_AM

How to set up and validate locally

Group Updates

  1. Create a new public group
  2. Create a new public subgroup
  3. Create a new public project in the subgroup
  4. Go to /-/security/policies.
  5. Click on New Policy.
  6. Select Scan result policy.
  7. Switch to YAML mode and paste the content below. One of the user IDs should belong to a user who does not have access to the group or the project.
type: scan_result_policy
name: Test eligible approvers
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners:
      - container_scanning
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
      - high
      - medium
      - low
      - unknown
      - info
    vulnerability_states: []
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 49
      - 1
  8. Create a new MR and verify that the list of eligible approvers is empty and that the approval rule cannot be approved.
  9. Add the user listed in user_approvers_ids in the policy to the group as a developer.
  10. Wait for ProcessScanResultPolicyWorker to run.
  11. Verify that the list of eligible approvers is not empty and that it contains the expected approver.
  12. Remove the user from the group.
  13. Wait for ProcessScanResultPolicyWorker to run.
  14. Verify that the list of eligible approvers is empty and that the approval rule cannot be approved.

Project Updates

After following the steps for the Group updates:

  1. Add the user listed in user_approvers_ids in the policy to the project as a developer.
  2. Wait for ProcessScanResultPolicyWorker to run.
  3. Verify that the list of eligible approvers is not empty and that it contains the expected approver.
  4. Remove the user from the project.
  5. Wait for ProcessScanResultPolicyWorker to run.
  6. Verify that the list of eligible approvers is empty and that the approval rule cannot be approved.
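The event-driven fix described in the MR summary, and the group validation steps above, as an added illustrative model that is not the MR's own code: the membership change publishes a domain event, and a Security-side subscriber rebuilds the approval rules from the policy plus current access. EventStore, GroupMemberChangedEvent, RebuildApprovalRulesSubscriber and the group/user ids are assumed names standing in for Gitlab::EventStore, the published event and the worker, and the subscriber runs synchronously here rather than as a background job.

```ruby
require 'set'
# Minimal stand-in for an event store: publish fans an event out to the
# handlers subscribed to its class. All names here are illustrative only.
class EventStore
  def initialize; @subscribers = Hash.new { |h, k| h[k] = [] }; end
  def subscribe(handler, to:); @subscribers[to] << handler; end
  def publish(event); @subscribers[event.class].each { |h| h.handle_event(event) }; end
end
# Hypothetical domain event published after a group membership change.
GroupMemberChangedEvent = Struct.new(:group_id, :user_id, :action, keyword_init: true)

# Group owns membership and publishes an event after every change.
class Group
  attr_reader :id, :members
  def initialize(id, store); @id, @store, @members = id, store, Set.new; end
  def change_member(user_id, action)
    action == :added ? @members << user_id : @members.delete(user_id)
    @store.publish(GroupMemberChangedEvent.new(group_id: id, user_id: user_id, action: action))
  end
end
# Project whose policy lists user_approvers_ids; eligible approvers are always
# recomputed from the policy and current access, never patched in place.
class Project
  attr_reader :group, :eligible_approvers
  def initialize(group, ids); @group, @policy_user_ids = group, ids; rebuild_approval_rules!; end
  def rebuild_approval_rules!
    @eligible_approvers = @policy_user_ids.select { |id| @group.members.include?(id) }
  end
end
# Security-domain subscriber (stands in for the worker) reacting to the event.
class RebuildApprovalRulesSubscriber
  def initialize(projects); @projects = projects; end
  def handle_event(event)
    @projects.select { |p| p.group.id == event.group_id }.each(&:rebuild_approval_rules!)
  end
end

# Constructed scenario mirroring the validation steps: the policy names users 49 and 1,
# user 49 has no access initially. Returns approvers before, after add, after remove.
def run_scenario
  store = EventStore.new
  group = Group.new(10, store)
  group.change_member(1, :added)
  project = Project.new(group, [49, 1])
  store.subscribe(RebuildApprovalRulesSubscriber.new([project]), to: GroupMemberChangedEvent)
  before = project.eligible_approvers
  group.change_member(49, :added)
  after_add = project.eligible_approvers
  group.change_member(49, :removed)
  [before, after_add, project.eligible_approvers]
end
```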

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
