
Allow only one security policy bot per project

What does this MR do and why?

This MR adds a validation to ensure that only one security policy bot is added to a project. When a security policy is added to a project or inherited through a group, a new bot user is created and added as a member of the project (ee/app/services/security/orchestration/create_bot_service.rb#L13-26).

The bot user is used to run pipelines triggered by security policies. We pick the first bot user from the project, so there needs to be only one.

Due to workers running in parallel, a project might end up with more than one bot user. This shouldn't cause any problems, but this MR tries to prevent it to ensure consistent data.

How to set up and validate locally

  1. Create a project and copy the project ID.
  2. Start a Rails console (rails console).
  3. Create a bot user for the project:
    project = Project.find(PROJECT_ID)
    user = User.first
    Security::Orchestration::CreateBotService.new(project, user).execute
  4. Visit the project members page.
  5. There should now be a bot user.
  6. Try to create another bot user:
    ::Users::AuthorizedCreateService.new(
      user,
      {
        name: 'GitLab Security Policy Bot',
        email: 'security_policy_bot@example.com',
        username: 'security_policy_bot_test',
        user_type: :security_policy_bot,
        skip_confirmation: true
      }
    ).execute
  7. Refresh the project members page.
  8. There should still be only one bot user.

Note: The test described above creates two users, but only one is added as a member to the project. In a real use case there should only be one user created because user and member creations happen in one transaction.
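The interleaving described above (two workers each passing the "is there already a bot?" check before either has inserted its member) is easy to see in a small model. The following is an added illustration, not code from this MR or from GitLab: the User, Project, add_member and add_member_atomically names are assumed for the example, and the Mutex stands in for the single database transaction the note above refers to. It replays the bad interleaving deterministically, then runs several threads through the atomic path and shows that exactly one bot is kept.

```ruby
# Added example (not the MR's code): an in-memory model of project membership
# showing why parallel bot creation can leave two security policy bots on a
# project, and how doing the check and the insert in one critical section
# keeps it to one. All names here are assumed for illustration.

User = Struct.new(:username, :user_type) do
  def security_policy_bot?
    user_type == :security_policy_bot
  end
end

class DuplicateBotError < StandardError; end

class Project
  attr_reader :members

  def initialize
    @members = []
    @lock = Mutex.new
  end

  # The rule being enforced: at most one security policy bot member per project.
  # Non-bot users are always allowed.
  def bot_allowed?(user)
    !user.security_policy_bot? || @members.none?(&:security_policy_bot?)
  end

  # Check, then insert, with nothing stopping another worker from
  # interleaving between the two steps.
  def add_member(user)
    raise DuplicateBotError, "project already has a security policy bot" unless bot_allowed?(user)

    @members << user
    user
  end

  # Same check and insert inside one critical section: stands in for the
  # single DB transaction (plus a row lock or unique constraint) a real
  # implementation would rely on.
  def add_member_atomically(user)
    @lock.synchronize { add_member(user) }
  end

  # Consumers pick the first bot, so only "exactly one" matters.
  def security_policy_bot
    @members.find(&:security_policy_bot?)
  end

  def security_policy_bot_count
    @members.count(&:security_policy_bot?)
  end
end

def new_bot(i)
  User.new("security_policy_bot_#{i}", :security_policy_bot)
end

# Deterministic replay of the race: both workers evaluate the validation
# before either has inserted, so both pass it and both insert.
def interleaved_creation(project)
  a = new_bot(1)
  b = new_bot(2)
  allowed = [project.bot_allowed?(a), project.bot_allowed?(b)] # both true
  project.members << a if allowed[0]
  project.members << b if allowed[1]
  project.security_policy_bot_count # => 2
end

# Several threads racing through the atomic path: exactly one is added,
# the rest are rejected by the validation.
def racing_creation(project, workers: 4)
  outcomes = Array.new(workers)
  threads = workers.times.map do |i|
    Thread.new do
      begin
        project.add_member_atomically(new_bot(i))
        outcomes[i] = :added
      rescue DuplicateBotError
        outcomes[i] = :rejected
      end
    end
  end
  threads.each(&:join)
  outcomes
end

if __FILE__ == $PROGRAM_NAME
  p interleaved_creation(Project.new)   # 2 bots: the inconsistency the MR prevents
  p racing_creation(Project.new)        # one :added, the others :rejected
end
```

The validation alone is only half of the fix: a check-then-insert that runs in two separate steps still admits the interleaving, which is why the page stresses that user and member creation happen in one transaction.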

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418013 (closed)

Edited by Andy Schoenen
