
Let scan result policies prevent changes to protected branches

What does this MR do and why?

We are introducing the approval_settings.block_unprotecting_branches attribute to scan result policies (&9705 (closed)). When a policy sets the attribute, projects that the policy applies to must reject deletion and modification of protected branches.

How to set up and validate locally

Setup

  • Create a new project and note its ID

  • Enable the feature flag for the project:

    Feature.enable(:scan_result_policies_block_unprotecting_branches, Project.find(ID))
  • Navigate to Code > Branches and create the develop branch

  • Navigate to Settings > Repository > Protected branches and protect the develop branch

  • Navigate to Secure > Policies and create the following scan result policy:

    type: scan_result_policy
    name: Container Scanning
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
    approval_settings:
      block_unprotecting_branches: true

Blocked API calls

Unprotect repository branches

% curl -X DELETE -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/protected_branches/develop"
{"message":"403 Forbidden"}

Update a protected branch

% curl -X PATCH -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/protected_branches/develop?allow_force_push=true"
{"message":"403 Forbidden"}

Unprotect a single branch (legacy)

% curl -X PUT -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/develop/unprotect"
{"message":"403 Forbidden"}

Protect a single branch (legacy)

This endpoint upserts, so a call against a branch that is already protected is now blocked as a modification:

% curl -X PUT -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/develop/protect?developers_can_merge=true"
{"message":"403 Forbidden"}

Verify the endpoint can still create new protected branches:

% curl --request PUT --header "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/foobar/protect?developers_can_merge=true"
{"name":"foobar", ...
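To make the intended behaviour concrete, here is an added Ruby example (written for this page, not code from the MR or from GitLab itself). It reads a policy file, derives whether `approval_settings.block_unprotecting_branches` is in force for a project, and then models the API decisions shown above: unprotect and update of an existing protected branch are refused, and the legacy protect endpoint is refused only when the branch is already protected, while protecting a new branch still succeeds. The `scan_result_policy:` list wrapper, the helper names and the sample policies are assumptions for the example.

```ruby
require 'yaml'

# Constructed sample policy file (assumed layout: a scan_result_policy list).
# The first policy mirrors the one in the MR description; the second shows
# that a disabled policy must not enforce the setting.
POLICIES_YAML = <<~YAML
  scan_result_policy:
    - name: Container Scanning
      enabled: true
      rules:
        - type: scan_finding
          scanners:
            - container_scanning
          vulnerabilities_allowed: 0
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
      approval_settings:
        block_unprotecting_branches: true
    - name: Disabled policy
      enabled: false
      approval_settings:
        block_unprotecting_branches: true
YAML

# True when any *enabled* scan result policy sets
# approval_settings.block_unprotecting_branches. A disabled policy never
# contributes, and a missing approval_settings key is treated as false.
def block_unprotecting_branches?(policy_yaml)
  config = YAML.safe_load(policy_yaml) || {}
  Array(config['scan_result_policy']).any? do |policy|
    policy['enabled'] == true &&
      policy.dig('approval_settings', 'block_unprotecting_branches') == true
  end
end

# Hypothetical decision helper for the protected-branch API calls.
# `existing` stands in for the project's currently protected branch names.
# Returns the HTTP status the request should get:
#   :unprotect / :update  -> 403 when blocked, otherwise 200
#   :protect (legacy PUT) -> 403 when blocked AND the branch is already
#                            protected (an upsert would modify it);
#                            201 when it creates a new protected branch
def protected_branch_status(action, branch, existing:, blocked:)
  already_protected = existing.include?(branch)

  case action
  when :unprotect, :update
    blocked ? 403 : 200
  when :protect
    if already_protected
      blocked ? 403 : 200
    else
      201
    end
  else
    405 # unknown action: method not allowed
  end
end

if __FILE__ == $PROGRAM_NAME
  blocked = block_unprotecting_branches?(POLICIES_YAML)
  protected_branches = ['develop']
  puts "blocked=#{blocked}"
  puts "DELETE develop  -> #{protected_branch_status(:unprotect, 'develop', existing: protected_branches, blocked: blocked)}"
  puts "PATCH  develop  -> #{protected_branch_status(:update, 'develop', existing: protected_branches, blocked: blocked)}"
  puts "PUT protect develop -> #{protected_branch_status(:protect, 'develop', existing: protected_branches, blocked: blocked)}"
  puts "PUT protect foobar  -> #{protected_branch_status(:protect, 'foobar', existing: protected_branches, blocked: blocked)}"
end
```

The point worth checking in a real review is the upsert branch of the legacy endpoint: the block must key off whether the branch is already protected, not off the HTTP verb, otherwise either new protections are wrongly refused or modifications of existing ones slip through.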

UI

Attempting to unprotect a branch from the UI leads to an error screen (with the feature enabled). We have #421623 (closed) for disabling the "Unprotect" button.

Database

See !130653 (comment 1554829040)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418745 (closed)

Edited by Dominic Bauer
