Let scan result policies prevent changes to protected branches
What does this MR do and why?
We are introducing the `approval_settings.block_unprotecting_branches` attribute to scan result policies (&9705 (closed)). When a policy that sets this attribute applies to a project, the project must reject deletion and modification of its protected branches.
How to set up and validate locally
Setup
- Create a new project and note its ID.
- Enable the feature flag for the project:

  ```ruby
  Feature.enable(:scan_result_policies_block_unprotecting_branches, Project.find(ID))
  ```

- Navigate to Code > Branches and create the `develop` branch.
- Navigate to Settings > Repository > Protected branches and protect the `develop` branch.
- Navigate to Secure > Policies and create the following scan result policy:

  ```yaml
  type: scan_result_policy
  name: Container Scanning
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners:
        - container_scanning
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  approval_settings:
    block_unprotecting_branches: true
  ```
Blocked API calls
Unprotect repository branches
% curl -X DELETE -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/protected_branches/develop"
{"message":"403 Forbidden"}
Update a protected branch
% curl -X PATCH -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/protected_branches/develop?allow_force_push=true"
{"message":"403 Forbidden"}
Unprotect a single branch (legacy)
% curl -X PUT -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/develop/unprotect"
{"message":"403 Forbidden"}
Protect a single branch (legacy)
This endpoint upserts an existing protected branch, so the call is now blocked for `develop`:
% curl -X PUT -H "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/develop/protect?developers_can_merge=true"
{"message":"403 Forbidden"}
Verify the endpoint can still create new protected branches:
% curl --request PUT --header "PRIVATE-TOKEN: <token>" "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/foobar/protect?developers_can_merge=true"
{"name":"foobar", ...
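As an added illustration (not GitLab's code), a small Ruby guard that loads the policy above and applies the rule the validation steps exercise: deleting or updating an existing protected branch is rejected, protecting a not-yet-protected branch stays allowed, and nothing is blocked while the feature flag is off. `ProtectedBranchGuard`, its methods and the `feature_enabled` argument are hypothetical names chosen for this example.

```ruby
require 'yaml'

# Constructed sample: the scan result policy from the setup steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: Container Scanning
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      scanners:
        - container_scanning
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
  approval_settings:
    block_unprotecting_branches: true
YAML

# Hypothetical guard (not GitLab's implementation): decides whether a
# protected-branch change must be rejected under the policies that apply
# to a project. feature_enabled stands in for the feature flag check.
class ProtectedBranchGuard
  def initialize(policies, feature_enabled: true)
    @policies = policies
    @feature_enabled = feature_enabled
  end

  # True when any enabled policy sets block_unprotecting_branches.
  def blocking?
    return false unless @feature_enabled

    @policies.any? do |policy|
      policy['enabled'] && policy.dig('approval_settings', 'block_unprotecting_branches') == true
    end
  end

  # action:   :delete, :update or :protect (the legacy protect endpoint upserts)
  # existing: whether a protected-branch record already exists for the name
  def allowed?(action:, existing:)
    return true unless blocking?

    case action
    when :delete, :update then false
    when :protect then !existing # a brand-new protection is still allowed
    else true
    end
  end
end

POLICIES = [YAML.safe_load(POLICY_YAML)].freeze
GUARD = ProtectedBranchGuard.new(POLICIES)
```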
UI
With the feature enabled, attempting to unprotect a branch from the UI leads to an error screen. Disabling the "Unprotect" button is tracked in #421623 (closed).
![](/-/project/278964/uploads/b2b6c1bdf009a3b1e912a0f8ae49bdfd/Screenshot_2023-09-01_at_12.01.17.png)
Database
See !130653 (comment 1554829040)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #418745 (closed)