Add security policy bot access level
What does this MR do and why?
This introduces a new access level for security policy bot members. It also introduces a new type of member access level.
The new access level should not be selectable by users, but it should also not be hidden, so that users can see that a member has the security policy bot access level but cannot create or update a member to have it. This can only be done by the system when a security policy is added to a project.
The MR changes three things:
- Introduce the new access level `SECURITY_POLICY_BOT`.
- Make sure the access level is visible in the UI but cannot be selected for members.
- Allow the access level to be used when the system creates security policy bot members.
In the next steps I will:
- Create a data migration to update all existing memberships of security policy bots to have the new access level
- Base the policy exceptions on the new access level instead of `user_type`
Why is the new access level needed?
Security policy bots are used to trigger pipelines and should have the minimal permissions to do so. We previously handled this by adding policy exceptions if the user is of type `security_policy_bot`, but it will be easier to handle if there is a dedicated access level for security policy bots.
The new access level will improve:
- Security, by preventing users of `security_policy_bot` type from getting hidden permissions as a group or project member
- Performance, because we don't need to look up `user_type` on the `users` table and can rely only on the `members` table
- Quality, because we can enforce validations with a database constraint
Screenshots or screen recordings
Security policy bot role is displayed in UI

User can't select security policy bot role
How to set up and validate locally
Verify it's not possible to invite users as security policy bot member
- On any project, open Manage -> Members
- Select Invite members
- In the Select role dropdown, it should not be possible to select Security policy bot
Verify security policy bots cannot be added via API
- Find a project and a user that is not already a member of the project and note the IDs
- Replace `PROJECT_ID`, `ACCESS_TOKEN` and `USER_ID` and run the following command:
```shell
curl --location 'http://gdk.test:3000/api/v4/projects/PROJECT_ID/members' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer ACCESS_TOKEN' \
  --data '{
    "user_id": USER_ID,
    "access_level": 21
  }'
```
- This should return a `400` response with body:

```json
{
  "message": {
    "access_level": [
      "is not included in the list"
    ]
  }
}
```
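As an added illustration of the rule this MR describes and of the API check above (example code written for this description, not GitLab's own implementation): a self-contained Ruby model in which the bot level is rendered like any other role but fails the inclusion validation unless the membership is created by the system. The numeric values follow GitLab's documented access levels, with `21` taken from the curl example; the `AccessLevel`, `Member`, `add_member_via_api` and `create_policy_bot_member` names are assumptions for illustration.

```ruby
# Added example, not GitLab's code: a model of the access-level rule in this MR.
# A security-policy-bot membership is visible like any other membership, but
# only the system may create one; a user request with that level fails
# validation. Values follow GitLab's documented access levels; 21 is the value
# the MR's curl test sends. Class and method names are assumptions.

module AccessLevel
  NO_ACCESS           = 0
  MINIMAL_ACCESS      = 5
  GUEST               = 10
  REPORTER            = 20
  SECURITY_POLICY_BOT = 21
  DEVELOPER           = 30
  MAINTAINER          = 40
  OWNER               = 50

  NAMES = {
    GUEST => 'Guest',
    REPORTER => 'Reporter',
    SECURITY_POLICY_BOT => 'Security policy bot',
    DEVELOPER => 'Developer',
    MAINTAINER => 'Maintainer',
    OWNER => 'Owner'
  }.freeze

  # Levels a user may choose in the "Select role" dropdown or send to the API.
  USER_SELECTABLE = [GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER].freeze
  # Levels that may exist on a membership and are rendered in the members list.
  VISIBLE = (USER_SELECTABLE + [SECURITY_POLICY_BOT]).sort.freeze

  # Display name for an existing membership: the bot role is shown, not hidden.
  def self.name_for(level)
    NAMES.fetch(level) { raise ArgumentError, "unknown access level #{level}" }
  end

  # Options offered in the invite dialog; the bot level is deliberately absent.
  def self.selectable_role_names
    USER_SELECTABLE.map { |level| NAMES[level] }
  end
end

class Member
  attr_reader :user_id, :access_level, :errors

  # created_by_system marks memberships created when a security policy is
  # added to a project; only those may carry SECURITY_POLICY_BOT.
  def initialize(user_id:, access_level:, created_by_system: false)
    @user_id = user_id
    @access_level = access_level
    @created_by_system = created_by_system
    @errors = {}
  end

  def valid?
    @errors = {}
    allowed = @created_by_system ? AccessLevel::VISIBLE : AccessLevel::USER_SELECTABLE
    unless allowed.include?(@access_level)
      # Same wording as the inclusion validator message in the MR's 400 body.
      @errors['access_level'] = ['is not included in the list']
    end
    @errors.empty?
  end
end

# Stand-in for POST /projects/:id/members: returns [status, body] as the API
# would after running the member validation on a user-supplied payload.
def add_member_via_api(payload)
  member = Member.new(user_id: payload['user_id'], access_level: payload['access_level'])
  return [400, { 'message' => member.errors }] unless member.valid?

  [201, { 'user_id' => member.user_id, 'access_level' => member.access_level }]
end

# The only path that may assign the bot level: the system creating the
# membership when a security policy is added to the project.
def create_policy_bot_member(user_id)
  member = Member.new(user_id: user_id,
                      access_level: AccessLevel::SECURITY_POLICY_BOT,
                      created_by_system: true)
  raise "bot membership rejected: #{member.errors}" unless member.valid?

  member
end

if __FILE__ == $PROGRAM_NAME
  p add_member_via_api('user_id' => 7, 'access_level' => 21)   # => [400, {...}]
  p add_member_via_api('user_id' => 7, 'access_level' => 30)   # => [201, {...}]
  p AccessLevel.selectable_role_names
  p AccessLevel.name_for(create_policy_bot_member(7).access_level)
end
```

The point of the two separate lists is the check in the MR: `VISIBLE` drives what the members page can render, `USER_SELECTABLE` drives both the dropdown and the API validation, so the bot level can never enter through a user-controlled path even though it is displayed once present.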
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #426271