
Use project organization for security_policy_bot namespace

What does this MR do and why?

As part of the Cells project, we are working on introducing Organizations. Every Namespace will belong to an Organization, so we need to assign an Organization whenever we create a namespace.

This MR is part of the effort to add an Organization to User Namespaces (also known as Personal Namespaces). User namespaces are created using the User.assign_personal_namespace method.

In a previous MR, we added a new optional Organization parameter to that method. As a follow-up, we need to update all code paths that create users so that they specify which Organization should be assigned.

This MR covers the logic for user bots of type security_policy_bot. These bots are scoped to a project: there is at most one per project. The actual creation happens in a worker, and all code paths that create such bots go through that worker.

Since the security_policy_bot is scoped to a project, we can use the Organization of that Project when creating the bot User.

Related issue #443494 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Using GDK, we can validate this by creating a new organization, assigning it to a project and running the worker. This can be done only once per project: if the project already has a security_policy_bot user, the worker won't create a new one.

Example script for rails console:

current_user = User.find_by(username: 'root')

# Create an organization with a random, unique path
random_name = SecureRandom.hex
name = "Organization #{random_name}"
org = Organizations::Organization.create!(name: name, path: random_name)

# Assign the organization to a project (update! raises if validation fails,
# so a silent failure cannot make the check below misleading)
project = Project.find_by(name: 'Flight')
project.update!(organization: org)

# Test the change: the worker happens to return a Project Member
result = Security::OrchestrationConfigurationCreateBotWorker.new.perform(project.id, current_user.id)

# This should match the organization created above
pp result.user.namespace.organization

# The worker won't create a new bot if the project already has one,
# so running perform again for the same project is a no-op

Related to #443494 (closed)

Edited by Rutger Wessels
