Use project organization for security_policy_bot namespace
What does this MR do and why?
As part of cell projects, we are working on introducing Organizations. All Namespaces will have an organization. This means we need to assign an Organization when we create a namespace.
This MR is part of the effort of adding Organization to User Namespaces (also known as Personal Namespaces). User namespaces are created using the User.assign_personal_namespace method.
In a previous MR, we added a new optional Organization parameter to that method. And as a follow up, we need to update all code paths that are creating users to specify what Organization should be assigned.
This MR is related to the logic for user bots of type security_policy_bot. These bots are scoped to a project: there is at most one of them. The actual creation is done in a worker and all the code paths that create such bots are using that worker.
Since the security_policy_bot is scoped to the project, we can use the Organization of a Project during creation of the User bot.
Related issue #443494 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Using GDK, we can validate this by creating a new organization, assigning it to a project and running the worker. This can be done only once: if the project already has a security_policy_bot user, it won't create a new one.
Example script for rails console:
current_user = User.find_by(username: 'root')
# Create an organization
random_name = SecureRandom.hex
name = "Organization #{random_name}"
org = Organizations::Organization.create!(name: name, path: random_name)
# Assign organization to project
project = Project.find_by(name: 'Flight')
# update! raises if the assignment fails instead of silently returning false
project.update!(organization: org)
# Test the change: the worker happens to return a Project Member
result = Security::OrchestrationConfigurationCreateBotWorker.new.perform(project.id, current_user.id)
# This should match the Created organization
pp result.user.namespace.organization
# The worker won't create a new bot if it already has one
Related to #443494 (closed)