Skip to content

Fix `block_branch_modification` effects on protected branches

Dominic Bauer requested to merge 456499-settings-for-merge-request-approval-policy-with-multiple-rules-not-being-properly-enforced-1 into master

What does this MR do and why?

Fixes two bugs related to MR approval policies' block_branch_modification property:

  • protected branches are only blocked from deletion when backed by a git ref, since PolicyBranchesService reads from Gitaly
  • policy branches pattern matching behaves unexpectedly. Since our policies accept branch patterns, e.g. branches: [test-*], and protected branches are patterns, too, we have to treat one as strings for comparison, since we can't match a pattern against another pattern. Currently, we match policy branch spec (string) against the protected branch name (pattern). We want do the opposite

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Right-most Unprotect button:

Before After

How to set up and validate locally

  • Create a new group and a contained project

  • On the project level:

    • Navigate to Settings > Repository and create the following branch protections:
      • develop
      • foo*
      • test-123
      • unrelated

  • On the group level:

    • Navigate to Security > Policies and create the following MR approval policy:
type: approval_policy
name: Block protected branches
enabled: true
rules:
  - type: any_merge_request
    branches:
      - test-*
    commits: any
  - type: any_merge_request
    branches:
      - develop
    commits: any
  - type: any_merge_request
    branches:
      - foo*
    commits: any
  - type: any_merge_request
    branch_type: protected
    commits: any
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - owner
approval_settings:
  block_branch_modification: true

  • On the project level, navigate to Settings > Repository and verify that the UI controls allow only unrelated to be deleted.

  • Verify none of the protected branches but unrelated can be deleted via API:

curl -X DELETE -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "http://gdk.test:3000/api/v4/projects/$PROJECT_ID/protected_branches/develop"

Related to #456499 (closed)

Edited by Dominic Bauer

Merge request reports