Extend policy bypass checker with users, roles and groups
What does this MR do and why?
As a part of BE: Extend policy bypass option to include user... (#549797 - closed), we want to allow users/groups to bypass the approvals and branch protection enforced through security policy. This can be done at 2 levels:
- Merge Request: A user/group can bypass the approvals by providing a reason from the MR UI. The reason will be persisted in `approval_policy_merge_request_bypass_events` introduced with !199151 (merged)
- Branch Push: A user can push to a branch with push protection (protected branch and branch protection from MR approval policy) through a git push option (something like `--push-option security_policy.bypass_reason='reason'`)
This MR adds the logic to check the users/groups/roles before bypassing the branch protection and processes the bypass reason from push option.
- 1️⃣ Add security policy bypass push option (!200025 - merged)
- 2️⃣ 👉 Extend policy bypass checker with users, roles ... (!201001 - merged)
- 3️⃣ Draft: Add MR bypass security policy graphql API (!202838 - closed)
References
Screenshots or screen recordings
Demo walkthrough
Users used in demo
username | type | allowed_to_bypass |
---|---|---|
root | owner | false |
reported_user_8 | group_user | true |
reported_user_9 | group_user | true |
reported_user_19 | custom_role | false |
reported_user_20 | maintainer | false |
reported_user_21 | maintainer | true |
reported_user_22 | custom_role | true |
Error messages
User not allowed to bypass and push rejected
User allowed to bypass but without bypass reason push option
User not allowed to push to the repository
How to set up and validate locally
Script to manage and push to repository with multiple user SSH keys
To verify this feature with multiple users we need to configure SSH keys for multiple users to push to repository. To simplify testing this feature with multiple users, I've created `verify_security_policy_bypass.rb` with help from GitLab Duo.
```
$ bundle exec ruby verify_security_policy_bypass.rb -h
Loading GitLab Rails environment...
Rails environment loaded successfully!
Usage: verify_security_policy_bypass.rb [options]
    -c, --command COMMAND            Command to execute: generate, git, cleanup, or check-orphaned
    -u, --usernames USERNAMES        Comma-separated list of usernames (multiple supported for git operations)
    -r, --repository REPO            Repository URL for git commands
    -f, --force                      Force cleanup without confirmation
    -d, --delete-repo                Delete cloned repository during cleanup
    -h, --help                       Show this help message
```
The script has 3 major commands:
- `generate`: generate SSH keys and add them to the user settings in DB (`keys` table)
- `git`: generate a shell script for each user to do git push to the given repository
- `cleanup`: clean up the SSH keys and the reference in DB along with the cloned repository (with `-d` flag)
Steps
1. Enable `security_policies_bypass_options_group_roles` FF
2. Create a group and invite multiple users, groups and roles with users
3. Create an MR approval policy with users, groups and roles in the bypass settings under advanced section of the policy editor
4. Create a project within the group
5. Create `verify_security_policy_bypass.rb` in the root directory of gitlab project.
6. Use the script to create SSH keys for the users configured in step 2:
   `bundle exec ruby verify_security_policy_bypass.rb -c generate -u <usernames>`
7. Note the git clone SSH URL of the project created in step 4 and create git commit scripts for each user with the repo:
   `bundle exec ruby verify_security_policy_bypass.rb -c git -u root,reported_user_8,reported_user_9,reported_user_19,reported_user_20,reported_user_21,reported_user_22 -r ssh://git@gdk.test:2222/user-role-bypass-settings/project-a.git`
8. After the completion of the script, there will be individual shell scripts generated for each user with the name `./git_#{username}.sh`
9. Execute the script for each user with and without `bypass_reason`:
   `./git_root.sh --bypass-reason "Hotfix"`
10. Verify the error messages if the push is rejected due to missing bypass reason
11. Clean up the SSH keys after verifying the feature (`-d` flag will delete the cloned git repository):
    `bundle exec ruby verify_security_policy_bypass.rb -c cleanup -u root,reported_user_8,reported_user_9,reported_user_19,reported_user_20,reported_user_21,reported_user_22 -r ssh://git@gdk.test:2222/user-role-bypass-settings/project-a.git -d`
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #549797 (closed)
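
The decision this MR describes (check users, groups and roles, then require a bypass reason from the push option), sketched as an added Ruby example that is not taken from the MR or from GitLab's code base. The struct names, the sample group and custom role names, the result messages and the order of the checks are assumptions.

```ruby
# Hypothetical model of the bypass decision; names are illustrative, not GitLab's.
BYPASS_OPTION = 'security_policy.bypass_reason' # option name from the MR description

User = Struct.new(:username, :role, :groups, :can_push, keyword_init: true)
BypassSettings = Struct.new(:users, :groups, :roles, keyword_init: true)

# Extract a non-blank reason from raw push options ("key=value" strings).
def bypass_reason(push_options)
  raw = push_options.find { |o| o.start_with?("#{BYPASS_OPTION}=") }
  reason = raw.to_s.split('=', 2)[1].to_s.strip
  reason.empty? ? nil : reason
end

# A user may bypass when listed directly, via a listed group, or via a listed role.
def allowed_to_bypass?(user, settings)
  settings.users.include?(user.username) ||
    settings.roles.include?(user.role) ||
    !(settings.groups & user.groups).empty?
end

# Returns [:bypassed, reason] or [:rejected, message]. Check order is an assumption.
def check_push(user, settings, push_options)
  return [:rejected, 'not allowed to push to the repository'] unless user.can_push
  return [:rejected, 'not allowed to bypass the security policy'] unless allowed_to_bypass?(user, settings)

  reason = bypass_reason(push_options)
  return [:rejected, 'bypass reason push option is missing'] if reason.nil?

  [:bypassed, reason] # the caller would record the reason for audit
end

# Constructed sample data, loosely following the demo table above.
SETTINGS = BypassSettings.new(users: ['reported_user_21'], groups: ['bypass-group'],
                              roles: ['custom:release-approver'])
USERS = {
  'root'             => User.new(username: 'root', role: 'owner', groups: [], can_push: true),
  'reported_user_8'  => User.new(username: 'reported_user_8', role: 'developer', groups: ['bypass-group'], can_push: true),
  'reported_user_20' => User.new(username: 'reported_user_20', role: 'maintainer', groups: [], can_push: true),
  'reported_user_21' => User.new(username: 'reported_user_21', role: 'maintainer', groups: [], can_push: true),
  'reported_user_22' => User.new(username: 'reported_user_22', role: 'custom:release-approver', groups: [], can_push: true)
}.freeze

if __FILE__ == $PROGRAM_NAME
  USERS.each_value { |u| p [u.username, check_push(u, SETTINGS, ["#{BYPASS_OPTION}=Hotfix"])] }
end
```

A blank or whitespace-only reason is treated the same as a missing one, so an allowed user cannot bypass without leaving a usable audit entry.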