
Create audit events for restrictive warn-mode approval settings

What does this MR do and why?

We are working on warn mode for merge request approval policies (&15552). Violations associated with a policy that is in warn mode can be bypassed by users, and the policy's approval_settings don't take effect.

This MR starts creating audit events when a warn-mode policy applies to a project, and the policy sets more restrictive approval_settings than the project does.

References

How to set up and validate locally

  1. Enable the security_policy_approval_warn_mode FF using the rails console:
    Feature.enable :security_policy_approval_warn_mode
  2. Configure Audit event streaming for instances
  3. Create a new group
  4. Create three contained projects:
    1. alpha
    2. beta
    3. gamma
  5. On the project-level of alpha, navigate to Settings > Merge requests and under Approval settings, tick the following two checkboxes and click Save changes:
    • Prevent approvals by users who add commits
    • Require user re-authentication (password or SAML) to approve
  6. On the project-level of beta, navigate to Settings > Merge requests and under Approval settings, tick the following checkbox and click Save changes:
    • Prevent approvals by users who add commits
  7. On the group-level, navigate to Secure > Policies and create the following Merge request approval policy:
approval_policy:
  - name: Demo policy
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers: [owner]
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_commit_author: true
      require_password_to_approve: true
  8. Verify the following audit events were streamed:
    • alpha: No audit event
    • beta: A warn-mode security policy sets more restrictive merge request approval settings: Require user re-authentication (password or SAML) to approve
    • gamma: A warn-mode security policy sets more restrictive merge request approval settings: Prevent approvals by users who add commits, Require user re-authentication (password or SAML) to approve
  9. On the group-level, navigate to Secure > Policies and edit the existing Demo policy so that it excludes require_password_to_approve:
approval_policy:
  - name: Demo policy
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers: [owner]
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_commit_author: true
-     require_password_to_approve: true
  10. Verify that only gamma had a new audit event streamed: A warn-mode security policy sets more restrictive merge request approval settings: Prevent approvals by users who add commits
  11. On the group-level, navigate to Secure > Policies and edit the existing Demo policy so that its existing approval_settings remain unchanged:
approval_policy:
  - name: Demo policy
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
-       role_approvers: [owner]
+       role_approvers: [maintainer]
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_commit_author: true
  12. Verify no new audit events were streamed
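The validation steps above boil down to one comparison per project: which boolean approval settings does the warn-mode policy enable that the project itself has left disabled. The Ruby below is an added illustration of that comparison, not the MR's own code: the method names, the project settings for alpha, beta and gamma (constructed to match the setup steps) and the rule that a policy edit only emits new events when its approval_settings actually changed are all assumptions derived from the expected results listed in the steps.

```ruby
# Added example, not GitLab's implementation. Models when a warn-mode policy's
# approval_settings count as "more restrictive" than a project's own settings.
# Only the two settings named in the MR description are modelled.
SETTING_LABELS = {
  prevent_approval_by_commit_author: 'Prevent approvals by users who add commits',
  require_password_to_approve: 'Require user re-authentication (password or SAML) to approve'
}.freeze

AUDIT_PREFIX = 'A warn-mode security policy sets more restrictive merge request approval settings: '.freeze

# Constructed project-level settings mirroring steps 4-6 (assumption).
PROJECTS = {
  alpha: { prevent_approval_by_commit_author: true, require_password_to_approve: true },
  beta:  { prevent_approval_by_commit_author: true },
  gamma: {}
}.freeze

# Constructed policy versions mirroring steps 7, 9 and 11 (only the fields
# the comparison needs are kept).
POLICY_V1 = { enforcement_type: 'warn',
              approval_settings: { prevent_approval_by_commit_author: true,
                                   require_password_to_approve: true } }.freeze
POLICY_V2 = { enforcement_type: 'warn',
              approval_settings: { prevent_approval_by_commit_author: true } }.freeze
# Same approval_settings as V2; only role_approvers changed.
POLICY_V3 = { enforcement_type: 'warn', role_approvers: ['maintainer'],
              approval_settings: { prevent_approval_by_commit_author: true } }.freeze

# Settings the policy turns on that the project has not turned on itself.
# A missing project key is treated as "not enabled".
def more_restrictive_settings(project_settings, policy_settings)
  SETTING_LABELS.keys.select do |key|
    policy_settings[key] == true && project_settings[key] != true
  end
end

# Audit message for one project, or nil when nothing is more restrictive.
def audit_message(project_settings, policy_settings)
  keys = more_restrictive_settings(project_settings, policy_settings)
  return nil if keys.empty?

  AUDIT_PREFIX + keys.map { |k| SETTING_LABELS[k] }.join(', ')
end

# Events emitted when a policy is created (old_policy nil) or edited.
# Assumptions: only warn-mode policies qualify, and an edit that leaves
# approval_settings unchanged emits nothing (matches step 12).
def audit_events_for_policy_change(projects, old_policy, new_policy)
  return {} unless new_policy[:enforcement_type] == 'warn'
  return {} if old_policy && old_policy[:approval_settings] == new_policy[:approval_settings]

  projects.each_with_object({}) do |(name, settings), events|
    message = audit_message(settings, new_policy[:approval_settings] || {})
    events[name] = message if message
  end
end

if __FILE__ == $PROGRAM_NAME
  [[nil, POLICY_V1], [POLICY_V1, POLICY_V2], [POLICY_V2, POLICY_V3]].each do |old_p, new_p|
    puts audit_events_for_policy_change(PROJECTS, old_p, new_p).inspect
  end
end
```

Running the script walks through the three policy versions and prints the per-project events: beta and gamma on creation, gamma alone after require_password_to_approve is removed, and nothing after the role_approvers-only edit. Treating a missing project key the same as `false` is what makes gamma (no settings configured) receive both labels.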

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #563867

Edited by Dominic Bauer
