Create warn mode approval audit events

What does this MR do and why?

We are working on warn mode for merge request approval policies (&15552 (closed)). Violations associated to a policy that is in warn mode can be bypassed by users, and their approval_settings don't take effect.

This MR starts creates audit events when a user approves a merge request, but their approval would have been prevented by a warn-mode policy, if that policy would have been default-enforced.

References

How to set up and validate locally

  1. Enable the feature flag: echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c
  2. Create a new project
  3. Navigate to Settings > Merge requests and under Approval settings, uncheck Prevent approval by merge request creator and Save changes
  4. Navigate to Secure > Policies and create the following Merge request approval policies:
approval_policy:
  - name: Warn Mode Policy
    enforcement_type: warn
    enabled: true
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      require_password_to_approve: true
approval_policy:
  - name: Enforced Policy
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      require_password_to_approve: true
  1. Open a merge request targeting the default branch and check that the commit is attributed to your current user.
  2. Approve the merge request with your current user. Verify the following 2 audit events were created:
    • A user has approved a merge request that they committed to, which would have been prevented by the following warn-mode security policies: Warn Mode Policy
    • The merge request author has approved their own merge request, which would have been prevented by the following warn-mode security policies: Warn Mode Policy
  3. Navigate to Secure > Policies and edit the Warn mode policy:
approval_policy:
  - name: Warn Mode Policy
    enforcement_type: warn
    enabled: true
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    approval_settings:
      prevent_approval_by_author: true
-     prevent_approval_by_commit_author: true
      require_password_to_approve: true
  1. Revoke your approval on the merge request and re-approve it. Verify only the following audit event was created:
    • The merge request author has approved their own merge request, which would have been prevented by the following warn-mode security policies: Warn Mode Policy
  2. Navigate to Secure > Policies and edit the Warn mode policy:
approval_policy:
  - name: Warn Mode Policy
    enforcement_type: warn
    enabled: true
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    approval_settings:
-     prevent_approval_by_author: true
      require_password_to_approve: true
  1. Revoke your approval on the merge request and re-approve it. Verify no audit event was created.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #563867 (closed)

Edited by Dominic Bauer

Merge request reports

Loading