Create warn mode approval audit events
What does this MR do and why?
We are working on warn mode for merge request approval policies (&15552 (closed)). Violations associated to a policy that is in warn mode can be bypassed by users, and their approval_settings don't take effect.
This MR starts creates audit events when a user approves a merge request, but their approval would have been prevented by a warn-mode policy, if that policy would have been default-enforced.
References
How to set up and validate locally
- Enable the feature flag:
echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c - Create a new project
- Navigate to
Settings > Merge requestsand underApproval settings, uncheckPrevent approval by merge request creatorandSave changes - Navigate to
Secure > Policiesand create the following Merge request approval policies:
approval_policy:
- name: Warn Mode Policy
enforcement_type: warn
enabled: true
actions:
- type: require_approval
approvals_required: 1
role_approvers:
- owner
- type: send_bot_message
enabled: true
rules:
- type: any_merge_request
branch_type: protected
commits: any
approval_settings:
prevent_approval_by_author: true
prevent_approval_by_commit_author: true
require_password_to_approve: trueapproval_policy:
- name: Enforced Policy
enabled: true
rules:
- type: any_merge_request
branch_type: protected
commits: any
actions:
- type: require_approval
approvals_required: 1
role_approvers:
- owner
- type: send_bot_message
enabled: true
approval_settings:
require_password_to_approve: true- Open a merge request targeting the default branch and check that the commit is attributed to your current user.
- Approve the merge request with your current user. Verify the following 2 audit events were created:
- A user has approved a merge request that they committed to, which would have been prevented by the following warn-mode security policies: Warn Mode Policy
- The merge request author has approved their own merge request, which would have been prevented by the following warn-mode security policies: Warn Mode Policy
- Navigate to
Secure > Policiesand edit the Warn mode policy:
approval_policy:
- name: Warn Mode Policy
enforcement_type: warn
enabled: true
actions:
- type: require_approval
approvals_required: 1
role_approvers:
- owner
- type: send_bot_message
enabled: true
rules:
- type: any_merge_request
branch_type: protected
commits: any
approval_settings:
prevent_approval_by_author: true
- prevent_approval_by_commit_author: true
require_password_to_approve: true- Revoke your approval on the merge request and re-approve it. Verify only the following audit event was created:
- The merge request author has approved their own merge request, which would have been prevented by the following warn-mode security policies: Warn Mode Policy
- Navigate to
Secure > Policiesand edit the Warn mode policy:
approval_policy:
- name: Warn Mode Policy
enforcement_type: warn
enabled: true
actions:
- type: require_approval
approvals_required: 1
role_approvers:
- owner
- type: send_bot_message
enabled: true
rules:
- type: any_merge_request
branch_type: protected
commits: any
approval_settings:
- prevent_approval_by_author: true
require_password_to_approve: true- Revoke your approval on the merge request and re-approve it. Verify no audit event was created.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #563867 (closed)
Edited by Dominic Bauer