Create warn mode merge request audit events
What does this MR do and why?
We are working on warn mode for merge request approval policies (&15552). Violations associated with a policy that is in warn mode can be bypassed by users, and the policy's approval_settings do not take effect.
This MR starts streaming audit events after an MR has been evaluated and there are warn mode policy violations whose policies would set more restrictive approval_settings for the merge request if they were default-enforced.
References
How to set up and validate locally
- Enable the feature flag: `echo "Feature.enable(:security_policy_approval_warn_mode)" | rails c`
- Navigate to Admin > Monitoring > Audit events > Streams and configure a streaming destination for the Policy warn mode merge request approval settings overrides event
- Create a new top-level group
- On the group level, navigate to Secure > Policies and create the following merge request approval policy:

```yaml
approval_policy:
  - name: Group-level warn mode policy
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers: [maintainer]
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_author: true
```
- Create a new project inside that group
- Navigate to Settings > Merge requests and, beneath Approval settings:
  - untick Prevent approval by merge request creator and click Save changes
  - select the Keep approvals radio button and click Save changes
- Navigate to Code > Branches and create the foobar branch
- On the project level, navigate to Secure > Policies and create the following three merge request approval policies:
```yaml
approval_policy:
  - name: Project-level warn mode policy (mismatching)
    enabled: true
    enforcement_type: warn
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branches: [foobar]
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
```

```yaml
approval_policy:
  - name: Project-level warn mode policy (matching)
    enabled: true
    enforcement_type: warn
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      prevent_approval_by_commit_author: true
      require_password_to_approve: true
```

```yaml
approval_policy:
  - name: Project-level enforced policy (matching)
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branches: [main]
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      require_password_to_approve: true
```
- Open an MR targeting main
- Verify that the following two audit events were streamed:
  - A merge request's target branch is affected by a warn mode policy that sets more restrictive approval_settings: Prevent approval by merge request creator (target: Group-level warn mode policy)
  - A merge request's target branch is affected by a warn mode policy that sets more restrictive approval_settings: Prevent approvals by users who add commits (target: Project-level warn mode policy (matching))
- On the project level, navigate to Secure > Policies and edit the Project-level warn mode policy (matching), adding `remove_approvals_with_new_commit: true` to its approval_settings:

```diff
 approval_policy:
   - name: Project-level warn mode policy (matching)
     enabled: true
     enforcement_type: warn
     rules:
       - type: scan_finding
         scanners: []
         vulnerabilities_allowed: 0
         severity_levels: []
         vulnerability_states: []
         branch_type: protected
     actions:
       - type: require_approval
         approvals_required: 1
         role_approvers:
           - owner
       - type: send_bot_message
         enabled: true
     approval_settings:
       prevent_approval_by_commit_author: true
       require_password_to_approve: true
+      remove_approvals_with_new_commit: true
```
- Close and reopen the merge request. Verify that you have received the previous two audit events again, in addition to:
  - A merge request's target branch is affected by a warn mode policy that sets more restrictive approval_settings: When a commit is added: Remove all approvals (target: Project-level warn mode policy (matching))
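The logic the validation steps above exercise, as an added illustration written for this description and not GitLab's own code: a simplified model that decides which warn mode policy settings count as "more restrictive" overrides for a given target branch and produces the audit event messages listed above. It assumes a policy is violated whenever one of its rules matches the target branch (the scan_finding and any_merge_request conditions are not modelled), that a setting already enabled by the project or by an applicable default-enforced policy is not reported, and it assumes a label for require_password_to_approve, which the steps above never trigger. All policies and settings are constructed to mirror the setup above.

```ruby
# Added illustration, not GitLab's implementation: a simplified model of the
# check behind the "Policy warn mode merge request approval settings overrides"
# audit event. A warn mode policy whose rules match the MR's target branch is
# treated as violated (scan_finding / any_merge_request conditions not modelled).
# Each approval setting it enables that is not already in effect for the project,
# via the project's own settings or a default-enforced policy on the same branch,
# is an override and yields one audit event.

# Labels as they appear in the audit event messages. The label for
# require_password_to_approve is assumed; the MR description does not show it.
SETTING_LABELS = {
  prevent_approval_by_author: 'Prevent approval by merge request creator',
  prevent_approval_by_commit_author: 'Prevent approvals by users who add commits',
  remove_approvals_with_new_commit: 'When a commit is added: Remove all approvals',
  require_password_to_approve: 'Require user re-authentication to approve'
}.freeze

# A rule targets the MR if its explicit branch list contains the target branch,
# or if it targets protected branches and the target branch is protected.
def rule_applies?(rule, target_branch, protected_branches)
  if rule[:branches]
    rule[:branches].include?(target_branch)
  else
    rule[:branch_type] == 'protected' && protected_branches.include?(target_branch)
  end
end

def policy_applies?(policy, target_branch, protected_branches)
  policy[:enabled] && policy[:rules].any? { |r| rule_applies?(r, target_branch, protected_branches) }
end

# Settings actually in effect: project settings OR-ed with the approval_settings
# of every default-enforced (non-warn) policy that applies to the target branch.
def effective_settings(project_settings, policies, target_branch, protected_branches)
  policies
    .reject { |p| p[:enforcement_type] == 'warn' }
    .select { |p| policy_applies?(p, target_branch, protected_branches) }
    .each_with_object(project_settings.dup) do |policy, acc|
      policy[:approval_settings].each { |k, v| acc[k] ||= v }
    end
end

# One entry per (warn mode policy, setting) pair that would be more restrictive
# than what is currently in effect, in policy order.
def warn_mode_overrides(project_settings, policies, target_branch, protected_branches)
  effective = effective_settings(project_settings, policies, target_branch, protected_branches)
  policies
    .select { |p| p[:enforcement_type] == 'warn' && policy_applies?(p, target_branch, protected_branches) }
    .flat_map do |policy|
      policy[:approval_settings]
        .select { |setting, enabled| enabled && !effective[setting] }
        .keys
        .map { |setting| { policy: policy[:name], setting: setting } }
    end
end

def audit_event_message(override)
  "A merge request's target branch is affected by a warn mode policy that sets " \
    "more restrictive approval_settings: #{SETTING_LABELS.fetch(override[:setting])} " \
    "(target: #{override[:policy]})"
end

# Constructed data mirroring the validation steps: "Prevent approval by merge
# request creator" unticked and "Keep approvals" selected; only main is protected.
PROJECT_SETTINGS = {
  prevent_approval_by_author: false,
  prevent_approval_by_commit_author: false,
  remove_approvals_with_new_commit: false,
  require_password_to_approve: false
}.freeze
PROTECTED_BRANCHES = ['main'].freeze

POLICIES = [
  { name: 'Group-level warn mode policy', enabled: true, enforcement_type: 'warn',
    rules: [{ type: 'any_merge_request', branch_type: 'protected' }],
    approval_settings: { prevent_approval_by_author: true } },
  { name: 'Project-level warn mode policy (mismatching)', enabled: true, enforcement_type: 'warn',
    rules: [{ type: 'scan_finding', branches: ['foobar'] }],
    approval_settings: { remove_approvals_with_new_commit: true, require_password_to_approve: true } },
  { name: 'Project-level warn mode policy (matching)', enabled: true, enforcement_type: 'warn',
    rules: [{ type: 'scan_finding', branch_type: 'protected' }],
    approval_settings: { prevent_approval_by_commit_author: true, require_password_to_approve: true } },
  { name: 'Project-level enforced policy (matching)', enabled: true, enforcement_type: 'default',
    rules: [{ type: 'scan_finding', branches: ['main'] }],
    approval_settings: { require_password_to_approve: true } }
].freeze

# Audit event messages expected for an MR targeting the given branch.
def expected_messages_for(policies = POLICIES, target_branch = 'main')
  warn_mode_overrides(PROJECT_SETTINGS, policies, target_branch, PROTECTED_BRANCHES)
    .map { |o| audit_event_message(o) }
end

# The "matching" policy after the last validation step's edit.
def policies_after_edit
  POLICIES.map do |p|
    next p unless p[:name] == 'Project-level warn mode policy (matching)'

    p.merge(approval_settings: p[:approval_settings].merge(remove_approvals_with_new_commit: true))
  end
end

if __FILE__ == $PROGRAM_NAME
  puts expected_messages_for
  puts '--- after editing the matching policy ---'
  puts expected_messages_for(policies_after_edit)
end
```

Running the file prints the two messages from the first verification step and the three from the second. Note that require_password_to_approve never appears for main because the default-enforced policy already enables it there; retarget the MR at the unprotected foobar branch and the model reports it, together with remove_approvals_with_new_commit, from the mismatching policy instead.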
Database queries
CreateWarnModeMergeRequestAuditEventsWorker#eligible_to_run?
Note: Can't provide a query plan for running violations since I don't have read access to the full postgres.ai snapshot, but this reads and filters from index_scan_result_policy_violations_on_merge_request_id and the PK index as expected.
```sql
-- https://console.postgres.ai/gitlab/gitlab-production-main/sessions/45586/commands/139747
SELECT
  1 AS one
FROM
  "scan_result_policy_violations"
WHERE
  "scan_result_policy_violations"."merge_request_id" = 123
  AND "scan_result_policy_violations"."status" = 0
LIMIT 1;
```
CreateWarnModeMergeRequestAuditEventService#violated_approval_policies
```sql
-- https://console.postgres.ai/gitlab/gitlab-production-main/sessions/45586/commands/139764
SELECT
  "security_policies".*
FROM
  "security_policies"
  INNER JOIN "approval_policy_rules" ON "security_policies"."id" = "approval_policy_rules"."security_policy_id"
  INNER JOIN "scan_result_policy_violations" ON "approval_policy_rules"."id" = "scan_result_policy_violations"."approval_policy_rule_id"
WHERE
  "scan_result_policy_violations"."merge_request_id" = 123
  AND "security_policies"."type" = 0;
```
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #580797