Create warn mode audit events for block_group_branch_modification

What does this MR do and why?

We are working on warn mode for merge request approval policies (&15552). Violations associated with a policy that is in warn mode can be bypassed by users, and the policy's approval_settings don't take effect.

When a group-level warn mode merge request approval policy is created or updated on a top-level group, or on the CSP group, this MR starts writing audit events for all top-level groups whose protected branches are affected by the policy.

References

How to set up and validate locally

Configuring the streaming destination

Navigate to Admin > Monitoring > Audit events and configure a streaming destination for the Policy warn mode group protected branch modification override event.

Policy on non-CSP group-level

  1. Create a new top-level group
  2. On the group-level, navigate to Settings > Repository and create a group-level protected branch.
  3. On the group-level, navigate to Secure > Policies and create the following MR approval policy:
approval_policy:
  - name: Block group branch modification (Warn Mode)
    enabled: true
    enforcement_type: warn
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers: [owner]
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_group_branch_modification: true
  4. Verify that an audit event was streamed to the destination attributed to:
    • Target: The warn mode policy
    • Entity path: The policy's security policy management project
    • Author: The policy project's security policy bot

Policy on CSP group-level

  1. Create another group and likewise create a group-level protected branch.
  2. Navigate to Admin > Settings > Security and compliance and, under Compliance and security policy group, select the previously created group and click Save changes.
  3. On the CSP group-level, navigate to Secure > Policies and change the name of the previously created policy Block group branch modification (Warn Mode).
  4. Verify that two audit events, one for each group, were streamed for the updated policy.
  5. Navigate to the group and, under Secure > Policies, create the following MR approval policy:
approval_policy:
  - name: Block group branch modification (Enforced)
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers: [owner]
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_group_branch_modification: true
  6. Verify that no audit events were streamed.
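To illustrate the behaviour the two procedures above verify, here is an added Ruby sketch (not GitLab's code) that applies the same decision rule: only an enabled policy with enforcement_type: warn and block_group_branch_modification: true produces events, and a CSP policy fans out to every top-level group in the organization (collected in batches of 1000, like the query below) while a non-CSP policy targets only its own group. The event field names, the group hashes and the trimmed policy documents are constructed for the example.

```ruby
require 'yaml'

# Constructed, trimmed copies of the two policies from the steps above.
WARN_POLICY_YAML = <<~YAML
  approval_policy:
    - name: Block group branch modification (Warn Mode)
      enabled: true
      enforcement_type: warn
      rules:
        - type: any_merge_request
          branch_type: protected
      approval_settings:
        block_group_branch_modification: true
YAML

ENFORCED_POLICY_YAML = <<~YAML
  approval_policy:
    - name: Block group branch modification (Enforced)
      enabled: true
      rules:
        - type: any_merge_request
          branch_type: protected
      approval_settings:
        block_group_branch_modification: true
YAML

# A policy qualifies only when it is enabled, in warn mode, and sets the
# block_group_branch_modification approval setting.
def warn_mode_branch_modification?(policy)
  policy['enabled'] == true &&
    policy['enforcement_type'] == 'warn' &&
    policy.dig('approval_settings', 'block_group_branch_modification') == true
end

# Build one audit event per affected top-level group. For the CSP group the
# policy covers all top-level groups of the organization (walked in batches of
# 1000, mirroring the batched id query); otherwise only the policy's own group.
# Groups are constructed hashes such as { id: 1 }; field names are placeholders.
def audit_events_for(policy_yaml, policy_group:, csp: false, top_level_groups: [])
  policies = YAML.safe_load(policy_yaml).fetch('approval_policy', [])
  affected = csp ? top_level_groups.each_slice(1000).to_a : [[policy_group]]
  policies.select { |p| warn_mode_branch_modification?(p) }.flat_map do |p|
    affected.flat_map do |batch|
      batch.map do |group|
        { target: p['name'], group_id: group[:id],
          entity_path: 'security-policy-management-project', # placeholder
          author: 'security_policy_bot' }                    # placeholder
      end
    end
  end
end
```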

Database queries

#collect_csp_top_level_group_ids_in_batches

Batch:

-- https://console.postgres.ai/gitlab/gitlab-production-main/sessions/45743/commands/140084
SELECT
	"namespaces"."id"
FROM
	"namespaces"
WHERE
	"namespaces"."type" = 'Group'
	AND "namespaces"."parent_id" IS NULL
	AND "namespaces"."organization_id" = 1
ORDER BY
	"namespaces"."id" ASC
LIMIT 1000;

.for_management_project_and_name_tuples

Note: Maximum of 5 merge request approval policies per configuration (Restrictions)

-- https://console.postgres.ai/gitlab/gitlab-production-main/sessions/45743/commands/140101
SELECT
	"security_policies".*
FROM
	"security_policies"
WHERE ((security_orchestration_policy_configuration_id, name) IN ((1, 'security-policy-1'), (1, '2-ycilop-ytiruces')));

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #580966

Edited by Dominic Bauer
