Eligible approvers not added to MR approval rules in specific conditions
Summary
Steps to reproduce
- Using `yaml` mode, create a Scan Result Policy with only one eligible approver who does not currently have access to the development project.
- Create a merge request.
- Observe that the list of eligible approvers is empty and the approval rule is automatically checked/approved.
- Add the user to the project with Developer permissions or higher.
- Wait 10 minutes.
- Observe that the list of eligible approvers on the previously opened MR is still empty and that the approval rule is still automatically checked/approved. There is no way to now require approval from this user on this MR short of closing out the MR and creating an entirely new MR. Rerunning the pipeline or adding new commits does not help.
Note: A similar/related behavior is also observed when revoking a user's access from a project. If they were listed as an eligible approver before their permissions were revoked, they continue to be listed as an eligible approver even after their permissions are revoked.
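A minimal policy of the kind the first step describes, added here as an example rather than taken from the original report; the username `approver-user`, the branch `main` and the scanner selection are placeholders:

```yaml
# Added example: a Scan Result Policy whose only approver is a single named user.
# "approver-user" is a placeholder for an account that does not yet have access
# to the development project; "main" is an assumed protected branch.
scan_result_policy:
  - name: Require approval from one named user
    description: Reproduction policy for the eligible-approver behaviour
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - main
        scanners:
          - sast
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - approver-user
```

With this policy, the approval rule on a new MR should list exactly one eligible approver once that user holds Developer access or higher.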
Example Project
What is the current bug behavior?
What is the expected correct behavior?
After giving the eligible approver access to the project, it is expected that the individual would be listed as an eligible approver for the approval rule on the already open MR (potentially after a 10 minute delay).
Alternatively, we could just always list the user as an eligible approver regardless of whether or not they have permissions to access the project.
Implementation Plan
Ensure the `project_authorizations` table gets updated after a project member change; then synchronize approval rules for the policy configuration associated with the project whose memberships were updated.
diff --git a/ee/app/services/ee/authorized_project_update/project_recalculate_service.rb b/ee/app/services/ee/authorized_project_update/project_recalculate_service.rb
new file mode 100644
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module EE
+ module AuthorizedProjectUpdate
+ module ProjectRecalculateService
+ extend ::Gitlab::Utils::Override
+
+ private
+
+ override :refresh_authorizations
+ def refresh_authorizations
+ super
+
+ return unless project.security_orchestration_policy_configuration
+ return unless authorizations_to_create.any? { |autherization| autherization[:access_level] >= ::Member::DEVELOPER }
+
+ Security::SecurityOrchestrationPolicies::SyncScanResultPoliciesService
+ .new(project.security_orchestration_policy_configuration)
+ .execute
+ end
+ end
+ end
+end
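Review bot: the revocation case from the issue's Note is not covered by this hunk: the early return at `return unless authorizations_to_create.any? { |autherization| autherization[:access_level] >= ::Member::DEVELOPER }` only lets the sync run when at least one authorization at Developer or above is being created, so removing a member (or lowering their access below Developer) never triggers `SyncScanResultPoliciesService`, and a revoked user would stay listed as an eligible approver exactly as the Note describes. Consider also syncing when authorizations are removed or downgraded. Two smaller points: the block variable is misspelled (`autherization`; rename to `authorization`), and because the sync now runs inline inside `refresh_authorizations` on every qualifying recalculation, it is worth confirming that `SyncScanResultPoliciesService#execute` is cheap enough, or enqueues a worker, so that membership updates are not slowed down; a spec covering both the added-member and the removed-member paths should accompany the change.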