Security Policy Creation error "Project was created and assigned as security policy project, but failed adding users to the project" leads to a cascade of errors.
Summary
- When attempting to create a security policy, the following error is received:
  "Project was created and assigned as security policy project, but failed adding users to the project."
  Being a new user to this, I have no idea where it tried to create that.
- When I try again, I get the error: "Security Policy project already exists."
  Then on the policies page I clicked "Edit policy project" and hit the garbage can icon next to the default name.
  I received the warning: "Unlinking a security project removes all policies stored in the linked security project. Save to confirm this action."
- I took the action anyway, thinking I'd try creating it from scratch.
- However, upon attempting to create a new one, I receive the error "Project namespace name has already been taken,Name has already been taken,Path has already been taken"
From start to finish it has been quite confusing, and the UI error messages are not informative about where one might go in the back end to make changes or why the first error happened.
Steps to reproduce
Example Project
What is the current bug behavior?
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
GitLab.com
Results of GitLab application Check
GitLab.com
Possible fixes
As suggested here:
- Improve the error message when the policy project already exists
- Fail fast without creating security policy project
===================================================================
diff --git a/ee/app/services/security/security_orchestration_policies/project_create_service.rb b/ee/app/services/security/security_orchestration_policies/project_create_service.rb
--- a/ee/app/services/security/security_orchestration_policies/project_create_service.rb (revision c1e6c11a6ea4e42fdc9b9224afedee0e77716449)
+++ b/ee/app/services/security/security_orchestration_policies/project_create_service.rb (date 1697055996288)
@@ -8,7 +8,8 @@
def execute
return error(s_('User does not have permission to create a Security Policy project.')) unless can_create_projects_in_container?
- return error(s_('Security Policy project already exists.')) if container.security_orchestration_policy_configuration.present?
+ return error(s_('Security Policy project already exists but is not linked.')) if container.security_orchestration_policy_configuration.present?
+ return error(s_('User does not have permission to add members to the security policy project.')) unless can_add_members_to_policy_project?
policy_project = ::Projects::CreateService.new(current_user, create_project_params).execute
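Review bot: The reworded message 'Security Policy project already exists but is not linked.' contradicts the condition guarding it: `container.security_orchestration_policy_configuration.present?` is true precisely when the container is already linked to a policy project, so telling the user it is not linked is misleading; keep the original wording or name the project that is linked. Separately, the reporter's third error ("Project namespace name has already been taken,Name has already been taken,Path has already been taken") occurs after unlinking, when the configuration is absent but the previously created project still exists at the same path, and neither early return here catches that case; consider checking for an existing project at the target path before calling `::Projects::CreateService`, since that is the state the reporter ended up in.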
@@ -94,6 +95,12 @@
def can_create_projects_in_container?
current_user.can?(:create_projects, project_container? ? container.namespace : container)
end
+
+ def can_add_members_to_policy_project?
+ policy_project = Project.new(create_project_params.except(:initialize_with_readme, :readme_template, :security_policy_target_project_id, :security_policy_target_namespace_id))
+
+ Ability.allowed?(current_user, :admin_project_member, policy_project)
+ end
end
end
end
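Review bot: `can_add_members_to_policy_project?` evaluates `:admin_project_member` against an unsaved `Project.new(...)` that has no members or settings of its own, so the answer can only reflect what the policy derives from the namespace and the current user; add a comment stating that, and confirm it matches what `::Projects::CreateService` actually produces, otherwise a user can pass this pre-check and still hit the original "failed adding users" failure after the project has been created. The `except(...)` list also deserves a one-line comment explaining that those four keys are service options rather than `Project` attributes, because nothing will flag it if `create_project_params` later gains another non-attribute key.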
===================================================================
diff --git a/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb
--- a/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb (revision c1e6c11a6ea4e42fdc9b9224afedee0e77716449)
+++ b/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb (date 1697052302169)
@@ -91,6 +91,26 @@
end
end
+ context 'when users does not have permission to security policy project' do
+ let(:current_user) { project.first_owner }
+
+ before_all do
+ project.add_maintainer(maintainer)
+ end
+
+ before do
+ allow(Ability).to receive(:allowed?).with(current_user, :create_projects, anything).and_call_original
+ allow(Ability).to receive(:allowed?).with(current_user, :admin_project_member, an_instance_of(Project)).and_return(false)
+ end
+
+ it 'returns error' do
+ response = service.execute
+
+ expect(response[:status]).to eq(:error)
+ expect(response[:message]).to eq('User does not have permission to add members to the security policy project.')
+ end
+ end
+
context 'when project creation fails' do
let(:error_message) { "Path can't be blank" }
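Review bot: The context description 'when users does not have permission to security policy project' should read 'when user does not have permission to add members to the security policy project' so it matches the message asserted on. The `before_all` block adds `maintainer` to the project, but this context sets `current_user` to `project.first_owner` and never uses `maintainer`, so that setup looks carried over from a neighbouring context and can be dropped. Because `Ability.allowed?` is stubbed to return false for `:admin_project_member`, the example only proves the early return exists; it does not show that the real policy gives the expected answer for an unpersisted `Project`, which is the part of the change most likely to be wrong. A companion example without the stub (a user who can create projects in the namespace but lacks member-admin rights) would cover the new helper itself. Note too that an `allow(...).with(...)` stub makes any `Ability.allowed?` call with other arguments raise, so this spec will break as soon as the service checks a third ability before returning.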