Skip to content

Block ip-restricted requests from everything

drew stachon requested to merge strictest-ip-enforcement into master

What does this MR do and why?

This MR introduces a more complete prevention of all DeclarativePolicy concepts when ip-based restriction is being enforced.

The issues being resolved are https://gitlab.com/gitlab-org/gitlab/-/issues/363745 and https://gitlab.com/gitlab-org/gitlab/-/issues/364075

There is a very lengthy discussion of alternative approaches in !107425 (closed), for the sake of SSoT I'll link to that MR (to be closed if this is merged) from here instead of trying to copy everything over. But if you're looking for the strategy and thought process behind this change, you'll find it in there.

The feature flag will be tracked in: and switch to enabled by default in !112756 (merged)

How to set up and validate locally

The specific practical use case being resolved here is covered in the specs - prevent :read_project, as a policy, was not enough to stop ip-restricted users from creating pipelines via the API. This closes that permissions gap, and I have added test coverage specifically to that effect.

In general, this is also a more complete solution for preventing any permissions from being enabled, articulated in https://gitlab.com/gitlab-org/gitlab/-/issues/364075.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by drew stachon

Merge request reports

Loading