Disable deleting approval rules from scan result policies
What does this MR do and why?
Addresses #420335 (closed)
This MR fixes a bug in showing and deleting MR approval rules in settings page where approval rules created from :license_finding
scan result policy are allowed to be deleted from UI. This change fixes the behaviour by not exposing the approval rules created from scan result policy in the list API and not allowing the approval rules to be deleted/updated from PUT/DELETE API.
Database query plan
Query
SELECT
"approval_project_rules".*
FROM
"approval_project_rules"
WHERE
"approval_project_rules"."project_id" = 48135606
AND (
"approval_project_rules"."report_type" IS NULL
OR "approval_project_rules"."report_type" NOT IN (
4, 2
)
)
AND "approval_project_rules"."id" = 18298464 LIMIT 1
Plan
Limit (cost=0.42..3.45 rows=1 width=182) (actual time=7.264..7.264 rows=0 loops=1)
Buffers: shared read=4
I/O Timings: read=7.192 write=0.000
-> Index Scan using index_approval_project_rules_on_project_id on public.approval_project_rules (cost=0.42..3.45 rows=1 width=182) (actual time=7.262..7.262 rows=0 loops=1)
Index Cond: (approval_project_rules.project_id = 48135606)
Filter: (((approval_project_rules.report_type IS NULL) OR (approval_project_rules.report_type <> ALL ('{4,2}'::integer[]))) AND (approval_project_rules.id = 18298464))
Rows Removed by Filter: 1
Buffers: shared read=4
I/O Timings: read=7.192 write=0.000
Time: 9.777 ms
- planning: 2.414 ms
- execution: 7.363 ms
- I/O read: 7.192 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 0 from the buffer pool
- reads: 4 (~32.00 KiB) from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
Screenshots or screen recordings
Before | After |
---|---|
How to set up and validate locally
- Create a scan result policy that contains both
license_finding
andscan_finding
rules in a same policy
type: scan_result_policy
name: Scan
description: ''
enabled: true
rules:
- type: license_finding
match_on_inclusion: true
license_types:
- GNU General Public License v2.0 or later
- GNU Affero General Public License v3.0
license_states:
- newly_detected
branches:
- main
- type: scan_finding
scanners:
- dependency_scanning
- dast
- sast
vulnerabilities_allowed: 0
severity_levels:
- critical
vulnerability_states:
- newly_detected
branches:
- main
actions:
- type: require_approval
approvals_required: 1
group_approvers_ids:
- 22
- Go to Settings -> Merge Requests -> Merge request approvals and verify that approval rules from policy are not listed
- Try calling the API to delete the approval rule and verify if it returns 404
curl 'http://gdk.test:3000/api/v4/projects/<project_id>/approval_rules/<approval_rule_id>' \
-X 'DELETE' \
-H 'Accept: application/json, text/plain, */*' \
--compressed \
--insecure
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Sashi Kumar Kumaresan