Skip to content

Optimize sync of any_merge_request_rules

What does this MR do and why?

This MR optimizes how SyncAnyMergeRequestApprovalRulesWorker is called.

Before, it would call the worker twice when MR is created:

The first call could incorrectly remove required approvals before commits signature is evaluated, so it would create a window when it's possible to merge with a violating policy. This problem could be reproduced locally if we add sleep 15 in AfterCreateService

By moving the worker scheduling to RefreshService, we elimitate the double call when MR is created and it fixes the incorrect removal of required approvals.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Enable the feature flag
    Feature.enable(:scan_result_any_merge_request)
  2. Go to Secure -> Policies and create a policy. Example YAML:
    type: scan_result_policy
    name: Unsigned
    description: ''
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: true
  3. Create MR with unsigned commit (for example from Web IDE)
  4. There shouldn't be any brief moment with optional approvals for this policy

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #418752 (closed)

Edited by Martin Čavoj

Merge request reports

Loading