Skip to content

Add check if user can push to protected branch with active policy

What does this MR do and why?

This MR improves check when user can push to protected branch with active policy. With this MR we are not only preventing Force Pushing, but also regular pushes when policy is active and prevent_force_pushing approval setting is set to true.

Screenshots or screen recordings

Scenario Screenshot
Protected branch not covered by security policy protected_branch_not_specified_in_policy
Protected branch covered by security policy protected_branch_specified_in_policy

How to set up and validate locally

  1. Upload a GitLab Ultimate license
  2. Add gitlab-org to have an Ultimate license (https://gdk.test:3443/admin/groups/gitlab-org)
  3. Turn on the feature flag
echo "Feature.enable(:scan_result_policies_block_force_push)" | rails c
  1. Navigate to a project => Code => Branches
  2. Create a new branch called spooky-stuff (if you use the GDK project http://gdk.test:3443/gitlab-org/gitlab-test, it will already have it)
  3. Ensure there is a branch called 100%branch (if you use the GDK project http://gdk.test:3443/gitlab-org/gitlab-test, it will already have it)
  4. Within the project navigate to Settings => Repository => Protected branches
  5. Protect the branches spooky-stuff and 100%branch. (Enable Allowed to push and merge and Allowed to force push settings for your user role)
  6. NOTE: The branch names don't really matter here as long as you create two branches and protect both of them and update the test steps with the branch names you have chosen
  7. Navigate to "Secure" sidebar menu => Click the "Policies" sub-menu item
  8. Click the "New policy" button on the Policies list page
  9. Click "Select policy" is button name within the "Scan result policy" section
  10. You can either create the policy below using rule mode or click the "yaml mode" toggle button at the top of the policy editor page and copy/paste in the below yaml. The policy is applying the settings override to all protected branches except the 100%branch (as well as the required approval for any MRs with vulnerabilities, but that is not important for this MR)
type: scan_result_policy
name: Prevent all vulnerabilities
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
    branch_exceptions:
      - 100%branch
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
approval_settings:
  prevent_pushing_and_force_pushing: true
  1. Save the policy using the "Configure with a merge request" button and merge the corresponding merge request.
  2. You will be in a different project now (the policies are saved in separate project usually), so navigate back to your original project
  3. Clone the project locally
  4. Checkout the spooky-stuff branch
  5. Create a new commit by modifying any file
  6. Attempt to push and force-push the commit to the protected branch that is not an exception in the policy
  7. Verify a user gets the following error:
remote: GitLab: Push is blocked by settings overridden by a security policy
To ssh://gdk.test:2222/root/test-project-settings.git
! [remote rejected] second-branch -> second-branch (pre-receive hook declined)
  1. Checkout the 100%branch (the branch that was the exception in the policy)
  2. Verify that a user can create a new commit and push/force-push changes for that new branch with no issues
  3. Create/checkout a new, non-protected branch
  4. Verify that a user can create a new commit and push/force-push changes for that new branch with no issues
  5. Turn off the feature flag
  6. Checkout the spooky-stuff branch and verify that a user can create a new commit and push changes for any protected branch with no issues
  7. Re-enable the feature flag
  8. Disable the policy (Secure => Policies => Select policy from list => Click "Edit policy" in the drawer, change enabled to false => Save the change)
  9. Checkout the spooky-stuff branch and verify that a user can create a new commit and push changes for any protected branch with no issues

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #420629 (closed)

Edited by Alexander Turinske

Merge request reports

Loading