
Add `block_group_branch_modification` to security policies

What does this MR do and why?

Adds the approval_settings.block_group_branch_modification property to security policies.

See the Implementation plan for the intended behaviour.

Screenshots or screen recordings

How to set up and validate locally

  • Create a new top-level group and enable the feature flags:

    Feature.enable(:scan_result_policy_block_group_branch_modification, Group.last)
    Feature.enable(:allow_protected_branches_for_group, Group.last)
  • Navigate to Settings > Repository and create a branch protection, then create a security policy with the following content:

    type: scan_result_policy
    name: 'Test'
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids: [1]
    approval_settings:
      block_branch_modification: true
  • Verify that the previously created branch protection cannot be deleted.

  • Verify that the branch protection cannot be deleted via API:

    curl --request DELETE --header "PRIVATE-TOKEN: <TOKEN>" "http://gdk.test:3000/api/v4/groups/<GROUP_ID>/protected_branches/<NAME>"
    {"message":"403 Forbidden"}
  • Update the policy:

    type: scan_result_policy
    name: 'Test'
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids: [1]
    approval_settings:
      block_branch_modification: true
    + block_group_branch_modification: false
  • Verify that the branch protection can be deleted.

  • Update the policy:

    type: scan_result_policy
    name: 'Test'
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids: [1]
    approval_settings:
      block_branch_modification: true
    - block_group_branch_modification: false
    + block_group_branch_modification:
    +   enabled: true
    +   exceptions: [<GROUP_NAME>]
  • Verify that the branch protection can be deleted.

  • Remove the group name from exceptions. Verify that the previously created branch protection cannot be deleted.
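The four policy states walked through in the steps above can be replayed offline. The following Ruby script is an added example and is not GitLab's implementation: it models the deletion decision purely from the behaviour the validation steps describe. The sample policy YAML is constructed, `example-group` is a placeholder group full path, and the fallback rule (a missing `block_group_branch_modification` inherits `block_branch_modification`) is an assumption inferred from the first step, not a documented rule.

```ruby
require 'yaml'

# Constructed sample policy in the same shape as the ones in the steps above.
POLICY_YAML = <<~YAML
  type: scan_result_policy
  name: 'Test'
  enabled: true
  rules:
    - type: any_merge_request
      branch_type: protected
      commits: any
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids: [1]
  approval_settings:
    block_branch_modification: true
    block_group_branch_modification:
      enabled: true
      exceptions: [example-group]
YAML

def load_policy(yaml)
  YAML.safe_load(yaml)
end

# Returns true when deleting a group-level branch protection should be refused.
# Assumptions (inferred from the validation steps, not from GitLab's code):
#  * the policy must be enabled and `block_branch_modification` must be true;
#  * a missing `block_group_branch_modification` falls back to that flag;
#  * a boolean value is taken literally;
#  * a hash value blocks only when `enabled` is true and the group's full
#    path is not listed under `exceptions`.
def group_branch_modification_blocked?(policy, group_full_path)
  settings = policy.fetch('approval_settings', {})
  return false unless policy['enabled'] && settings['block_branch_modification']

  group_setting = settings['block_group_branch_modification']
  case group_setting
  when nil then true
  when true, false then group_setting
  when Hash
    return false unless group_setting['enabled']

    !Array(group_setting['exceptions']).include?(group_full_path)
  else
    raise ArgumentError, "unexpected block_group_branch_modification: #{group_setting.inspect}"
  end
end

# Replays the four policy states from the validation steps and returns, for
# each, whether deletion is blocked. Expected: [true, false, false, true].
def walk_validation_steps(group_full_path)
  policy = load_policy(POLICY_YAML)
  settings = policy['approval_settings']
  results = []

  settings.delete('block_group_branch_modification')             # only block_branch_modification set
  results << group_branch_modification_blocked?(policy, group_full_path)

  settings['block_group_branch_modification'] = false            # explicitly disabled for groups
  results << group_branch_modification_blocked?(policy, group_full_path)

  settings['block_group_branch_modification'] =                  # enabled, this group excepted
    { 'enabled' => true, 'exceptions' => [group_full_path] }
  results << group_branch_modification_blocked?(policy, group_full_path)

  settings['block_group_branch_modification']['exceptions'] = [] # exception removed again
  results << group_branch_modification_blocked?(policy, group_full_path)

  results
end

puts walk_validation_steps('example-group').inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints `[true, false, false, true]`, matching the expected outcomes of the steps (blocked, deletable, deletable, blocked). Feeding it a real policy exported from a group is a quick way to sanity-check an `exceptions` list before relying on the API 403 check above.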

Related to #420724 (closed)

Edited by Dominic Bauer
