Fix `block_branch_modification` effects on protected branches
requested to merge 456499-settings-for-merge-request-approval-policy-with-multiple-rules-not-being-properly-enforced-1 into master
What does this MR do and why?
Fixes two bugs related to the `block_branch_modification` property of MR approval policies:

- Protected branches are only blocked from deletion when they are backed by a git ref, because `PolicyBranchesService` reads branches from Gitaly. A protected branch that no ref currently matches is therefore not blocked.
- Policy branch pattern matching behaves unexpectedly. Policies accept branch patterns, e.g. `branches: [test-*]`, and protected branches are patterns too, so one side has to be treated as a plain string for the comparison, since a pattern cannot be matched against another pattern. Currently the policy branch spec is treated as the string and matched against the protected branch name treated as the pattern. We want to do the opposite: treat the protected branch name as the string and match it against the policy branch pattern.
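To make the direction of the comparison concrete, the following is an added Ruby example (not code from this MR or from GitLab) that runs both directions over the branch protections and policy patterns used in the validation steps. It assumes glob semantics in which `*` is the only wildcard, implemented by the hypothetical helpers `wildcard_regex` and `matches?`, and it considers only the policy's explicit `branches:` entries, not the `branch_type: protected` rule.

```ruby
# Added example, not GitLab's own code. Shows why the direction of the
# pattern comparison matters for block_branch_modification.

# Assumption: branch specs use glob semantics where "*" is the only wildcard
# and every other character is literal (hypothetical helper).
def wildcard_regex(spec)
  parts = spec.split('*', -1).map { |part| Regexp.escape(part) }
  /\A#{parts.join('.*')}\z/
end

def wildcard?(spec)
  spec.include?('*')
end

# Treat `spec` as the pattern and `candidate` as a plain string.
# A spec without "*" has to match exactly.
def matches?(spec, candidate)
  return spec == candidate unless wildcard?(spec)

  wildcard_regex(spec).match?(candidate)
end

# Constructed input: the branch protections and the policy's explicit
# branch patterns from the validation steps of this MR. The
# `branch_type: protected` rule is deliberately left out.
PROTECTED_BRANCHES = %w[develop foo* test-123 unrelated].freeze
POLICY_BRANCH_SPECS = %w[test-* develop foo*].freeze

# Buggy direction: the policy spec is the string, the protected branch
# name is the pattern. "test-123" contains no wildcard, so "test-*" is
# compared to it literally and never matches.
def blocked_before_fix(protected_names = PROTECTED_BRANCHES, specs = POLICY_BRANCH_SPECS)
  protected_names.select { |name| specs.any? { |spec| matches?(name, spec) } }
end

# Fixed direction: the protected branch name is the string, the policy
# spec is the pattern, so "test-*" matches "test-123".
def blocked_after_fix(protected_names = PROTECTED_BRANCHES, specs = POLICY_BRANCH_SPECS)
  protected_names.select { |name| specs.any? { |spec| matches?(spec, name) } }
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{blocked_before_fix.inspect}" # ["develop", "foo*"]
  puts "after fix:  #{blocked_after_fix.inspect}"  # ["develop", "foo*", "test-123"]
end
```

Note that `foo*` is blocked in the buggy direction only because the literal string `foo*` happens to satisfy its own pattern; `test-123` versus `test-*` is the case that exposes the wrong direction, and `unrelated` stays deletable either way.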
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Right-most Unprotect button:

Before | After |
---|---|
How to set up and validate locally
1. Create a new group and a project inside it.
2. On the project level, navigate to Settings > Repository and create the following branch protections:
   - `develop`
   - `foo*`
   - `test-123`
   - `unrelated`
3. On the group level, navigate to Security > Policies and create the following MR approval policy:

   ```yaml
   type: approval_policy
   name: Block protected branches
   enabled: true
   rules:
     - type: any_merge_request
       branches:
         - test-*
       commits: any
     - type: any_merge_request
       branches:
         - develop
       commits: any
     - type: any_merge_request
       branches:
         - foo*
       commits: any
     - type: any_merge_request
       branch_type: protected
       commits: any
   actions:
     - type: require_approval
       approvals_required: 1
       role_approvers:
         - owner
   approval_settings:
     block_branch_modification: true
   ```

4. On the project level, navigate to Settings > Repository and verify that the UI controls allow only `unrelated` to be deleted.
5. Verify that none of the protected branches except `unrelated` can be deleted via the API, e.g.:

   ```shell
   curl -X DELETE -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "http://gdk.test:3000/api/v4/projects/$PROJECT_ID/protected_branches/develop"
   ```
Related to #456499 (closed)
Edited by Dominic Bauer