
Show warning message during MR creation to prevent invalid rules


Problem

This issue was created from the Discussion for #374602 Situation 4 invalid approver configurations.

Updated Apr 3, 2023 based on thread.

Today an invalid MR policy/rule fails open: when a policy or rule becomes invalid, the policy automatically passes. This is a problem for the security team, because a security control that fails open silently stops enforcing the approvals it was meant to require and creates potential security gaps, harming the company. This issue is an effort to prevent users from creating an MR in a security policy project with invalid rules. When updating policies in a security policy project through the policy editor, we can prevent invalid rules from being created through validation. Our validation in the editor is fairly decent today, and we will keep improving it. However, users can also update the policy.yml directly through an MR, and on that path there is no validation to prevent invalid rules from being created.

Note: a rule can still become invalid after the MR is created, regardless of whether the policy editor or a direct edit of the policy.yml file was used; this solution can't cover that. We have other issues (primarily this issue) to fail closed in that case, where the rule becomes invalid after MR creation.

Solution

1. When creating an MR for a security policy project, we check whether the policy is still valid; if not, we tell the user why it is invalid and block MR creation until they fix the policy. For designs, please see the design area. (Note: removing this option based on discussion below)

  1. We can continue to improve the validation we already have in the policy UI. It already covers a lot of cases and is getting pretty good at this point, though there may still be a few gaps to close.

  2. We can encourage users to use the policy UI to create their policies if they want the YAML to be validated. We can add a note in our docs that MRs opened directly in the security policy project, or changes force-pushed into it, won't go through validation and may not work.

  3. We can improve the messaging in the merge request to better direct users on how to fix the problem when a policy is invalid. We already have designs and plans for this in this issue.
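The check described in option 1 above, as an added example that is not GitLab's own code: a validator that inspects a parsed policy and refuses MR creation when the policy is invalid, instead of letting an invalid rule pass silently. The policy layout is modelled loosely on GitLab's scan result policy YAML (`scan_result_policy` with `rules` and `actions`), but the exact field names checked, the `known_users` membership list standing in for project membership, and the sample policies are assumptions for the illustration. The policy is given as a dict, which is what a YAML loader returns for policy.yml, so the script runs without extra dependencies.

```python
"""Fail-closed validation of a security policy before an MR is created.

Added example, not GitLab's code. Field names, the membership list and the
sample policies below are assumptions for the illustration.
"""

# Rule and action types the validator accepts (assumed for the example).
VALID_RULE_TYPES = {"scan_finding"}
VALID_ACTION_TYPES = {"require_approval"}


def validate_policy(policy, known_users):
    """Return a list of human-readable problems; an empty list means valid."""
    errors = []
    policies = policy.get("scan_result_policy")
    if not isinstance(policies, list) or not policies:
        return ["scan_result_policy must be a non-empty list"]

    for i, p in enumerate(policies):
        where = f"scan_result_policy[{i}]"
        if not p.get("name"):
            errors.append(f"{where}: missing name")

        rules = p.get("rules") or []
        if not rules:
            errors.append(f"{where}: no rules defined")
        for j, r in enumerate(rules):
            if r.get("type") not in VALID_RULE_TYPES:
                errors.append(f"{where}.rules[{j}]: unknown rule type {r.get('type')!r}")

        actions = p.get("actions") or []
        if not actions:
            errors.append(f"{where}: no actions defined")
        for j, a in enumerate(actions):
            aw = f"{where}.actions[{j}]"
            if a.get("type") not in VALID_ACTION_TYPES:
                errors.append(f"{aw}: unknown action type {a.get('type')!r}")
                continue
            # Approver checks: this is the "invalid approver configuration" case.
            required = a.get("approvals_required")
            if not isinstance(required, int) or required < 1:
                errors.append(f"{aw}: approvals_required must be an integer >= 1")
            approvers = a.get("user_approvers") or []
            if not approvers:
                errors.append(f"{aw}: require_approval has no approvers")
            missing = [u for u in approvers if u not in known_users]
            if missing:
                errors.append(f"{aw}: approvers not project members: {missing}")
            elif isinstance(required, int) and required > len(approvers):
                errors.append(
                    f"{aw}: approvals_required ({required}) exceeds the "
                    f"number of eligible approvers ({len(approvers)})"
                )
    return errors


def mr_creation_check(policy, known_users):
    """Fail closed: return (allowed, errors); any error blocks MR creation."""
    errors = validate_policy(policy, known_users)
    return (not errors), errors


# Constructed sample data (assumed for the example).
KNOWN_USERS = {"alice", "bob"}

VALID_POLICY = {
    "scan_result_policy": [{
        "name": "Block critical findings",
        "enabled": True,
        "rules": [{"type": "scan_finding", "branches": [], "scanners": ["sast"],
                   "vulnerabilities_allowed": 0, "severity_levels": ["critical"]}],
        "actions": [{"type": "require_approval", "approvals_required": 1,
                     "user_approvers": ["alice"]}],
    }]
}

# Invalid: approvals_required is 0 and the approver is not a project member.
INVALID_POLICY = {
    "scan_result_policy": [{
        "name": "Broken approvers",
        "enabled": True,
        "rules": [{"type": "scan_finding", "branches": [], "scanners": ["sast"],
                   "vulnerabilities_allowed": 0, "severity_levels": ["critical"]}],
        "actions": [{"type": "require_approval", "approvals_required": 0,
                     "user_approvers": ["ghost"]}],
    }]
}

if __name__ == "__main__":
    for label, pol in (("valid", VALID_POLICY), ("invalid", INVALID_POLICY)):
        allowed, errs = mr_creation_check(pol, KNOWN_USERS)
        print(f"{label}: MR creation {'allowed' if allowed else 'blocked'}")
        for e in errs:
            print("  -", e)
```

The point of `mr_creation_check` is that the only way to get `allowed == True` is an empty error list; a malformed or unexpectedly shaped policy yields at least one error rather than being waved through, which is the opposite of the fail-open behaviour the problem statement describes.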
