►
Description
In this video we discuss the backend implementation around the Security Approvals in Merge Requests MVC.
https://gitlab.com/gitlab-org/gitlab-ee/issues/9928
A
Okay,
hi
everyone,
so
the
feature
we're
talking
about
today
is
security
approvals
and
merge
requests.
This
has
been
also
called
security
dates:
I,
don't
love
the
term
security
gates
because
it's
kind
of
point
isn't
to
make
security
a
blocker,
it's
providing
a
place
for
other
routines
to
collaborate.
So
the
basic
idea
with
what
we
were
working
on
before
so
first
I'll
start
with
a
agenda.
Doc
should
be
on
the
invite.
A
A
The
basic
idea
with
this
is
that
we
were
looking
at
for
a
way
to
hand
leverage
a
new
approval
system
where
a
security
team,
that's
defined
by
a
user
on
a
project,
can
add
their
approvals
to
before
a
merge
request,
gets
merged
and
cheating.
So
we
wanted
to
leverage
our
existing
security
reports
and
pipelines.
A
So
with
the
proposal,
II
idea
is
that
requiring
an
ultimate
license?
You
go
into
your
product
settings.
You
create
a
special
approval
group
with
a
in
this
case
of
predefined
name.
Ideally,
this
would
be
more
of
a
state
toggle
on
the
rule
type
any
7a
approval
count
of
greater
than
1
and
right
now
it
needs
to
be
named
exactly
this
and
we'll
get
into
how
that
works
in
a
second.
A
A
So
there's
also
a
lot
of
legacy.
Support
around
the
idea
of
them
approvals
before
approval
rules
were
a
thing.
So
you'll
see
this
row
right
here,
all
members
with
developer
role
or
higher.
If
I
set
this,
then
that
adds
a
require
approval
to
the
project,
but
there
is
no
real
approval
rule.
This
is
kind
of
a
like
a
shim
that
is
it's
a
project
setting.
So
it's
not
an
actual
database
instance
or
database
record
for
an
approval-
maybe
that's
too
granular,
but
that
kind
of
is
important
later.
A
Okay,
so
we
add
the
approver
it's
out
here
with
this
handy
tool
tip
and
then
once
you
actually
add
it
here,
MRR
shows
up
right
here
and
I
am
the
approver
in
this
approval
rule,
and
there
is
one
required
approval
now.
That
would
just
be
how
approval
rules
work,
but
in
this
case
the
important
thing
is
that
this
number
right
here
changes
according
to
the
results
of
a
security
report.
A
A
A
Here
is
a
overly
complicated
flowchart
for
all
the
conditions.
The
reason
I
want
to
touch
on
this
is
because
life
cycle
is,
we
need
to.
We
looked
at
different
ways.
We
could
set
up
this
gate
and
the
basic
idea
is
that
we
need
to
require
by
default.
So
if
your
pipeline
never
runs
the
default
stage
should
be
an
approval
is
required,
so
we
need
to
toggle
the
approval
state
off
at
the
end
of
the
pipeline
execution
rather
than
on
at
the
end
of
a
pipeline
execution.
A
So
in
the
case
of
a
high
severity
vulnerability,
there
are
two
directions:
one
is
opening
an
M
R
before
the
pipeline
finishes
and
the
other
one
is
opening
an
M
are
after
a
pipeline
finishes,
and
those
have
slightly
different
life
cycles,
but
high
severity
vulnerabilities
should
always
require
approval,
missing
vulnerability
report.
So
there's
no
report
at
all
that
should
also
require
approval,
low
severity
or
medium
severity
should
remove
the
approval
or
what
we
call
is
make
it
optional.
So
you
lower
the
approval,
is
required
count
and
an
empty
vulnerability
report
also
makes
approvals
optional.
A
So
this
is
important
because
we
wanted
to
understand
that
at
the
beginning,
when
you
start
a
pipeline,
if
an
approval
was
added
and
then
someone
changes
code,
we
need
to
reset
to
the
original
count.
So
there's
essentially
two
life
cycle
stages,
there's
sinking
to
the
original
state
and
then
there's
decrementing
the
approvals
required
if
necessary.
And
if
you
look
at
I'll
zoom
in
here
to
okay,
maybe
I
can't
zoom
in.
A
Assuming
people
can
read
this,
there's
two
slightly
different
paths
here
pipeline
finishes:
we
open
an
mr
when
we're
opening
an
mr.
We
copy
project
rules
to
the
mr
and
we
run
sync
report:
approver
approval
rules,
which
is
essentially
the
the
job
that
Cotton's
the
rules
and
then
sync
security
reports
to
report
approval
rules
which
syncs
the
approval
rules
to
the
contents
in
the
security
report.
A
C
D
A
That's
right,
there's
one
other
part
of
the
life
cycle
that
we
need
to
pay
attention
to
as
well,
which
is
when
you
delete
a
project
approval
rule
because
we're
again
we're
talking
about
the
two
data
models.
Here
we
have
project
rules
and
then
we
have
merge,
request
rules
and
this
first
worker
copies
the
project
rules
to
the
M
R.
A
So
if
you
delete
a
project
rule
should
that
task
agent
emerge
across,
we
said
yes,
although
that's
a
question
that
we
we
had
to
go
back
with
product
on
and
if
you
add
a
rule,
does
that
cascade
to
merge
across
as
well,
but
a
so
that's
what
these
two
extra
boxes
are
delete,
a
product
rule.
It
does
nothing,
so
it
doesn't
revoke
approvals
required
on
all
outstanding,
merge
across
and
then
over.
D
A
A
The
approval
rule
like
that
creates
parity
between
the
approval
project
rule
in
the
approval,
merge
request
rule
model
as
such
the
approval
rules
require
a
source
rule.
So
if
you're
a
merge
request
rule
here,
your
source
rule
will
be
where,
where
this
was
generated
from
it
will
be
the
project
rule.
Currently,
project
rules
have
no
source
rule,
but
it
could
make
sense
to
add
them
at
the
group
level
later
on.
A
A
This
executes
it
starts
it,
fires
off
and
it
basically
just
sinks
the
merge
across
to
the
pipeline.
Then
we
update
the
head
pipeline
for
merge
request
and
this
basically
says
what
shot
is
this
merge
across
point
and
it
links
it
to
the
pipeline
when
pushing
changes
to
a
branch
with
an
open?
Mr
then,
a
number
of
I
believe
18
workers
fire,
but
the
only
two
we
really
care
about
is
this
update,
merging
press
worker
and
update
head
pipeline,
and
this
only
occurs
for
openmrs.
So
this
is
why
this
part
is
important.
A
If
there
is
no
open,
mr
then
we
have
to
plug
into
a
different
point
to
actually
sync
I
say:
I've
merged
I
have
the
reefer
or
service
listed
here,
because
the
Refresh
service
is
really
what
handles
the
bulk
of
that
interaction
and
that's
the
same
thing
that
gets
fired
from
the
numerous
requests.
So,
let's
take
a
look
at
this
refresh
service.
A
Now
this
is
overriding
a
for
the
non
è
é
refresh
service.
We
don't
really
care
about
here,
but
we'll
just
look
at
it
quickly.
To
give
you
an
idea
of
what
this
is
doing,
refresh
merge
requests,
it
realized
my
do
cross
it
out
gates,
suggestions,
refreshes
pipelines
marks
pending
to
use
done
a
lot
of
just
standard
behavior.
For
what
happens
every
time
you
need
to
refresh
a
merge
request
from
a
code
change.
A
The
EE
version
is
the
one
that's
on
top
of
that
and
it
has
the
East
Pacific
behavior.
So
we
override
the
Refresh
merge,
request
service
that
main
method,
and
we
add
on
one
additional
behavior.
We
call
super,
we
update
the
approvers
and
then
we
reset
approvals
for
merging
quest
the
resetting
happens.
If
it's
a
new
merging
quest
or
if
it's
existing
one,
if
it's
new,
then
we
don't
care,
it
doesn't
really
do
anything,
and
if
it's
the
existing
one,
this
would
increase
the
approvers
required
back
to
what
whatever
the
approval
project
number
is.
A
A
With
approval
is
required
of
2
from
their
pipeline
runs
and
it
decreases.
The
approval
is
required
to
zero
because
there's
no
security
vulnerabilities
and
then
you
push
code
and
on
pushing
code.
It
caused
this
refresh
service,
which
resyncs
rules
and
resets
approval
is
required
to
so
that's
the
flow.
What
we're
talking
about
here.
A
So
what
we
do
is
we
grab
the
branch
name.
We
find
all
the
merger
quests
for
this
branch
and
these
would
be
siblings
from
our
current
merge
request.
If
there's
multiple,
then
we
need
to
sync
all
of
them.
Freeze
merge
requests.
We
find
the
target
project
because
this
merger
press
could
go
across
projects
and
then
we
reset
the
approvals
and
we
delete
all
existing
approvals
on
the
merger
quest
update,
Cooper's.
A
Murder
quest
for
source
branch,
so
fine
I'll,
merge
requests
for
the
source
branch.
We
sync
her
down
rolls
and
we
sync
what
we're
calling
report
approver
rules.
So
a
reporter
approvers
currently
is
all
security
report.
A
perverse,
but
it's
kind
of
a
generic
model
for,
like
I,
said
a
code
quality
or
another
report.
Approval
toad.
A
A
In
this
case,
all
we
care
has
a
report,
approver
scope,
and
then
we
find
the
report
approval
rule.
So
we
first
are
initialized
on
that,
and
this
would
vary
if
we
have
more
than
one
report
approver.
Currently
we
don't
and
we
update
it
with
the
standard
attributes
which
basically
says
reset
it
to
the
project
rules,
settings,
and
this
would
also
sink
it.
If
you
change
the
user
group,
the
users
or
groups
on
the
project
rule
during
the
sync,
it
would
read,
it
would
update
users,
the
groups
and
the
approval
is
required,
counts.
A
D
A
So
so
we
currently,
we
call
the
security
I
think
it
could
very
well
be
the
same.
It
could
be
a
security
type,
the
so
what
we
would
really
need
to
change
if
we
we
can
call
compliance
if
we
wanted
to
change
that,
but
this
worker
it's
should
sync
all
report
approver
rules,
regardless
of
what
they
are.
The
only
thing
is
this
part
is
currently
hard-coded,
so
we
should
change
that,
but
I
think
that
this
should
be
fairly
minimal
in
terms
of
the
change,
because
they're
just
they're
just
approval
straight.
A
So
so
there's
a
couple
things
in
in
one
case:
we
need
we
need
extra
behavior
to
occur,
and
so
we
haven't.
We
looked
at
a
rule
that
copyist
project
rules
to
merge
request,
but
we
haven't
yet
looked
at
the
service
that
lowers
the
approvals
required
count.
So
we
need
to
distinguish
the
rule
right
there,
but
the
other
one
is
this:
you
like
it's
pretty
complicated
here,
because
let
me
use
a
different
one.
So
here
here
is
a
plain
project
and.
A
Let
this
take
its
time
loading,
but
the
current
UI
remember
I
mentioned
that
fallback
rule,
so
I'll
just
use
the
screenshot.
Instead,
this
here
is
I.
They
call
it
a
fallback
rule,
it's
not
an
actual
rule.
So
if
you
change
this
number
right
here,
this
changes
a
thing
called
like
projects,
settings
approvals
required
count
and
it's
a
project
setting
and
if
you
change
this
number
you're
actually
creating
a
new
database
record.
A
So
we
need
a
way
to
render
this.
We
only
render
this
row
if
there
are
no
existing
regular
approval
rules,
and
this,
like
Sam,
was
getting
into
this,
because
this
is
kind
of
complicated.
What
you
need
to
do
is
you
say:
are
there
any
regular
rules,
if
not
render
this
row
if
there
are
render
those?
Are
there?
A
E
E
A
E
A
Originally,
there
wasn't
really
any
state
on
the
report
approval
rules,
so
we
have
a
lot
of
like
kind
of
scary
things
and
they're
like
looking
at
the
name,
vulnerability
check
and
determining
if
it's
a
security
rule
according
to
the
name.
That
is
just
like
a
lot
of
code
dead,
so
introducing
a
single
state
state
machine
seemed
like
the
the
most
explicit
way
of
showing
that
does.
That
answer.
Your
question
yeah.
A
The
sync
security
report-
super
rules
is
called
during
the
pipeline
life
cycle,
so
that's
occurs
right
here,
so
in
our
CI
pipeline,
when
the
status
transitions
to
a
completed
state.
This
is
the
same
place
that
we
sync
our
security
reports.
So
in
the
same
place
that
we
process
our
security
reports,
we
now
sync
our
reports
to
the
approval
rules
as
well,
and
since
this
occurs
on
all
states,
it
doesn't
need
the
default
branch
condition
that
we
currently
use.
A
There
there
is
a
possibility
of
that
part.
Part
of
the
part
of
the
design,
for
this
is
that
it's
always
secure
by
default.
So
any
condition
that
fails
to
sync.
The
reports
ensures
that
there
is
an
approval
by
default,
so
that
should
keep
things
safe
if
this
is
a
pipeline
completed,
but
the
security
report
here
was
not
done
processing
that
won't
really
affect
this
one.
Since
these
sync
security
reports
worker
a.