Legit-Labs / legitify

Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
https://legitify.dev
Apache License 2.0
770 stars, 63 forks

Unmet prerequisite: premium, but premium license is used #287

Closed rndmh3ro closed 10 months ago

rndmh3ro commented 10 months ago

TL;DR

Some checks are skipped because of Unmet prerequisite: premium.

We use GitLab self-hosted and have a premium license. However, the project I'm using legitify on shows a default plan.

Here's the namespace output (redacted):

> glab api /namespaces/34 | jq .
{
  "id": 34,
  "kind": "group",
  "parent_id": null,
  "plan": "default",
  "trial_ends_on": null,
  "trial": false
}

If I remove the premium-check from the rego-files, the checks work and show the correct result.

Expected behavior

The checks should not be skipped.

Observed behavior

No response

Version

from main branch

On which operating system are you using legitify?

Linux

Relevant log output

"missing_permissions": {},
  "skipped_policies": {
    "code_review_by_two_members_not_required": {
      "foo": "Unmet prerequisite: premium"
    },
Legitify Findings Summary:
+----+------------+--------------------------------+----------+--------+--------+---------+
| #  | Namespace  |             Policy             | Severity | Passed | Failed | Skipped |
+----+------------+--------------------------------+----------+--------+--------+---------+
| 1  | repository | Default Branch Should Require  | HIGH     | 0      | 0      | 1       |
|    |            | Code Review                    |          |        |        |         |
+----+------------+--------------------------------+----------+--------+--------+---------+

Additional information

No response

noamd-legit commented 10 months ago

Hi @rndmh3ro, thank you for opening this issue.

The test to check if the group is premium checks that the plan is not free, so it shouldn't be the reason for the results you see:

func (c *Client) IsGroupPremium(group *gitlab.Group) bool {
    // Look up the namespace plan for the group.
    plan, err := c.GroupPlan(group)
    if err != nil {
        // Lookup failed: fall back to "not premium".
        log.Printf("failed to get namespace for group %s %v", group.FullPath, err)
        return false
    }

    // Any plan other than "free" counts as premium.
    return plan != "free"
}

Please provide the error.log and permission.log from the legitify run.

rndmh3ro commented 10 months ago

Sure, here they are:

{
  "missing_permissions": {},
  "skipped_policies": {
    "code_review_by_two_members_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "code_review_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection_force_push": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "no_signed_commits": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_committer_approvals_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_overriding_approvers": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_dismiss_stale_reviews": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_require_code_owner_reviews_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    }
  }
}

{
  "missing_permissions": {},
  "skipped_policies": {
    "code_review_by_two_members_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "code_review_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection_force_push": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "no_signed_commits": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_committer_approvals_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_overriding_approvers": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_dismiss_stale_reviews": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_require_code_owner_reviews_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    }
  }
}

2024/01/08 08:57:24 2024/01/08 08:57:24 total entities for namespace repository: 1
2024/01/08 08:57:25 2024/01/08 08:57:25 couldn't find group example-group/subgroup
noamd-legit commented 10 months ago

Thanks! The error log captures the problem. Since we can't find the group, we can't determine if it is premium or not (by default, it is not).

Are you the admin of this group?

Could you add the output of this API call:

gitlab_api_endpoint.XX/groups?owned=true
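To make the failure mode in this thread concrete, here is an added Go example (not legitify's own code): a constructed namespace lookup in which one group cannot be found, the premium check as quoted above, and a variant that keeps "plan could not be determined" apart from "plan is free" in the skip reason. The names `groupPlans`, `lookupPlan`, `isGroupPremiumLegacy` and `skipReason` are my own.

```go
package main

import (
	"errors"
	"fmt"
)

// groupPlans is a constructed stand-in for the namespaces API: a group the
// token cannot see (like the subgroup in the error.log above) is simply absent.
var groupPlans = map[string]string{"example-group": "default", "free-group": "free"}

// lookupPlan behaves like a client that errors when the group is not found.
func lookupPlan(fullPath string) (string, error) {
	plan, ok := groupPlans[fullPath]
	if !ok {
		return "", errors.New("couldn't find group " + fullPath)
	}
	return plan, nil
}

// isGroupPremiumLegacy mirrors the check quoted above: any lookup error
// becomes "not premium", so a missing group and a free group look identical.
func isGroupPremiumLegacy(fullPath string) bool {
	plan, err := lookupPlan(fullPath)
	if err != nil {
		return false
	}
	return plan != "free"
}

// skipReason returns "" when a premium-only policy may run and otherwise names
// the cause, so a group the token cannot read is not reported as a license gap.
// The skip still happens (fail closed); only the explanation changes.
func skipReason(fullPath string) string {
	plan, err := lookupPlan(fullPath)
	if err != nil {
		return "Skipped: could not determine plan (" + err.Error() + ")"
	}
	if plan == "free" {
		return "Unmet prerequisite: premium"
	}
	return ""
}

func main() {
	fmt.Println(skipReason("example-group/subgroup"))
}
```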
rndmh3ro commented 10 months ago

This is the relevant group. I'm not an admin as far as I know. :)


  {
    "id": 34,
    "web_url": "https://git.example.com/groups/example-group",
    "name": "example-group",
    "path": "example-group",
    "description": "",
    "visibility": "private",
    "share_with_group_lock": false,
    "require_two_factor_authentication": false,
    "two_factor_grace_period": 48,
    "project_creation_level": "developer",
    "auto_devops_enabled": null,
    "subgroup_creation_level": "owner",
    "emails_disabled": false,
    "emails_enabled": true,
    "mentions_disabled": null,
    "lfs_enabled": true,
    "default_branch_protection": 2,
    "default_branch_protection_defaults": {
      "allowed_to_push": [
        {
          "access_level": 30
        }
      ],
      "allow_force_push": true,
      "allowed_to_merge": [
        {
          "access_level": 30
        }
      ]
    },
    "avatar_url": "https://git.example.com/uploads/-/system/group/avatar/34/example-group.png",
    "request_access_enabled": false,
    "full_name": "example-group",
    "full_path": "example-group",
    "created_at": "2019-07-09T10:33:41.438Z",
    "parent_id": null,
    "shared_runners_setting": "enabled",
    "ldap_cn": "----",
    "ldap_access": 50,
    "ldap_group_links": [
      {
        "cn": "----",
        "group_access": 50,
        "provider": "ldapmain",
        "filter": null
      },
      {
        "cn": "grp.example-group",
        "group_access": 50,
        "provider": "ldapmain",
        "filter": null
      },
      {
        "cn": "6008-all",
        "group_access": 20,
        "provider": "ldapmain",
        "filter": null
      },
      {
        "cn": null,
        "group_access": 20,
        "provider": "ldapmain",
        "filter": "(cn=fnu-cred-scan)"
      },
    ],
    "marked_for_deletion_on": null,
    "wiki_access_level": "enabled"
  },
noamd-legit commented 10 months ago

Thanks. It should be fixed in the main branch :)

rndmh3ro commented 10 months ago

Indeed it is, thanks! :)