Legit-Labs/legitify

Unmet prerequisite: premium, but premium license is used

rndmh3ro opened this issue · 6 comments

TL;DR

Some checks are skipped because of Unmet prerequisite: premium.

We use Gitlab self-hosted and have a premium license. However the project I'm using legitify at, shows a default-plan.

Here's the namespace output (redacted):

> glab api /namespaces/34 | jq .
{
  "id": 34,
  "kind": "group",
  "parent_id": null,
  "plan": "default",
  "trial_ends_on": null,
  "trial": false
}

If I remove the premium-check from the rego-files, the checks work and show the correct result.

Expected behavior

The checks should not be skipped.

Observed behavior

No response

Version

from main branch

On which operating system are you using legitify?

Linux

Relevant log output

"missing_permissions": {},
  "skipped_policies": {
    "code_review_by_two_members_not_required": {
      "foo": "Unmet prerequisite: premium"
    },
Legitify Findings Summary:
+----+------------+--------------------------------+----------+--------+--------+---------+
| #  | Namespace  |             Policy             | Severity | Passed | Failed | Skipped |
+----+------------+--------------------------------+----------+--------+--------+---------+
| 1  | repository | Default Branch Should Require  | HIGH     | 0      | 0      | 1       |
|    |            | Code Review                    |          |        |        |         |
+----+------------+--------------------------------+----------+--------+--------+---------+

Additional information

No response

Hi @rndmh3ro, thank you for opening this issue.

The test to check if the group is premium checks that the plan is not free, so it shouldn't be the reason for the results you see:

func (c *Client) IsGroupPremium(group *gitlab.Group) bool {
	plan, err := c.GroupPlan(group)
	if err != nil {
		log.Printf("failed to get namespace for group %s %v", group.FullPath, err)
		return false
	}

	return plan != "free"
}

Please provide the error.log and permission.log from the legitify run

Sure, here they are:

{
  "missing_permissions": {},
  "skipped_policies": {
    "code_review_by_two_members_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "code_review_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection_force_push": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "no_signed_commits": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_committer_approvals_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_overriding_approvers": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_dismiss_stale_reviews": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_require_code_owner_reviews_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    }
  }
}{
  "missing_permissions": {},
  "skipped_policies": {
    "code_review_by_two_members_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "code_review_not_required": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "missing_default_branch_protection_force_push": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "no_signed_commits": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_committer_approvals_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_allows_overriding_approvers": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_dismiss_stale_reviews": {
      "repo-azure": "Unmet prerequisite: premium"
    },
    "repository_require_code_owner_reviews_policy": {
      "repo-azure": "Unmet prerequisite: premium"
    }
  }

2024/01/08 08:57:24 2024/01/08 08:57:24 total entities for namespace repository: 1
2024/01/08 08:57:25 2024/01/08 08:57:25 couldn't find group example-group/subgroup

Thanks!
The error log captures the problem. Since we can find the group, we cant determine if it is premium or not (by default, it is not)

Are you the admin of this group?

Could you add the output this API call:

gitlab_api_endpoint.XX/groups?owned=true

This is the relevant group. I'm not admin as far as I know. :)

  {
    "id": 34,
    "web_url": "https://git.example.com/groups/example-group",
    "name": "example-group",
    "path": "example-group",
    "description": "",
    "visibility": "private",
    "share_with_group_lock": false,
    "require_two_factor_authentication": false,
    "two_factor_grace_period": 48,
    "project_creation_level": "developer",
    "auto_devops_enabled": null,
    "subgroup_creation_level": "owner",
    "emails_disabled": false,
    "emails_enabled": true,
    "mentions_disabled": null,
    "lfs_enabled": true,
    "default_branch_protection": 2,
    "default_branch_protection_defaults": {
      "allowed_to_push": [
        {
          "access_level": 30
        }
      ],
      "allow_force_push": true,
      "allowed_to_merge": [
        {
          "access_level": 30
        }
      ]
    },
    "avatar_url": "https://git.example.com/uploads/-/system/group/avatar/34/example-group.png",
    "request_access_enabled": false,
    "full_name": "example-group",
    "full_path": "example-group",
    "created_at": "2019-07-09T10:33:41.438Z",
    "parent_id": null,
    "shared_runners_setting": "enabled",
    "ldap_cn": "----",
    "ldap_access": 50,
    "ldap_group_links": [
      {
        "cn": "----",
        "group_access": 50,
        "provider": "ldapmain",
        "filter": null
      },
      {
        "cn": "grp.example-group",
        "group_access": 50,
        "provider": "ldapmain",
        "filter": null
      },
      {
        "cn": "6008-all",
        "group_access": 20,
        "provider": "ldapmain",
        "filter": null
      },
      {
        "cn": null,
        "group_access": 20,
        "provider": "ldapmain",
        "filter": "(cn=fnu-cred-scan)"
      },
    ],
    "marked_for_deletion_on": null,
    "wiki_access_level": "enabled"
  },
``

Thanks. It should be fixed in the main branch :)

Indeed it is, thanks! :)