Commit 705218f2 authored by Alexander Turinske's avatar Alexander Turinske

Remove orchestration policies feature flag

- remove :security_orchestration_policies_configuration
  feature flag
- update tests

Changelog: changed
EE: true
parent bffcb1df
---
name: security_orchestration_policies_configuration
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54220
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321258
milestone: '13.9'
type: development
group: group::container security
default_enabled: true
...@@ -8,11 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -8,11 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10. Deployed behind a feature flag, disabled by default. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10. Deployed behind a feature flag, disabled by default.
> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.3. > - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.3.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in GitLab 14.4.
FLAG:
On self-managed GitLab, by default this feature is available. To hide the feature,
ask an administrator to [disable the `security_orchestration_policies_configuration` flag](../../../administration/feature_flags.md).
On GitLab.com, this feature is available.
Policies in GitLab provide security teams a way to require scans of their choice to be run Policies in GitLab provide security teams a way to require scans of their choice to be run
whenever a project pipeline runs according to the configuration specified. Security teams can whenever a project pipeline runs according to the configuration specified. Security teams can
......
...@@ -8,11 +8,6 @@ module Projects ...@@ -8,11 +8,6 @@ module Projects
before_action :authorize_security_orchestration_policies! before_action :authorize_security_orchestration_policies!
before_action :validate_policy_configuration, only: :edit before_action :validate_policy_configuration, only: :edit
before_action do
push_frontend_feature_flag(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
check_feature_flag!
end
feature_category :security_orchestration feature_category :security_orchestration
def index def index
...@@ -89,10 +84,6 @@ module Projects ...@@ -89,10 +84,6 @@ module Projects
def policy_configuration def policy_configuration
@policy_configuration ||= project.security_orchestration_policy_configuration @policy_configuration ||= project.security_orchestration_policy_configuration
end end
def check_feature_flag!
render_404 if Feature.disabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
end end
end end
end end
...@@ -23,7 +23,6 @@ module Mutations ...@@ -23,7 +23,6 @@ module Mutations
def resolve(args) def resolve(args)
project = authorized_find!(args[:project_path]) project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
policy_project = find_policy_project(args[:security_policy_project_id]) policy_project = find_policy_project(args[:security_policy_project_id])
raise_resource_not_available_error! unless policy_project.present? raise_resource_not_available_error! unless policy_project.present?
...@@ -43,10 +42,6 @@ module Mutations ...@@ -43,10 +42,6 @@ module Mutations
::Gitlab::Graphql::Lazy.force(GitlabSchema.object_from_id(id, expected_type: Project)) ::Gitlab::Graphql::Lazy.force(GitlabSchema.object_from_id(id, expected_type: Project))
end end
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def assign_project(project, policy_project) def assign_project(project, policy_project)
::Security::Orchestration::AssignService ::Security::Orchestration::AssignService
.new(project, current_user, policy_project_id: policy_project.id) .new(project, current_user, policy_project_id: policy_project.id)
......
...@@ -31,7 +31,6 @@ module Mutations ...@@ -31,7 +31,6 @@ module Mutations
def resolve(args) def resolve(args)
project = authorized_find!(args[:project_path]) project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
result = commit_policy(project, args[:policy_yaml], args[:operation_mode]) result = commit_policy(project, args[:policy_yaml], args[:operation_mode])
error_message = result[:status] == :error ? result[:message] : nil error_message = result[:status] == :error ? result[:message] : nil
...@@ -44,10 +43,6 @@ module Mutations ...@@ -44,10 +43,6 @@ module Mutations
private private
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def commit_policy(project, policy_yaml, operation_mode) def commit_policy(project, policy_yaml, operation_mode)
::Security::SecurityOrchestrationPolicies::PolicyCommitService ::Security::SecurityOrchestrationPolicies::PolicyCommitService
.new(project: project, current_user: current_user, params: { policy_yaml: policy_yaml, operation: Types::MutationOperationModeEnum.enum.key(operation_mode).to_sym }) .new(project: project, current_user: current_user, params: { policy_yaml: policy_yaml, operation: Types::MutationOperationModeEnum.enum.key(operation_mode).to_sym })
......
...@@ -21,7 +21,6 @@ module Mutations ...@@ -21,7 +21,6 @@ module Mutations
def resolve(args) def resolve(args)
project = authorized_find!(args[:project_path]) project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
result = create_project(project) result = create_project(project)
...@@ -35,10 +34,6 @@ module Mutations ...@@ -35,10 +34,6 @@ module Mutations
private private
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def create_project(project) def create_project(project)
::Security::SecurityOrchestrationPolicies::ProjectCreateService ::Security::SecurityOrchestrationPolicies::ProjectCreateService
.new(project: project, current_user: current_user) .new(project: project, current_user: current_user)
......
...@@ -10,7 +10,7 @@ module Resolvers ...@@ -10,7 +10,7 @@ module Resolvers
alias_method :project, :object alias_method :project, :object
def resolve(**args) def resolve(**args)
return [] unless enabled_and_valid? return [] unless valid?
authorize! authorize!
...@@ -37,8 +37,8 @@ module Resolvers ...@@ -37,8 +37,8 @@ module Resolvers
@policy_configuration ||= project.security_orchestration_policy_configuration @policy_configuration ||= project.security_orchestration_policy_configuration
end end
def enabled_and_valid? def valid?
policy_configuration.present? && policy_configuration.enabled? && policy_configuration.policy_configuration_valid? policy_configuration.present? && policy_configuration.policy_configuration_valid?
end end
end end
end end
...@@ -26,8 +26,6 @@ module Security ...@@ -26,8 +26,6 @@ module Security
end end
def active_scan_execution_policies def active_scan_execution_policies
return [] unless enabled?
scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT) scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT)
end end
......
...@@ -28,10 +28,6 @@ module Security ...@@ -28,10 +28,6 @@ module Security
self.exists?(security_policy_management_project_id: project_id) self.exists?(security_policy_management_project_id: project_id)
end end
def enabled?
::Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def policy_hash def policy_hash
strong_memoize(:policy_hash) do strong_memoize(:policy_hash) do
next if policy_blob.blank? next if policy_blob.blank?
......
...@@ -65,8 +65,6 @@ module EE ...@@ -65,8 +65,6 @@ module EE
return unless security_policy_target_project_id.present? return unless security_policy_target_project_id.present?
if (security_policy_target_project = ::Project.find(security_policy_target_project_id)) if (security_policy_target_project = ::Project.find(security_policy_target_project_id))
return unless ::Feature.enabled?(:security_orchestration_policies_configuration, security_policy_target_project, default_enabled: :yaml)
::Security::Orchestration::AssignService ::Security::Orchestration::AssignService
.new(security_policy_target_project, current_user, policy_project_id: project.id) .new(security_policy_target_project, current_user, policy_project_id: project.id)
.execute .execute
......
...@@ -20,8 +20,6 @@ module Security ...@@ -20,8 +20,6 @@ module Security
attr_reader :policy_configuration, :policy_index, :policy attr_reader :policy_configuration, :policy_index, :policy
def create_new_schedule_rules def create_new_schedule_rules
return unless policy_configuration.enabled?
policy[:rules].each_with_index do |rule, rule_index| policy[:rules].each_with_index do |rule, rule_index|
next if rule[:type] != Security::ScanExecutionPolicy::RULE_TYPES[:schedule] next if rule[:type] != Security::ScanExecutionPolicy::RULE_TYPES[:schedule]
......
...@@ -13,7 +13,7 @@ module EE ...@@ -13,7 +13,7 @@ module EE
override :perform! override :perform!
def perform! def perform!
return unless project&.feature_available?(:security_orchestration_policies) return unless project&.feature_available?(:security_orchestration_policies)
return unless security_orchestration_policy_configuration&.enabled? return unless security_orchestration_policy_configuration
if !security_orchestration_policy_configuration.policy_configuration_exists? if !security_orchestration_policy_configuration.policy_configuration_exists?
warning(_('scan-execution-policy: policy not applied, %{policy_path} file is missing') % { policy_path: ::Security::OrchestrationPolicyConfiguration::POLICY_PATH }) warning(_('scan-execution-policy: policy not applied, %{policy_path} file is missing') % { policy_path: ::Security::OrchestrationPolicyConfiguration::POLICY_PATH })
......
...@@ -143,8 +143,7 @@ module EE ...@@ -143,8 +143,7 @@ module EE
end end
def scan_policies_menu_item def scan_policies_menu_item
if ::Feature.disabled?(:security_orchestration_policies_configuration, context.project, default_enabled: :yaml) || unless can?(context.current_user, :security_orchestration_policies, context.project)
!can?(context.current_user, :security_orchestration_policies, context.project)
return ::Sidebars::NilMenuItem.new(item_id: :scan_policies) return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
end end
......
...@@ -15,8 +15,7 @@ module Gitlab ...@@ -15,8 +15,7 @@ module Gitlab
def perform def perform
return @config unless project&.feature_available?(:security_orchestration_policies) return @config unless project&.feature_available?(:security_orchestration_policies)
return @config unless security_orchestration_policy_configuration&.enabled? return @config unless security_orchestration_policy_configuration&.policy_configuration_valid?
return @config unless security_orchestration_policy_configuration.policy_configuration_valid?
return @config unless extend_configuration? return @config unless extend_configuration?
merged_config = @config merged_config = @config
......
...@@ -16,10 +16,9 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do ...@@ -16,10 +16,9 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
subject { mutation.resolve(project_path: project.full_path, security_policy_project_id: policy_project_id) } subject { mutation.resolve(project_path: project.full_path, security_policy_project_id: policy_project_id) }
context 'when feature is enabled and permission is set for user' do context 'when permission is set for user' do
before do before do
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end end
context 'when user is an owner of the project' do context 'when user is an owner of the project' do
...@@ -53,17 +52,6 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do ...@@ -53,17 +52,6 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
end end
end end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when feature is not licensed' do context 'when feature is not licensed' do
before do before do
stub_licensed_features(security_orchestration_policies: false) stub_licensed_features(security_orchestration_policies: false)
......
...@@ -14,12 +14,11 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do ...@@ -14,12 +14,11 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) } subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }
context 'when feature is enabled and permission is set for user' do context 'when permission is set for user' do
before do before do
project.add_maintainer(user) project.add_maintainer(user)
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end end
it 'returns branch name' do it 'returns branch name' do
...@@ -30,17 +29,6 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do ...@@ -30,17 +29,6 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
end end
end end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when permission is not enabled' do context 'when permission is not enabled' do
before do before do
stub_licensed_features(security_orchestration_policies: false) stub_licensed_features(security_orchestration_policies: false)
......
...@@ -13,10 +13,9 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do ...@@ -13,10 +13,9 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do
subject { mutation.resolve(project_path: project.full_path) } subject { mutation.resolve(project_path: project.full_path) }
context 'when feature is enabled and permission is set for user' do context 'when permission is set for user' do
before do before do
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end end
context 'when user is an owner of the project' do context 'when user is an owner of the project' do
...@@ -43,17 +42,6 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do ...@@ -43,17 +42,6 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do
end end
end end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when feature is not licensed' do context 'when feature is not licensed' do
before do before do
stub_licensed_features(security_orchestration_policies: false) stub_licensed_features(security_orchestration_policies: false)
......
...@@ -62,16 +62,6 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do ...@@ -62,16 +62,6 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
expect { resolve_scan_policies }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) expect { resolve_scan_policies }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end end
end end
context 'when feature flag is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'returns empty list' do
expect(resolve_scan_policies).to eq([])
end
end
end end
end end
end end
...@@ -67,77 +67,61 @@ RSpec.describe Gitlab::Ci::Config do ...@@ -67,77 +67,61 @@ RSpec.describe Gitlab::Ci::Config do
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
end end
context 'when feature is not enabled' do context 'when policy is not applicable on branch from the pipeline' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not modify the config' do it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] }) expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
end end
end end
context 'when feature is enabled' do context 'when policy is not applicable on branch from the pipeline' do
before do let_it_be(:ref) { 'refs/heads/production' }
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when policy is not applicable on branch from the pipeline' do context 'when DAST profiles are not found' do
it 'does not modify the config' do it 'adds a job with error message' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] }) expect(config.to_hash).to eq(
sample_job: { script: ["echo 'test'"] },
'dast-on-demand-0': { allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' }
)
end end
end end
context 'when policy is not applicable on branch from the pipeline' do context 'when DAST profiles are found' do
let_it_be(:ref) { 'refs/heads/production' } let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
context 'when DAST profiles are not found' do
it 'adds a job with error message' do let(:expected_configuration) do
expect(config.to_hash).to eq( {
sample_job: { script: ["echo 'test'"] }, sample_job: {
'dast-on-demand-0': { allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' } script: ["echo 'test'"]
) },
end 'dast-on-demand-0': {
end stage: 'dast',
image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
context 'when DAST profiles are found' do variables: {
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') } DAST_VERSION: 2,
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') } SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
GIT_STRATEGY: 'none'
let(:expected_configuration) do
{
sample_job: {
script: ["echo 'test'"]
}, },
'dast-on-demand-0': { allow_failure: true,
stage: 'dast', script: ['/analyze'],
image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' }, artifacts: { reports: { dast: 'gl-dast-report.json' } },
variables: { dast_configuration: {
DAST_VERSION: 2, site_profile: dast_site_profile.name,
SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix, scanner_profile: dast_scanner_profile.name
GIT_STRATEGY: 'none'
},
allow_failure: true,
script: ['/analyze'],
artifacts: { reports: { dast: 'gl-dast-report.json' } },
dast_configuration: {
site_profile: dast_site_profile.name,
scanner_profile: dast_scanner_profile.name
}
} }
} }
end }
end
it 'extends config with additional jobs' do it 'extends config with additional jobs' do
expect(config.to_hash).to include(expected_configuration) expect(config.to_hash).to include(expected_configuration)
end end
context 'when source is ondemand_dast_scan' do context 'when source is ondemand_dast_scan' do
let(:source) { 'ondemand_dast_scan' } let(:source) { 'ondemand_dast_scan' }
it 'does not modify the config' do it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] }) expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
end
end end
end end
end end
......
...@@ -54,62 +54,44 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::SecurityOrchestrationPolic ...@@ -54,62 +54,44 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::SecurityOrchestrationPolic
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
end end
context 'when policy is disabled' do context 'when policy file is missing' do
before do before do
allow(security_orchestration_policy_configuration).to receive(:enabled?).and_return(false) allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(false)
end end
it 'does not return warning' do it 'returns warning' do
step.perform! step.perform!
expect(warning_messages).to be_empty expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is missing')
end end
end end
context 'when policy is enabled' do context 'when policy file is present' do
before do before do
allow(security_orchestration_policy_configuration).to receive(:enabled?).and_return(true) allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(true)
end end
context 'when policy file is missing' do context 'when policy file is invalid' do
before do before do
allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(false) allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(false)
end end
it 'returns warning' do it 'returns warning' do
step.perform! step.perform!
expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is missing') expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is invalid')
end end
end end
context 'when policy file is present' do context 'when policy file is valid' do
before do before do
allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(true) allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(true)
end end
context 'when policy file is invalid' do it 'does not return warning' do
before do step.perform!
allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(false)
end
it 'returns warning' do
step.perform!
expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is invalid')
end
end
context 'when policy file is valid' do
before do
allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(true)
end
it 'does not return warning' do
step.perform!
expect(warning_messages).to be_empty expect(warning_messages).to be_empty
end
end end
end end
end end
......
...@@ -196,27 +196,16 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do ...@@ -196,27 +196,16 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
describe 'Policies' do describe 'Policies' do
let(:item_id) { :scan_policies } let(:item_id) { :scan_policies }
context 'when feature flag :security_orchestration_policies_configuration is enabled' do before do
before do stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true) end
stub_licensed_features(security_orchestration_policies: true)
end
context 'when user can access policies tab' do
it { is_expected.not_to be_nil }
end
context 'when user cannot access policies tab' do
let(:user) { nil }
it { is_expected.to be_nil } context 'when user can access policies tab' do
end it { is_expected.not_to be_nil }
end end
context 'when feature flag :security_orchestration_policies_configuration is disabled' do context 'when user cannot access policies tab' do
before do let(:user) { nil }
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
......
...@@ -68,117 +68,101 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -68,117 +68,101 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
end end
context 'when feature is not enabled' do context 'when policy is not applicable on branch from the pipeline' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not modify the config' do it 'does not modify the config' do
expect(subject).to eq(config) expect(subject).to eq(config)
end end
end end
context 'when feature is enabled' do context 'when ref is a tag' do
before do let_it_be(:ref) { 'refs/tags/v1.1.0' }
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when policy is not applicable on branch from the pipeline' do it 'does not modify the config' do
it 'does not modify the config' do expect(subject).to eq(config)
expect(subject).to eq(config)
end
end end
end
context 'when ref is a tag' do context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'refs/tags/v1.1.0' } let_it_be(:ref) { 'refs/heads/production' }
context 'when DAST profiles are not found' do
it 'does not modify the config' do it 'does not modify the config' do
expect(subject).to eq(config) expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' })
end end
end end
context 'when policy is not applicable on branch from the pipeline' do it_behaves_like 'with pipeline source applicable for CI'
let_it_be(:ref) { 'refs/heads/production' } it_behaves_like 'when policy is invalid'
context 'when DAST profiles are not found' do context 'when DAST profiles are found' do
it 'does not modify the config' do let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' }) let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
end
end it_behaves_like 'with different scan type' do
let(:expected_configuration) do
it_behaves_like 'with pipeline source applicable for CI' {
it_behaves_like 'when policy is invalid' image: 'ruby:3.0.1',
'dast-on-demand-0': {
context 'when DAST profiles are found' do stage: 'dast',
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') } image: {
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') } name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION'
},
it_behaves_like 'with different scan type' do variables: {
let(:expected_configuration) do DAST_VERSION: 2,
{ SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
image: 'ruby:3.0.1', GIT_STRATEGY: 'none'
'dast-on-demand-0': { },
stage: 'dast', allow_failure: true,
image: { script: ['/analyze'],
name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' artifacts: {
}, reports: {
variables: { dast: 'gl-dast-report.json'
DAST_VERSION: 2,
SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
GIT_STRATEGY: 'none'
},
allow_failure: true,
script: ['/analyze'],
artifacts: {
reports: {
dast: 'gl-dast-report.json'
}
},
dast_configuration: {
site_profile: dast_site_profile.name,
scanner_profile: dast_scanner_profile.name
} }
},
dast_configuration: {
site_profile: dast_site_profile.name,
scanner_profile: dast_scanner_profile.name
} }
} }
end }
end end
it_behaves_like 'with pipeline source applicable for CI'
it_behaves_like 'when policy is invalid'
end end
context 'when scan type is secret_detection' do it_behaves_like 'with pipeline source applicable for CI'
it_behaves_like 'with different scan type' do it_behaves_like 'when policy is invalid'
let(:expected_configuration) do end
{
'secret-detection-0': { context 'when scan type is secret_detection' do
rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }], it_behaves_like 'with different scan type' do
script: let(:expected_configuration) do
['if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi', {
'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi', 'secret-detection-0': {
'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME', rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt', script:
'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt', ['if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi',
'/analyzer run', 'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi',
'rm "$CI_COMMIT_SHA"_commit_list.txt'], 'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME',
stage: 'test', 'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt',
image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION', 'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt',
services: [], '/analyzer run',
allow_failure: true, 'rm "$CI_COMMIT_SHA"_commit_list.txt'],
artifacts: { stage: 'test',
reports: { image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
secret_detection: 'gl-secret-detection-report.json' services: [],
} allow_failure: true,
}, artifacts: {
variables: { reports: {
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers', secret_detection: 'gl-secret-detection-report.json'
SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false'
} }
},
variables: {
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false'
} }
} }
end }
end end
end end
end end
......
...@@ -81,26 +81,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -81,26 +81,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end end
end end
describe '#enabled?' do
subject { security_orchestration_policy_configuration.enabled? }
context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
it { is_expected.to eq(true) }
end
context 'when feature is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it { is_expected.to eq(false) }
end
end
describe '#policy_configuration_exists?' do describe '#policy_configuration_exists?' do
subject { security_orchestration_policy_configuration.policy_configuration_exists? } subject { security_orchestration_policy_configuration.policy_configuration_exists? }
...@@ -216,16 +196,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -216,16 +196,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
it 'returns only enabled policies' do it 'returns only enabled policies' do
expect(active_scan_execution_policies).to eq(expected_active_policies) expect(active_scan_execution_policies).to eq(expected_active_policies)
end end
context 'when feature is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'returns empty array' do
expect(active_scan_execution_policies).to eq([])
end
end
end end
describe '#on_demand_scan_actions' do describe '#on_demand_scan_actions' do
......
...@@ -25,21 +25,6 @@ RSpec.describe 'Create scan execution policy for a project' do ...@@ -25,21 +25,6 @@ RSpec.describe 'Create scan execution policy for a project' do
graphql_mutation_response(:scan_execution_policy_commit) graphql_mutation_response(:scan_execution_policy_commit)
end end
context 'when feature is disabled' do
before do
project.add_maintainer(current_user)
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not create branch' do
post_graphql_mutation(mutation, current_user: current_user)
expect(graphql_errors).to include(a_hash_including('message' => 'Feature disabled'))
end
end
context 'when security_orchestration_policies_configuration already exists for project' do context 'when security_orchestration_policies_configuration already exists for project' do
let_it_be(:security_policy_management_project) { create(:project, :repository, namespace: current_user.namespace) } let_it_be(:security_policy_management_project) { create(:project, :repository, namespace: current_user.namespace) }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: security_policy_management_project) } let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: security_policy_management_project) }
...@@ -49,7 +34,6 @@ RSpec.describe 'Create scan execution policy for a project' do ...@@ -49,7 +34,6 @@ RSpec.describe 'Create scan execution policy for a project' do
security_policy_management_project.add_developer(current_user) security_policy_management_project.add_developer(current_user)
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end end
it 'creates a branch with commit' do it 'creates a branch with commit' do
......
...@@ -13,13 +13,11 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do ...@@ -13,13 +13,11 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
let_it_be(:index) { project_security_policies_url(project) } let_it_be(:index) { project_security_policies_url(project) }
let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) } let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }
let_it_be(:new) { new_project_security_policy_url(project) } let_it_be(:new) { new_project_security_policy_url(project) }
let_it_be(:feature_enabled) { true } let_it_be(:feature_enabled) { true }
before do before do
project.add_developer(user) project.add_developer(user)
sign_in(user) sign_in(user)
stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
stub_licensed_features(security_orchestration_policies: feature_enabled) stub_licensed_features(security_orchestration_policies: feature_enabled)
allow_next_instance_of(Repository) do |repository| allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml) allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
...@@ -205,18 +203,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do ...@@ -205,18 +203,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
describe 'GET #new' do describe 'GET #new' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:feature_flag, :license, :status) do where(:license, :status) do
true | true | :ok true | :ok
false | false | :not_found false | :not_found
false | true | :not_found
true | false | :not_found
end end
subject(:request) { get new, params: { namespace_id: project.namespace, project_id: project } } subject(:request) { get new, params: { namespace_id: project.namespace, project_id: project } }
with_them do with_them do
before do before do
stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
stub_licensed_features(security_orchestration_policies: license) stub_licensed_features(security_orchestration_policies: license)
end end
...@@ -231,18 +226,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do ...@@ -231,18 +226,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
describe 'GET #index' do describe 'GET #index' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:feature_flag, :license, :status) do where(:license, :status) do
true | true | :ok true | :ok
false | false | :not_found false | :not_found
false | true | :not_found
true | false | :not_found
end end
subject(:request) { get index, params: { namespace_id: project.namespace, project_id: project } } subject(:request) { get index, params: { namespace_id: project.namespace, project_id: project } }
with_them do with_them do
before do before do
stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
stub_licensed_features(security_orchestration_policies: license) stub_licensed_features(security_orchestration_policies: license)
end end
......
...@@ -363,38 +363,13 @@ RSpec.describe Projects::CreateService, '#execute' do ...@@ -363,38 +363,13 @@ RSpec.describe Projects::CreateService, '#execute' do
before do before do
opts[:security_policy_target_project_id] = security_policy_target_project.id opts[:security_policy_target_project_id] = security_policy_target_project.id
stub_licensed_features(security_orchestration_policies: feature_enabled) stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
end end
context 'when feature flag is enabled globally' do it 'creates security policy configuration for the project' do
let_it_be(:feature_enabled) { true } expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
it 'creates security policy configuration for the project' do create_project(user, opts)
expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
create_project(user, opts)
end
end
context 'when feature flag is disabled globally' do
let_it_be(:feature_enabled) { false }
it 'does not create security policy configuration' do
expect(::Security::Orchestration::AssignService).not_to receive(:new)
create_project(user, opts)
end
end
context 'when feature flag is enabled only for target project' do
let_it_be(:feature_enabled) { security_policy_target_project }
it 'creates security policy configuration' do
expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
create_project(user, opts)
end
end end
end end
......
...@@ -27,7 +27,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do ...@@ -27,7 +27,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
allow(policy_configuration).to receive(:policy_last_updated_by).and_return(owner) allow(policy_configuration).to receive(:policy_last_updated_by).and_return(owner)
end end
context 'when security_orchestration_policies_configuration feature is enabled and policy is scheduled' do context 'when security_orchestration_policies_configuration policy is scheduled' do
it 'creates new schedule' do it 'creates new schedule' do
service.execute service.execute
...@@ -40,17 +40,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do ...@@ -40,17 +40,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
end end
end end
context 'when security_orchestration_policies_configuration feature is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'deletes schedules' do
expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1)
expect(policy_configuration.configured_at).not_to be_nil
end
end
context 'when policy is not of type scheduled' do context 'when policy is not of type scheduled' do
let(:policy) { build(:scan_execution_policy) } let(:policy) { build(:scan_execution_policy) }
......
...@@ -7,7 +7,6 @@ RSpec.describe "projects/security/policies/index", type: :view do ...@@ -7,7 +7,6 @@ RSpec.describe "projects/security/policies/index", type: :view do
let(:project) { create(:project) } let(:project) { create(:project) }
before do before do
stub_feature_flags(security_orchestration_policies_configuration: true)
sign_in(user) sign_in(user)
render template: 'projects/security/policies/index', locals: { project: project } render template: 'projects/security/policies/index', locals: { project: project }
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment