Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
7846c3b1
Commit
7846c3b1
authored
Oct 11, 2021
by
Zamir Martins
Committed by
Heinrich Lee Yu
Oct 11, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Create approval project rules
parent
f410d5e9
Changes
9
Show whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
146 additions
and
44 deletions
+146
-44
ee/app/models/approval_project_rule.rb
ee/app/models/approval_project_rule.rb
+21
-6
ee/app/models/ee/project.rb
ee/app/models/ee/project.rb
+1
-1
ee/app/services/security/security_orchestration_policies/process_rule_service.rb
...y/security_orchestration_policies/process_rule_service.rb
+0
-1
ee/app/workers/security/create_orchestration_policy_worker.rb
...pp/workers/security/create_orchestration_policy_worker.rb
+11
-0
ee/spec/factories/approval_rules.rb
ee/spec/factories/approval_rules.rb
+6
-0
ee/spec/models/approval_project_rule_spec.rb
ee/spec/models/approval_project_rule_spec.rb
+4
-3
ee/spec/models/project_spec.rb
ee/spec/models/project_spec.rb
+8
-0
ee/spec/services/security/security_orchestration_policies/process_rule_service_spec.rb
...urity_orchestration_policies/process_rule_service_spec.rb
+0
-2
ee/spec/workers/security/create_orchestration_policy_worker_spec.rb
...rkers/security/create_orchestration_policy_worker_spec.rb
+95
-31
No files found.
ee/app/models/approval_project_rule.rb
View file @
7846c3b1
...
...
@@ -20,6 +20,8 @@ class ApprovalProjectRule < ApplicationRecord
any_approver:
3
}
scope
:report_approver_without_scan_finding
,
->
{
report_approver
.
where
.
not
(
report_type: :scan_finding
)
}
alias_method
:code_owner
,
:code_owner?
validate
:validate_default_license_report_name
,
on: :update
,
if: :report_approver?
...
...
@@ -50,11 +52,8 @@ class ApprovalProjectRule < ApplicationRecord
end
def
apply_report_approver_rules_to
(
merge_request
)
rule
=
merge_request
.
approval_rules
.
report_approver
.
find_or_initialize_by
(
report_type:
report_type
)
rule
.
update!
(
attributes_to_apply_for
(
report_type
))
rule
=
merge_request_report_approver_rule
(
merge_request
)
rule
.
update!
(
report_approver_attributes
)
rule
end
...
...
@@ -68,7 +67,7 @@ class ApprovalProjectRule < ApplicationRecord
private
def
attributes_to_apply_for
(
report_type
)
def
report_approver_attributes
attributes
.
slice
(
'approvals_required'
,
'name'
)
.
merge
(
...
...
@@ -86,4 +85,20 @@ class ApprovalProjectRule < ApplicationRecord
errors
.
add
(
:name
,
_
(
"cannot be modified"
))
end
def
merge_request_report_approver_rule
(
merge_request
)
if
scan_finding?
merge_request
.
approval_rules
.
report_approver
.
joins
(
:approval_merge_request_rule_source
)
.
where
(
approval_merge_request_rule_source:
{
approval_project_rule_id:
self
.
id
})
.
first_or_initialize
else
merge_request
.
approval_rules
.
report_approver
.
find_or_initialize_by
(
report_type:
report_type
)
end
end
end
ee/app/models/ee/project.rb
View file @
7846c3b1
...
...
@@ -510,7 +510,7 @@ module EE
def
visible_approval_rules
(
target_branch:
nil
)
rules
=
strong_memoize
(
:visible_approval_rules
)
do
Hash
.
new
do
|
h
,
key
|
h
[
key
]
=
visible_user_defined_rules
(
branch:
key
)
+
approval_rules
.
report_approver
h
[
key
]
=
visible_user_defined_rules
(
branch:
key
)
+
approval_rules
.
report_approver
_without_scan_finding
end
end
...
...
ee/app/services/security/security_orchestration_policies/process_rule_service.rb
View file @
7846c3b1
...
...
@@ -12,7 +12,6 @@ module Security
def
execute
policy_configuration
.
delete_all_schedules
create_new_schedule_rules
policy_configuration
.
update!
(
configured_at:
Time
.
current
)
end
private
...
...
ee/app/workers/security/create_orchestration_policy_worker.rb
View file @
7846c3b1
...
...
@@ -25,6 +25,17 @@ module Security
.
new
(
policy_configuration:
configuration
,
policy_index:
policy_index
,
policy:
policy
)
.
execute
end
configuration
.
transaction
do
configuration
.
approval_rules
.
scan_finding
.
delete_all
configuration
.
active_scan_result_policies
.
each
do
|
policy
|
Security
::
SecurityOrchestrationPolicies
::
ProcessScanResultPolicyService
.
new
(
policy_configuration:
configuration
,
policy:
policy
)
.
execute
end
end
configuration
.
update!
(
configured_at:
Time
.
current
)
end
end
end
...
...
ee/spec/factories/approval_rules.rb
View file @
7846c3b1
...
...
@@ -79,5 +79,11 @@ FactoryBot.define do
rule_type
{
:report_approver
}
report_type
{
:code_coverage
}
end
trait
:scan_finding
do
sequence
(
:name
)
{
|
n
|
"Scan finding
#{
n
}
"
}
rule_type
{
:report_approver
}
report_type
{
:scan_finding
}
end
end
end
ee/spec/models/approval_project_rule_spec.rb
View file @
7846c3b1
...
...
@@ -128,6 +128,7 @@ RSpec.describe ApprovalProjectRule do
'Vulnerability-Check'
|
:vulnerability
'License-Check'
|
:license_scanning
'Coverage-Check'
|
:code_coverage
'Scan finding example'
|
:scan_finding
end
context
"when there is a project rule for each report type"
do
...
...
ee/spec/models/project_spec.rb
View file @
7846c3b1
...
...
@@ -3313,4 +3313,12 @@ RSpec.describe Project do
it
{
is_expected
.
to
eql
(
vuln_rule
)
}
end
end
describe
'#visible_approval_rules'
do
let
(
:scan_finding_rule
)
{
create
(
:approval_project_rule
,
project:
project
,
report_type: :scan_finding
)
}
subject
{
project
.
visible_approval_rules
}
it
{
is_expected
.
not_to
include
(
scan_finding_rule
)
}
end
end
ee/spec/services/security/security_orchestration_policies/process_rule_service_spec.rb
View file @
7846c3b1
...
...
@@ -32,7 +32,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
service
.
execute
new_schedule
=
Security
::
OrchestrationPolicyRuleSchedule
.
first
expect
(
policy_configuration
.
configured_at
).
not_to
be_nil
expect
(
Security
::
OrchestrationPolicyRuleSchedule
.
count
).
to
eq
(
1
)
expect
(
new_schedule
.
id
).
not_to
eq
(
schedule
.
id
)
expect
(
new_schedule
.
rule_index
).
to
eq
(
1
)
...
...
@@ -45,7 +44,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
it
'deletes schedules'
do
expect
{
service
.
execute
}.
to
change
(
Security
::
OrchestrationPolicyRuleSchedule
,
:count
).
by
(
-
1
)
expect
(
policy_configuration
.
configured_at
).
not_to
be_nil
end
end
end
...
...
ee/spec/workers/security/create_orchestration_policy_worker_spec.rb
View file @
7846c3b1
...
...
@@ -4,12 +4,13 @@ require 'spec_helper'
RSpec
.
describe
Security
::
CreateOrchestrationPolicyWorker
do
describe
'#perform'
do
let_it_be
(
:configuration
)
{
create
(
:security_orchestration_policy_configuration
)
}
let_it_be
(
:configuration
)
{
create
(
:security_orchestration_policy_configuration
,
configured_at:
nil
)
}
let_it_be
(
:schedule
)
{
create
(
:security_orchestration_policy_rule_schedule
,
security_orchestration_policy_configuration:
configuration
)
}
before
do
allow_next_instance_of
(
Repository
)
do
|
repository
|
allow
(
repository
).
to
receive
(
:blob_data_at
).
and_return
({
scan_execution_policy:
active_policies
}.
to_yaml
)
allow
(
repository
).
to
receive
(
:blob_data_at
).
and_return
(
active_policies
.
to_yaml
)
allow
(
repository
).
to
receive
(
:last_commit_for_path
)
end
end
...
...
@@ -17,6 +18,8 @@ RSpec.describe Security::CreateOrchestrationPolicyWorker do
context
'when policy is valid'
do
let
(
:active_policies
)
do
{
scan_execution_policy:
[
{
name:
'Scheduled DAST 1'
,
...
...
@@ -36,35 +39,96 @@ RSpec.describe Security::CreateOrchestrationPolicyWorker do
{
scan:
'dast'
,
site_profile:
'Site Profile'
,
scanner_profile:
'Scanner Profile'
}
]
}
],
scan_result_policy:
[
{
name:
'CS critical policy'
,
description:
'This policy with CS for critical policy'
,
enabled:
true
,
rules:
[{
type:
'scan_finding'
,
branches:
%w[production]
,
vulnerabilities_allowed:
0
,
severity_levels:
%w[critical]
,
scanners:
%w[container_scanning]
}],
actions:
[
{
type:
'require_approval'
,
approvals_required:
1
,
approvers:
%w[admin]
}
]
}
]
}
end
it
'executes
the process rule service
'
do
active_policies
.
each_with_index
do
|
policy
,
policy_index
|
it
'executes
process services for all policies
'
do
active_policies
[
:scan_execution_policy
]
.
each_with_index
do
|
policy
,
policy_index
|
expect_next_instance_of
(
Security
::
SecurityOrchestrationPolicies
::
ProcessRuleService
,
policy_configuration:
configuration
,
policy_index:
policy_index
,
policy:
policy
)
do
|
service
|
expect
(
service
).
to
receive
(
:execute
)
end
end
active_policies
[
:scan_result_policy
].
each
do
|
policy
|
expect_next_instance_of
(
Security
::
SecurityOrchestrationPolicies
::
ProcessScanResultPolicyService
,
policy_configuration:
configuration
,
policy:
policy
)
do
|
service
|
expect
(
service
).
to
receive
(
:execute
)
end
end
expect
(
configuration
.
configured_at
).
to
be_nil
expect
{
worker
.
perform
}.
not_to
change
(
Security
::
OrchestrationPolicyRuleSchedule
,
:count
)
expect
(
configuration
.
reload
.
configured_at
).
not_to
be_nil
end
context
'with existing project approval rules'
do
let!
(
:approval_rule
)
{
create
(
:approval_project_rule
,
:scan_finding
,
project:
configuration
.
project
)}
before
do
allow_next_instance_of
(
Security
::
SecurityOrchestrationPolicies
::
ProcessRuleService
)
do
|
rule_service
|
allow
(
rule_service
).
to
receive
(
:execute
)
end
allow_next_instance_of
(
Security
::
SecurityOrchestrationPolicies
::
ProcessScanResultPolicyService
)
do
|
rule_service
|
allow
(
rule_service
).
to
receive
(
:execute
)
end
end
it
'deletes all approval_rules'
do
expect
{
worker
.
perform
}.
to
change
(
configuration
.
approval_rules
,
:count
).
by
(
-
1
)
end
end
end
context
'when policy is invalid'
do
let
(
:active_policies
)
do
{
scan_execution_policy:
[
{
key:
'invalid'
,
label:
'invalid'
}
]
}
end
it
'does not execute process
rule service
'
do
it
'does not execute process
for any policy
'
do
expect
(
Security
::
SecurityOrchestrationPolicies
::
ProcessRuleService
).
not_to
receive
(
:new
)
expect
(
Security
::
SecurityOrchestrationPolicies
::
ProcessScanResultPolicyService
).
not_to
receive
(
:new
)
expect
{
worker
.
perform
}.
to
change
(
Security
::
OrchestrationPolicyRuleSchedule
,
:count
).
by
(
-
1
)
expect
(
configuration
.
reload
.
configured_at
).
to
be_nil
end
context
'with existing project approval rules'
do
let!
(
:approval_rule
)
{
create
(
:approval_project_rule
,
:scan_finding
,
project:
configuration
.
project
)}
before
do
allow_next_instance_of
(
Security
::
SecurityOrchestrationPolicies
::
ProcessRuleService
)
do
|
rule_service
|
allow
(
rule_service
).
to
receive
(
:execute
)
end
allow_next_instance_of
(
Security
::
SecurityOrchestrationPolicies
::
ProcessScanResultPolicyService
)
do
|
rule_service
|
allow
(
rule_service
).
to
receive
(
:execute
)
end
end
it
'does not delete the existing approval_rules'
do
expect
{
worker
.
perform
}.
not_to
change
(
configuration
.
approval_rules
,
:count
)
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment