Merge branch 'limit-policy-to-file' into 'master'

Limit security policy to a file See merge request gitlab-org/gitlab!57736

Merge branch 'limit-policy-to-file' into 'master'
Limit security policy to a file See merge request gitlab-org/gitlab!57736
8165db74 · Markus Koller · a1519664 · b7e3049d · 8165db74 · 8165db74
Commit 8165db74 authored Mar 31, 2021 by Markus Koller
3 changed files
--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -6,7 +6,8 @@ module Security
    self.table_name = 'security_orchestration_policy_configurations'
-    POLICIES_BASE_PATH = '.gitlab/security-policies/'
+    POLICY_PATH = '.gitlab/security-policies/policy.yml'
+    POLICY_LIMIT = 5
    ON_DEMAND_SCANS = %w[dast].freeze
@@ -23,12 +24,7 @@ module Security
    def active_policies
      return [] unless enabled?
-      security_policy_management_project
+      scan_execution_policy_at(POLICY_PATH).select { |config| config[:enabled] }.first(POLICY_LIMIT)
-        .repository
-        .ls_files(security_policy_management_project.default_branch_or_master)
-        .grep(/\A#{Regexp.escape(POLICIES_BASE_PATH)}.+\.(yml|yaml)\z/)
-        .map { |path| policy_at(path) }
-        .select { |config| config[:enabled] }
    end
    def on_demand_scan_actions(branch)
@@ -48,6 +44,14 @@ module Security
    private
+    def policy_repo
+      security_policy_management_project.repository
+    end
+    def default_branch_or_master
+      security_policy_management_project.default_branch_or_master
+    end
    def active_policy_names_with_dast_profiles
      strong_memoize(:active_policy_names_with_dast_profiles) do
        profiles = { site_profiles: Hash.new { Set.new }, scanner_profiles: Hash.new { Set.new } }
@@ -65,11 +69,9 @@ module Security
      end
    end
-    def policy_at(path)
+    def scan_execution_policy_at(path)
-      security_policy_management_project
+      policy_repo.blob_data_at(default_branch_or_master, path)
-        .repository
+        .then { |config| Gitlab::Config::Loader::Yaml.new(config).load!.fetch(:scan_execution_policy, []) }
-        .blob_data_at(security_policy_management_project.default_branch_or_master, path)
-        .then { |config| Gitlab::Config::Loader::Yaml.new(config).load! }
    end
    def applicable_for_branch?(policy, ref)

--- a/ee/spec/fixtures/security_orchestration.yml
+++ b/ee/spec/fixtures/security_orchestration.yml
+scan_execution_policy:
+  - name: Run DAST in every pipeline
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "production"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v1
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Disabled policy
+    description: This policy is disabled
+    enabled: false
+    rules: []
+    actions: []
+  - name: Disabled policy_v2
+    description: This policy is disabled v2
+    enabled: false
+    rules: []
+    actions: []
+  - name: Run DAST in every pipeline_v3
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v4
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v5
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v6
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
\ No newline at end of file
--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb