Merge branch '300220-add-security-orchestration-policy-configuration-model' into 'master'

Add Security Orchestration Policy Configuration See merge request gitlab-org/gitlab!53743

Merge branch '300220-add-security-orchestration-policy-configuration-model' into 'master'
Add Security Orchestration Policy Configuration See merge request gitlab-org/gitlab!53743
93f4c907 · Toon Claes · ce2fd9a8 · dfb7b68d · 93f4c907 · 93f4c907
Commit 93f4c907 authored Feb 12, 2021 by Toon Claes
10 changed files
--- a/changelogs/unreleased/300220-add-security-orchestration-policy-configuration-model.yml
+++ b/changelogs/unreleased/300220-add-security-orchestration-policy-configuration-model.yml
+---
+title: Add Security Orchestration Policy Configuration
+merge_request: 53743
+author:
+type: added
--- a/db/migrate/20210209160510_create_security_orchestration_policy_configurations.rb
+++ b/db/migrate/20210209160510_create_security_orchestration_policy_configurations.rb
+# frozen_string_literal: true
+
+class CreateSecurityOrchestrationPolicyConfigurations < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INDEX_PREFIX = 'index_sop_configs_'
+
+  def up
+    table_comment = { owner: 'group::container security', description: 'Configuration used to store relationship between project and security policy repository' }
+
+    create_table_with_constraints :security_orchestration_policy_configurations, comment: table_comment.to_json do |t|
+      t.references :project, null: false, foreign_key: { to_table: :projects, on_delete: :cascade }, index: { name: INDEX_PREFIX + 'on_project_id', unique: true }
+      t.references :security_policy_management_project, null: false, foreign_key: { to_table: :projects, on_delete: :restrict }, index: { name: INDEX_PREFIX + 'on_security_policy_management_project_id', unique: true }
+
+      t.timestamps_with_timezone
+    end
+  end
+
+  def down
+    with_lock_retries do
+      drop_table :security_orchestration_policy_configurations, force: :cascade
+    end
+  end
+end
--- a/db/schema_migrations/20210209160510
+++ b/db/schema_migrations/20210209160510
+601d67a2911c461881064ec18a2246ef9e5b2835eb0fdf40e701c9360e19eca4
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16971,6 +16971,25 @@ CREATE SEQUENCE security_findings_id_seq

 ALTER SEQUENCE security_findings_id_seq OWNED BY security_findings.id;

+CREATE TABLE security_orchestration_policy_configurations (
+    id bigint NOT NULL,
+    project_id bigint NOT NULL,
+    security_policy_management_project_id bigint NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL
+);
+
+COMMENT ON TABLE security_orchestration_policy_configurations IS '{"owner":"group::container security","description":"Configuration used to store relationship between project and security policy repository"}';
+
+CREATE SEQUENCE security_orchestration_policy_configurations_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE security_orchestration_policy_configurations_id_seq OWNED BY security_orchestration_policy_configurations.id;
+
 CREATE TABLE security_scans (
    id bigint NOT NULL,
    created_at timestamp with time zone NOT NULL,
@@ -19289,6 +19308,8 @@ ALTER TABLE ONLY scim_oauth_access_tokens ALTER COLUMN id SET DEFAULT nextval('s

 ALTER TABLE ONLY security_findings ALTER COLUMN id SET DEFAULT nextval('security_findings_id_seq'::regclass);

+ALTER TABLE ONLY security_orchestration_policy_configurations ALTER COLUMN id SET DEFAULT nextval('security_orchestration_policy_configurations_id_seq'::regclass);
+
 ALTER TABLE ONLY security_scans ALTER COLUMN id SET DEFAULT nextval('security_scans_id_seq'::regclass);

 ALTER TABLE ONLY self_managed_prometheus_alert_events ALTER COLUMN id SET DEFAULT nextval('self_managed_prometheus_alert_events_id_seq'::regclass);
@@ -20794,6 +20815,9 @@ ALTER TABLE ONLY scim_oauth_access_tokens
 ALTER TABLE ONLY security_findings
    ADD CONSTRAINT security_findings_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY security_orchestration_policy_configurations
+    ADD CONSTRAINT security_orchestration_policy_configurations_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY security_scans
    ADD CONSTRAINT security_scans_pkey PRIMARY KEY (id);

@@ -23353,6 +23377,10 @@ CREATE INDEX index_software_licenses_on_spdx_identifier ON software_licenses USI

 CREATE UNIQUE INDEX index_software_licenses_on_unique_name ON software_licenses USING btree (name);

+CREATE UNIQUE INDEX index_sop_configs_on_project_id ON security_orchestration_policy_configurations USING btree (project_id);
+
+CREATE UNIQUE INDEX index_sop_configs_on_security_policy_management_project_id ON security_orchestration_policy_configurations USING btree (security_policy_management_project_id);
+
 CREATE INDEX index_sprints_on_description_trigram ON sprints USING gin (description gin_trgm_ops);

 CREATE INDEX index_sprints_on_due_date ON sprints USING btree (due_date);
@@ -24780,6 +24808,9 @@ ALTER TABLE ONLY ci_subscriptions_projects
 ALTER TABLE ONLY trending_projects
    ADD CONSTRAINT fk_rails_09feecd872 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;

+ALTER TABLE ONLY security_orchestration_policy_configurations
+    ADD CONSTRAINT fk_rails_0a22dcd52d FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY project_deploy_tokens
    ADD CONSTRAINT fk_rails_0aca134388 FOREIGN KEY (deploy_token_id) REFERENCES deploy_tokens(id) ON DELETE CASCADE;

@@ -25119,6 +25150,9 @@ ALTER TABLE ONLY epic_issues
 ALTER TABLE ONLY ci_refs
    ADD CONSTRAINT fk_rails_4249db8cc3 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;

+ALTER TABLE ONLY security_orchestration_policy_configurations
+    ADD CONSTRAINT fk_rails_42ed6c25ec FOREIGN KEY (security_policy_management_project_id) REFERENCES projects(id) ON DELETE RESTRICT;
+
 ALTER TABLE ONLY ci_resources
    ADD CONSTRAINT fk_rails_430336af2d FOREIGN KEY (resource_group_id) REFERENCES ci_resource_groups(id) ON DELETE CASCADE;


--- a/ee/app/models/ee/project.rb
+++ b/ee/app/models/ee/project.rb
@@ -105,6 +105,8 @@ module EE
      has_many :incident_management_oncall_schedules, class_name: 'IncidentManagement::OncallSchedule', inverse_of: :project
      has_many :incident_management_oncall_rotations, class_name: 'IncidentManagement::OncallRotation', through: :incident_management_oncall_schedules, source: :rotations

+      has_one :security_orchestration_policy_configuration, class_name: 'Security::OrchestrationPolicyConfiguration', foreign_key: :project_id, inverse_of: :project
+
      elastic_index_dependant_association :issues, on_change: :visibility_level

      scope :with_shared_runners_limit_enabled, -> do

--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
+# frozen_string_literal: true
+
+module Security
+  class OrchestrationPolicyConfiguration < ApplicationRecord
+    self.table_name = 'security_orchestration_policy_configurations'
+
+    belongs_to :project, inverse_of: :security_orchestration_policy_configuration
+    belongs_to :security_policy_management_project, class_name: 'Project', foreign_key: 'security_policy_management_project_id'
+
+    validates :project, presence: true, uniqueness: true
+    validates :security_policy_management_project, presence: true, uniqueness: true
+  end
+end
--- a/ee/spec/factories/security_orchestration_policy_configurations.rb
+++ b/ee/spec/factories/security_orchestration_policy_configurations.rb
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :security_orchestration_policy_configuration, class: 'Security::OrchestrationPolicyConfiguration' do
+    project
+    security_policy_management_project { association(:project) }
+  end
+end
--- a/ee/spec/models/project_spec.rb
+++ b/ee/spec/models/project_spec.rb
@@ -30,6 +30,7 @@ RSpec.describe Project do
    it { is_expected.to have_one(:compliance_management_framework).class_name('ComplianceManagement::Framework') }
    it { is_expected.to have_one(:security_setting).class_name('ProjectSecuritySetting') }
    it { is_expected.to have_one(:vulnerability_statistic).class_name('Vulnerabilities::Statistic') }
+    it { is_expected.to have_one(:security_orchestration_policy_configuration).class_name('Security::OrchestrationPolicyConfiguration').inverse_of(:project) }

    it { is_expected.to have_many(:path_locks) }
    it { is_expected.to have_many(:vulnerability_feedback) }

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::OrchestrationPolicyConfiguration do
+  describe 'associations' do
+    it { is_expected.to belong_to(:project).inverse_of(:security_orchestration_policy_configuration) }
+    it { is_expected.to belong_to(:security_policy_management_project).class_name('Project') }
+  end
+
+  describe 'validations' do
+    subject { create(:security_orchestration_policy_configuration) }
+
+    it { is_expected.to validate_presence_of(:project) }
+    it { is_expected.to validate_presence_of(:security_policy_management_project) }
+
+    it { is_expected.to validate_uniqueness_of(:project) }
+    it { is_expected.to validate_uniqueness_of(:security_policy_management_project) }
+  end
+end
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -564,6 +564,7 @@ project:
 - incident_management_oncall_rotations
 - debian_distributions
 - merge_request_metrics
+- security_orchestration_policy_configuration
 award_emoji:
 - awardable
 - user