Limit security policy to a file

Allow only 5 policy to be enabled

Limit security policy to a file
Allow only 5 policy to be enabled
b7e3049d · Can Eldem · Markus Koller · 2516aeb2 · b7e3049d · b7e3049d
Commit b7e3049d authored Mar 31, 2021 by Can Eldem Committed by Markus Koller Mar 31, 2021
3 changed files
--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -6,7 +6,8 @@ module Security

    self.table_name = 'security_orchestration_policy_configurations'

-    POLICIES_BASE_PATH = '.gitlab/security-policies/'
+    POLICY_PATH = '.gitlab/security-policies/policy.yml'
+    POLICY_LIMIT = 5

    ON_DEMAND_SCANS = %w[dast].freeze

@@ -23,12 +24,7 @@ module Security
    def active_policies
      return [] unless enabled?

-      security_policy_management_project
-        .repository
-        .ls_files(security_policy_management_project.default_branch_or_master)
-        .grep(/\A#{Regexp.escape(POLICIES_BASE_PATH)}.+\.(yml|yaml)\z/)
-        .map { |path| policy_at(path) }
-        .select { |config| config[:enabled] }
+      scan_execution_policy_at(POLICY_PATH).select { |config| config[:enabled] }.first(POLICY_LIMIT)
    end

    def on_demand_scan_actions(branch)
@@ -48,6 +44,14 @@ module Security

    private

+    def policy_repo
+      security_policy_management_project.repository
+    end
+
+    def default_branch_or_master
+      security_policy_management_project.default_branch_or_master
+    end
+
    def active_policy_names_with_dast_profiles
      strong_memoize(:active_policy_names_with_dast_profiles) do
        profiles = { site_profiles: Hash.new { Set.new }, scanner_profiles: Hash.new { Set.new } }
@@ -65,11 +69,9 @@ module Security
      end
    end

-    def policy_at(path)
-      security_policy_management_project
-        .repository
-        .blob_data_at(security_policy_management_project.default_branch_or_master, path)
-        .then { |config| Gitlab::Config::Loader::Yaml.new(config).load! }
+    def scan_execution_policy_at(path)
+      policy_repo.blob_data_at(default_branch_or_master, path)
+        .then { |config| Gitlab::Config::Loader::Yaml.new(config).load!.fetch(:scan_execution_policy, []) }
    end

    def applicable_for_branch?(policy, ref)

--- a/ee/spec/fixtures/security_orchestration.yml
+++ b/ee/spec/fixtures/security_orchestration.yml
+scan_execution_policy:
+  - name: Run DAST in every pipeline
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "production"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v1
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Disabled policy
+    description: This policy is disabled
+    enabled: false
+    rules: []
+    actions: []
+  - name: Disabled policy_v2
+    description: This policy is disabled v2
+    enabled: false
+    rules: []
+    actions: []
+  - name: Run DAST in every pipeline_v3
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v4
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v5
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
+  - name: Run DAST in every pipeline_v6
+    description: This policy enforces to run DAST for every pipeline within the project
+    enabled: true
+    rules:
+    - type: pipeline
+      branches:
+      - "master"
+    actions:
+    - scan: dast
+      site_profile: Site Profile
+      scanner_profile: Scanner Profile
\ No newline at end of file
--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb