Add support for setting CI variables in Security Policies

eee65ff6 · Alan (Maciej) Paruszewski · Igor Drozdov · 3bb0b5ab · eee65ff6 · eee65ff6
Commit eee65ff6 authored Dec 07, 2021 by Alan (Maciej) Paruszewski Committed by Igor Drozdov Dec 07, 2021
7 changed files
--- a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
@@ -17,7 +17,7 @@ module Security
        when 'container_scanning', 'cluster_image_scanning'
          scan_configuration(action[:scan], ci_variables)
        when 'sast'
-          child_pipeline_configuration(action[:scan])
+          child_pipeline_configuration(action[:scan], ci_variables)
        else
          error_script('Invalid Scan type')
        end
@@ -47,8 +47,9 @@ module Security
          .except(:rules)
      end

-      def child_pipeline_configuration(template)
+      def child_pipeline_configuration(template, ci_variables)
        {
+          variables: ci_variables.compact,
          inherit: {
            variables: false
          },

--- a/ee/app/services/security/security_orchestration_policies/create_pipeline_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/create_pipeline_service.rb
@@ -10,6 +10,9 @@ module Security
        },
        'container_scanning' => {
          'CONTAINER_SCANNING_DISABLED' => nil
+        },
+        'sast' => {
+          'SAST_DISABLED' => nil
        }
      }.freeze

@@ -29,8 +32,9 @@ module Security
      private

      def ci_configuration
+        action_variables = action[:variables].to_h.stringify_keys
        ci_variables, ci_hidden_variables = scan_variables
-        ci_content = ::Security::SecurityOrchestrationPolicies::CiConfigurationService.new.execute(action, ci_variables)
+        ci_content = ::Security::SecurityOrchestrationPolicies::CiConfigurationService.new.execute(action, action_variables.merge(ci_variables))

        [{ "#{scan_type}" => ci_content }, ci_hidden_variables]
      end

--- a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
@@ -10,6 +10,9 @@ module Security
        },
        container_scanning: {
          'CONTAINER_SCANNING_DISABLED' => nil
+        },
+        sast: {
+          'SAST_DISABLED' => nil
        }
      }.freeze

@@ -32,7 +35,11 @@ module Security
      end

      def scan_configuration(action)
-        ::Security::SecurityOrchestrationPolicies::CiConfigurationService.new.execute(action, scan_variables(action))
+        action_variables = action[:variables].to_h.stringify_keys
+
+        ::Security::SecurityOrchestrationPolicies::CiConfigurationService
+          .new
+          .execute(action, action_variables.merge(scan_variables(action)))
      end

      def scan_variables(action)

--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -132,6 +132,14 @@
                    "string",
                    "null"
                  ]
+                },
+                "variables": {
+                  "type": "object",
+                  "patternProperties": {
+                    "\\A[a-zA-Z_][a-zA-Z0-9_]*\\z": {
+                      "type": "string"
+                    }
+                  }
                }
              },
              "allOf": [
@@ -147,7 +155,7 @@
                    "required": [
                      "site_profile"
                    ],
-                    "maxProperties": 3
+                    "maxProperties": 4
                  }
                },
                {
@@ -159,7 +167,7 @@
                    }
                  },
                  "then": {
-                    "maxProperties": 1
+                    "maxProperties": 2
                  }
                },
                {
@@ -171,7 +179,7 @@
                    }
                  },
                  "then": {
-                    "maxProperties": 1
+                    "maxProperties": 2
                  }
                },
                {
@@ -183,7 +191,7 @@
                    }
                  },
                  "then": {
-                    "maxProperties": 1
+                    "maxProperties": 2
                  }
                },
                {
@@ -195,7 +203,7 @@
                    }
                  },
                  "then": {
-                    "maxProperties": 1
+                    "maxProperties": 2
                  }
                }
              ],

--- a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -118,15 +118,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d

      context 'when scan type is sast' do
        let_it_be(:action) { { scan: 'sast' } }
-        let_it_be(:ci_variables) { {} }
+        let_it_be(:ci_variables) { { 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'SAST_DISABLED' => nil } }

        it 'returns prepared CI configuration for SAST' do
          expected_configuration = {
            inherit: { variables: false },
+            variables: { 'SAST_EXCLUDED_ANALYZERS' => 'semgrep' },
            trigger: { include: [{ template: 'Security/SAST.gitlab-ci.yml' }] }
          }

-          expect(subject.deep_symbolize_keys).to eq(expected_configuration)
+          expect(subject).to eq(expected_configuration)
        end
      end
    end

--- a/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb
@@ -134,6 +134,18 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CreatePipelineService do

            expect(build.name).to eq('sast')
          end
+
+          context 'when action contains variables' do
+            let(:action) { { scan: 'sast', variables: { SAST_EXCLUDED_ANALYZERS: 'semgrep' } } }
+
+            it 'parses variables from the action and applies them in configuration service' do
+              expect_next_instance_of(::Security::SecurityOrchestrationPolicies::CiConfigurationService) do |ci_configuration_service|
+                expect(ci_configuration_service).to receive(:execute).once.with(action, 'SAST_DISABLED' => nil, 'SAST_EXCLUDED_ANALYZERS' => 'semgrep').and_call_original
+              end
+
+              subject
+            end
+          end
        end
      end
    end

--- a/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
@@ -32,6 +32,18 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ScanPipelineService do
      it_behaves_like 'creates scan jobs', 1, [:'secret-detection-0']
    end

+    context 'when action contains variables' do
+      let(:actions) { [{ scan: 'sast', variables: { SAST_EXCLUDED_ANALYZERS: 'semgrep' } }] }
+
+      it 'parses variables from the action and applies them in configuration service' do
+        expect_next_instance_of(::Security::SecurityOrchestrationPolicies::CiConfigurationService) do |ci_configuration_service|
+          expect(ci_configuration_service).to receive(:execute).once.with(actions.first, 'SAST_DISABLED' => nil, 'SAST_EXCLUDED_ANALYZERS' => 'semgrep').and_call_original
+        end
+
+        subject
+      end
+    end
+
    context 'when there are multiple actions' do
      let(:actions) do
        [