Prevent DAST profiles from being modified or deleted while they are referenced by an active policy
Why are we doing this work
As part of the related Epic, users must be prohibited from editing or deleting any Scanner Profiles or Site Profiles that are referenced by an active policy. This issue addresses that requirement.
Non-functional requirements

- Documentation: Add an information note to https://docs.gitlab.com/ee/user/application_security/dast/#site-profile and https://docs.gitlab.com/ee/user/application_security/dast/#scanner-profile explaining that these profiles cannot be modified or deleted while they are referenced by a security policy.
- Feature flag: when the feature flag is disabled, the check should not be performed.
- Performance: -
- Testing:
  - Test that you can create, modify and delete a DAST Site Profile and a DAST Scanner Profile that are not referenced by a security policy.
  - Test that you can create a DAST Site Profile and a DAST Scanner Profile whose name is referenced by a security policy if no profile with that name existed before.
  - Test that you cannot modify or delete a DAST Site Profile or a DAST Scanner Profile that is referenced by a security policy.
Implementation plan

- backend: extract the logic responsible for deletion in `Mutations::DastSiteProfiles::Delete` into a separate service, `DastSiteProfiles::DestroyService`.
- backend: extend `Dast::Profiles::UpdateService`, `Dast::Profiles::DestroyService`, `::DastSiteProfiles::UpdateService` and `::DastSiteProfiles::DestroyService` with logic that checks whether the profile is referenced by a policy. Proposed approach: first extend `Security::OrchestrationPolicyConfiguration` with the methods `dast_profile_referenced?(profile_name)` and `dast_site_profile_referenced?(profile_name)`, which check whether a profile with the given name is referenced by any policy, and then use that logic in the services along these lines:

  ```ruby
  # Guard used by the Update/Destroy services: true when any active policy
  # of the profile's project references this profile by name.
  def referenced_by_policy?
    # Skip the check entirely while the feature flag is disabled.
    return false unless feature_enabled?(:security_orchestration_policy_configuration)
    # A project without a policy configuration cannot reference profiles.
    return false unless profile.project.security_orchestration_policy_configuration

    # Policies reference site profiles by name in their actions.
    profile.project.security_orchestration_policy_configuration.active_policies.any? do |policy|
      policy[:actions].any? { |action| action[:site_profile] == profile.name }
    end
  end
  ```

- backend: extend `Types::DastSiteProfileType` and `Types::DastScannerProfileType` with a field `referencedInPolicies`, an array of strings holding the names of the policies in which the selected profile is referenced.
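The following is a self-contained sketch of the proposed check, added here as an example; it is not GitLab's code. It models both predicates on the policy configuration, the guard used by a destroy service (including the feature-flag and missing-configuration short circuits), and the list of referencing policy names that the `referencedInPolicies` field would expose. Only `active_policies`, `dast_site_profile_referenced?`, `referenced_by_policy?` and `security_orchestration_policy_configuration` are names from the issue; the policy hash shape, the constructed sample policies, and the names `PolicyConfiguration`, `Project`, `Profile`, `policies_referencing`, `dast_scanner_profile_referenced?` and `destroy_site_profile` are assumptions made for this illustration.

```ruby
# Added example (not GitLab's code): a self-contained model of the
# "profile referenced by an active policy" check proposed in this issue.
# The policy hash shape below and the names PolicyConfiguration, Project,
# Profile, policies_referencing, dast_scanner_profile_referenced? and
# destroy_site_profile are assumptions made for this illustration.

# Constructed sample of what active_policies could return for one project:
# two DAST scan execution policies and one unrelated policy.
ACTIVE_POLICIES = [
  { name: 'Nightly DAST',
    actions: [{ scan: 'dast', site_profile: 'Staging site', scanner_profile: 'Passive scan' }] },
  { name: 'Release gate',
    actions: [{ scan: 'dast', site_profile: 'Production site', scanner_profile: 'Passive scan' }] },
  { name: 'Secret scan',
    actions: [{ scan: 'secret_detection' }] }
].freeze

# Stand-in for Security::OrchestrationPolicyConfiguration carrying the
# predicates the issue proposes plus a helper for the referencedInPolicies field.
class PolicyConfiguration
  attr_reader :active_policies

  def initialize(active_policies)
    @active_policies = active_policies
  end

  # Names of the active policies whose actions reference profile_name under
  # the given key (:site_profile or :scanner_profile). Policies match profiles
  # by name, which is why modification (including renaming) is blocked as well
  # as deletion.
  def policies_referencing(key, profile_name)
    active_policies
      .select { |policy| Array(policy[:actions]).any? { |action| action[key] == profile_name } }
      .map { |policy| policy[:name] }
  end

  def dast_site_profile_referenced?(profile_name)
    policies_referencing(:site_profile, profile_name).any?
  end

  def dast_scanner_profile_referenced?(profile_name)
    policies_referencing(:scanner_profile, profile_name).any?
  end
end

# Minimal stand-ins for the project and profile objects the services receive.
Project = Struct.new(:security_orchestration_policy_configuration, keyword_init: true)
Profile = Struct.new(:name, :project, keyword_init: true)

# The guard as the issue proposes placing it in the Update/Destroy services.
# Returns false (no restriction) when the feature flag is off or the project
# has no policy configuration; otherwise true if any active policy references
# the profile.
def referenced_by_policy?(profile, key, feature_flag_enabled: true)
  return false unless feature_flag_enabled

  config = profile.project.security_orchestration_policy_configuration
  return false unless config

  config.policies_referencing(key, profile.name).any?
end

# Destroy-service style result: refuses instead of deleting when referenced.
def destroy_site_profile(profile, feature_flag_enabled: true)
  if referenced_by_policy?(profile, :site_profile, feature_flag_enabled: feature_flag_enabled)
    return { status: :error,
             message: 'Cannot delete a DAST site profile that is referenced by a security policy' }
  end

  { status: :success }
end

if __FILE__ == $PROGRAM_NAME
  config = PolicyConfiguration.new(ACTIVE_POLICIES)
  project = Project.new(security_orchestration_policy_configuration: config)
  staging = Profile.new(name: 'Staging site', project: project)
  puts config.policies_referencing(:scanner_profile, 'Passive scan').inspect
  puts destroy_site_profile(staging).inspect
end
```

Note that the scanner profile `Passive scan` is referenced by two policies, so `referencedInPolicies` for it would carry both names, while a profile whose name appears in no action (or a project without any policy configuration) stays freely editable and deletable.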
Edited by Alan (Maciej) Paruszewski