Enable security policy bots for group level policies
We added Security policy bot users in &10756.
Bots are only created when a project is directly linked to a security policy project; this doesn't work for group-level security policy projects yet.
This is because the bot_user_id is stored with the SecurityOrchestrationPolicyConfiguration. For a group-level config, multiple bot users must be linked, one for each project.
To achieve this, we need to:
1. Trigger the bot user create worker for each project in the linked group
--- a/ee/app/services/security/orchestration/assign_service.rb
+++ b/ee/app/services/security/orchestration/assign_service.rb
@@ -104,9 +104,15 @@ def policy_project_id
end
def create_security_policy_project_bot(configuration)
- return unless container.is_a?(Project) && Feature.enabled?(:scan_execution_bot_users, container)
-
- Security::OrchestrationConfigurationCreateBotWorker.perform_async(configuration.id, current_user.id)
+ Feature.enabled?(:scan_execution_bot_users, container)
+
+ if container.is_a?(Project)
+ Security::OrchestrationConfigurationCreateBotWorker.perform_async(configuration.id, current_user.id)
+ elsif
+ container.all_projects.each do |project|
+ Security::OrchestrationConfigurationCreateBotWorker.perform_async(project.id, current_user.id)
+ end
+ end
end
end
end
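Review bot: the feature-flag guard is lost in this hunk: `Feature.enabled?(:scan_execution_bot_users, container)` on its own line evaluates the flag and discards the result, so bot users are created whether the flag is on or off; keep `return unless Feature.enabled?(:scan_execution_bot_users, container)`. The `elsif` also has no condition, so the `container.all_projects.each do |project| ... end` block that follows would be read as the condition rather than the branch body (or fail to parse); use `else`, or `elsif container.is_a?(Group)` if the intent is to restrict to groups. Finally, the two branches pass different first arguments to the same worker, `configuration.id` for a project and `project.id` per group project; if `OrchestrationConfigurationCreateBotWorker` resolves its first argument as a configuration id, the group branch will look up the wrong record, so either pass each project's own configuration id or give the worker an explicit project-aware signature.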
2. Fetch the bot user by looking it up on the project
--- a/ee/app/workers/security/orchestration_policy_rule_schedule_namespace_worker.rb
+++ b/ee/app/workers/security/orchestration_policy_rule_schedule_namespace_worker.rb
@@ -23,8 +23,10 @@ def perform(rule_schedule_id)
security_orchestration_policy_configuration.namespace.all_projects.find_in_batches.each do |projects|
projects.each do |project|
with_context(project: project, user: schedule.owner) do
+
+ user = project.security_policy_bot || schedule.owner
Security::SecurityOrchestrationPolicies::RuleScheduleService
- .new(container: project, current_user: schedule.owner)
+ .new(container: project, current_user: user)
.execute(schedule)
end
end
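Review bot: `with_context(project: project, user: schedule.owner)` still tags the context with the schedule owner while the service now runs as `user`; resolve `user = project.security_policy_bot || schedule.owner` before the block and pass it to `with_context` as well, so logs and job metadata reflect who actually executed the schedule. The extra blank `+` line added before the `user =` assignment should be dropped. Note also that `project.security_policy_bot` issues one query per project inside the `find_in_batches` loop; for large groups it may be worth loading the bots for each batch in a single query.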
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1044,6 +1044,10 @@ def initialize(attributes = nil)
super
end
+ def security_policy_bot
+ users.where(user_type: :security_policy_bot).first
+ end
+
# Remove along with ProjectFeaturesCompatibility module
def set_project_feature_defaults
self.class.project_features_defaults.each do |attr, value|
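Review bot: `users.where(user_type: :security_policy_bot).first` relies on the implicit primary-key ordering that `first` applies to an unordered relation, so if a project ever ends up with more than one bot member the oldest one silently wins; `users.find_by(user_type: :security_policy_bot)` states the intent directly, and a short comment documenting the one-bot-per-project assumption (and that callers are expected to fall back when it returns `nil`, as the schedule worker does) would help future readers.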
Edited by Alishan Ladhani