Persist all policy types for security policies
What does this MR do and why?
This MR updates the `security_policies` table to add a `content` jsonb field and removes the `actions` and `approval_settings` columns, as they are not generic for all policy types. This change also updates the persistence logic to persist `pipeline_execution_policy` too.

Since the `security_policies` table is not used yet and is still behind feature flags (#454828 & #446102), removing the columns is safe.
Migration output

```text
main: == [advisory_lock_connection] object_id: 140680, pg_backend_pid: 41562
main: == 20240718114210 AddContentColumnToSecurityPolicies: migrating ===============
main: -- add_column(:security_policies, :content, :jsonb, {:default=>{}, :null=>false})
main: -> 0.0026s
main: == 20240718114210 AddContentColumnToSecurityPolicies: migrated (0.0078s) ======
main: == [advisory_lock_connection] object_id: 140680, pg_backend_pid: 41562
main: == [advisory_lock_connection] object_id: 500440, pg_backend_pid: 41675
main: == 20240718130949 RemoveActionsAndApprovalSettingsFromSecurityPolicies: migrating
main: -- remove_column(:security_policies, :actions, :jsonb)
main: -> 0.0016s
main: -- remove_column(:security_policies, :approval_settings, :jsonb)
main: -> 0.0007s
main: == 20240718130949 RemoveActionsAndApprovalSettingsFromSecurityPolicies: migrated (0.0085s)
main: == [advisory_lock_connection] object_id: 500440, pg_backend_pid: 41675
```
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally

- Create a project/group and enable the `security_policies_sync` and `security_policies_sync_group` feature flags:

  ```ruby
  Feature.enable(:security_policies_sync)
  Feature.enable(:security_policies_sync_group)
  ```

- Create a security policy for the group/project by going to Secure -> Policies.
- After the security policy project is created, update `.gitlab/security-policies/policy.yml` with this policy content:
  policy.yml

  ```yaml
  ---
  approval_policy:
    - name: MR Approval Policy
      description: ''
      enabled: true
      rules:
        - type: scan_finding
          scanners: []
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
          group_approvers_ids:
            - 22
        - type: send_bot_message
          enabled: false
      approval_settings:
        block_branch_modification: true
        prevent_pushing_and_force_pushing: true
        prevent_approval_by_author: true
        prevent_approval_by_commit_author: true
        remove_approvals_with_new_commit: true
        require_password_to_approve: false
      fallback_behavior:
        fail: closed
  scan_execution_policy:
    - name: Run secret detection in every pipeline
      description: This policy enforces to run secret_detection for every pipeline within the project
      enabled: true
      rules:
        - type: pipeline
          branches: []
      policy_scope: {}
      actions:
        - scan: secret_detection
  ci_component_sources_policy:
    - name: Allow publishing of CI Components to catalog
      description: This policy enforces an allowlist of projects and groups that can publish CI components
      enabled: true
      allowed_sources:
        projects:
          - path: 'project-path'
        namespaces:
          - path: 'namespace-path'
      policy_scope: {}
  pipeline_execution_policy:
    - name: Run custom pipeline configuration
      description: This policy enforces to run custom pipeline configuration
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: compliance-project
            file: group.yml
            ref: main
      policy_scope: {}
  ```
- Go to the Rails console and verify that the `Security::Policy` records are created:

  ```ruby
  Security::Policy.count
  => 4
  Security::Policy.all.map(&:content)
  => [{"actions"=>[{"type"=>"require_approval", "approvals_required"=>1, "group_approvers_ids"=>[22]}, {"type"=>"send_bot_message", "enabled"=>false}],
    "approval_settings"=>
     {"block_branch_modification"=>true,
      "prevent_approval_by_author"=>true,
      "require_password_to_approve"=>false,
      "remove_approvals_with_new_commit"=>true,
      "prevent_approval_by_commit_author"=>true,
      "prevent_pushing_and_force_pushing"=>true},
    "fallback_behavior"=>{"fail"=>"closed"}},
   {"actions"=>[{"scan"=>"secret_detection"}]},
   {"allowed_sources"=>{"projects"=>[{"path"=>"project-path"}], "namespaces"=>[{"path"=>"namespace-path"}]}},
   {"content"=>{"include"=>[{"ref"=>"main", "file"=>"group.yml", "project"=>"compliance-project"}]},
    "pipeline_config_strategy"=>"inject_ci"}]
  ```
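As an added example (not the MR's or GitLab's own code), the Ruby script below shows what the new generic `content` column ends up holding for each policy type: it parses a constructed, abridged `policy.yml` and strips the attributes common to every policy type, assumed here to be `name`, `description`, `enabled`, `rules` and `policy_scope`, which reproduces the per-policy hashes shown in the console output above.

```ruby
# Added example (not GitLab's code): derive the per-policy `content` hash that
# the MR stores in the new `security_policies.content` jsonb column.
# Assumption: `content` is the policy body minus the attributes common to every
# policy type (name, description, enabled, rules, policy_scope), which matches
# the Rails console output in the MR description.
require 'yaml'

COMMON_ATTRIBUTES = %w[name description enabled rules policy_scope].freeze

# Constructed, abridged policy.yml (two of the four policy types from the MR).
POLICY_YAML = <<~YAML
  approval_policy:
    - name: MR Approval Policy
      description: ''
      enabled: true
      rules:
        - type: scan_finding
          branch_type: protected
      actions:
        - type: require_approval
          approvals_required: 1
      fallback_behavior:
        fail: closed
  pipeline_execution_policy:
    - name: Run custom pipeline configuration
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: compliance-project
            file: group.yml
            ref: main
      policy_scope: {}
YAML

# One [policy_type, index, content] tuple per Security::Policy row the sync
# would create; the common attributes are stripped, everything else is kept.
def policy_contents(yaml)
  doc = YAML.safe_load(yaml) || {}
  doc.flat_map do |policy_type, policies|
    Array(policies).each_with_index.map do |policy, idx|
      [policy_type, idx, policy.reject { |key, _| COMMON_ATTRIBUTES.include?(key) }]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  policy_contents(POLICY_YAML).each { |type, idx, content| puts "#{type}[#{idx}] => #{content}" }
end
```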
Edited by Sashi Kumar Kumaresan