
Persist all policy types for security policies

Sashi Kumar Kumaresan requested to merge sk/416262-persist-other-policies into master

What does this MR do and why?

This MR updates the security_policies table to add a content jsonb field and removes the actions & approval_settings columns, as they are not generic to all policy types. This change also updates the persistence logic to persist pipeline_execution_policy too.

Since the security_policies table is not used yet and is still behind feature flags (#454828 & #446102), removing the columns is safe.

Migration output

main: == [advisory_lock_connection] object_id: 140680, pg_backend_pid: 41562
main: == 20240718114210 AddContentColumnToSecurityPolicies: migrating ===============
main: -- add_column(:security_policies, :content, :jsonb, {:default=>{}, :null=>false})
main:    -> 0.0026s
main: == 20240718114210 AddContentColumnToSecurityPolicies: migrated (0.0078s) ======
main: == [advisory_lock_connection] object_id: 140680, pg_backend_pid: 41562

main: == [advisory_lock_connection] object_id: 500440, pg_backend_pid: 41675
main: == 20240718130949 RemoveActionsAndApprovalSettingsFromSecurityPolicies: migrating 
main: -- remove_column(:security_policies, :actions, :jsonb)
main:    -> 0.0016s
main: -- remove_column(:security_policies, :approval_settings, :jsonb)
main:    -> 0.0007s
main: == 20240718130949 RemoveActionsAndApprovalSettingsFromSecurityPolicies: migrated (0.0085s) 
main: == [advisory_lock_connection] object_id: 500440, pg_backend_pid: 41675

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • Create a project/group and enable the security_policies_sync and security_policies_sync_group feature flags
Feature.enable(:security_policies_sync)
Feature.enable(:security_policies_sync_group)
  • Create a security policy for the group/project by going to Secure -> Policies
  • After the security policy project is created, update .gitlab/security-policies/policy.yml with this policy content:
policy.yml
---
approval_policy:
- name: MR Approval Policy
  description: ''
  enabled: true
  rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
  actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
    - 22
  - type: send_bot_message
    enabled: false
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: closed
scan_execution_policy:
- name: Run secret detection in every pipeline
  description: This policy enforces to run secret_detection for every pipeline within the project
  enabled: true
  rules:
  - type: pipeline
    branches: []
  policy_scope: {}
  actions:
  - scan: secret_detection
ci_component_sources_policy:
- name: Allow publishing of CI Components to catalog
  description: This policy enforces an allowlist of projects and groups that can publish CI components
  enabled: true
  allowed_sources:
    projects:
      - path: 'project-path'
    namespaces:
      - path: 'namespace-path'
  policy_scope: {}
pipeline_execution_policy:
- name: Run custom pipeline configuration
  description: This policy enforces to run custom pipeline configuration
  enabled: true
  pipeline_config_strategy: inject_ci
  content:
    include:
    - project: compliance-project
      file: group.yml
      ref: main
  policy_scope: {}
  • Go to rails console and verify that the Security::Policy records are created:
Security::Policy.count
=> 4
Security::Policy.all.map(&:content)
=> [{"actions"=>[{"type"=>"require_approval", "approvals_required"=>1, "group_approvers_ids"=>[22]}, {"type"=>"send_bot_message", "enabled"=>false}],
  "approval_settings"=>
   {"block_branch_modification"=>true,
    "prevent_approval_by_author"=>true,
    "require_password_to_approve"=>false,
    "remove_approvals_with_new_commit"=>true,
    "prevent_approval_by_commit_author"=>true,
    "prevent_pushing_and_force_pushing"=>true},
  "fallback_behavior"=>{"fail"=>"closed"}},
 {"actions"=>[{"scan"=>"secret_detection"}]},
 {"allowed_sources"=>{"projects"=>[{"path"=>"project-path"}], "namespaces"=>[{"path"=>"namespace-path"}]}},
 {"content"=>{"include"=>[{"ref"=>"main", "file"=>"group.yml", "project"=>"compliance-project"}]},
  "pipeline_config_strategy"=>"inject_ci"}]
Edited by Sashi Kumar Kumaresan
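The validation steps above show the end result (four Security::Policy records whose content hash differs per policy type) without showing how the type-specific part of each policy is separated from the attributes every policy shares. The following is an added Ruby example, not GitLab's own persistence code: it parses the policy.yml from the steps above (embedded as a constructed sample, with descriptions shortened), strips the attributes common to all policy types, and keeps the remainder as the content hash. The list of common attributes (name, description, enabled, rules, policy_scope) is an assumption inferred from the rails console output, as are the record keys; it also reports which of the two removed columns each policy type would have needed, which is the reason the MR gives for replacing them with a single jsonb column.

```ruby
require 'yaml'

# Policy types the MR persists into security_policies, in policy.yml order.
POLICY_TYPES = %w[
  approval_policy scan_execution_policy ci_component_sources_policy pipeline_execution_policy
].freeze

# Attributes shared by every policy type; whatever is left over is type-specific
# and lands in the jsonb `content` column. This list is an assumption inferred
# from the rails console output in the MR, not GitLab's own code.
COMMON_ATTRIBUTES = %w[name description enabled rules policy_scope].freeze

# Constructed sample input: the policy.yml from the validation steps, with the
# description fields shortened or dropped.
POLICY_YML = <<~YAML
  ---
  approval_policy:
  - name: MR Approval Policy
    description: ''
    enabled: true
    rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: []
      branch_type: protected
    actions:
    - type: require_approval
      approvals_required: 1
      group_approvers_ids:
      - 22
    - type: send_bot_message
      enabled: false
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  scan_execution_policy:
  - name: Run secret detection in every pipeline
    enabled: true
    rules:
    - type: pipeline
      branches: []
    policy_scope: {}
    actions:
    - scan: secret_detection
  ci_component_sources_policy:
  - name: Allow publishing of CI Components to catalog
    enabled: true
    allowed_sources:
      projects:
        - path: 'project-path'
      namespaces:
        - path: 'namespace-path'
    policy_scope: {}
  pipeline_execution_policy:
  - name: Run custom pipeline configuration
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
      - project: compliance-project
        file: group.yml
        ref: main
    policy_scope: {}
YAML

# Which of the two columns this MR removes would a policy of this type have filled?
# approval_policy needs both, pipeline_execution_policy needs neither: per-type
# columns do not generalise, a single jsonb column does.
def legacy_columns_used(policy)
  %w[actions approval_settings] & policy.keys
end

# Split one policy hash into the generic attributes and the type-specific content hash.
def policy_record(policy_type, policy)
  common, content = policy.partition { |key, _| COMMON_ATTRIBUTES.include?(key) }.map(&:to_h)
  { type: policy_type, name: common['name'], enabled: common.fetch('enabled', true), content: content }
end

# Build the records that would be persisted for every policy type in a policy.yml.
def policy_records(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  POLICY_TYPES.flat_map { |type| Array(doc[type]).map { |policy| policy_record(type, policy) } }
end

if $PROGRAM_NAME == __FILE__
  policy_records(POLICY_YML).each do |record|
    puts "#{record[:type]}: content keys #{record[:content].keys.inspect}"
  end
end
```

Running the file prints one line per policy; the content hashes match the four shown in the rails console output above, with name, enabled, rules and policy_scope absent from every one of them.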
