
Add update event handler for security policies

Sashi Kumar Kumaresan requested to merge sk/416262-handle-policy-update into master

What does this MR do and why?

This MR adds the event handlers for create and update of Security::Policy to link or unlink the policy and its Security::ApprovalPolicyRule records to or from projects.

Database queries

unlink_project!


DELETE 
FROM
    "security_policy_project_links" 
WHERE
    "security_policy_project_links"."security_policy_id" = 68 
    AND "security_policy_project_links"."project_id" = 115;

link_project!


BEGIN 

SELECT
    1 AS one 
FROM
    "security_policy_project_links" 
WHERE
    "security_policy_project_links"."security_policy_id" = 68 
    AND "security_policy_project_links"."project_id" = 115 LIMIT 1;

INSERT INTO
    "security_policy_project_links"
    ("project_id", "security_policy_id") 
VALUES
    (115, 68) RETURNING "id";

COMMIT

unlink_policy_rules_project!


DELETE FROM
    "approval_policy_rule_project_links" 
WHERE
    "approval_policy_rule_project_links"."project_id" = 115;

link_policy_rules_project!

INSERT INTO
    "approval_policy_rule_project_links"
    ("approval_policy_rule_id","project_id") 
VALUES
    (41, 115) 
        ON CONFLICT ("approval_policy_rule_id",
    "project_id") DO NOTHING RETURNING "id";

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • Enable security_policies_sync and security_policies_sync_group feature flags
  • Create an approval policy with multiple rules and a scan execution policy from Secure->Policies:
Policies
name: Multi-rules Policy
description: ''
enabled: true
actions:
- type: require_approval
  approvals_required: 1
  role_approvers:
  - maintainer
- type: send_bot_message
  enabled: true
rules:
- type: scan_finding
  scanners: []
  vulnerabilities_allowed: 0
  severity_levels: []
  vulnerability_states: []
  branch_type: protected
- type: license_finding
  match_on_inclusion_license: true
  license_types:
  - MIT License
  license_states:
  - newly_detected
  branch_type: protected
- type: any_merge_request
  branch_type: protected
  commits: any
approval_settings:
  block_branch_modification: true
  prevent_pushing_and_force_pushing: true
  prevent_approval_by_author: true
  prevent_approval_by_commit_author: true
  remove_approvals_with_new_commit: true
  require_password_to_approve: false
fallback_behavior:
  fail: closed
name: Scan Execution Policy
description: ''
enabled: true
actions:
- scan: secret_detection
rules:
- type: pipeline
  branches:
  - "*"
  • After the policies are created, note the IDs of the Security::Policy records by running
Security::Policy.last(2).map {|p| [p.id, p.name] }
  • Verify that the associated Security::ApprovalPolicyRule and Security::ScanExecutionPolicyRule records have been created for the policy by running:
Security::Policy.last(2).map(&:rules)
  • Also verify that the policy and the ApprovalPolicyRule have projects associated through security_policy_project_links and approval_policy_rule_project_links:
Security::Policy.last(2).map(&:projects)

Security::ApprovalPolicyRule.all.map(&:projects)
  • Now update the Multi-rules Policy to set enabled to false and merge the MR that updates the policy
  • Verify that the policy and the ApprovalPolicyRule are now not linked to the project:
Security::Policy.last(2).map(&:projects)

Security::ApprovalPolicyRule.all.map(&:projects)
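The following is an added example, not code from this MR or from GitLab: an in-memory Ruby model of the link/unlink behaviour behind the four queries in the Database queries section, driven through the scenario of the validation steps (two enabled policies on one project, then one policy updated to enabled: false). All ids, the `PolicyLinkStore` class, the `Policy` struct and the `on_policy_changed` handler name are constructed for illustration. One point worth checking when validating locally: the `unlink_policy_rules_project!` DELETE shown above filters on project_id alone, so this example deliberately scopes the unlink to the updated policy's own rule ids and asserts that a second policy's rule links on the same project survive.

```ruby
require 'set'

# Constructed stand-in for a Security::Policy row: id, enabled flag and the
# ids of its Security::ApprovalPolicyRule rows (all ids here are made up).
Policy = Struct.new(:id, :name, :enabled, :rule_ids, keyword_init: true)

# In-memory stand-in for the two link tables used by the queries on the page.
class PolicyLinkStore
  def initialize
    @policy_project_links = Set.new # rows of security_policy_project_links
    @rule_project_links   = Set.new # rows of approval_policy_rule_project_links
  end

  # link_project!: the SELECT ... LIMIT 1 then INSERT pair. Set#add is
  # idempotent like the existence check; in SQL, INSERT ... ON CONFLICT DO
  # NOTHING is the race-free way to get the same guarantee.
  def link_project!(policy, project_id)
    @policy_project_links.add([policy.id, project_id])
    self
  end

  # unlink_project!: DELETE scoped on (security_policy_id, project_id).
  def unlink_project!(policy, project_id)
    @policy_project_links.delete([policy.id, project_id])
    self
  end

  # link_policy_rules_project!: one INSERT ... ON CONFLICT DO NOTHING per rule.
  def link_policy_rules_project!(policy, project_id)
    policy.rule_ids.each { |rule_id| @rule_project_links.add([rule_id, project_id]) }
    self
  end

  # unlink_policy_rules_project!: scoped here on the policy's own rule ids as
  # well as project_id (assumption of this example; the DELETE on the page
  # filters on project_id alone, which would also drop other policies' links).
  def unlink_policy_rules_project!(policy, project_id)
    @rule_project_links.delete_if do |rule_id, pid|
      pid == project_id && policy.rule_ids.include?(rule_id)
    end
    self
  end

  # Create/update handler: an enabled policy is linked together with its rules;
  # a disabled one has both the policy link and its rule links removed.
  def on_policy_changed(policy, project_id)
    if policy.enabled
      link_project!(policy, project_id).link_policy_rules_project!(policy, project_id)
    else
      unlink_project!(policy, project_id).unlink_policy_rules_project!(policy, project_id)
    end
  end

  # Counterparts of Security::Policy#projects and Security::ApprovalPolicyRule#projects.
  def projects_for_policy(policy)
    @policy_project_links.select { |policy_id, _| policy_id == policy.id }.map(&:last).sort
  end

  def projects_for_rule(rule_id)
    @rule_project_links.select { |rid, _| rid == rule_id }.map(&:last).sort
  end
end

# Walk through the validation steps with constructed data: two enabled policies
# on project 115, then the first one is updated to enabled: false.
def run_policy_update_scenario
  store = PolicyLinkStore.new
  multi_rules = Policy.new(id: 68, name: 'Multi-rules Policy', enabled: true, rule_ids: [41, 42, 43])
  other       = Policy.new(id: 70, name: 'Other Policy', enabled: true, rule_ids: [50])

  store.on_policy_changed(multi_rules, 115)
  store.on_policy_changed(other, 115)
  before = {
    policy_68: store.projects_for_policy(multi_rules),
    rule_41: store.projects_for_rule(41),
    rule_50: store.projects_for_rule(50)
  }

  # Re-running the handler for an enabled policy must be a no-op (idempotent link).
  store.on_policy_changed(multi_rules, 115)

  multi_rules.enabled = false
  store.on_policy_changed(multi_rules, 115)
  after = {
    policy_68: store.projects_for_policy(multi_rules),
    rule_41: store.projects_for_rule(41),
    rule_50: store.projects_for_rule(50) # must survive the other policy's unlink
  }
  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  result = run_policy_update_scenario
  puts "before: #{result[:before]}"
  puts "after:  #{result[:after]}"
end
```

Running the script prints the link state before and after the update; the `after` hash is the counterpart of the last two console commands in the validation steps, with rule 50 still linked because it belongs to the policy that was not disabled.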
