Add update event handler for security policies
What does this MR do and why?
This MR adds the event handlers for create and update Security::Policy
to link or unlink the policy and its Security::ApprovalPolicyRule
to projects.
Database queries
unlink_project!
DELETE
FROM
"security_policy_project_links"
WHERE
"security_policy_project_links"."security_policy_id" = 68
AND "security_policy_project_links"."project_id" = 115;
link_project!
BEGIN
SELECT
1 AS one
FROM
"security_policy_project_links"
WHERE
"security_policy_project_links"."security_policy_id" = 68
AND "security_policy_project_links"."project_id" = 115 LIMIT 1;
INSERT INTO
"security_policy_project_links"
("project_id", "security_policy_id")
VALUES
(115, 68) RETURNING "id";
COMMIT
unlink_policy_rules_project!
DELETE FROM
"approval_policy_rule_project_links"
WHERE
"approval_policy_rule_project_links"."project_id" = 115;
link_policy_rules_project!
INSERT INTO
"approval_policy_rule_project_links"
("approval_policy_rule_id","project_id")
VALUES
(41, 115)
ON CONFLICT ("approval_policy_rule_id",
"project_id") DO NOTHING RETURNING "id";
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable
security_policies_sync
andsecurity_policies_sync_group
feature flags - Create an approval policy with multiple rules and a scan execution policy from
Secure
->Policies
:
Policies
name: Multi-rules Policy
description: ''
enabled: true
actions:
- type: require_approval
approvals_required: 1
role_approvers:
- maintainer
- type: send_bot_message
enabled: true
rules:
- type: scan_finding
scanners: []
vulnerabilities_allowed: 0
severity_levels: []
vulnerability_states: []
branch_type: protected
- type: license_finding
match_on_inclusion_license: true
license_types:
- MIT License
license_states:
- newly_detected
branch_type: protected
- type: any_merge_request
branch_type: protected
commits: any
approval_settings:
block_branch_modification: true
prevent_pushing_and_force_pushing: true
prevent_approval_by_author: true
prevent_approval_by_commit_author: true
remove_approvals_with_new_commit: true
require_password_to_approve: false
fallback_behavior:
fail: closed
name: Scan Execution Policy
description: ''
enabled: true
actions:
- scan: secret_detection
rules:
- type: pipeline
branches:
- "*"
- After the policies are created, note the IDs of the
Security::Policy
by doing
Security::Policy.last(2).map {|p| [p.id, p.name] }
- Verify that the policy has associated
Security::ApprovalPolicyRule
andSecurity::ScanExecutionPolicyRule
are created by doing:
Security::Policy.last(2).map(&:rules)
- Also verify that the policy and ApprovalPolicyRule has projects associated through
security_policy_project_links
andapproval_policy_rule_project_links
Security::Policy.last(2).map(&:projects)
Security::ApprovalPolicyRule.all.map(&:projects)
- Now update the
Multi-rules Policy
to setenabled
to false and merge the MR that updates the policy - Verify that the policy and the ApprovalPolicyRule are now not linked to the project:
Security::Policy.last(2).map(&:projects)
Security::ApprovalPolicyRule.all.map(&:projects)
Edited by Sashi Kumar Kumaresan