Merge branch 'mc_rocha-test-scan-create-pipeline' into 'master'

Draft: Allow scan execution policies to create pipelines See merge request gitlab-org/gitlab!121087 Merged-by: Marcos Rocha <mrocha@gitlab.com>

Merge branch 'mc_rocha-test-scan-create-pipeline' into 'master'
34670740 · Marcos Rocha · e1856fc4 · 966a1f48 · 34670740 · 34670740
Commit 34670740 authored 1 year ago by Marcos Rocha
--- a/app/models/concerns/enums/ci/pipeline.rb
+++ b/app/models/concerns/enums/ci/pipeline.rb
@@ -81,7 +81,8 @@ def self.config_sources
          external_project_source: 5,
          bridge_source: 6,
          parameter_source: 7,
-          compliance_source: 8
+          compliance_source: 8,
+          security_policy_source: 9
        }
      end
    end

--- a/config/feature_flags/development/scan_execution_policy_pipelines.yml
+++ b/config/feature_flags/development/scan_execution_policy_pipelines.yml
+---
+name: scan_execution_policy_pipelines
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121087
+rollout_issue_url:
+milestone: '16.1'
+type: development
+group: group::security policies
+default_enabled: false
--- a/ee/lib/gitlab/ci/project_config/security_policy.rb
+++ b/ee/lib/gitlab/ci/project_config/security_policy.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    class ProjectConfig
+      class SecurityPolicy < Gitlab::Ci::ProjectConfig::Source
+        def content
+          return {} unless custom_content.present?
+
+          custom_content
+        end
+        strong_memoize_attr :content
+
+        def source
+          :security_policy
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -132,6 +132,19 @@
        end
      end
    end
+
+    context 'when the config is empty' do
+      let(:config) { {} }
+
+      it 'does not include scan-policies stage' do
+        expect(subject[:stages]).to eq(%w[.pre build test deploy .post dast])
+      end
+
+      it 'extends config with additional jobs' do
+        expect(subject.keys).to include(expected_jobs)
+        expect(subject.values).to include(expected_configuration)
+      end
+    end
  end

  shared_examples 'when policy is invalid' do

--- a/lib/gitlab/ci/pipeline/chain/config/content.rb
+++ b/lib/gitlab/ci/pipeline/chain/config/content.rb
@@ -11,10 +11,20 @@ class Content < Chain::Base

            def perform!
              if pipeline_config&.exists?
-                @pipeline.build_pipeline_config(content: pipeline_config.content)
-                @command.config_content = pipeline_config.content
-                @pipeline.config_source = pipeline_config.source
-                @command.pipeline_config = pipeline_config
+                config = pipeline_config
+                config = merge_security_policies(config) if security_policies_enabled?
+                build_pipeline_config(config)
+              elsif security_policies_enabled?
+                security_policies_content = {}
+                security_policies_content = merge_security_policies(security_policies_content)
+
+                security_policies_config = ::Gitlab::Ci::ProjectConfig::SecurityPolicy.new(project,
+                  @pipeline.sha,
+                  security_policies_content,
+                  @command.source,
+                  @command.bridge)
+
+                build_pipeline_config(security_policies_config)
              else
                error('Missing CI config file')
              end
@@ -26,6 +36,25 @@ def break?

            private

+            def build_pipeline_config(pipeline_config)
+              @pipeline.build_pipeline_config(content: pipeline_config.content)
+              @command.config_content = pipeline_config.content
+              @pipeline.config_source = pipeline_config.source
+              @command.pipeline_config = pipeline_config
+            end
+
+            def security_policies_enabled?
+              Feature.enabled?(:scan_execution_policy_pipelines, project) && Gitlab.ee? &&
+                project&.feature_available?(:security_orchestration_policies)
+            end
+
+            def merge_security_policies(config)
+              ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config,
+                project,
+                @pipeline&.source_ref_path,
+                @command.source).perform
+            end
+
            def pipeline_config
              strong_memoize(:pipeline_config) do
                ::Gitlab::Ci::ProjectConfig.new(