Merge branch 'revert-9153ca42' into 'master'

Revert "Override scan-skipping env vars for policy scans"

See merge request !106045



Merged-by: Marius Bobin <mbobin@gitlab.com>
Approved-by: Dominic Bauer <dbauer@gitlab.com>
Approved-by: Marius Bobin <mbobin@gitlab.com>
Co-authored-by: Fabio Pitino <fpitino@gitlab.com>

ee/lib/ee/gitlab/ci/build/context/build.rb

-# frozen_string_literal: true
-
-module EE
-  module Gitlab
-    module Ci
-      module Build
-        module Context
-          module Build
-            extend ::Gitlab::Utils::Override
-
-            VARIABLE_OVERRIDES = ::Security::SecurityOrchestrationPolicies::ScanPipelineService::SCAN_VARIABLES
-                                   .values
-                                   .reduce({}, :merge)
-                                   .freeze
-
-            override :variables
-            def variables
-              collection = super
-
-              return collection unless sanitize?
-
-              sanitized_collection(collection)
-            end
-
-            private
-
-            def sanitize?
-              feature_available? && active_scan_policies?
-            end
-
-            def feature_available?
-              project&.feature_available?(:security_orchestration_policies)
-            end
-
-            def active_scan_policies?
-              project
-                &.security_orchestration_policy_configuration
-                &.active_scan_execution_policies
-                &.any?
-            end
-
-            def sanitized_collection(collection)
-              ::Gitlab::Ci::Variables::Collection.new(
-                collection.to_hash.merge(VARIABLE_OVERRIDES).compact.map do |k, v|
-                  { key: k, value: v }
-                end
-              )
-            end
-          end
-        end
-      end
-    end
-  end
-end

ee/spec/lib/gitlab/ci/build/context/build_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::Ci::Build::Context::Build do
-  let(:pipeline)        { create(:ci_pipeline) }
-  let(:seed_attributes) { { 'name' => 'some-job' } }
-
-  let(:context) { described_class.new(pipeline, seed_attributes) }
-
-  describe "scan-variable sanitization" do
-    subject { context.variables.to_hash }
-
-    let(:project) { pipeline.project }
-    let(:overrides) { described_class::VARIABLE_OVERRIDES }
-
-    context "when project has scan-skipping CI variables configured" do
-      before do
-        project.variables.insert_all(overrides.map { |k, v| { key: k, value: "true" } }) if overrides.any?
-      end
-
-      context "with feature disabled" do
-        it "does not sanitize variables" do
-          expect(subject).to include("CONTAINER_SCANNING_DISABLED")
-        end
-      end
-
-      context "with feature enabled" do
-        before do
-          allow(project).to receive(:feature_available?).with(:security_orchestration_policies).and_return(true)
-        end
-
-        context "with active scan execution policies" do
-          let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
-
-          let(:policy_hash) do
-            { scan_execution_policy: [{ name: "Test policy",
-                                        description: "",
-                                        enabled: true,
-                                        actions: [{ scan: "secret_detection" }],
-                                        rules: [{ type: "pipeline", branches: ["*"] }] }] }
-          end
-
-          before do
-            allow(policy_configuration).to receive(:policy_hash).and_return(policy_hash)
-          end
-
-          it 'sanitizes variables' do
-            expect(subject).not_to include("CONTAINER_SCANNING_DISABLED")
-          end
-
-          it 'overrides variables' do
-            expect(subject).to include("SECRET_DETECTION_HISTORIC_SCAN" => "false")
-          end
-        end
-
-        context "without active scan execution policies" do
-          it "does not sanitize variables" do
-            expect(subject).to include("CONTAINER_SCANNING_DISABLED")
-          end
-        end
-      end
-    end
-  end
-end

ee/spec/services/security/security_orchestration_policies/variable_sanitzation_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe "Variable sanitzation" do
-  include ::UpdateOrchestrationPolicyConfiguration
-
-  let(:group) { create(:group) }
-
-  let(:project) do
-    create(:project,
-           :custom_repo,
-           group: group,
-           files: { ".gitlab-ci.yml" => gitlab_ci_yml })
-  end
-
-  let(:policy_management_project) do
-    create(:project,
-           :custom_repo,
-           files: { ".gitlab/security-policies/policy.yml" => policy_yml })
-  end
-
-  let(:policy_configuration) do
-    create(:security_orchestration_policy_configuration,
-           security_policy_management_project: policy_management_project,
-           project: project)
-  end
-
-  let(:current_user) { project.creator }
-  let(:builds) { project.builds.pluck(:name) }
-
-  let(:gitlab_ci_yml) { "" }
-  let(:policy_yml) { "" }
-
-  before do
-    stub_licensed_features(security_orchestration_policies: true, security_on_demand_scans: true)
-    project.add_owner(current_user)
-    policy_management_project.repository.create_branch("main", policy_management_project.default_branch)
-  end
-
-  describe "scheduled scans" do
-    let(:policy_yml) do
-      <<~YML
-      scan_execution_policy:
-      - name: Test
-        description: ''
-        enabled: true
-        actions:
-        - scan: container_scanning
-        - scan: sast
-        rules:
-        - type: schedule
-          cadence: '0 10 * * *'
-          branches:
-          - "*"
-      YML
-    end
-
-    before do
-      project.repository.commit_files(current_user,
-                                      message: "Add Gemfile in order to run brakeman-sast",
-                                      branch_name: "master",
-                                      actions: [{ action: :create, file_path: "Gemfile", contents: "" }])
-
-      update_policy_configuration(policy_configuration)
-
-      policy_configuration.rule_schedules.reload.each do |schedule|
-        service = Security::SecurityOrchestrationPolicies::RuleScheduleService.new(container: project,
-                                                                                   current_user: current_user)
-        service.execute(schedule)
-      end
-
-      project.all_pipelines.flat_map(&:bridges).each do |bridge|
-        Ci::CreateDownstreamPipelineService.new(project, current_user).execute(bridge)
-      end
-    end
-
-    describe ".gitlab-ci.yml with top-level YAML variables" do
-      let(:gitlab_ci_yml) do
-        <<~YML
-      variables:
-        CONTAINER_SCANNING_DISABLED: 'true'
-        SAST_DISABLED: 'true'
-        YML
-      end
-
-      specify do
-        expect(builds).to contain_exactly("container-scanning-0", "brakeman-sast")
-      end
-    end
-
-    describe "project-level CI variables" do
-      before do
-        project.variables.create!([{ key: "CONTAINER_SCANNING_DISABLED", value: "true" },
-                                   { key: "SAST_DISABLED", value: "true" }])
-      end
-
-      specify do
-        expect(builds).to contain_exactly("container-scanning-0", "brakeman-sast")
-      end
-    end
-
-    describe "group-level CI variables" do
-      before do
-        group.variables.create!([{ key: "CONTAINER_SCANNING_DISABLED", value: "true" },
-                                 { key: "SAST_DISABLED", value: "true" }])
-      end
-
-      specify do
-        expect(builds).to contain_exactly("container-scanning-0", "brakeman-sast")
-      end
-    end
-  end
-
-  describe "pipeline scans" do
-    let(:gitlab_ci_yml) do
-      <<~YML
-      variables:
-        CONTAINER_SCANNING_DISABLED: 'true'
-        SAST_DISABLED: 'true'
-      dummy_job:
-        stage: test
-        script: ":"
-      skipped_job:
-        script: ":"
-        rules:
-          - if: $CONTAINER_SCANNING_DISABLED
-            when: never
-      YML
-    end
-
-    let(:policy_yml) do
-      <<~YML
-      scan_execution_policy:
-      - name: Test
-        description: ''
-        enabled: true
-        actions:
-        - scan: container_scanning
-        - scan: sast
-        rules:
-        - type: pipeline
-          branches:
-          - "*"
-      YML
-    end
-
-    before do
-      project.repository.commit_files(current_user,
-                                      message: "Add Gemfile in order to run brakeman-sast",
-                                      branch_name: "master",
-                                      actions: [{ action: :create, file_path: "Gemfile", contents: "" }])
-
-      update_policy_configuration(policy_configuration)
-
-      Ci::CreatePipelineService.new(project, current_user, ref: project.repository.root_ref).execute(:web)
-
-      project.all_pipelines.flat_map(&:bridges).each do |bridge|
-        Ci::CreateDownstreamPipelineService.new(project, current_user).execute(bridge)
-      end
-    end
-
-    specify do
-      expect(builds).to contain_exactly("dummy_job", "container-scanning-0", "brakeman-sast")
-    end
-
-    describe "project-level CI variables" do
-      before do
-        project.variables.create!([{ key: "CONTAINER_SCANNING_DISABLED", value: "true" },
-                                   { key: "SAST_DISABLED", value: "true" }])
-      end
-
-      specify do
-        expect(builds).to contain_exactly("dummy_job", "container-scanning-0", "brakeman-sast")
-      end
-    end
-
-    describe "group-level CI variables" do
-      before do
-        group.variables.create!([{ key: "CONTAINER_SCANNING_DISABLED", value: "true" },
-                                 { key: "SAST_DISABLED", value: "true" }])
-      end
-
-      specify do
-        expect(builds).to contain_exactly("dummy_job", "container-scanning-0", "brakeman-sast")
-      end
-    end
-  end
-end

lib/gitlab/ci/build/context/build.rb

@@ -50,5 +50,3 @@ def ci_stage_attributes
     end
   end
 end
-
-Gitlab::Ci::Build::Context::Build.prepend_mod_with('Gitlab::Ci::Build::Context::Build')