BE: Update GraphQL API to list Scan Execution Policies
Why are we doing this work
We want to be able to list Scan Execution Policies defined in the project through the GraphQL API, so that users can manage policies easily.
This new field in project should have fields:
- name: string,
- description: string,
- enabled: boolean,
- yaml: string,
- updatedAt: timestamp
As we currently store all policies in a YAML file in the Security Policy Project, to present these fields we will have to prepare a service that reads the YAML file and the commit information from the repository and then prepares an entity to be presented in the API.
Relevant links
Non-functional requirements
- Documentation: add GraphQL documentation for new fields,
- Feature flag: security_orchestration_policies_configuration; the feature and new GraphQL API will be hidden behind feature flag,
- Performance: look for potential N+1 queries (similarly to #324382 (closed))
- Testing:
  - test if GraphQL API is available only when feature flag is enabled,
  - test if GraphQL API is returning empty list when YAML files are not valid or missing,
  - test if GraphQL API is returning all values properly from YAML file
Implementation plan
- backend: prepare new service Security::SecurityOrchestrationPolicies::FindResourceService to fetch list of policies from the repository of Security Policy Project. The logic could be done in the resolver itself.
- backend: prepare ScanExecutionPolicyResolver that will use mentioned service to fetch policies from repository and provide them in the format acceptable by GraphQL type,
- backend: add new field to ProjectType (ee only): scanExecutionPolicies as [ScanExecutionPolicyType] (null: false, resolver: ::Resolvers::ScanExecutionPolicyResolver) with fields:
  - name: GraphQL::STRING_TYPE, null: false,
  - description: GraphQL::STRING_TYPE, null: false,
  - enabled: GraphQL::BOOLEAN_TYPE, null: false,
  - yaml: GraphQL::STRING_TYPE, null: false,
  - updatedAt: Types::TimeType, null: false
Edited by Sashi Kumar Kumaresan
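The read path from the implementation plan, as an added example (not code from this issue or from GitLab's code base): the policy file is parsed with `YAML.safe_load` because it is user-controlled repository content, and a missing or invalid file yields an empty list, as the testing requirements state. The `scan_execution_policy` top-level key, the `Policy` struct, the method names and the sample file are assumptions made for illustration.

```ruby
require 'yaml'

# Hypothetical entity mirroring the fields proposed for ScanExecutionPolicyType.
Policy = Struct.new(:name, :description, :enabled, :yaml, :updated_at, keyword_init: true)

# Constructed sample of a policy file; the top-level key and layout are assumptions.
SAMPLE_POLICY_YAML = <<~YAML
  scan_execution_policy:
    - name: Run DAST on main
      description: Scheduled DAST scan
      enabled: true
      actions:
        - scan: dast
    - name: Secret detection
      description: Scan every pipeline
      enabled: false
YAML

def valid_policy?(policy)
  policy.is_a?(Hash) &&
    policy['name'].is_a?(String) &&
    policy['description'].is_a?(String) &&
    [true, false].include?(policy['enabled'])
end

# blob: raw file content from the policy repository (nil when the file is missing).
# committed_at: time of the last commit that touched the file.
def list_scan_execution_policies(blob, committed_at)
  return [] if blob.nil? || blob.strip.empty?

  # The file is user-controlled repository content: safe_load refuses custom
  # tags/objects, and aliases stay disabled to avoid alias-expansion abuse.
  doc = YAML.safe_load(blob, permitted_classes: [], aliases: false)
  policies = doc.is_a?(Hash) ? doc['scan_execution_policy'] : nil
  return [] unless policies.is_a?(Array) && policies.all? { |p| valid_policy?(p) }

  policies.map do |p|
    Policy.new(name: p['name'], description: p['description'], enabled: p['enabled'],
               yaml: YAML.dump(p), updated_at: committed_at)
  end
rescue Psych::Exception
  [] # syntax error, disallowed class or alias: treat the file as invalid
end
```

In this sketch one malformed policy entry invalidates the whole file, which matches the "empty list when YAML files are not valid" requirement; `updated_at` is taken from the commit rather than from the file content.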