BE: Add GraphQL API to list policies for selected Compliance Framework
Why are we doing this work
In the scope of Security Policy Scopes (&5510 - closed), we would like to allow users to save Policy YAML with policy scope in it. Based on designs and descriptions from the Epic, we would like to be able to specify policy scope based on:
- assigned compliance frameworks,
- list with included projects,
- list with excluded projects.
```yaml
policy_scope:
  compliance_frameworks:
    - id: 12345
    - id: 23456
  projects:
    including:
      - id: 12345
      - id: 23456
    excluding:
      - id: 34567
      - id: 45678
```
In the scope of this issue, we want to add the logic needed to list, via the GraphQL API, the policies whose `policy_scope` includes the selected Compliance Framework. These policies must only be returned by GraphQL when the API user has permission to see them; a policy that is scoped to a framework the user can read must still be hidden if the user cannot read the policy itself (its security policy project/configuration).
In scope of this issue we want to add new fields to `ComplianceManagement::ComplianceFrameworkType`:

```ruby
field :scan_execution_policies,
      ::Types::SecurityOrchestration::ScanExecutionPolicyType.connection_type,
      calls_gitaly: true,
      null: true,
      description: 'Scan Execution Policies of the compliance framework.',
      resolver: ::Resolvers::SecurityOrchestration::ScanExecutionPolicyResolver

field :scan_result_policies,
      ::Types::SecurityOrchestration::ScanResultPolicyType.connection_type,
      calls_gitaly: true,
      null: true,
      description: 'Scan Result Policies of the compliance framework.',
      resolver: ::Resolvers::SecurityOrchestration::ScanResultPolicyResolver
```
Relevant links
Non-functional requirements
- Documentation: updated
- Feature flag: list policies only when the `security_policies_policy_scope` feature flag is enabled; with the flag disabled the new fields return no policies
- Performance: verify the performance impact with policies configured across many projects/subgroups within the group
- Testing:
Implementation plan
- backend: Create a new finder that queries `compliance_framework_security_policies` by `framework_id` and gets all policies by `policy_id` and `security_orchestration_policy_configuration_id`
- backend: Use the finder in `ComplianceManagement::ComplianceFrameworkType` for `scan_result_policies` and `scan_execution_policies`
Verification steps
TBD
Edited by Sashi Kumar Kumaresan