Jobs from scan execution policies are still running after downgrading to Premium
Summary
During an Ultimate trial a GitLab.com customer implemented scan execution policies. The trial is now over and they reverted to Premium. The security policy project has been deleted. However, the jobs defined via policies are still being executed.
Steps to reproduce
I do not have more information other than that this is happening in some projects, not all. In the shared example, the customer implemented secret detection via a scan execution policy. This job is still included by default in some projects.
I can share the link to the customer project privately.
What is the expected correct behavior?
After downgrading to Premium from an Ultimate trial, jobs defined via security policies should no longer be running in the project's pipelines.
Implementation Plan
diff --git a/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb b/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb
index f723b4e0826c..a5929024fcab 100644
--- a/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb
+++ b/ee/app/workers/security/orchestration_policy_rule_schedule_worker.rb
@@ -17,7 +17,11 @@ def perform
Security::OrchestrationPolicyRuleSchedule.with_configuration_and_project_or_namespace.with_owner.with_security_policy_bots.runnable_schedules.find_in_batches do |schedules|
schedules.each do |schedule|
with_context(project: schedule.security_orchestration_policy_configuration.project, user: schedule.owner) do
- if schedule.security_orchestration_policy_configuration.project?
+ config = schedule.security_orchestration_policy_configuration
+
+ next unless security_policy_feature_available?(config)
+
+ if config.project?
schedule_rules(schedule)
else
Security::OrchestrationPolicyRuleScheduleNamespaceWorker.perform_async(schedule.id)
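Review bot: the `next unless security_policy_feature_available?(config)` skip is silent, so a schedule that is no longer licensed will be re-evaluated and skipped on every worker run with nothing in the logs to explain why the policy job stopped; consider logging the skipped schedule id (or emitting a metric) so the behaviour described in this issue is observable, and consider whether an unlicensed schedule should be disabled or removed rather than re-checked on each run. Also note that `licensed_feature_available?` is now called once per schedule inside `find_in_batches`; if many schedules share the same project or namespace, memoizing the result per actor within the batch avoids repeating the license lookup.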
@@ -29,6 +33,16 @@ def perform
private
+ def security_policy_feature_available?(config)
+ actor = if config.project?
+ config.project
+ else
+ config.namespace
+ end
+
+ actor.licensed_feature_available?(:security_orchestration_policies)
+ end
+
def schedule_rules(schedule)
project = schedule.security_orchestration_policy_configuration.project
return if project.marked_for_deletion?
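Review bot: `security_policy_feature_available?` has no spec coverage visible in this plan; the worker spec should gain cases for a project-level configuration and a namespace-level configuration, each with and without the `security_orchestration_policies` licensed feature, asserting that `schedule_rules` / `OrchestrationPolicyRuleScheduleNamespaceWorker.perform_async` is not invoked when the feature is unavailable. As a style point, the `actor = if config.project? ... end` assignment reads more cleanly as a one-line ternary, `actor = config.project? ? config.project : config.namespace`, and a short comment explaining that the check exists because a downgraded (e.g. post-trial) project or group keeps its schedules would help the next reader.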
Edited by Dominic Bauer