Use project bot users to run scan execution policies pipelines
What does this MR do and why?
This MR adds a:
- Feature flag `scan_execution_bot_users`.
- Column `bot_user_id` to `security_orchestration_policy_configurations`.
- Bot user type `security_policy_bot`.
- Worker to create bot users and add them as guest to a project.
- Change to run the worker whenever a new `Security::OrchestrationConfiguration` is assigned.
With the feature flag `scan_execution_bot_users` enabled, whenever a new security configuration is assigned to a project, a bot user should be created and added as a guest to the project.
In the next iteration, we want to use the bot user to trigger scan execution pipelines. Currently, the last user that edited the security policy project is used as a triggerer for the pipelines.
Related issue #394958 (closed)
Screenshots or screen recordings
Screen recording coming soon.
How to set up and validate locally
There are 4 cases to validate:
Preparation
- Switch to the `andysoiron/security-scan-results-policy-bots` branch.
- Run migrations: `rails db:migrate`
- Restart GDK.
- Enable the feature flag: `Feature.enable(:scan_execution_bot_users)`
- Create a new project.
1. Assign a security policy project
- On the right sidebar, select **Security and Compliance** > **Policies**.
- Select Edit policy project.
- Choose any project and select Save.
- On the right sidebar, select **Project information** > **Members**.
- There should now be a bot member named GitLab Security Policy Bot.
2. Change the security policies project
- On the right sidebar, select **Security and Compliance** > **Policies**.
- Select Edit policy project.
- Choose any other project and select Save.
- On the right sidebar, select **Project information** > **Members**.
- The bot user GitLab Security Policy Bot should still be there.
- Select the username to get to the user page.
- Remember the user ID.
- Find your project ID and copy it.
- Look up the `Security::OrchestrationPolicyConfiguration` for the project: `Project.find(YOUR_PROJECT_ID).security_orchestration_policy_configuration`
- The `bot_user_id` field should match the ID of the bot user.
3. Remove the security policies project
- On the right sidebar, select **Security and Compliance** > **Policies**.
- Select Edit policy project.
- Select the trash can symbol next to the security policies project name.
- Select Save.
- On the right sidebar, select **Project information** > **Members**.
- The GitLab Security Policy Bot user should be removed.
4. Remove a bot user member
- On the right sidebar, select **Security and Compliance** > **Policies**.
- Select Edit policy project.
- Choose any project and select Save.
- On the right sidebar, select **Project information** > **Members**.
- There should now be a bot member named GitLab Security Policy Bot.
- Select the three dots (more actions) icon on the right side of the member entry.
- Select Remove Member.
- Select Remove Member from the popup window again.
- Find your project ID and copy it.
- Look up the `Security::OrchestrationPolicyConfiguration` for the project: `Project.find(YOUR_PROJECT_ID).security_orchestration_policy_configuration`
- The `bot_user_id` field should be `nil`.
Database
Rollback migrations:

```shell
rails db:migrate:down:main VERSION=20230419192748
rails db:migrate:down:ci VERSION=20230419192748
rails db:migrate:down:main VERSION=20230419193807
rails db:migrate:down:ci VERSION=20230419193807
rails db:migrate:down:main VERSION=20230425124907
rails db:migrate:down:ci VERSION=20230419193807
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
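The four validation cases above describe a lifecycle: assigning a policy project creates a dedicated `security_policy_bot` user with guest access, changing the policy project keeps that bot, removing the policy project removes the bot, and removing the bot's membership clears `bot_user_id`. The following is an added in-memory Ruby model of that lifecycle, written for this page; it is not GitLab's implementation or the MR's worker. The class names (`DemoProject`, `PolicyBotLifecycle`), the method names, the bot username format and the use of `:guest` as a symbol are assumptions. The security point it makes concrete is that the identity attached to the configuration is a purpose-built account with the lowest access level, not whichever human last edited the policy project.

```ruby
# Added example, not GitLab code: an in-memory model of the bot-user
# lifecycle this MR introduces. Names and the username format are assumptions.

# Constructed stand-ins for the records involved (plain Structs, not ActiveRecord).
BotUser = Struct.new(:id, :username, :user_type)
Membership = Struct.new(:user_id, :access_level)          # :guest, :developer, ...
PolicyConfiguration = Struct.new(:policy_project_id, :bot_user_id)

class DemoProject
  attr_reader :id, :members
  attr_accessor :security_orchestration_policy_configuration

  def initialize(id)
    @id = id
    @members = []                                           # Membership records
    @security_orchestration_policy_configuration = nil
  end
end

class PolicyBotLifecycle
  def initialize
    @users = {}              # user id => BotUser, stands in for the users table
    @next_user_id = 1
  end

  def user(id)
    @users[id]
  end

  # Cases 1 and 2: assigning or changing the policy project. Idempotent: an
  # existing bot is kept; otherwise one is created and added as a guest, the
  # lowest access level, so the pipeline identity never carries more rights
  # than it needs.
  def assign_policy_project(project, policy_project_id)
    config = project.security_orchestration_policy_configuration ||
             PolicyConfiguration.new(nil, nil)
    config.policy_project_id = policy_project_id
    project.security_orchestration_policy_configuration = config
    return config if config.bot_user_id && @users.key?(config.bot_user_id)

    bot = BotUser.new(@next_user_id, "security_policy_bot_#{project.id}", :security_policy_bot)
    @next_user_id += 1
    @users[bot.id] = bot
    project.members << Membership.new(bot.id, :guest)
    config.bot_user_id = bot.id
    config
  end

  # Case 3: removing the policy project removes the bot's membership, the bot
  # user itself and the configuration.
  def remove_policy_project(project)
    config = project.security_orchestration_policy_configuration
    return if config.nil?

    if config.bot_user_id
      project.members.reject! { |m| m.user_id == config.bot_user_id }
      @users.delete(config.bot_user_id)
    end
    project.security_orchestration_policy_configuration = nil
  end

  # Case 4: a maintainer removes the bot member by hand. The configuration
  # must not keep pointing at a user that is no longer a member.
  def remove_member(project, user_id)
    project.members.reject! { |m| m.user_id == user_id }
    config = project.security_orchestration_policy_configuration
    config.bot_user_id = nil if config && config.bot_user_id == user_id
  end

  # True only if the user is a guest member AND is of the bot user type.
  def bot_member?(project, user_id)
    project.members.any? { |m| m.user_id == user_id && m.access_level == :guest } &&
      @users[user_id]&.user_type == :security_policy_bot
  end
end
```

Walking the model through the four cases in the same order as the validation steps: case 1 yields a guest member whose id matches `bot_user_id`, case 2 reuses it, case 3 leaves no member and no configuration, and case 4 leaves the configuration with `bot_user_id` set to `nil`.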
Merge request reports
Activity
changed milestone to %16.0
added backend, feature::enhancement, group::security policies, type::feature labels
assigned to @Andysoiron
added devops::govern, section::sec labels
A deleted user added database, database::review pending, feature flag labels
- Resolved by James Fargher
1 Warning: feature::addition and feature::enhancement merge requests normally have a documentation change. Consider adding a documentation update or confirming the documentation plan with the Technical Writer counterpart.
For more information, see:
- The Handbook page on merge request types.
- The definition of done documentation.
1 Message: This merge request adds or changes files that require a review from the Database team. This merge request requires a database review. To make sure these changes are reviewed, take the following steps:
- Ensure the merge request has database and database::review pending labels. If the merge request modifies database files, Danger will do this for you.
- Prepare your MR for database review according to the docs.
- Assign and mention the database reviewer suggested by Reviewer Roulette.
- Kick off the `db:gitlabcom-database-testing` manual job. This job can also be used before requesting review to test your migrations against production data.
The following files require a review from the Database team:
db/migrate/20230419192748_add_bot_user_id_to_security_orchestration_policy_configurations.rb
db/migrate/20230419193807_add_foreign_key_for_bot_user_id_to_security_orchestration_policy_configurations.rb
db/schema_migrations/20230419192748
db/schema_migrations/20230419193807
db/structure.sql
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
| Category | Reviewer | Maintainer |
|---|---|---|
| backend | Madelein van Niekerk (@maddievn) (UTC+8, 6 hours ahead of @Andysoiron) | Jan Provaznik (@jprovaznik) (UTC+2, same timezone as @Andysoiron) |
| database | Vitali Tatarintev (@ck3g) (UTC+2, same timezone as @Andysoiron) | Michał Zając (@Quintasan) (UTC+2, same timezone as @Andysoiron) |
| ~"migration" | No reviewer available | No maintainer available |
| ~"Threat Insights backend" | Reviewer review is optional for ~"Threat Insights backend" | Zamir Martins Filho (@zmartins) (UTC+0, 2 hours behind @Andysoiron) |

To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
Sidekiq queue changes
This merge request contains changes to Sidekiq queues. Please follow the documentation on changing a queue's urgency.
These queues were added:
`security_orchestration_configuration_create_bot`
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
A deleted user added Data Warehouse::Impact Check label
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@c29319fd
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@40324783
mentioned in commit gitlab-org-sandbox/gitlab-jh-validation@946aa289
Allure report
allure-report-publisher generated test report! e2e-package-and-test: test report for 290436d9

| Suite | Passed | Failed | Skipped | Flaky | Total | Result |
|---|---|---|---|---|---|---|
| Create | 292 | 0 | 42 | 50 | 334 | ❗ |
| Configure | 0 | 0 | 6 | 0 | 6 | ➖ |
| Plan | 120 | 0 | 0 | 66 | 120 | ❗ |
| Verify | 108 | 0 | 8 | 88 | 116 | ❗ |
| Govern | 92 | 0 | 0 | 92 | 92 | ❗ |
| Data Stores | 68 | 0 | 0 | 16 | 68 | ❗ |
| Manage | 64 | 2 | 6 | 16 | 72 | ❌ |
| Secure | 14 | 0 | 10 | 14 | 24 | ❗ |
| Release | 12 | 0 | 0 | 8 | 12 | ❗ |
| Analytics | 4 | 0 | 0 | 4 | 4 | ❗ |
| Package | 0 | 0 | 6 | 0 | 6 | ➖ |
| Monitor | 16 | 0 | 4 | 16 | 20 | ❗ |
| Framework sanity | 0 | 0 | 2 | 0 | 2 | ➖ |
| Fulfillment | 4 | 0 | 48 | 0 | 52 | ✅ |
| ModelOps | 0 | 0 | 2 | 0 | 2 | ➖ |
| Growth | 0 | 0 | 4 | 0 | 4 | ➖ |
| Total | 794 | 2 | 138 | 370 | 934 | ❌ |
Setting label(s) Category:Security Policy Management based on group::security policies.
added Category:Security Policy Management label