
Validate compliance framework id in security policy

Sashi Kumar Kumaresan requested to merge sk/428491-validate-id into master

What does this MR do and why?

This MR adds validation to compliance framework ids when a security policy is created with policy_scope.

Addresses #428491 (closed)

Database

SELECT
    COUNT(*) 
FROM
    "compliance_management_frameworks" 
WHERE
    "compliance_management_frameworks"."namespace_id" = 148 
    AND "compliance_management_frameworks"."id" IN (1, 2, 3)

Query Plan

 Aggregate  (cost=13.92..13.93 rows=1 width=8) (actual time=16.054..16.056 rows=1 loops=1)
   Buffers: shared hit=16 read=11
   I/O Timings: read=15.784 write=0.000
   ->  Index Scan using compliance_management_frameworks_pkey on public.compliance_management_frameworks  (cost=0.28..13.91 rows=1 width=0) (actual time=7.635..16.031 rows=8 loops=1)
         Index Cond: (compliance_management_frameworks.id = ANY ('{3405,3489,3406,4283,3407,3997,3807,4078}'::bigint[]))
         Filter: (compliance_management_frameworks.namespace_id = 7490175)
         Rows Removed by Filter: 0
         Buffers: shared hit=16 read=11
         I/O Timings: read=15.784 write=0.000

Time: 17.319 ms
  - planning: 1.158 ms
  - execution: 16.161 ms
    - I/O read: 15.784 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 16 (~128.00 KiB) from the buffer pool
  - reads: 11 (~88.00 KiB) from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

Screenshots or screen recordings

(Screenshot attached: Screenshot_2023-11-15_at_3.39.30_PM)

How to set up and validate locally

  1. Create a new top-level group, create a compliance framework from [Settings -> General -> Compliance Framework] and make a note of its ID

  2. Create another top-level group, create a compliance framework and make a note of its ID

  3. Create a new Policy for the first top-level group [Secure -> Policies -> Create new]

  4. Choose YAML-mode in the Policy Editor

  5. Add policy_scope:

    ...
    policy_scope:
      compliance_frameworks:
      - id: <ID of the other group's compliance framework>
    ...
  6. Verify that the policy cannot be created and an error is returned

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
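As an added example that is not part of this MR or of GitLab's own code, the following self-contained Ruby mirrors the validation the MR describes: the ids listed under policy_scope.compliance_frameworks are loaded from the policy YAML and accepted only if every distinct id resolves to a compliance framework owned by the policy's top-level namespace, which is the same condition the COUNT(*) query above checks. The in-memory framework table, the namespace ids and the function names are constructed for illustration.

```ruby
require 'yaml'
require 'set'

# Constructed stand-in for the compliance_management_frameworks table.
# Ids and namespace ids are made up for this example.
COMPLIANCE_FRAMEWORKS = [
  { id: 1, namespace_id: 148 },
  { id: 2, namespace_id: 148 },
  { id: 3, namespace_id: 148 },
  { id: 4, namespace_id: 149 } # owned by a different top-level group
].freeze

# Returns the framework ids referenced by policy_scope.compliance_frameworks,
# nil when the policy has no policy_scope (nothing to validate), and [] when
# the scope lists no frameworks.
def scoped_framework_ids(policy)
  scope = policy['policy_scope']
  return nil unless scope.is_a?(Hash)

  frameworks = scope['compliance_frameworks']
  return [] unless frameworks.is_a?(Array)

  frameworks.map { |entry| entry.is_a?(Hash) ? entry['id'] : nil }
end

# Validates a policy YAML document for the given top-level namespace.
# Equivalent to the MR's query: count frameworks whose id is in the referenced
# set AND whose namespace_id is this namespace; the scope is valid only when
# that count equals the number of distinct referenced ids. Returns a list of
# error messages, empty when the policy is acceptable.
def validate_policy_scope(policy_yaml, namespace_id, frameworks: COMPLIANCE_FRAMEWORKS)
  policy = YAML.safe_load(policy_yaml)
  ids = scoped_framework_ids(policy)
  return [] if ids.nil? || ids.empty?

  unless ids.all? { |id| id.is_a?(Integer) && id.positive? }
    return ['policy_scope.compliance_frameworks ids must be positive integers']
  end

  wanted = ids.to_set
  owned = frameworks.select { |f| f[:namespace_id] == namespace_id }.map { |f| f[:id] }
  matched = owned.count { |id| wanted.include?(id) }
  return [] if matched == wanted.size

  # Report the ids that do not belong to this namespace (or do not exist at all).
  missing = (wanted - owned).to_a.sort
  ["Invalid compliance framework ids for this group: #{missing.join(', ')}"]
end

# Helper that builds the YAML fragment from step 5 of the local validation
# procedure for a list of ids.
def policy_with_scope(*ids)
  entries = ids.map { |id| "  - id: #{id}" }.join("\n")
  "policy_scope:\n  compliance_frameworks:\n#{entries}\n"
end
```

Calling validate_policy_scope(policy_with_scope(1, 3), 148) returns no errors, while validate_policy_scope(policy_with_scope(4), 148) rejects the policy because framework 4 belongs to namespace 149, which is the scenario the manual steps above exercise. Duplicated ids are collapsed with a Set so the count comparison is not skewed, and non-integer ids are rejected before any lookup.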
