Skip to content

Refactor assigning compliance framework to a project

Jarka Košanová requested to merge 411502-refactor-compliance-assignement into master

What does this MR do and why?

It refactors assignment of compliance framework to a project.

Why

Right now when we assign a compliance framework to a project we do it using Projects::UpdateService called from multiple places. That service is huge and does not contain any permission checks (which itself should probably be fixed).

In Add "Manage Compliance Framework" as a customiz... (#411502 - closed) we are adding managing compliance frameworks as a custom ability. That includes also assigning a compliance framework to a project.

We could update Projects::UpdateService, add various permission checks there and allow updating only compliance framework if a user has permission to do so based on custom ability. It, however, feels as a security risk. As the service is already very comples, making the prsmission checks right is not trivial. And missing just one place could lead to a serious vulnerability. Additionally we would be increasing the complexity of the service that is already very complex.

Solution

I decided to create a new path to update the compliance framework. When this path is used a new service (ComplianceManagement::Frameworks::AssignProjectService) is called. The service is used also on other places where we are using Projects::UpdateService to update compliance framework for a project now.

Usage of the new path and the service is behind a feature flag. Until the FF is enabled, nothing changes.

Feature flag removal

When we remove the feature flag we should also clean up the ProjectsController and Projects::UpdateService. There are comments in the code to do so. The FF removal issue will be linked.

Rollout issue: #442302 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  • with feature flag disabled
  • with feature flag enabled (Feature.enable(:assign_compliance_project_service) from rails console):
  1. Play around with compliance project assignment
  • using project settings (Project - Settings - General - Compliance Framework)
  • GraphQL mutation, example:
mutation {
  projectSetComplianceFramework(input: { 
    projectId: "gid://gitlab/Project/7",
    complianceFrameworkId: "gid://gitlab/ComplianceManagement::Framework/4"
  }) {
    project {
      id
    }
  }
}
  • creation of new project which should also assign a default compliance framework

Related to #411502 (closed)

Edited by Jarka Košanová

Merge request reports