Refactor assigning compliance framework to a project
What does this MR do and why?
It refactors assignment of compliance framework to a project.
Why
Right now when we assign a compliance framework to a project we do it using
Projects::UpdateService
called from multiple places. That service is huge
and does not contain any permission checks (which itself should probably be
fixed).
In Add "Manage Compliance Framework" as a customiz... (#411502 - closed) we are adding managing compliance frameworks as a custom ability. That includes also assigning a compliance framework to a project.
We could update Projects::UpdateService
, add various permission checks there
and allow updating only compliance framework if a user has permission to do
so based on custom ability. It, however, feels as a security risk. As the service
is already very comples, making the prsmission checks right is not trivial. And
missing just one place could lead to a serious vulnerability. Additionally we would
be increasing the complexity of the service that is already very complex.
Solution
I decided to create a new path to update the compliance framework. When this path is
used a new service (ComplianceManagement::Frameworks::AssignProjectService
) is
called. The service is used also on other places where we are using
Projects::UpdateService
to update compliance framework for a project now.
Usage of the new path and the service is behind a feature flag. Until the FF is enabled, nothing changes.
Feature flag removal
When we remove the feature flag we should also clean up the ProjectsController
and Projects::UpdateService
. There are comments in the code to do so. The FF
removal issue will be linked.
Rollout issue: #442302 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- with feature flag disabled
- with feature flag enabled (
Feature.enable(:assign_compliance_project_service)
from rails console):
- Play around with compliance project assignment
- using project settings (Project - Settings - General - Compliance Framework)
- GraphQL mutation, example:
mutation {
projectSetComplianceFramework(input: {
projectId: "gid://gitlab/Project/7",
complianceFrameworkId: "gid://gitlab/ComplianceManagement::Framework/4"
}) {
project {
id
}
}
}
- creation of new project which should also assign a default compliance framework
Related to #411502 (closed)