Persist scan execution policies

What does this MR do and why?

Persists scan execution policies that are stored in repos as YAML to the database, as we're moving reads off Gitaly and to the database. We already persist MR approval policies (!146504 (merged)).

Motivation

Security policies can be configured by users through a policy UI. These policies are persisted to a security policy project's repository as a YAML data structure (see e.g. the monolith's policy.yml). This means that in order to enforce policies, we currently incur the penalty of reading it from Gitaly first. Primarily for performance reasons, we are working on persisting policies to the database.

We currently have two types of security policies but are already working on new policy type(s). In !146504 (merged) we started persisting MR approval policies. This MR adds support for persisting scan execution policies.

The service for persisting policies avoids recreating database records by checksumming policy contents: adding a new policy only shifts the relative position of the other policies within policy.yml without changing their contents, so those unchanged policies can be matched by checksum and kept rather than deleted and recreated.
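As an added example (not the service code in this MR), here is a self-contained Ruby sketch of the checksum-based matching described above. It assumes persisted rows are represented as plain hashes with :checksum and :policy_index, uses SHA-256 over a key-sorted JSON form of each policy as the checksum, and reads a constructed policy.yml; the column names, digest and serialisation are assumptions of this example, not GitLab's actual model.

```ruby
require "digest"
require "json"
require "yaml"

# Constructed sample of a security policy project's policy.yml holding two
# scan execution policies. Hypothetical content, not GitLab's own file.
POLICY_YML = <<~YAML
  scan_execution_policy:
    - name: Secret detection on default branch
      enabled: true
      rules:
        - type: pipeline
          branches: [main]
      actions:
        - scan: secret_detection
    - name: SAST on every branch
      enabled: true
      rules:
        - type: pipeline
          branches: ["*"]
      actions:
        - scan: sast
YAML

# Recursively sort hash keys so that two policies with the same content but
# differently ordered keys serialise identically.
def canonical(value)
  case value
  when Hash  then value.keys.sort.to_h { |k| [k, canonical(value[k])] }
  when Array then value.map { |v| canonical(v) }
  else value
  end
end

# Content checksum of one policy (SHA-256 over its canonical JSON form).
# SHA-256 and JSON are assumptions of this example.
def policy_checksum(policy)
  Digest::SHA256.hexdigest(JSON.generate(canonical(policy)))
end

def load_scan_execution_policies(yaml_text)
  YAML.safe_load(yaml_text).fetch("scan_execution_policy", [])
end

# Compare what is persisted (hashes with :checksum and :policy_index, standing
# in for security_policies rows of one configuration and one type) with the
# policies now in policy.yml, and return what to create, delete and reindex.
# Assumes policy contents are distinct within one configuration, so a
# checksum identifies at most one record.
def plan_sync(existing_records, policies)
  existing_by_checksum = existing_records.to_h { |r| [r[:checksum], r] }

  wanted = policies.each_with_index.map do |policy, index|
    { checksum: policy_checksum(policy), policy_index: index, name: policy["name"] }
  end
  wanted_checksums = wanted.map { |w| w[:checksum] }

  {
    # Unknown checksum: genuinely new content, insert a row.
    create:  wanted.reject { |w| existing_by_checksum.key?(w[:checksum]) },
    # Persisted content no longer present in policy.yml: delete the row.
    delete:  existing_records.reject { |r| wanted_checksums.include?(r[:checksum]) },
    # Same content at a different position: update policy_index, keep the row.
    reindex: wanted.select { |w|
      record = existing_by_checksum[w[:checksum]]
      record && record[:policy_index] != w[:policy_index]
    }
  }
end

# Two syncs: an initial one against an empty table, then one after a user
# prepends a new policy so the existing two shift down one position.
def demo
  policies = load_scan_execution_policies(POLICY_YML)
  first = plan_sync([], policies)
  persisted = first[:create]

  new_policy = {
    "name" => "Nightly DAST", "enabled" => true,
    "rules" => [{ "type" => "schedule", "cadence" => "0 0 * * *" }],
    "actions" => [{ "scan" => "dast" }]
  }
  second = plan_sync(persisted, [new_policy] + policies)
  { first: first, second: second }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "first sync:  create=#{result[:first][:create].size}"
  puts "second sync: create=#{result[:second][:create].map { |c| c[:name] }} " \
       "reindex=#{result[:second][:reindex].map { |r| [r[:name], r[:policy_index]] }}"
end
```

In the second sync only the prepended policy produces a create; the two policies that merely moved from positions 0 and 1 to 1 and 2 are matched by checksum and only have their policy_index updated. The key-sorted serialisation matters because a checksum over the raw YAML text would change whenever a user reorders keys or whitespace, which would defeat the purpose of the comparison.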

Database

Table schema

See the ER diagram related to this change.

Changed query

SELECT
	"security_policies".*
FROM
	"security_policies"
WHERE
	"security_policies"."security_orchestration_policy_configuration_id" = 58
+	AND "security_policies"."type" = 1;
Index Scan using index_security_policies_on_unique_config_type_policy_index on security_policies  (cost=0.15..2.17 rows=1 width=237) (actual time=0.010..0.010 rows=1 loops=1)
  Index Cond: ((security_orchestration_policy_configuration_id = 58) AND (type = 1))
  Buffers: shared hit=2
Planning Time: 0.056 ms
Execution Time: 0.022 ms

We currently accept up to 20 approval policies and up to 5 scan execution policies.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Validating projects

  • Enable the feature flag:

    Feature.enable(:security_policies_sync)
  • Create a new project

  • Navigate to Secure > Policies and create a scan execution policy

  • Try adding/editing/deleting policies and verify the state of the security_policies and scan_execution_policy_rules tables

  • Repeat the above by creating a group instead and enabling the security_policies_sync_group feature flag.

Related to #416260

Edited by Dominic Bauer