
Association change for supporting multiple frameworks for a project

Hitesh Raghuvanshi requested to merge 420976-association-changes into master

What does this MR do and why?

Currently only one compliance framework label is supported per project; we need to support multiple compliance framework labels per project. For this we need to change the existing has_one association between a project and its framework to has_many.

Changes

  1. This MR primarily makes changes in the ee/app/models/ee/project.rb file, where the association between the project and its compliance_framework_settings and compliance_management_frameworks is changed.
  2. The other changes are made so that they support the new association.
  3. The code elsewhere assumes that, even though a project could have multiple compliance frameworks, there can currently be only one; hence .first and [0] are used to access only the first item.
  4. Actual support for multiple compliance frameworks will come in a subsequent MR. This MR makes sure all current functionality keeps working as expected for now.

Note: Since the major change in this MR is only the association change above, the other changes depend on it, and hence we can't split this MR into multiple MRs, as that would break existing functionality.


How to set up and validate locally

First, create several compliance frameworks for a group, following the steps in https://docs.gitlab.com/ee/user/compliance/compliance_center/compliance_frameworks_report.html#create-a-new-compliance-framework.

For testing this MR, there are multiple pieces of functionality which we need to check:

Associate project with compliance framework:

You can associate a project with any of the compliance frameworks which are present for its parent group.

Via UI

  1. To add a framework to a project, follow the steps in https://docs.gitlab.com/ee/user/compliance/compliance_center/compliance_projects_report.html#apply-a-compliance-framework-to-projects-in-a-group.
  2. To remove a framework from a project, follow https://docs.gitlab.com/ee/user/compliance/compliance_center/compliance_frameworks_report.html#delete-a-compliance-framework.

Via GraphQL API

  1. This assumes you have created a group, at least two compliance frameworks under the group, and at least one project in the group.
  2. Open http://gitlab.localdev:3000/-/graphql-explorer to run GraphQL mutations.
  3. Run the following mutation, replacing the project and framework IDs, to associate the project with the framework.
mutation projectSetComplianceFramework {
  projectSetComplianceFramework(input: {projectId: "gid://gitlab/Project/<id>", 
    complianceFrameworkId: "gid://gitlab/ComplianceManagement::Framework/<id>"}) {
    errors
    project {
     id
     name
    }
  }
}
  4. Now visit the dashboard of the project used in step 3; the framework should be associated with it and the framework name should be visible near the name of the project, for example the hello2 framework associated with the Flight project (screenshot).
  5. Now let's replace the framework with another. For this, just use the framework ID of another, non-associated framework present in the project's group with the same mutation as in step 3.
mutation projectSetComplianceFramework {
  projectSetComplianceFramework(input: {projectId: "gid://gitlab/Project/<id>", 
    complianceFrameworkId: "gid://gitlab/ComplianceManagement::Framework/<other_framework_id>"}) {
    errors
    project {
     id
     name
    }
  }
}
  6. To remove the framework from the project, run the following mutation:
mutation projectSetComplianceFramework {
  projectSetComplianceFramework(input: {projectId: "gid://gitlab/Project/<id>", 
    complianceFrameworkId: null }) {
    errors
    project {
     id
     name
    }
  }
}
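The same three-step exchange (associate, replace, remove) driven from a script instead of the GraphQL explorer, as an added example that is not part of this MR or GitLab's code. It passes the IDs as GraphQL variables rather than splicing them into the query text, and treats a null framework ID as the removal case from step 6. The endpoint, token and IDs are placeholders, and the variable scalar names are an assumption.

```ruby
require "json"
require "net/http"
require "uri"

# Added example (not GitLab's code). The scalar names ProjectID and
# ComplianceManagementFrameworkID are assumed to match GitLab's schema.
MUTATION = <<~GRAPHQL
  mutation SetFramework($projectId: ProjectID!, $frameworkId: ComplianceManagementFrameworkID) {
    projectSetComplianceFramework(input: {projectId: $projectId, complianceFrameworkId: $frameworkId}) {
      errors
      project { id name }
    }
  }
GRAPHQL

# Builds the request body. Integer() rejects anything that is not a numeric
# ID, so only well-formed global IDs reach the query. A nil framework_id is
# sent as JSON null, which removes the framework from the project.
def framework_payload(project_id, framework_id)
  {
    query: MUTATION,
    variables: {
      projectId: "gid://gitlab/Project/#{Integer(project_id)}",
      frameworkId: framework_id && "gid://gitlab/ComplianceManagement::Framework/#{Integer(framework_id)}"
    }
  }
end

# Interprets a GraphQL response body. Returns [ok, messages]: transport or
# schema-level errors ("errors" at the top) and mutation-level errors
# (the mutation's own "errors" array) are both treated as failure.
def framework_result(body)
  data = JSON.parse(body)
  top = (data["errors"] || []).map { |e| e["message"] }
  return [false, top] unless top.empty?
  mut = data.dig("data", "projectSetComplianceFramework") || {}
  errs = mut["errors"] || []
  [errs.empty?, errs]
end

# Posts the mutation with a bearer token (a personal access token with api
# scope is assumed). Usage, e.g. against a local GDK:
#   set_compliance_framework("http://gitlab.localdev:3000/api/graphql", ENV["GITLAB_TOKEN"], 1, 2)
#   set_compliance_framework(endpoint, token, 1, nil)   # removes the framework
def set_compliance_framework(endpoint, token, project_id, framework_id)
  uri = URI(endpoint)
  req = Net::HTTP::Post.new(uri, "Content-Type" => "application/json", "Authorization" => "Bearer #{token}")
  req.body = JSON.generate(framework_payload(project_id, framework_id))
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  framework_result(res.body)
end
```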

Check framework association with project

  1. Visit the group's dashboard, for example http://gitlab.localdev:3000/twitter; the project names should appear with the associated framework names, if any (screenshot).
  2. Visit the project's dashboard; the framework name should appear there too (screenshot).
  3. Visit the compliance center for the group, for example http://gitlab.localdev:3000/groups/twitter/-/security/compliance_dashboard/projects; the projects should appear with their respective compliance framework labels.

Compliance pipeline

  1. Configure a compliance pipeline with one of the group's frameworks by following the steps in https://docs.gitlab.com/ee/user/group/compliance_pipelines.html#configure-a-compliance-pipeline; you can create a basic pipeline with the sample configuration.
  2. Now associate this framework with a project, if it is not already associated with any, and then push a change to the project's repository. The change should trigger the project's pipeline, which will be the compliance framework pipeline.

Export and import a project

  1. To export a project, follow the steps in https://docs.gitlab.com/ee/user/project/settings/import_export.html#export-a-project-and-its-data.
  2. To import a project, follow the steps in https://docs.gitlab.com/ee/user/project/settings/import_export.html#import-a-project-and-its-data.

Related to #464158

Edited by Hitesh Raghuvanshi
