Apply limits and restrict schema for pipeline execution policies

What does this MR do and why?

This MR extends loading of pipeline execution policies and applies policy_scope and limits to allow up to 5 execution policy configs to run with a project pipeline after taking the policy scope into consideration.

It also restricts the schema to only allow for a remote CI file to be referenced from within policy. This allows us to roll out a simpler UI in the scope of MVC and forces the policy CI configs to be saved in a repository in a more organized way.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag:
    echo "Feature.enable(:pipeline_execution_policy_type)" | rails c
  2. Create a group
  3. Create four new projects:
    • Compliance project
    • Test
    • SPP project
    • SPP group
  4. In the Compliance project, create a file project.yml with the following content:
    policy project test:
      stage: test
      script:
        - echo "Policy project test."
  5. In the Compliance project, create a file group.yml with the following content:
    policy group test:
      stage: test
      script:
        - echo "Policy group test."
  6. Go to the group and select Security & Compliance and Policies
  7. Select Edit policy project
  8. Select the SPP group as your security policy project and Save
  9. Go to the Test project and select Security & Compliance and Policies
  10. Select Edit policy project
  11. Select your security policy project SPP project and Save
  12. In SPP group, create a new file .gitlab/security-policies/policy.yml with content:
    ---
    pipeline_execution_policy:
      - name: Group policy 1
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: group.yml
              ref: main
      - name: Group policy 2
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: group.yml
              ref: main
      - name: Group policy 3
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: group.yml
              ref: main
      - name: Group policy 4
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: group.yml
              ref: main
  13. In SPP project, create a new file .gitlab/security-policies/policy.yml with content:
    ---
    pipeline_execution_policy:
      - name: Project policy 1
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: project.yml
              ref: main
      - name: Project policy 2
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: project.yml
              ref: main
      - name: Project policy 3
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: project.yml
              ref: main
      - name: Project policy 4
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <group-path>/compliance-project
              file: project.yml
              ref: main
  14. Go to the Test project and create .gitlab-ci.yml:
    stages:
      - build
      - test
      - deploy
    
    build job:
      stage: build
      script:
        - echo "Compiling the code..."
    
    test job:
      stage: test
      script:
        - echo "Running unit tests... This will take about 60 seconds."
        - sleep 1
        - echo "Code coverage is 90%"
  15. Go to Pipelines and run a new pipeline
  16. Verify that only 5 policy jobs are applied and that 4 are from the group (policy group test) and 1 is from the project (policy project test)
  17. Open the Rails console and run the following command to verify the exact configs that are loaded and their order (alternatively, we could have created separate configs with distinctive job names for each policy, but it would have been more work to set up):
    Gitlab::Security::Orchestration::ProjectPipelineExecutionPolicies.new(Project.find(<test_project_id>)).send(:applicable_execution_policies_by_hierarchy).first(5).reverse
    => [{:name=>"Project policy 1", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"project.yml", :ref=>"main"}}},
     {:name=>"Group policy 4", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
     {:name=>"Group policy 3", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
     {:name=>"Group policy 2", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
     {:name=>"Group policy 1", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}}]
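The two rules the description and the validation steps rely on, as an added Ruby illustration that is not GitLab's code: the restricted schema accepts only remote-file includes (project/file/ref), and after ordering by hierarchy (group policy project first, then the project's own policy project, mirroring the console output above) at most 5 enabled policies apply. The function names, the `enabled` filter and the sample project path are assumptions made for this example.

```ruby
# Hypothetical illustration of the limit and schema rules, not GitLab's
# implementation. Policies are hashes shaped like the pipeline_execution_policy
# entries in the policy.yml files from the setup steps.
MAX_POLICIES = 5                            # limit stated in the MR description
INCLUDE_KEYS = %w[project file ref].freeze  # only a remote CI file may be referenced

# True when `content` holds nothing but an `include` list whose entries each
# reference a remote CI file by project/file/ref (the restricted schema).
def valid_policy_content?(policy)
  content = policy['content']
  return false unless content.is_a?(Hash) && content.keys == ['include']

  includes = content['include']
  return false unless includes.is_a?(Array) && !includes.empty?

  includes.all? do |inc|
    inc.is_a?(Hash) && inc.keys.sort == INCLUDE_KEYS.sort &&
      inc.values.all? { |v| v.is_a?(String) && !v.empty? }
  end
end

# `hierarchy` is an ordered list of policy documents, top-level group first and
# the project's own policy project last (assumed order, matching the console
# output). Enabled, schema-valid policies are taken in that order and capped,
# so group policies win over project policies once the limit is reached.
def applicable_policies(hierarchy, limit: MAX_POLICIES)
  hierarchy
    .flat_map { |doc| Array(doc['pipeline_execution_policy']) }
    .select { |p| p['enabled'] && valid_policy_content?(p) }
    .first(limit)
end

# One policy entry; the project path is a constructed placeholder.
def policy(name, file, enabled: true)
  { 'name' => name, 'enabled' => enabled, 'pipeline_config_strategy' => 'inject_ci',
    'content' => { 'include' => [{ 'project' => 'example-group/compliance-project',
                                   'file' => file, 'ref' => 'main' }] } }
end

# Constructed sample mirroring the setup steps: four group and four project policies.
def sample_hierarchy
  group = (1..4).map { |i| policy("Group policy #{i}", 'group.yml') }
  project = (1..4).map { |i| policy("Project policy #{i}", 'project.yml') }
  [{ 'pipeline_execution_policy' => group }, { 'pipeline_execution_policy' => project }]
end
```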

Related to #452381

Edited by Furkan Ayhan