Apply limits and restrict schema for pipeline execution policies (!155702) · Merge requests · GitLab.org / GitLab

Martin Čavoj requested to merge 452381-backend-apply-policy-scope-and-limits-for-pipeline-execution-policy-type into master Jun 07, 2024

What does this MR do and why?

This MR extends loading of pipeline execution policies and applies policy_scope and limits to allow up to 5 execution policy configs to run with a project pipeline after taking the policy scope into consideration.

It also restricts the schema to only allow for a remote CI file to be referenced from within policy. This allows us to roll out a simpler UI in the scope of MVC and forces the policy CI configs to be saved in a repository in a more organized way.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Enable the feature flag echo "Feature.enable(:pipeline_execution_policy_type)" | rails c
Create a group
Create four new projects:
- Compliance project
- Test
- SPP project
- SPP group

In the Compliance project, create a file project.yml with the following content:

policy project test:
  stage: test
  script:
    - echo "Policy project test."

In the Compliance project, create a file group.yml with the following content:

policy group test:
  stage: test
  script:
    - echo "Policy group test."

Go to the group and select Security & Compliance and Policies
Select Edit policy project
Select the SPP group as your security policy project and Save
Go to the Test project and select Security & Compliance and Policies
Select Edit policy project
Select your security policy project SPP project and Save

In SPP group, create a new file .gitlab/security-policies/policy.yml with content:

---
pipeline_execution_policy:
  - name: Group policy 1
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: group.yml
          ref: main
  - name: Group policy 2
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: group.yml
          ref: main
  - name: Group policy 3
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: group.yml
          ref: main
  - name: Group policy 4
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: group.yml
          ref: main

In SPP project, create a new file .gitlab/security-policies/policy.yml with content:

---
pipeline_execution_policy:
  - name: Project policy 1
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: project.yml
          ref: main
  - name: Project policy 2
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: project.yml
          ref: main
  - name: Project policy 3
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: project.yml
          ref: main
  - name: Project policy 4
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: <group-path>/compliance-project
          file: project.yml
          ref: main

Go to the Test project and create .gitlab-ci.yml:

stages:
  - build
  - test
  - deploy

build job:
  stage: build
  script:
    - echo "Compiling the code..."

test job:
  stage: test
  script:
    - echo "Running unit tests... This will take about 60 seconds."
    - sleep 1
    - echo "Code coverage is 90%"

Go to Pipelines and run a new pipeline
Verify that only 5 policy jobs are applied and that 4 are from the group (policy group test) and 1 is from the project (policy project test)

Open rails console and run the following command to verify the exact configs that are loaded and their order (alternatively, we could have created separate configs with distinctive job names for each policy but it would have been more work to set it up):

Gitlab::Security::Orchestration::ProjectPipelineExecutionPolicies.new(Project.find(<test_project_id>)).send(:applicable_execution_policies_by_hierarchy).first(5).reverse
=> [{:name=>"Project policy 1", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"project.yml", :ref=>"main"}}},
 {:name=>"Group policy 4", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
 {:name=>"Group policy 3", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
 {:name=>"Group policy 2", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
 {:name=>"Group policy 1", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}}]

Related to #452381

Edited Jun 17, 2024 by Furkan Ayhan

Apply limits and restrict schema for pipeline execution policies

What does this MR do and why?

MR acceptance checklist

How to set up and validate locally

Merge request reports