Apply limits and restrict schema for pipeline execution policies
requested to merge 452381-backend-apply-policy-scope-and-limits-for-pipeline-execution-policy-type into master
What does this MR do and why?
This MR extends the loading of pipeline execution policies and applies policy_scope and limits, so that after the policy scope has been taken into consideration, at most 5 execution policy configs run with a project pipeline.
It also restricts the schema so that only a remote CI file can be referenced from within a policy. This allows us to roll out a simpler UI in the scope of the MVC and forces the policy CI configs to be saved in a repository in a more organized way.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable the feature flag:

  ```shell
  echo "Feature.enable(:pipeline_execution_policy_type)" | rails c
  ```

- Create a group
- Create four new projects:
  - Compliance project
  - Test
  - SPP project
  - SPP group
- In the Compliance project, create a file project.yml with the following content:

  ```yaml
  policy project test:
    stage: test
    script:
      - echo "Policy project test."
  ```

- In the Compliance project, create a file group.yml with the following content:

  ```yaml
  policy group test:
    stage: test
    script:
      - echo "Policy group test."
  ```

- Go to the group and select Security & Compliance and Policies
- Select Edit policy project
- Select the SPP group as your security policy project and Save
- Go to the Test project and select Security & Compliance and Policies
- Select Edit policy project
- Select your security policy project SPP project and Save
- In SPP group, create a new file .gitlab/security-policies/policy.yml with content:

  ```yaml
  ---
  pipeline_execution_policy:
    - name: Group policy 1
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: group.yml
            ref: main
    - name: Group policy 2
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: group.yml
            ref: main
    - name: Group policy 3
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: group.yml
            ref: main
    - name: Group policy 4
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: group.yml
            ref: main
  ```

- In SPP project, create a new file .gitlab/security-policies/policy.yml with content:

  ```yaml
  ---
  pipeline_execution_policy:
    - name: Project policy 1
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: project.yml
            ref: main
    - name: Project policy 2
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: project.yml
            ref: main
    - name: Project policy 3
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: project.yml
            ref: main
    - name: Project policy 4
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: <group-path>/compliance-project
            file: project.yml
            ref: main
  ```

- Go to the Test project and create .gitlab-ci.yml:

  ```yaml
  stages:
    - build
    - test
    - deploy

  build job:
    stage: build
    script:
      - echo "Compiling the code..."

  test job:
    stage: test
    script:
      - echo "Running unit tests... This will take about 60 seconds."
      - sleep 1
      - echo "Code coverage is 90%"
  ```

- Go to Pipelines and run a new pipeline
- Verify that only 5 policy jobs are applied and that 4 are from the group (policy group test) and 1 is from the project (policy project test)
- Open rails console and run the following command to verify the exact configs that are loaded and their order (alternatively, we could have created separate configs with distinctive job names for each policy, but it would have been more work to set up):

  ```ruby
  Gitlab::Security::Orchestration::ProjectPipelineExecutionPolicies
    .new(Project.find(<test_project_id>))
    .send(:applicable_execution_policies_by_hierarchy)
    .first(5)
    .reverse
  ```

  Expected output:

  ```
  => [{:name=>"Project policy 1", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"project.yml", :ref=>"main"}}},
      {:name=>"Group policy 4", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
      {:name=>"Group policy 3", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
      {:name=>"Group policy 2", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}},
      {:name=>"Group policy 1", :description=>"", :enabled=>true, :pipeline_config_strategy=>"inject_ci", :content=>{:include=>{:project=>"gitlab-org/pep-limits/compliance-project", :file=>"group.yml", :ref=>"main"}}}]
  ```
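The selection rule described in the MR summary and exercised by the validation steps above (group policies ahead of project policies, scope applied, only remote project/file/ref includes accepted, cap of 5), as an added stand-alone Ruby model that is not GitLab's own code; the policy_scope shape, the project id and the helper names are assumptions made for the example:

```ruby
# Added example (not GitLab's code). Models the selection this MR describes:
# policies are collected by hierarchy (group policies before project policies),
# disabled and out-of-scope policies are dropped, each policy must reference a
# remote CI file (project/file/ref), and at most POLICY_LIMIT are applied.
POLICY_LIMIT = 5

# Assumed scope shape (hypothetical, not the real policy_scope schema):
# policy_scope: { projects: { excluding: [{ id: <project_id> }, ...] } }.
# A policy without policy_scope applies to every project.
def in_scope?(policy, project_id)
  excluded = Array(policy.dig(:policy_scope, :projects, :excluding))
  excluded.none? { |p| p[:id] == project_id }
end

# Schema restriction from the MR: the only allowed include is a single remote
# file reference carrying project, file and ref (no local paths or URLs).
def valid_remote_include?(policy)
  inc = policy.dig(:content, :include)
  inc = inc.first if inc.is_a?(Array) && inc.size == 1
  return false unless inc.is_a?(Hash)

  required = %i[project file ref]
  required.all? { |k| inc[k].is_a?(String) && !inc[k].empty? } && (inc.keys - required).empty?
end

# Group policies come first, so when more than POLICY_LIMIT are applicable the
# project's own policies are the ones that get cut.
def applicable_policies(group_policies, project_policies, project_id)
  (group_policies + project_policies)
    .select { |p| p[:enabled] && in_scope?(p, project_id) && valid_remote_include?(p) }
    .first(POLICY_LIMIT)
end

# Constructed sample mirroring the MR's setup: 4 group + 4 project policies.
def build_policy(name, file)
  { name: name, description: '', enabled: true, pipeline_config_strategy: 'inject_ci',
    content: { include: [{ project: '<group-path>/compliance-project', file: file, ref: 'main' }] } }
end

GROUP_POLICIES = (1..4).map { |i| build_policy("Group policy #{i}", 'group.yml') }
PROJECT_POLICIES = (1..4).map { |i| build_policy("Project policy #{i}", 'project.yml') }

# Names of the policies that would run for the Test project (id 42 is constructed).
def demo_names(project_id = 42)
  applicable_policies(GROUP_POLICIES, PROJECT_POLICIES, project_id).map { |p| p[:name] }
end

puts demo_names.inspect if __FILE__ == $PROGRAM_NAME
```

Reversing the returned list reproduces the order shown by the rails console check above (Project policy 1 first, then Group policy 4 down to Group policy 1).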
Related to #452381 (closed)
Edited by Furkan Ayhan