Persist and update the PEP CI config link

What does this MR do and why?

Persist and update the PEP CI config link

  • Update links to PEP config projects when:
    • policy is created
    • policy is updated

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Database

-- From security_pipeline_execution_policy_config_link&.destroy!
SELECT "security_pipeline_execution_policy_config_links".* FROM "security_pipeline_execution_policy_config_links" WHERE "security_pipeline_execution_policy_config_links"."security_policy_id" = 215 LIMIT 1 
DELETE FROM "security_pipeline_execution_policy_config_links" WHERE "security_pipeline_execution_policy_config_links"."id" = 2 

-- From create_security_pipeline_execution_policy_config_link!(project: config_project)
SELECT 1 AS one FROM "security_pipeline_execution_policy_config_links" WHERE "security_pipeline_execution_policy_config_links"."security_policy_id" = 215 AND "security_pipeline_execution_policy_config_links"."project_id" = 2351 LIMIT 1
INSERT INTO "security_pipeline_execution_policy_config_links" ("project_id", "security_policy_id") VALUES (2351, 215) RETURNING "id"

Verification steps

  1. Enable feature flag pipeline_execution_policy_analyze_configs
  2. Create a project SPP
  3. In the project, create policy-ci.yml:
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    policy-test-job:
      stage: test
      script:
        - echo 'Policy test job 1'
  4. Create another project
  5. In this project, go to Secure -> Policies and link the project SPP from step 2 as a policy project
  6. Create a new pipeline execution policy:
    pipeline_execution_policy:
      - name: Enforced scans
        description: ''
        enabled: true
        pipeline_config_strategy: inject_ci
        content:
          include:
            - project: <path-to-spp-project>
              file: policy-ci.yml
  7. Save the policy
  8. Verify using rails console that it has been created together with the link to the SPP project:
    Security::Policy.last
    Security::Policy.last.security_pipeline_execution_policy_config_link
  9. Update the policy to link to another project
  10. Verify that the old link gets removed and a new one is created to the new project

The plans from local (there is no data on production and the tables are not present in the replica on postgres.ai yet):

Related to #498624 (closed)

Edited by Martin Cavoj
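
The link change that verification steps 8 to 10 check, as an added Ruby example that is not part of the MR or of GitLab's code: it reads the config project from a policy's `content.include` and lists the link operations an update should produce. It assumes one config link per policy, as the singular association in step 8 suggests; the project paths and helper names are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample policy, modelled on the one in step 6.
# The project paths are placeholders, not values from the MR.
OLD_POLICY = <<~YAML
  pipeline_execution_policy:
    - name: Enforced scans
      description: ''
      enabled: true
      pipeline_config_strategy: inject_ci
      content:
        include:
          - project: group/spp-project
            file: policy-ci.yml
YAML

# Same policy after step 9: the include now points at another project.
NEW_POLICY = OLD_POLICY.sub('group/spp-project', 'group/other-spp-project')

# Map each policy name to the project its CI config is included from
# (nil when the policy has no project include).
def config_projects(policy_yaml)
  doc = YAML.safe_load(policy_yaml) || {}
  Array(doc['pipeline_execution_policy']).to_h do |policy|
    includes = [policy.dig('content', 'include')].flatten.compact
    entry = includes.find { |i| i.is_a?(Hash) && i['project'] }
    [policy['name'], entry && entry['project']]
  end
end

# Link operations expected when a policy file changes. Assumption: one link
# per policy, so a changed project means destroy the old link, create a new one.
def link_changes(old_yaml, new_yaml)
  before = config_projects(old_yaml)
  after = config_projects(new_yaml)
  (before.keys | after.keys).flat_map do |name|
    next [] if before[name] == after[name]

    ops = []
    ops << [:destroy, name, before[name]] if before[name]
    ops << [:create, name, after[name]] if after[name]
    ops
  end
end
```

An unchanged policy yields no operations, which is the case to watch for when checking that an update does not leave a stale link behind or create a duplicate.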
