Allow CSP frameworks to factor into policy validation check

Jean van der Waltrequested to merge
557602-allow-csp-frameworks-to-factor-into-policy-validation-check into master

What does this MR do and why?

Makes the CSP frameworks visible to other top-level groups so that they can then be enforced in projects later.

How to set up and validate locally

Ensure you have a local setup with an ultimate license, and at least two top level groups.

Setup Group with CSP flag.

  1. Enable the feature flags:

    Feature.enable(:security_policies_csp)
Feature.enable(:include_csp_frameworks)

  2. Create a top-level group and assign it as a CSP using rails console:

    Security::PolicySetting.instance.update! csp_namespace: Group.find(<group_id>)

Now navigate to your CSP Group(example for gitlab-org/gitlab-test) to the Compliance Frameworks page and create a new framework. Making sure to at least supply a name name, description and color.

When finished click on "Create Framework".

Now navigate to the Compliance Center, new policy(e.g. http://gitlab.localdev:3000/groups/gitlab-org/-/security/policies/new?type=approval_policy), for a different group that is not the CSP Group.

During the policy creation process when scoping your new policy choose "projects with compliance frameworks", and choose the CSP framework you created earlier.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #557602 (closed)

Edited by Jean van der Walt

Merge request reports