Add ping_enabled field support for external controls

What does this MR do?

This MR implements the backend changes to support making external control ping optional, as described in issue #538898 (closed).

Changes included:

Model Updates

  • Add ping_enabled scope to ComplianceRequirementsControl model
  • Update validations and factory

Worker Updates

  • Filter external controls by ping_enabled: true in ProjectComplianceEvaluatorWorker
  • Only trigger external control service for ping-enabled controls

Service Updates

  • Add ping_enabled parameter support to CreateService

GraphQL Updates

  • Add ping_enabled field to ComplianceRequirementsControlType
  • Add ping_enabled argument to ComplianceRequirementsControlInputType

Related to

Closes #538898 (closed)

Database changes

The migration was already merged in !203613 (merged)

This MR adds the scope: scope :ping_enabled, -> { where(ping_enabled: true) }

Raw SQL Query

-- Query generated by ComplianceRequirementsControl.ping_enabled scope
SELECT "compliance_requirements_controls".* 
FROM "compliance_requirements_controls" 
WHERE "compliance_requirements_controls"."ping_enabled" = true;

Query Plan

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/43430/commands/132590

How to validate locally

  1. Create a compliance framework with a requirement
  2. Add an external control to the requirement via GraphQL. Create one control with pingEnabled: true, one with pingEnabled: false, and one with the parameter not present
    1. You can get the complianceRequirementId from step 3 below
mutation {
  createComplianceRequirementsControl(input: {
    complianceRequirementId: "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/24",
    params: {
      name: "external_control",
      externalControlName: "External control",
      controlType: "external",
      externalUrl: "https://www.google.com/123",
      secretToken: "DASDAS"
      # Run the mutation once per variant; only one pingEnabled line may be active at a time
      pingEnabled: true
      # pingEnabled: false
      # pingEnabled not specified - should default to true
    }
  }) {
    errors
    clientMutationId,
    requirementsControl{
      name,
      expression,
      id,
      controlType
    }
  }
}
  3. Query the group for compliance frameworks and check ping_enabled on the returned controls
query GetComplianceFrameworkControls {
  group(fullPath: "gitlab-org") {
    complianceFrameworks {
      nodes {
        id
        name
        complianceRequirements {
          nodes {
            id
            name
            complianceRequirementsControls {
              nodes {
                id
                name
                controlType
                externalControlName
                externalUrl
                pingEnabled
                complianceRequirement {
                  name
                }
              }
            }
          }
        }
      }
    }
  }
}
  4. Update an existing control's ping_enabled status
mutation UpdateComplianceControl {
  complianceRequirementsControlUpdate(input: {
    id: "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirementsControl/123"
    pingEnabled: false
  }) {
    complianceRequirementsControl {
      id
      name
      pingEnabled
    }
    errors
  }
}
  5. Go to Secure → Compliance center → Violations or Standards adherence
  6. Verify that only ping-enabled external controls are being evaluated. This runs every 12 hours.
Edited by Nate Rosandich
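
A helper for steps 3 and 6, added here as an example and not part of the merge request: it takes the JSON response of the GetComplianceFrameworkControls query and groups external controls by their pingEnabled value. The sample response is constructed, and the string values "external" and "internal" for controlType in the response are assumptions.

```ruby
require 'json'

# Constructed sample response to the GetComplianceFrameworkControls query.
# All ids, names and URLs are made up; "internal" as a controlType value is assumed.
SAMPLE_RESPONSE = <<~JSON
  {"data": {"group": {"complianceFrameworks": {"nodes": [
    {"id": "fw-1", "name": "Constructed framework", "complianceRequirements": {"nodes": [
      {"id": "req-24", "name": "Constructed requirement", "complianceRequirementsControls": {"nodes": [
        {"id": "ctl-1", "controlType": "external", "externalControlName": "created with true",
         "externalUrl": "https://example.test/a", "pingEnabled": true},
        {"id": "ctl-2", "controlType": "external", "externalControlName": "created with false",
         "externalUrl": "https://example.test/b", "pingEnabled": false},
        {"id": "ctl-3", "controlType": "external", "externalControlName": "created without argument",
         "externalUrl": "https://example.test/c", "pingEnabled": true},
        {"id": "ctl-4", "controlType": "internal", "externalControlName": null,
         "externalUrl": null, "pingEnabled": true}
      ]}}
    ]}}
  ]}}}}
JSON

# Flatten framework -> requirement -> control into one row per external control.
def external_controls(response)
  frameworks = response.dig('data', 'group', 'complianceFrameworks', 'nodes') || []
  frameworks.flat_map do |fw|
    (fw.dig('complianceRequirements', 'nodes') || []).flat_map do |req|
      (req.dig('complianceRequirementsControls', 'nodes') || [])
        .select { |c| c['controlType'] == 'external' }
        .map { |c| c.merge('framework' => fw['name'], 'requirement' => req['name']) }
    end
  end
end

# Group external controls by pingEnabled. A missing or null value is reported
# as :unknown rather than guessed, so a stale schema or typo is visible.
def ping_report(response)
  groups = external_controls(response).group_by do |c|
    { true => :pinged, false => :skipped }.fetch(c['pingEnabled'], :unknown)
  end
  { pinged: [], skipped: [], unknown: [] }.merge(groups)
end

if __FILE__ == $PROGRAM_NAME
  ping_report(JSON.parse(SAMPLE_RESPONSE)).each do |state, controls|
    puts "#{state}: #{controls.map { |c| c['externalControlName'] }.join(', ')}"
  end
end
```

Controls in the skipped group are the ones for which the external control service is no longer triggered, so that list is the one to review when auditing a framework.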
