Remove validation of scan execution policy yaml on saving

Alexander Turinske requested to merge 375191-allow-for-non-validated-yaml into master

What does this MR do and why?

Remove validation of scan execution policy yaml

  • when moving from yaml mode to rule mode, validation needs to happen on the policy yaml to determine whether rule mode supports the inputted yaml
  • when saving a policy, no validation should occur on the frontend because the frontend does not have the official schema. Validation should happen on the backend
  • allow for skipping validation of the yaml when converting it to an object on save
  • update initial yaml parsing to use the same logic as when a policy gets updated to ensure parsing is consistent for new and existing policies
  • remove the redundant computed property "policyYaml" and update yamlEditorValue directly to have a single source of truth for what the yaml is
  • update tests
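
The two code paths described above (validate when switching to rule mode, skip validation on save) as an added example; this is not GitLab's code, the allowed-key lists are an assumed approximation of the rule mode subset, and the policy objects are constructed by hand as a YAML parser would emit them from the two policies quoted under "How to set up and validate locally":

```javascript
// Added example, not GitLab's own code. Decides whether a parsed scan execution
// policy can be shown in rule mode, and lets the save path skip that check.
// Allowed-key lists are assumptions approximating the rule mode subset.
const SUPPORTED_TOP_LEVEL = ['type', 'name', 'description', 'enabled', 'rules', 'actions'];
// "agents" on schedule rules is deliberately absent: rule mode does not support it yet.
const SUPPORTED_RULE_KEYS = { pipeline: ['type', 'branches'], schedule: ['type', 'cadence', 'branches'] };
const SUPPORTED_ACTION_KEYS = ['scan', 'site_profile', 'scanner_profile', 'tags', 'variables'];

function unsupportedKeys(obj, allowed) {
  return Object.keys(obj).filter((key) => !allowed.includes(key));
}

// Returns the reasons rule mode cannot represent the policy; an empty list means it can.
function ruleModeProblems(policy) {
  const problems = unsupportedKeys(policy, SUPPORTED_TOP_LEVEL).map((k) => `unsupported attribute "${k}"`);
  (policy.rules || []).forEach((rule, i) => {
    const allowed = SUPPORTED_RULE_KEYS[rule.type];
    if (!allowed) {
      problems.push(`rule ${i}: unsupported rule type "${rule.type}"`);
      return;
    }
    unsupportedKeys(rule, allowed).forEach((k) => problems.push(`rule ${i}: unsupported attribute "${k}"`));
  });
  (policy.actions || []).forEach((action, i) => {
    unsupportedKeys(action, SUPPORTED_ACTION_KEYS).forEach((k) => problems.push(`action ${i}: unsupported attribute "${k}"`));
  });
  return problems;
}

// Convert a parsed policy to the editor's object form. validate: true is the
// yaml mode -> rule mode switch (any problem disables rule mode and keeps the
// yaml preview); validate: false is the save path, which passes the object on
// unchanged and leaves the authoritative schema check to the backend.
function policyToObject(policy, { validate = true } = {}) {
  const problems = validate ? ruleModeProblems(policy) : [];
  return { policy, ruleModeSupported: problems.length === 0, problems };
}

// Constructed inputs: the two policies from "How to set up and validate locally".
const AGENT_POLICY = {
  type: 'scan_execution_policy', name: 'Enforce CIS', enabled: true,
  description: 'This policy is enforcing cluster image scanning test',
  rules: [{ type: 'schedule', cadence: '0 * * * *', agents: { 'agent-name': { namespaces: ['default'] } } }],
  actions: [{ scan: 'cluster_image_scanning' }],
};
const UNSUPPORTED_POLICY = {
  type: 'scan_execution_policy', name: 'Policy with unsupported attribute', description: '',
  UNSUPPORTED: 'ATTRIBUTE', enabled: true,
  rules: [{ type: 'pipeline', branches: ['main'] }], actions: [{ scan: 'sast' }],
};
```

Both policies disable rule mode when validated, but both save cleanly with `validate: false`, which is the behaviour this MR introduces.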

Changelog: changed

EE: true

Screenshots or screen recordings

Scenario                                                        | Before                   | After
----------------------------------------------------------------|--------------------------|----------------------------
Saving a new policy with soon to be supported attribute agent   | new_agent_-_b            | new_agent_-a-_480
Editing an existing policy with soon to be supported attribute agent | Not possible        | editing_agent_-a-_480
Deleting an existing policy with soon to be supported attribute agent | Not possible       | delete_agent_-a-_480
Saving a new policy with unsupported attributes                 | new_unsupported_-b-_720  | new_unsupported_-a-_480
Editing an existing policy with unsupported attributes          | Not possible             | editing_unsupported_-a-_480
Deleting an existing policy with unsupported attributes         | Not possible             | delete_unsupported_-a-_480

How to set up and validate locally

Policy with soon to be supported attribute agent

  1. Upload a GitLab Ultimate license
  2. Turn on the :scan_execution_rule_mode feature flag
  3. Navigate to a project => Security & Compliance => Policies => New policy => Scan Execution Policy => yaml mode
  4. Copy/paste the below policy into the policy editor and save the policy
type: scan_execution_policy
name: "Enforce CIS"
description: "This policy is enforcing cluster image scanning test"
enabled: true
rules:
  - type: schedule
    cadence: "0 * * * *"
    agents:
      agent-name:
        namespaces:
          - default
actions:
  - scan: cluster_image_scanning

(NOTE: the inline policy editor validator may show a warning about the name being less than one character; that is a known, separate issue (Scan Execution yaml policy validation doesn't w... (#375205 - closed)))

  5. Navigate to rule mode
  • The rule mode should be disabled and the yaml should show in the preview
  6. Navigate back to yaml mode => Configure with merge request => Merge the MR => Navigate back to the project => Security & Compliance => Policies => Select the new policy => Edit policy
  • The rule mode should be disabled and the yaml should show in the preview
  7. Navigate to yaml mode
  • The policy should show as expected

Policy with unsupported attributes

  1. Upload a GitLab Ultimate license
  2. Turn on the :scan_execution_rule_mode feature flag
  3. Navigate to a project => Security & Compliance => Policies => New policy => Scan Execution Policy => yaml mode
  4. Copy/paste the below policy into the policy editor and save the policy
type: scan_execution_policy
name: "Policy with unsupported attribute"
description: ""
UNSUPPORTED: ATTRIBUTE
enabled: true
rules:
  - type: pipeline
    branches:
    - main
actions:
  - scan: sast

(NOTE: the inline policy editor validator may show a warning about the name being less than one character; that is a known, separate issue (Scan Execution yaml policy validation doesn't w... (#375205 - closed)))

  5. Navigate to rule mode
  • The rule mode should be disabled and the yaml should show in the preview
  6. Navigate back to yaml mode => Configure with merge request => Merge the MR => Navigate back to the project => Security & Compliance => Policies => Select the new policy => Edit policy
  • The rule mode should be disabled and the yaml should show in the preview
  7. Navigate to yaml mode
  • The policy should show as expected

Related to #375191 (closed)

Edited by Alexander Turinske