Commit dfb7b68d authored by Alan (Maciej) Paruszewski's avatar Alan (Maciej) Paruszewski Committed by Toon Claes

Add Security Orchestration Policy Configuration

This change adds a new model to the database to store the relationship between
a Project and a Security Orchestration Policy Project, in whose repository the
policies will be stored as a YAML file.
parent 91ce0ccf
---
title: Add Security Orchestration Policy Configuration
merge_request: 53743
author:
type: added
# frozen_string_literal: true
class CreateSecurityOrchestrationPolicyConfigurations < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
INDEX_PREFIX = 'index_sop_configs_'
def up
table_comment = { owner: 'group::container security', description: 'Configuration used to store relationship between project and security policy repository' }
create_table_with_constraints :security_orchestration_policy_configurations, comment: table_comment.to_json do |t|
t.references :project, null: false, foreign_key: { to_table: :projects, on_delete: :cascade }, index: { name: INDEX_PREFIX + 'on_project_id', unique: true }
t.references :security_policy_management_project, null: false, foreign_key: { to_table: :projects, on_delete: :restrict }, index: { name: INDEX_PREFIX + 'on_security_policy_management_project_id', unique: true }
t.timestamps_with_timezone
end
end
def down
with_lock_retries do
drop_table :security_orchestration_policy_configurations, force: :cascade
end
end
end
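Review bot: The unique index on `security_policy_management_project_id` at `t.references :security_policy_management_project` makes the link strictly one-to-one, so a single policy project can never be the policy source for more than one project; if sharing one policy repository across projects is a plausible later need, it is cheaper to decide that now than to drop a unique index from a populated table later. The matching `uniqueness: true` validation on `security_policy_management_project` in `Security::OrchestrationPolicyConfiguration` encodes the same choice. Nothing in the table prevents `project_id` and `security_policy_management_project_id` from pointing at the same project; if a project is not meant to be its own policy source, a database-level `CHECK (project_id <> security_policy_management_project_id)` here would make that explicit. The `on_delete: :restrict` on the policy project reference is the right choice, since it keeps a referenced policy repository from being deleted underneath the projects it governs.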
601d67a2911c461881064ec18a2246ef9e5b2835eb0fdf40e701c9360e19eca4
\ No newline at end of file
...@@ -16931,6 +16931,25 @@ CREATE SEQUENCE security_findings_id_seq ...@@ -16931,6 +16931,25 @@ CREATE SEQUENCE security_findings_id_seq
ALTER SEQUENCE security_findings_id_seq OWNED BY security_findings.id; ALTER SEQUENCE security_findings_id_seq OWNED BY security_findings.id;
CREATE TABLE security_orchestration_policy_configurations (
id bigint NOT NULL,
project_id bigint NOT NULL,
security_policy_management_project_id bigint NOT NULL,
created_at timestamp with time zone NOT NULL,
updated_at timestamp with time zone NOT NULL
);
COMMENT ON TABLE security_orchestration_policy_configurations IS '{"owner":"group::container security","description":"Configuration used to store relationship between project and security policy repository"}';
CREATE SEQUENCE security_orchestration_policy_configurations_id_seq
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
ALTER SEQUENCE security_orchestration_policy_configurations_id_seq OWNED BY security_orchestration_policy_configurations.id;
CREATE TABLE security_scans ( CREATE TABLE security_scans (
id bigint NOT NULL, id bigint NOT NULL,
created_at timestamp with time zone NOT NULL, created_at timestamp with time zone NOT NULL,
...@@ -19233,6 +19252,8 @@ ALTER TABLE ONLY scim_oauth_access_tokens ALTER COLUMN id SET DEFAULT nextval('s ...@@ -19233,6 +19252,8 @@ ALTER TABLE ONLY scim_oauth_access_tokens ALTER COLUMN id SET DEFAULT nextval('s
ALTER TABLE ONLY security_findings ALTER COLUMN id SET DEFAULT nextval('security_findings_id_seq'::regclass); ALTER TABLE ONLY security_findings ALTER COLUMN id SET DEFAULT nextval('security_findings_id_seq'::regclass);
ALTER TABLE ONLY security_orchestration_policy_configurations ALTER COLUMN id SET DEFAULT nextval('security_orchestration_policy_configurations_id_seq'::regclass);
ALTER TABLE ONLY security_scans ALTER COLUMN id SET DEFAULT nextval('security_scans_id_seq'::regclass); ALTER TABLE ONLY security_scans ALTER COLUMN id SET DEFAULT nextval('security_scans_id_seq'::regclass);
ALTER TABLE ONLY self_managed_prometheus_alert_events ALTER COLUMN id SET DEFAULT nextval('self_managed_prometheus_alert_events_id_seq'::regclass); ALTER TABLE ONLY self_managed_prometheus_alert_events ALTER COLUMN id SET DEFAULT nextval('self_managed_prometheus_alert_events_id_seq'::regclass);
...@@ -20736,6 +20757,9 @@ ALTER TABLE ONLY scim_oauth_access_tokens ...@@ -20736,6 +20757,9 @@ ALTER TABLE ONLY scim_oauth_access_tokens
ALTER TABLE ONLY security_findings ALTER TABLE ONLY security_findings
ADD CONSTRAINT security_findings_pkey PRIMARY KEY (id); ADD CONSTRAINT security_findings_pkey PRIMARY KEY (id);
ALTER TABLE ONLY security_orchestration_policy_configurations
ADD CONSTRAINT security_orchestration_policy_configurations_pkey PRIMARY KEY (id);
ALTER TABLE ONLY security_scans ALTER TABLE ONLY security_scans
ADD CONSTRAINT security_scans_pkey PRIMARY KEY (id); ADD CONSTRAINT security_scans_pkey PRIMARY KEY (id);
...@@ -23288,6 +23312,10 @@ CREATE INDEX index_software_licenses_on_spdx_identifier ON software_licenses USI ...@@ -23288,6 +23312,10 @@ CREATE INDEX index_software_licenses_on_spdx_identifier ON software_licenses USI
CREATE UNIQUE INDEX index_software_licenses_on_unique_name ON software_licenses USING btree (name); CREATE UNIQUE INDEX index_software_licenses_on_unique_name ON software_licenses USING btree (name);
CREATE UNIQUE INDEX index_sop_configs_on_project_id ON security_orchestration_policy_configurations USING btree (project_id);
CREATE UNIQUE INDEX index_sop_configs_on_security_policy_management_project_id ON security_orchestration_policy_configurations USING btree (security_policy_management_project_id);
CREATE INDEX index_sprints_on_description_trigram ON sprints USING gin (description gin_trgm_ops); CREATE INDEX index_sprints_on_description_trigram ON sprints USING gin (description gin_trgm_ops);
CREATE INDEX index_sprints_on_due_date ON sprints USING btree (due_date); CREATE INDEX index_sprints_on_due_date ON sprints USING btree (due_date);
...@@ -24710,6 +24738,9 @@ ALTER TABLE ONLY ci_subscriptions_projects ...@@ -24710,6 +24738,9 @@ ALTER TABLE ONLY ci_subscriptions_projects
ALTER TABLE ONLY trending_projects ALTER TABLE ONLY trending_projects
ADD CONSTRAINT fk_rails_09feecd872 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE; ADD CONSTRAINT fk_rails_09feecd872 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
ALTER TABLE ONLY security_orchestration_policy_configurations
ADD CONSTRAINT fk_rails_0a22dcd52d FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
ALTER TABLE ONLY project_deploy_tokens ALTER TABLE ONLY project_deploy_tokens
ADD CONSTRAINT fk_rails_0aca134388 FOREIGN KEY (deploy_token_id) REFERENCES deploy_tokens(id) ON DELETE CASCADE; ADD CONSTRAINT fk_rails_0aca134388 FOREIGN KEY (deploy_token_id) REFERENCES deploy_tokens(id) ON DELETE CASCADE;
...@@ -25049,6 +25080,9 @@ ALTER TABLE ONLY epic_issues ...@@ -25049,6 +25080,9 @@ ALTER TABLE ONLY epic_issues
ALTER TABLE ONLY ci_refs ALTER TABLE ONLY ci_refs
ADD CONSTRAINT fk_rails_4249db8cc3 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE; ADD CONSTRAINT fk_rails_4249db8cc3 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
ALTER TABLE ONLY security_orchestration_policy_configurations
ADD CONSTRAINT fk_rails_42ed6c25ec FOREIGN KEY (security_policy_management_project_id) REFERENCES projects(id) ON DELETE RESTRICT;
ALTER TABLE ONLY ci_resources ALTER TABLE ONLY ci_resources
ADD CONSTRAINT fk_rails_430336af2d FOREIGN KEY (resource_group_id) REFERENCES ci_resource_groups(id) ON DELETE CASCADE; ADD CONSTRAINT fk_rails_430336af2d FOREIGN KEY (resource_group_id) REFERENCES ci_resource_groups(id) ON DELETE CASCADE;
...@@ -105,6 +105,8 @@ module EE ...@@ -105,6 +105,8 @@ module EE
has_many :incident_management_oncall_schedules, class_name: 'IncidentManagement::OncallSchedule', inverse_of: :project has_many :incident_management_oncall_schedules, class_name: 'IncidentManagement::OncallSchedule', inverse_of: :project
has_many :incident_management_oncall_rotations, class_name: 'IncidentManagement::OncallRotation', through: :incident_management_oncall_schedules, source: :rotations has_many :incident_management_oncall_rotations, class_name: 'IncidentManagement::OncallRotation', through: :incident_management_oncall_schedules, source: :rotations
has_one :security_orchestration_policy_configuration, class_name: 'Security::OrchestrationPolicyConfiguration', foreign_key: :project_id, inverse_of: :project
elastic_index_dependant_association :issues, on_change: :visibility_level elastic_index_dependant_association :issues, on_change: :visibility_level
scope :with_shared_runners_limit_enabled, -> do scope :with_shared_runners_limit_enabled, -> do
# frozen_string_literal: true
module Security
class OrchestrationPolicyConfiguration < ApplicationRecord
self.table_name = 'security_orchestration_policy_configurations'
belongs_to :project, inverse_of: :security_orchestration_policy_configuration
belongs_to :security_policy_management_project, class_name: 'Project', foreign_key: 'security_policy_management_project_id'
validates :project, presence: true, uniqueness: true
validates :security_policy_management_project, presence: true, uniqueness: true
end
end
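Review bot: The model does not reject a configuration whose `security_policy_management_project` is the project itself, and the schema created in this commit allows that row; if a self-referencing policy source is unintended, it should be validated here so callers get a model error instead of a silently accepted row. A short class comment would also help, e.g. `# Links a project to the project whose repository holds its security policies (YAML).` above the class, since the relationship is not obvious from the table name.
```ruby
    validates :security_policy_management_project, presence: true, uniqueness: true
    validate :policy_project_is_not_project

    private

    # The schema permits project_id == security_policy_management_project_id; reject it at the model level.
    def policy_project_is_not_project
      return unless project_id && project_id == security_policy_management_project_id

      errors.add(:security_policy_management_project, 'cannot be the project itself')
    end
```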
# frozen_string_literal: true
FactoryBot.define do
factory :security_orchestration_policy_configuration, class: 'Security::OrchestrationPolicyConfiguration' do
project
security_policy_management_project { association(:project) }
end
end
...@@ -30,6 +30,7 @@ RSpec.describe Project do ...@@ -30,6 +30,7 @@ RSpec.describe Project do
it { is_expected.to have_one(:compliance_management_framework).class_name('ComplianceManagement::Framework') } it { is_expected.to have_one(:compliance_management_framework).class_name('ComplianceManagement::Framework') }
it { is_expected.to have_one(:security_setting).class_name('ProjectSecuritySetting') } it { is_expected.to have_one(:security_setting).class_name('ProjectSecuritySetting') }
it { is_expected.to have_one(:vulnerability_statistic).class_name('Vulnerabilities::Statistic') } it { is_expected.to have_one(:vulnerability_statistic).class_name('Vulnerabilities::Statistic') }
it { is_expected.to have_one(:security_orchestration_policy_configuration).class_name('Security::OrchestrationPolicyConfiguration').inverse_of(:project) }
it { is_expected.to have_many(:path_locks) } it { is_expected.to have_many(:path_locks) }
it { is_expected.to have_many(:vulnerability_feedback) } it { is_expected.to have_many(:vulnerability_feedback) }
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Security::OrchestrationPolicyConfiguration do
describe 'associations' do
it { is_expected.to belong_to(:project).inverse_of(:security_orchestration_policy_configuration) }
it { is_expected.to belong_to(:security_policy_management_project).class_name('Project') }
end
describe 'validations' do
subject { create(:security_orchestration_policy_configuration) }
it { is_expected.to validate_presence_of(:project) }
it { is_expected.to validate_presence_of(:security_policy_management_project) }
it { is_expected.to validate_uniqueness_of(:project) }
it { is_expected.to validate_uniqueness_of(:security_policy_management_project) }
end
end
...@@ -564,6 +564,7 @@ project: ...@@ -564,6 +564,7 @@ project:
- incident_management_oncall_rotations - incident_management_oncall_rotations
- debian_distributions - debian_distributions
- merge_request_metrics - merge_request_metrics
- security_orchestration_policy_configuration
award_emoji: award_emoji:
- awardable - awardable
- user - user
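Review bot: Listing `security_orchestration_policy_configuration` under `project:` registers the association, but nothing in this commit shows how the record is treated on export; its `security_policy_management_project_id` is an id of another project on the source instance and would be meaningless after import elsewhere. If this list is the import/export model inventory, confirm that the association is excluded from the export (or that the foreign id is dropped) rather than exported as-is. The enclosing `project:` list starts outside the hunk.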