Add Security Orchestration Policy Configuration

This change adds new model to database to store relationship between Project and Security Orchestration Policy Project where we will store policies as YAML file in repository.

Add Security Orchestration Policy Configuration
This change adds new model to database to store relationship between Project and Security Orchestration Policy Project where we will store policies as YAML file in repository.
dfb7b68d · Alan (Maciej) Paruszewski · Toon Claes · 91ce0ccf · dfb7b68d · dfb7b68d
Commit dfb7b68d authored Feb 12, 2021 by Alan (Maciej) Paruszewski Committed by Toon Claes Feb 12, 2021
10 changed files
--- a/changelogs/unreleased/300220-add-security-orchestration-policy-configuration-model.yml
+++ b/changelogs/unreleased/300220-add-security-orchestration-policy-configuration-model.yml
+---
+title: Add Security Orchestration Policy Configuration
+merge_request: 53743
+author:
+type: added
--- a/db/migrate/20210209160510_create_security_orchestration_policy_configurations.rb
+++ b/db/migrate/20210209160510_create_security_orchestration_policy_configurations.rb
+# frozen_string_literal: true
+
+class CreateSecurityOrchestrationPolicyConfigurations < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INDEX_PREFIX = 'index_sop_configs_'
+
+  def up
+    table_comment = { owner: 'group::container security', description: 'Configuration used to store relationship between project and security policy repository' }
+
+    create_table_with_constraints :security_orchestration_policy_configurations, comment: table_comment.to_json do |t|
+      t.references :project, null: false, foreign_key: { to_table: :projects, on_delete: :cascade }, index: { name: INDEX_PREFIX + 'on_project_id', unique: true }
+      t.references :security_policy_management_project, null: false, foreign_key: { to_table: :projects, on_delete: :restrict }, index: { name: INDEX_PREFIX + 'on_security_policy_management_project_id', unique: true }
+
+      t.timestamps_with_timezone
+    end
+  end
+
+  def down
+    with_lock_retries do
+      drop_table :security_orchestration_policy_configurations, force: :cascade
+    end
+  end
+end
--- a/db/schema_migrations/20210209160510
+++ b/db/schema_migrations/20210209160510
+601d67a2911c461881064ec18a2246ef9e5b2835eb0fdf40e701c9360e19eca4
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16931,6 +16931,25 @@ CREATE SEQUENCE security_findings_id_seq

 ALTER SEQUENCE security_findings_id_seq OWNED BY security_findings.id;

+CREATE TABLE security_orchestration_policy_configurations (
+    id bigint NOT NULL,
+    project_id bigint NOT NULL,
+    security_policy_management_project_id bigint NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL
+);
+
+COMMENT ON TABLE security_orchestration_policy_configurations IS '{"owner":"group::container security","description":"Configuration used to store relationship between project and security policy repository"}';
+
+CREATE SEQUENCE security_orchestration_policy_configurations_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE security_orchestration_policy_configurations_id_seq OWNED BY security_orchestration_policy_configurations.id;
+
 CREATE TABLE security_scans (
    id bigint NOT NULL,
    created_at timestamp with time zone NOT NULL,
@@ -19233,6 +19252,8 @@ ALTER TABLE ONLY scim_oauth_access_tokens ALTER COLUMN id SET DEFAULT nextval('s

 ALTER TABLE ONLY security_findings ALTER COLUMN id SET DEFAULT nextval('security_findings_id_seq'::regclass);

+ALTER TABLE ONLY security_orchestration_policy_configurations ALTER COLUMN id SET DEFAULT nextval('security_orchestration_policy_configurations_id_seq'::regclass);
+
 ALTER TABLE ONLY security_scans ALTER COLUMN id SET DEFAULT nextval('security_scans_id_seq'::regclass);

 ALTER TABLE ONLY self_managed_prometheus_alert_events ALTER COLUMN id SET DEFAULT nextval('self_managed_prometheus_alert_events_id_seq'::regclass);
@@ -20736,6 +20757,9 @@ ALTER TABLE ONLY scim_oauth_access_tokens
 ALTER TABLE ONLY security_findings
    ADD CONSTRAINT security_findings_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY security_orchestration_policy_configurations
+    ADD CONSTRAINT security_orchestration_policy_configurations_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY security_scans
    ADD CONSTRAINT security_scans_pkey PRIMARY KEY (id);

@@ -23288,6 +23312,10 @@ CREATE INDEX index_software_licenses_on_spdx_identifier ON software_licenses USI

 CREATE UNIQUE INDEX index_software_licenses_on_unique_name ON software_licenses USING btree (name);

+CREATE UNIQUE INDEX index_sop_configs_on_project_id ON security_orchestration_policy_configurations USING btree (project_id);
+
+CREATE UNIQUE INDEX index_sop_configs_on_security_policy_management_project_id ON security_orchestration_policy_configurations USING btree (security_policy_management_project_id);
+
 CREATE INDEX index_sprints_on_description_trigram ON sprints USING gin (description gin_trgm_ops);

 CREATE INDEX index_sprints_on_due_date ON sprints USING btree (due_date);
@@ -24710,6 +24738,9 @@ ALTER TABLE ONLY ci_subscriptions_projects
 ALTER TABLE ONLY trending_projects
    ADD CONSTRAINT fk_rails_09feecd872 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;

+ALTER TABLE ONLY security_orchestration_policy_configurations
+    ADD CONSTRAINT fk_rails_0a22dcd52d FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY project_deploy_tokens
    ADD CONSTRAINT fk_rails_0aca134388 FOREIGN KEY (deploy_token_id) REFERENCES deploy_tokens(id) ON DELETE CASCADE;

@@ -25049,6 +25080,9 @@ ALTER TABLE ONLY epic_issues
 ALTER TABLE ONLY ci_refs
    ADD CONSTRAINT fk_rails_4249db8cc3 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;

+ALTER TABLE ONLY security_orchestration_policy_configurations
+    ADD CONSTRAINT fk_rails_42ed6c25ec FOREIGN KEY (security_policy_management_project_id) REFERENCES projects(id) ON DELETE RESTRICT;
+
 ALTER TABLE ONLY ci_resources
    ADD CONSTRAINT fk_rails_430336af2d FOREIGN KEY (resource_group_id) REFERENCES ci_resource_groups(id) ON DELETE CASCADE;


--- a/ee/app/models/ee/project.rb
+++ b/ee/app/models/ee/project.rb
@@ -105,6 +105,8 @@ module EE
      has_many :incident_management_oncall_schedules, class_name: 'IncidentManagement::OncallSchedule', inverse_of: :project
      has_many :incident_management_oncall_rotations, class_name: 'IncidentManagement::OncallRotation', through: :incident_management_oncall_schedules, source: :rotations

+      has_one :security_orchestration_policy_configuration, class_name: 'Security::OrchestrationPolicyConfiguration', foreign_key: :project_id, inverse_of: :project
+
      elastic_index_dependant_association :issues, on_change: :visibility_level

      scope :with_shared_runners_limit_enabled, -> do

--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
+# frozen_string_literal: true
+
+module Security
+  class OrchestrationPolicyConfiguration < ApplicationRecord
+    self.table_name = 'security_orchestration_policy_configurations'
+
+    belongs_to :project, inverse_of: :security_orchestration_policy_configuration
+    belongs_to :security_policy_management_project, class_name: 'Project', foreign_key: 'security_policy_management_project_id'
+
+    validates :project, presence: true, uniqueness: true
+    validates :security_policy_management_project, presence: true, uniqueness: true
+  end
+end
--- a/ee/spec/factories/security_orchestration_policy_configurations.rb
+++ b/ee/spec/factories/security_orchestration_policy_configurations.rb
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :security_orchestration_policy_configuration, class: 'Security::OrchestrationPolicyConfiguration' do
+    project
+    security_policy_management_project { association(:project) }
+  end
+end
--- a/ee/spec/models/project_spec.rb
+++ b/ee/spec/models/project_spec.rb
@@ -30,6 +30,7 @@ RSpec.describe Project do
    it { is_expected.to have_one(:compliance_management_framework).class_name('ComplianceManagement::Framework') }
    it { is_expected.to have_one(:security_setting).class_name('ProjectSecuritySetting') }
    it { is_expected.to have_one(:vulnerability_statistic).class_name('Vulnerabilities::Statistic') }
+    it { is_expected.to have_one(:security_orchestration_policy_configuration).class_name('Security::OrchestrationPolicyConfiguration').inverse_of(:project) }

    it { is_expected.to have_many(:path_locks) }
    it { is_expected.to have_many(:vulnerability_feedback) }

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::OrchestrationPolicyConfiguration do
+  describe 'associations' do
+    it { is_expected.to belong_to(:project).inverse_of(:security_orchestration_policy_configuration) }
+    it { is_expected.to belong_to(:security_policy_management_project).class_name('Project') }
+  end
+
+  describe 'validations' do
+    subject { create(:security_orchestration_policy_configuration) }
+
+    it { is_expected.to validate_presence_of(:project) }
+    it { is_expected.to validate_presence_of(:security_policy_management_project) }
+
+    it { is_expected.to validate_uniqueness_of(:project) }
+    it { is_expected.to validate_uniqueness_of(:security_policy_management_project) }
+  end
+end
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -564,6 +564,7 @@ project:
 - incident_management_oncall_rotations
 - debian_distributions
 - merge_request_metrics
+- security_orchestration_policy_configuration
 award_emoji:
 - awardable
 - user