Merge branch '299215-do-not-extend-config-when-policy-is-invalid' into 'master'

Extend pipeline configuration only when policy is valid

See merge request gitlab-org/gitlab!61093

ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb

@@ -16,6 +16,7 @@ module Gitlab
           def perform
             return @config unless project&.feature_available?(:security_orchestration_policies)
             return @config unless security_orchestration_policy_configuration&.enabled?
+            return @config unless security_orchestration_policy_configuration.policy_configuration_valid?
             return @config unless extend_configuration?
 
             merged_config = @config.deep_merge(on_demand_scans_template)

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -46,6 +46,29 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
     end
   end
 
+  shared_examples 'when policy is invalid' do
+    let_it_be(:policy_yml) do
+      <<-EOS
+      scan_execution_policy:
+        -  name: Run DAST in every pipeline
+           description: This policy enforces to run DAST for every pipeline within the project
+           enabled: true
+           rules:
+           - type: pipeline
+             branches: "production"
+           actions:
+           - scan: dast
+             site_profile: Site Profile
+             scanner_profile: Scanner Profile
+      EOS
+    end
+
+    it 'does not modify the config', :aggregate_failures do
+      expect(config).not_to receive(:deep_merge)
+      expect(subject).to eq(config)
+    end
+  end
+
   context 'when feature is not licensed' do
     it 'does not modify the config' do
       expect(subject).to eq(config)
@@ -91,6 +114,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
         end
 
         it_behaves_like 'with pipeline source applicable for CI'
+        it_behaves_like 'when policy is invalid'
 
         context 'when DAST profiles are found' do
           let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
@@ -133,6 +157,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
           end
 
           it_behaves_like 'with pipeline source applicable for CI'
+          it_behaves_like 'when policy is invalid'
         end
       end
     end