Merge branch 'add_limit_for_number_of_rules_per_policy' into 'master'

Limit the amount of rules per policy to 5 See merge request gitlab-org/gitlab!78136

Merge branch 'add_limit_for_number_of_rules_per_policy' into 'master'
Limit the amount of rules per policy to 5 See merge request gitlab-org/gitlab!78136
356703d0 · Alex Kalderimis · fa5f54e2 · 86775169 · 356703d0 · 356703d0
Commit 356703d0 authored Jan 14, 2022 by Alex Kalderimis
3 changed files
--- a/ee/app/services/security/security_orchestration_policies/process_scan_result_policy_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/process_scan_result_policy_service.rb
@@ -27,7 +27,7 @@ module Security
        action_info = policy[:actions].find { |action| action[:type] == Security::ScanResultPolicy::REQUIRE_APPROVAL }
        return unless action_info

-        policy[:rules].each_with_index do |rule, rule_index|
+        policy[:rules].first(Security::ScanResultPolicy::LIMIT).each_with_index do |rule, rule_index|
          next if rule[:type] != Security::ScanResultPolicy::SCAN_FINDING

          ::ApprovalRules::CreateService.new(project, author, rule_params(rule, rule_index, action_info)).execute

--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -238,6 +238,7 @@
          },
          "rules": {
            "type": "array",
+            "maxItems": 5,
            "additionalItems": false,
            "items": {
              "type": "object",

--- a/ee/spec/services/security/security_orchestration_policies/process_scan_result_policy_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/process_scan_result_policy_service_spec.rb
@@ -77,6 +77,41 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessScanResultPolicyS
      it_behaves_like 'create approval rule with specific approver'
    end

+    context 'with a specific number of rules' do
+      using RSpec::Parameterized::TableSyntax
+
+      let(:rule) do
+        {
+          type: 'scan_finding',
+          branches: %w[master],
+          scanners: %w[container_scanning],
+          vulnerabilities_allowed: 0,
+          severity_levels: %w[critical],
+          vulnerability_states: %w[detected]
+        }
+      end
+
+      let(:rules) { [rule] * rules_count }
+
+      let(:policy) { build(:scan_result_policy, name: 'Test Policy', rules: rules) }
+
+      where(:rules_count, :expected_rules_count) do
+        [
+         [Security::ScanResultPolicy::LIMIT - 1, Security::ScanResultPolicy::LIMIT - 1],
+         [Security::ScanResultPolicy::LIMIT, Security::ScanResultPolicy::LIMIT],
+         [Security::ScanResultPolicy::LIMIT + 1, Security::ScanResultPolicy::LIMIT]
+        ]
+      end
+
+      with_them do
+        it 'creates approval rules up to limit' do
+          subject
+
+          expect(project.approval_rules.count).to be expected_rules_count
+        end
+      end
+    end
+
    it 'sets project approval rules names based on policy name', :aggregate_failures do
      subject