Add table to store Security Orchestration Policy Schedules

This change adds new model to store and manage scheduled security scans defined in Security Policies. Changelog: added

Add table to store Security Orchestration Policy Schedules
This change adds new model to store and manage scheduled security scans defined in Security Policies. Changelog: added
5f3e41b3 · Alan (Maciej) Paruszewski · Toon Claes · 91ce444c · 5f3e41b3 · 5f3e41b3
Commit 5f3e41b3 authored Apr 28, 2021 by Alan (Maciej) Paruszewski Committed by Toon Claes Apr 28, 2021
11 changed files
--- a/changelogs/unreleased/327584-security-orchestration-policy-schedule-tables.yml
+++ b/changelogs/unreleased/327584-security-orchestration-policy-schedule-tables.yml
+---
+title: Add table to store Security Orchestration Policy Schedules
+merge_request: 59842
+author:
+type: added
--- a/db/migrate/20210412111213_create_security_orchestration_policy_rule_schedule.rb
+++ b/db/migrate/20210412111213_create_security_orchestration_policy_rule_schedule.rb
+# frozen_string_literal: true
+
+class CreateSecurityOrchestrationPolicyRuleSchedule < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INDEX_PREFIX = 'index_sop_schedules_'
+
+  disable_ddl_transaction!
+
+  def up
+    table_comment = { owner: 'group::container security', description: 'Schedules used to store relationship between project and security policy repository' }
+
+    create_table_with_constraints :security_orchestration_policy_rule_schedules, comment: table_comment.to_json do |t|
+      t.timestamps_with_timezone
+      t.datetime_with_timezone :next_run_at, null: true
+
+      t.references :security_orchestration_policy_configuration, null: false, foreign_key: { to_table: :security_orchestration_policy_configurations, on_delete: :cascade }, index: { name: INDEX_PREFIX + 'on_sop_configuration_id' }
+      t.references :user, null: false, foreign_key: { on_delete: :cascade }, index: { name: INDEX_PREFIX + 'on_user_id' }
+
+      t.integer :policy_index, null: false
+      t.text :cron, null: false
+
+      t.text_limit :cron, 255
+    end
+  end
+
+  def down
+    with_lock_retries do
+      drop_table :security_orchestration_policy_rule_schedules
+    end
+  end
+end
--- a/db/migrate/20210412172030_add_configured_at_to_security_orchestration_policy.rb
+++ b/db/migrate/20210412172030_add_configured_at_to_security_orchestration_policy.rb
+# frozen_string_literal: true
+
+class AddConfiguredAtToSecurityOrchestrationPolicy < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def change
+    add_column :security_orchestration_policy_configurations, :configured_at, :datetime_with_timezone, null: true
+  end
+end
--- a/db/schema_migrations/20210412111213
+++ b/db/schema_migrations/20210412111213
+c75ab8ef4d6a4ff20109e1c5d054521bd8cd79680f96f4d9e55331d69bac73d6
\ No newline at end of file
--- a/db/schema_migrations/20210412172030
+++ b/db/schema_migrations/20210412172030
+063cfa0d8a4b9d3947aaf55f0587f6a2a9521866b6e10fc307c5cc82ca3a0623
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -17400,7 +17400,8 @@ CREATE TABLE security_orchestration_policy_configurations (
    project_id bigint NOT NULL,
    security_policy_management_project_id bigint NOT NULL,
    created_at timestamp with time zone NOT NULL,
-    updated_at timestamp with time zone NOT NULL
+    updated_at timestamp with time zone NOT NULL,
+    configured_at timestamp with time zone
 );

 COMMENT ON TABLE security_orchestration_policy_configurations IS '{"owner":"group::container security","description":"Configuration used to store relationship between project and security policy repository"}';
@@ -17414,6 +17415,29 @@ CREATE SEQUENCE security_orchestration_policy_configurations_id_seq

 ALTER SEQUENCE security_orchestration_policy_configurations_id_seq OWNED BY security_orchestration_policy_configurations.id;

+CREATE TABLE security_orchestration_policy_rule_schedules (
+    id bigint NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL,
+    next_run_at timestamp with time zone,
+    security_orchestration_policy_configuration_id bigint NOT NULL,
+    user_id bigint NOT NULL,
+    policy_index integer NOT NULL,
+    cron text NOT NULL,
+    CONSTRAINT check_915825a76e CHECK ((char_length(cron) <= 255))
+);
+
+COMMENT ON TABLE security_orchestration_policy_rule_schedules IS '{"owner":"group::container security","description":"Schedules used to store relationship between project and security policy repository"}';
+
+CREATE SEQUENCE security_orchestration_policy_rule_schedules_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE security_orchestration_policy_rule_schedules_id_seq OWNED BY security_orchestration_policy_rule_schedules.id;
+
 CREATE TABLE security_scans (
    id bigint NOT NULL,
    created_at timestamp with time zone NOT NULL,
@@ -19830,6 +19854,8 @@ ALTER TABLE ONLY security_findings ALTER COLUMN id SET DEFAULT nextval('security

 ALTER TABLE ONLY security_orchestration_policy_configurations ALTER COLUMN id SET DEFAULT nextval('security_orchestration_policy_configurations_id_seq'::regclass);

+ALTER TABLE ONLY security_orchestration_policy_rule_schedules ALTER COLUMN id SET DEFAULT nextval('security_orchestration_policy_rule_schedules_id_seq'::regclass);
+
 ALTER TABLE ONLY security_scans ALTER COLUMN id SET DEFAULT nextval('security_scans_id_seq'::regclass);

 ALTER TABLE ONLY self_managed_prometheus_alert_events ALTER COLUMN id SET DEFAULT nextval('self_managed_prometheus_alert_events_id_seq'::regclass);
@@ -21392,6 +21418,9 @@ ALTER TABLE ONLY security_findings
 ALTER TABLE ONLY security_orchestration_policy_configurations
    ADD CONSTRAINT security_orchestration_policy_configurations_pkey PRIMARY KEY (id);

+ALTER TABLE ONLY security_orchestration_policy_rule_schedules
+    ADD CONSTRAINT security_orchestration_policy_rule_schedules_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY security_scans
    ADD CONSTRAINT security_scans_pkey PRIMARY KEY (id);

@@ -24054,6 +24083,10 @@ CREATE UNIQUE INDEX index_sop_configs_on_project_id ON security_orchestration_po

 CREATE INDEX index_sop_configurations_project_id_policy_project_id ON security_orchestration_policy_configurations USING btree (security_policy_management_project_id, project_id);

+CREATE INDEX index_sop_schedules_on_sop_configuration_id ON security_orchestration_policy_rule_schedules USING btree (security_orchestration_policy_configuration_id);
+
+CREATE INDEX index_sop_schedules_on_user_id ON security_orchestration_policy_rule_schedules USING btree (user_id);
+
 CREATE INDEX index_spam_logs_on_user_id ON spam_logs USING btree (user_id);

 CREATE INDEX index_sprints_iterations_cadence_id ON sprints USING btree (iterations_cadence_id);
@@ -25642,6 +25675,9 @@ ALTER TABLE ONLY analytics_cycle_analytics_project_stages
 ALTER TABLE ONLY packages_build_infos
    ADD CONSTRAINT fk_rails_17a9a0dffc FOREIGN KEY (pipeline_id) REFERENCES ci_pipelines(id) ON DELETE SET NULL;

+ALTER TABLE ONLY security_orchestration_policy_rule_schedules
+    ADD CONSTRAINT fk_rails_17ade83f17 FOREIGN KEY (security_orchestration_policy_configuration_id) REFERENCES security_orchestration_policy_configurations(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY clusters_applications_jupyter
    ADD CONSTRAINT fk_rails_17df21c98c FOREIGN KEY (cluster_id) REFERENCES clusters(id) ON DELETE CASCADE;

@@ -26881,6 +26917,9 @@ ALTER TABLE ONLY label_priorities
 ALTER TABLE ONLY fork_network_members
    ADD CONSTRAINT fk_rails_efccadc4ec FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;

+ALTER TABLE ONLY security_orchestration_policy_rule_schedules
+    ADD CONSTRAINT fk_rails_efe1d9b133 FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY prometheus_alerts
    ADD CONSTRAINT fk_rails_f0e8db86aa FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;

--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -14,6 +14,11 @@ module Security
    belongs_to :project, inverse_of: :security_orchestration_policy_configuration
    belongs_to :security_policy_management_project, class_name: 'Project', foreign_key: 'security_policy_management_project_id'

+    has_many :rule_schedules,
+              class_name: 'Security::OrchestrationPolicyRuleSchedule',
+              foreign_key: :security_orchestration_policy_configuration_id,
+              inverse_of: :security_orchestration_policy_configuration
+
    validates :project, presence: true, uniqueness: true
    validates :security_policy_management_project, presence: true


--- a/ee/app/models/security/orchestration_policy_rule_schedule.rb
+++ b/ee/app/models/security/orchestration_policy_rule_schedule.rb
+# frozen_string_literal: true
+
+module Security
+  class OrchestrationPolicyRuleSchedule < ApplicationRecord
+    self.table_name = 'security_orchestration_policy_rule_schedules'
+
+    belongs_to :owner, class_name: 'User', foreign_key: 'user_id'
+    belongs_to :security_orchestration_policy_configuration,
+               class_name: 'Security::OrchestrationPolicyConfiguration',
+               foreign_key: 'security_orchestration_policy_configuration_id'
+
+    validates :owner, presence: true
+    validates :security_orchestration_policy_configuration, presence: true
+    validates :cron, presence: true
+    validates :policy_index, presence: true
+  end
+end
--- a/ee/spec/factories/security_orchestration_policy_rule_schedules.rb
+++ b/ee/spec/factories/security_orchestration_policy_rule_schedules.rb
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :security_orchestration_policy_rule_schedule, class: 'Security::OrchestrationPolicyRuleSchedule' do
+    owner { association(:user) }
+    security_orchestration_policy_configuration
+
+    policy_index { 0 }
+    cron { '*/10 * * * *' }
+  end
+end
--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
  describe 'associations' do
    it { is_expected.to belong_to(:project).inverse_of(:security_orchestration_policy_configuration) }
    it { is_expected.to belong_to(:security_policy_management_project).class_name('Project') }
+    it { is_expected.to have_many(:rule_schedules).class_name('Security::OrchestrationPolicyRuleSchedule').inverse_of(:security_orchestration_policy_configuration) }
  end

  describe 'validations' do

--- a/ee/spec/models/security/orchestration_policy_rule_schedule_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_rule_schedule_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::OrchestrationPolicyRuleSchedule do
+  describe 'associations' do
+    it { is_expected.to belong_to(:owner).class_name('User') }
+    it { is_expected.to belong_to(:security_orchestration_policy_configuration).class_name('Security::OrchestrationPolicyConfiguration') }
+  end
+
+  describe 'validations' do
+    subject { create(:security_orchestration_policy_rule_schedule) }
+
+    it { is_expected.to validate_presence_of(:owner) }
+    it { is_expected.to validate_presence_of(:security_orchestration_policy_configuration) }
+    it { is_expected.to validate_presence_of(:cron) }
+    it { is_expected.to validate_presence_of(:policy_index) }
+  end
+end