Merge branch 'sk/334418-update-policy-schema' into 'master'

Add secret_detection to security_orchestration_policy JSON schema See merge request gitlab-org/gitlab!67124

Merge branch 'sk/334418-update-policy-schema' into 'master'
Add secret_detection to security_orchestration_policy JSON schema See merge request gitlab-org/gitlab!67124
b6040853 · Matthias Käppler · 509daefb · a08527c5 · b6040853 · b6040853
Commit b6040853 authored Aug 02, 2021 by Matthias Käppler
2 changed files
--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -71,14 +71,14 @@
                      "additionalItems": false,
                      "items": {
                          "required": [
-                              "scan",
-                              "site_profile"
+                              "scan"
                          ],
                          "type": "object",
                          "properties": {
                              "scan": {
                                  "enum": [
-                                      "dast"
+                                      "dast",
+                                      "secret_detection"
                                  ],
                                  "type": "string"
                              },
@@ -92,6 +92,35 @@
                                  ]
                              }
                          },
+                          "allOf": [
+                            {
+                              "if": {
+                                "properties": {
+                                  "scan": {
+                                    "const": "dast"
+                                  }
+                                }
+                              },
+                              "then": {
+                                "required": [
+                                  "site_profile"
+                                ],
+                                "maxProperties": 3
+                              }
+                            },
+                            {
+                              "if": {
+                                "properties": {
+                                  "scan": {
+                                    "const": "secret_detection"
+                                  }
+                                }
+                              },
+                              "then": {
+                                "maxProperties": 1
+                              }
+                            }
+                          ],
                          "additionalProperties": false
                      }
                  }

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -191,6 +191,41 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do

      it { is_expected.to eq(true) }
    end
+
+    context 'when policy is passed as argument' do
+      let_it_be(:policy_yaml) { nil }
+      let_it_be(:policy) do
+        {
+          scan_execution_policy: [
+            {
+              name: 'Run Scan in every pipeline',
+              description: 'This policy enforces to security scan for every pipeline within the project',
+              enabled: true,
+              rules: [{ type: 'pipeline', branches: %w[production] }],
+              actions: [
+                { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
+              ]
+            }
+          ]
+        }
+      end
+
+      context 'when scan type is secret_detection' do
+        it 'returns false if extra fields are present' do
+          invalid_policy = policy.deep_dup
+          invalid_policy[:scan_execution_policy][0][:actions][0][:scan] = 'secret_detection'
+
+          expect(security_orchestration_policy_configuration.policy_configuration_valid?(invalid_policy)).to be_falsey
+        end
+
+        it 'returns true if extra fields are not present' do
+          valid_policy = policy.deep_dup
+          valid_policy[:scan_execution_policy][0][:actions][0] = { scan: 'secret_detection' }
+
+          expect(security_orchestration_policy_configuration.policy_configuration_valid?(valid_policy)).to be_truthy
+        end
+      end
+    end
  end

  describe '#active_policies' do