Merge branch '329885-extend-pipeline-with-policies-for-selected-pipelines' into 'master'

Extend pipeline with security jobs for selected pipelines only See merge request gitlab-org/gitlab!60984

Merge branch '329885-extend-pipeline-with-policies-for-selected-pipelines' into 'master'
Extend pipeline with security jobs for selected pipelines only See merge request gitlab-org/gitlab!60984
d78df37c · Heinrich Lee Yu · 03090652 · 92ee5945 · d78df37c · d78df37c
Commit d78df37c authored May 06, 2021 by Heinrich Lee Yu
6 changed files
--- a/ee/lib/ee/gitlab/ci/config_ee.rb
+++ b/ee/lib/ee/gitlab/ci/config_ee.rb
@@ -25,7 +25,7 @@ module EE
        end

        def process_security_orchestration_policy_includes(config)
-          ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref).perform
+          ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref, source).perform
        end
      end
    end

--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -5,16 +5,18 @@ module Gitlab
    class Config
      module SecurityOrchestrationPolicies
        class Processor
-          def initialize(config, project, ref)
+          def initialize(config, project, ref, source)
            @config = config
            @project = project
            @ref = ref
+            @source = source
            @start = Time.current
          end

          def perform
            return @config unless project&.feature_available?(:security_orchestration_policies)
            return @config unless security_orchestration_policy_configuration&.enabled?
+            return @config unless extend_configuration?

            merged_config = @config.deep_merge(on_demand_scans_template)
            observe_processing_duration(Time.current - @start)
@@ -39,6 +41,12 @@ module Gitlab
              .pipeline_security_orchestration_policy_processing_duration_histogram
              .observe({}, duration.seconds)
          end
+
+          def extend_configuration?
+            return false if @source.nil?
+
+            Enums::Ci::Pipeline.ci_branch_sources.key?(@source.to_sym)
+          end
        end
      end
    end

--- a/ee/spec/lib/ee/gitlab/ci/config_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
@@ -36,6 +36,8 @@ RSpec.describe Gitlab::Ci::Config do
  end

  describe 'with security orchestration policy' do
+    let(:source) { 'push' }
+
    let_it_be(:ref) { 'master' }
    let_it_be_with_refind(:project) { create(:project, :repository) }

@@ -59,7 +61,7 @@ RSpec.describe Gitlab::Ci::Config do
      EOS
    end

-    subject(:config) { described_class.new(ci_yml, ref: ref, project: project) }
+    subject(:config) { described_class.new(ci_yml, ref: ref, project: project, source: source) }

    before do
      allow_next_instance_of(Repository) do |repository|
@@ -147,6 +149,14 @@ RSpec.describe Gitlab::Ci::Config do
            it 'extends config with additional jobs' do
              expect(config.to_hash).to include(expected_configuration)
            end
+
+            context 'when source is ondemand_dast_scan' do
+              let(:source) { 'ondemand_dast_scan' }
+
+              it 'does not modify the config' do
+                expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
+              end
+            end
          end
        end
      end

--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -3,11 +3,13 @@
 require 'spec_helper'

 RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
-  subject { described_class.new(config, project, ref).perform }
+  subject { described_class.new(config, project, ref, source).perform }

  let_it_be(:config) { { image: 'ruby:3.0.1' } }

-  let_it_be(:ref) { 'master' }
+  let(:ref) { 'master' }
+  let(:source) { 'pipeline' }
+
  let_it_be_with_refind(:project) { create(:project, :repository) }

  let_it_be(:policies_repository) { create(:project, :repository) }
@@ -36,6 +38,14 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
    end
  end

+  shared_examples 'with pipeline source applicable for CI' do
+    let_it_be(:source) { 'ondemand_dast_scan' }
+
+    it 'does not modify the config' do
+      expect(subject).to eq(config)
+    end
+  end
+
  context 'when feature is not licensed' do
    it 'does not modify the config' do
      expect(subject).to eq(config)
@@ -80,6 +90,8 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
          end
        end

+        it_behaves_like 'with pipeline source applicable for CI'
+
        context 'when DAST profiles are found' do
          let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
          let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
@@ -119,6 +131,8 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
          it 'extends config with additional jobs' do
            expect(subject).to include(expected_configuration)
          end
+
+          it_behaves_like 'with pipeline source applicable for CI'
        end
      end
    end

--- a/lib/gitlab/ci/config.rb
+++ b/lib/gitlab/ci/config.rb
@@ -17,13 +17,14 @@ module Gitlab
        Config::Yaml::Tags::TagError
      ].freeze

-      attr_reader :root, :context, :ref
+      attr_reader :root, :context, :ref, :source

-      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil)
+      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil)
        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
        @context.set_deadline(TIMEOUT_SECONDS)

        @ref = ref
+        @source = source

        @config = expand_config(config)


--- a/lib/gitlab/ci/pipeline/chain/config/process.rb
+++ b/lib/gitlab/ci/pipeline/chain/config/process.rb
@@ -16,6 +16,7 @@ module Gitlab
                  project: project,
                  ref: @pipeline.ref,
                  sha: @pipeline.sha,
+                  source: @pipeline.source,
                  user: current_user,
                  parent_pipeline: parent_pipeline
                }