Extend pipeline configuration only when policy is valid

e925cc5c · Alan (Maciej) Paruszewski · Kerri Miller · 4e8139cd · e925cc5c · e925cc5c
Commit e925cc5c authored May 06, 2021 by Alan (Maciej) Paruszewski Committed by Kerri Miller May 06, 2021
2 changed files
--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -16,6 +16,7 @@ module Gitlab
          def perform
            return @config unless project&.feature_available?(:security_orchestration_policies)
            return @config unless security_orchestration_policy_configuration&.enabled?
+            return @config unless security_orchestration_policy_configuration.policy_configuration_valid?
            return @config unless extend_configuration?

            merged_config = @config.deep_merge(on_demand_scans_template)

--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -46,6 +46,29 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
    end
  end

+  shared_examples 'when policy is invalid' do
+    let_it_be(:policy_yml) do
+      <<-EOS
+      scan_execution_policy:
+        -  name: Run DAST in every pipeline
+           description: This policy enforces to run DAST for every pipeline within the project
+           enabled: true
+           rules:
+           - type: pipeline
+             branches: "production"
+           actions:
+           - scan: dast
+             site_profile: Site Profile
+             scanner_profile: Scanner Profile
+      EOS
+    end
+
+    it 'does not modify the config', :aggregate_failures do
+      expect(config).not_to receive(:deep_merge)
+      expect(subject).to eq(config)
+    end
+  end
+
  context 'when feature is not licensed' do
    it 'does not modify the config' do
      expect(subject).to eq(config)
@@ -91,6 +114,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
        end

        it_behaves_like 'with pipeline source applicable for CI'
+        it_behaves_like 'when policy is invalid'

        context 'when DAST profiles are found' do
          let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
@@ -133,6 +157,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
          end

          it_behaves_like 'with pipeline source applicable for CI'
+          it_behaves_like 'when policy is invalid'
        end
      end
    end