diff --git a/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml b/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml
index 6561809fdebc259732718ed3bc0ee13850701b53..be7f4db3c65e5e5f5e9de893e99e39ece1c19dae 100644
--- a/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml
+++ b/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml
@@ -437,7 +437,6 @@ Layout/LineEndStringConcatenationIndentation:
 - 'ee/spec/services/phone_verification/users/verify_code_service_spec.rb'
 - 'ee/spec/services/product_analytics/cube_data_query_service_spec.rb'
 - 'ee/spec/services/protected_environments/update_service_spec.rb'
- - 'ee/spec/services/security/security_orchestration_policies/ci_action/custom_spec.rb'
 - 'ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb'
 - 'ee/spec/services/security/token_revocation_service_spec.rb'
 - 'ee/spec/support/llm.rb'
diff --git a/.rubocop_todo/rspec/example_wording.yml b/.rubocop_todo/rspec/example_wording.yml
index c676927be92fa5af54afcec0ec1e365be5f5ec93..1323dcd854a36ebfa3a7b0513de09b4a8566505f 100644
--- a/.rubocop_todo/rspec/example_wording.yml
+++ b/.rubocop_todo/rspec/example_wording.yml
@@ -25,7 +25,6 @@ RSpec/ExampleWording:
 - 'ee/spec/services/merge_requests/reset_approvals_service_spec.rb'
 - 'ee/spec/services/quick_actions/interpret_service_spec.rb'
 - 'ee/spec/services/security/ingestion/schedule_mark_dropped_as_resolved_service_spec.rb'
- - 'ee/spec/services/security/security_orchestration_policies/ci_action/custom_spec.rb'
 - 'ee/spec/workers/ai/store_repository_xray_worker_spec.rb'
 - 'qa/spec/specs/helpers/context_selector_spec.rb'
 - 'spec/controllers/projects/milestones_controller_spec.rb'
diff --git a/app/models/namespace_setting.rb b/app/models/namespace_setting.rb
index 55e4cddb326609c6b699598e3b6ef60f33a1b9c0..146de9f9fa9d482c5584ae50d516bd4688ac8908 100644
--- a/app/models/namespace_setting.rb
+++ b/app/models/namespace_setting.rb
@@ -10,8 +10,8 @@ class NamespaceSetting < ApplicationRecord
 ignore_column :code_suggestions, remove_with: '17.0', remove_after: '2024-05-16'
 ignore_column :toggle_security_policies_policy_scope, remove_with: '17.0', remove_after: '2024-05-16'
 ignore_column :lock_toggle_security_policies_policy_scope, remove_with: '17.2', remove_after: '2024-07-12'
+ ignore_columns %i[toggle_security_policy_custom_ci lock_toggle_security_policy_custom_ci], remove_with: '17.5', remove_after: '2024-08-15'
- cascading_attr :toggle_security_policy_custom_ci
 cascading_attr :math_rendering_limits_enabled
 scope :for_namespaces, ->(namespaces) { where(namespace: namespaces) }
diff --git a/ee/app/helpers/ee/security_orchestration_helper.rb b/ee/app/helpers/ee/security_orchestration_helper.rb
index e5b65201ee844bc14a0cc6b6094f01e6c6d1614b..af0a1dccce6696323d8b690f553ce8a6ae703393 100644
--- a/ee/app/helpers/ee/security_orchestration_helper.rb
+++ b/ee/app/helpers/ee/security_orchestration_helper.rb
@@ -77,14 +77,9 @@ def pipeline_execution_policy_enabled?(container)
 end
 end
- def custom_ci_toggle_enabled?(container)
- if container.is_a?(::Project)
- return false unless container.group
-
- container.group.namespace_settings.toggle_security_policy_custom_ci?
- else
- container.namespace_settings.toggle_security_policy_custom_ci?
- end
+ def custom_ci_toggle_enabled?(_container)
+ # TODO: Remove when code is removed from frontend: https://gitlab.com/gitlab-org/gitlab/-/issues/473243
+ false
 end
 def security_policies_path(container)
diff --git a/ee/app/services/security/security_orchestration_policies/ci_action/custom.rb b/ee/app/services/security/security_orchestration_policies/ci_action/custom.rb
deleted file mode 100644
index d342ffb8b62253c06d78e1cacebf95abd1e0e49a..0000000000000000000000000000000000000000
--- a/ee/app/services/security/security_orchestration_policies/ci_action/custom.rb
+++ /dev/null
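Review bot: The TODO on the new `custom_ci_toggle_enabled?` body ties its removal only to the frontend, while this same commit schedules the backing columns for removal via `ignore_columns ... remove_with: '17.5'` in `app/models/namespace_setting.rb`; the two cleanups should be tracked as one so the stub is not forgotten when the columns are dropped. Suggest `# TODO: Remove together with the ignored toggle_security_policy_custom_ci columns (remove_with: '17.5'); frontend: https://gitlab.com/gitlab-org/gitlab/-/issues/473243`. Keeping the `_container` parameter preserves the call-site signature, so callers outside this diff still work, and the serialized `custom_ci_toggle_enabled: 'false'` value the helper spec still asserts stays stable.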
@@ -1,49 +0,0 @@
-# frozen_string_literal: true
-
-module Security
- module SecurityOrchestrationPolicies
- module CiAction
- class Custom < Base
- def config
- @ci_config = Gitlab::Ci::Config.new(yaml_config, inject_edge_stages: false, user: @context.user)
-
- job_names = parse_job_names
-
- @ci_config = @ci_config.to_hash
-
- assign_default_stage(job_names)
-
- @ci_config.delete(:stages)
-
- @ci_config
- rescue Gitlab::Ci::Config::ConfigError => e
- {
- generate_job_name_with_index('security_policy_ci') => {
- 'script' => "echo \"Error parsing security policy CI configuration: #{e.message}\" && false",
- 'allow_failure' => true
- }
- }
- end
-
- private
-
- def parse_job_names
- @ci_config.jobs.present? ? @ci_config.jobs.keys : []
- end
-
- def assign_default_stage(job_names)
- job_names.each do |name|
- unless @ci_config[name].key?(:stage)
- @ci_config[name][:stage] =
- ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor::DEFAULT_POLICY_TEST_STAGE
- end
- end
- end
-
- def yaml_config
- action[:ci_configuration] || { include: action[:ci_configuration_path] }.to_yaml
- end
- end
- end
- end
-end
diff --git a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
index 1b722c846bd7168a0c8b7f2d43b1544edd925a7a..d233d4043f7380b726cfc9ba937852dcba77d224 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
@@ -8,8 +8,7 @@ class CiConfigurationService < ::BaseService
 'container_scanning' => CiAction::Template,
 'sast' => CiAction::Template,
 'sast_iac' => CiAction::Template,
- 'dependency_scanning' => CiAction::Template,
- 'custom' => CiAction::Custom
+ 'dependency_scanning' => CiAction::Template
 }.freeze
 def execute(action, ci_variables, context, index = 0)
diff --git a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
index 463baa7e887b01ac1e3fd68cc221ad65ce0469a9..009aea0d1d28a04ba76497e925f5d48b4845442c 100644
--- a/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/scan_pipeline_service.rb
@@ -25,21 +25,19 @@ class ScanPipelineService
 }
 }.freeze
- attr_reader :project, :base_variables, :context, :custom_ci_yaml_allowed
+ attr_reader :project, :base_variables, :context
- def initialize(context, base_variables: {}, custom_ci_yaml_allowed: false)
+ def initialize(context, base_variables: {})
 default_scan_variables = allow_restricted_variables? ? SCAN_VARIABLES_WITH_RESTRICTED_VARIABLES : SCAN_VARIABLES
 @project = context.project
 @context = context
 @base_variables = default_scan_variables.deep_merge(base_variables)
- @custom_ci_yaml_allowed = custom_ci_yaml_allowed
 end
 def execute(actions)
 actions = actions.select do |action|
- (valid_scan_type?(action[:scan]) && pipeline_scan_type?(action[:scan].to_s)) ||
- custom_scan?(action)
+ valid_scan_type?(action[:scan]) && pipeline_scan_type?(action[:scan].to_s)
 end
 on_demand_scan_actions, other_actions = actions.partition do |action|
@@ -66,9 +64,8 @@ def execute(actions)
 def collect_config_variables(actions, configs)
 actions.zip(configs).each_with_object({}) do |(action, config), hash|
 variables = scan_variables_with_action_variables(action, fallback: action_variables(action))
- jobs = custom_scan?(action) ? Gitlab::Ci::Config.new(config.to_yaml).jobs : config
- jobs&.each_key do |key|
+ config&.each_key do |key|
 hash[key] = variables
 end
 end
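Review bot: With `custom_scan?` removed from the `select` in `execute`, an action whose `scan` is `custom` is now silently discarded by `valid_scan_type?` instead of being handled or rejected, so a stored policy that still carries such an action yields no job and no diagnostic. Neither `Security::ScanExecutionPolicy.valid_scan_type?` nor the policy JSON schema is in this diff; if either still accepts `custom`, tightening it in the same change (or logging the dropped action) would make a policy that is now weaker than its author intended visible rather than silent. Dropping the `custom_ci_yaml_allowed:` keyword from `initialize` turns any remaining caller that passes it into an `ArgumentError` at construction; the only caller visible here, `scan_custom_actions` in `processor.rb`, is removed in this commit, but a repository-wide search is cheap insurance. The body of `execute` continues outside the hunk.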
@@ -86,10 +83,6 @@ def valid_scan_type?(scan_type)
 Security::ScanExecutionPolicy.valid_scan_type?(scan_type)
 end
- def custom_scan?(action)
- custom_ci_yaml_enabled? && action[:scan] == 'custom'
- end
-
 def prepare_on_demand_policy_configuration(actions)
 return {} if actions.blank?
@@ -99,7 +92,7 @@ def prepare_on_demand_policy_configuration(actions)
 end
 def prepare_policy_configuration(action, index)
- return unless valid_scan_type?(action[:scan]) || custom_scan?(action)
+ return unless valid_scan_type?(action[:scan])
 variables = scan_variables_with_action_variables(action, fallback: scan_variables(action))
@@ -123,25 +116,9 @@ def scan_variables_with_action_variables(action, fallback: {})
 scan_variables(action).merge(action_variables(action))
 end
- def custom_ci_yaml_enabled?
- return false if project.group.nil?
-
- custom_ci_yaml_allowed && compliance_pipeline_in_policies_enabled? && custom_ci_experiment_enabled?
- end
-
- def compliance_pipeline_in_policies_enabled?
- Feature.enabled?(:compliance_pipeline_in_policies, project)
- end
-
 def allow_restricted_variables?
 Feature.enabled?(:allow_restricted_variables_at_policy_level, project, type: :beta)
 end
-
- def custom_ci_experiment_enabled?
- return false if project.group.nil?
-
- project.group.namespace_settings.toggle_security_policy_custom_ci?
- end
 end
 end
 end
diff --git a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
index 852fbc3b9d78bc5298ee8db5e35c2d7c10119f21..38ed2a379531ec286275e75f0217ab3df68b92b5 100644
--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -5,15 +5,13 @@ module Ci
 class Config
 module SecurityOrchestrationPolicies
 class Processor
+ include Gitlab::Utils::StrongMemoize
+
 DEFAULT_ON_DEMAND_STAGE = 'dast'
 DEFAULT_SECURITY_JOB_STAGE = 'test'
 DEFAULT_BUILD_STAGE = 'build'
 DEFAULT_SCAN_POLICY_STAGE = 'scan-policies'
- DEFAULT_POLICY_PRE_STAGE = '.pipeline-policy-pre'
- DEFAULT_POLICY_TEST_STAGE = '.pipeline-policy-test'
- DEFAULT_POLICY_POST_STAGE = '.pipeline-policy-post'
- RESERVED_STAGES = [DEFAULT_POLICY_PRE_STAGE, DEFAULT_POLICY_TEST_STAGE, DEFAULT_POLICY_POST_STAGE].freeze
 DEFAULT_STAGES = Gitlab::Ci::Config::Entry::Stages.default
 def initialize(config, context, ref, source)
@@ -33,15 +31,6 @@ def perform
 @config[:workflow] = { rules: [{ when: 'always' }] } if @config.empty?
 merged_config = @config.deep_merge(merged_security_policy_config)
-
- if custom_scan_actions_enabled? && active_scan_custom_actions.any?
- merged_config = clean_up_reserved_stages_jobs(merged_config)
-
- merged_config = merged_config.deep_merge(scan_custom_actions[:pipeline_scan])
-
- merged_config[:stages] = insert_custom_scan_stages(merged_config[:stages])
- end
-
 merged_config[:stages] = cleanup_stages(merged_config[:stages])
 merged_config.delete(:stages) if merged_config[:stages].blank?
@@ -54,15 +43,6 @@ def perform
 attr_reader :project, :ref, :context
- def custom_scan_actions_enabled?
- return false if project.group.nil?
-
- Feature.enabled?(
- :compliance_pipeline_in_policies,
- project
- ) && project.group.namespace_settings.toggle_security_policy_custom_ci?
- end
-
 def cleanup_stages(stages)
 stages.uniq!
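Review bot: Removing `DEFAULT_POLICY_PRE_STAGE`, `DEFAULT_POLICY_TEST_STAGE`, `DEFAULT_POLICY_POST_STAGE` and `RESERVED_STAGES` from `Processor` shrinks the class's public constant surface, and a reference from outside this diff would fail as a `NameError` only when that code path runs, not at load time; the deleted `CiAction::Custom` referenced `Processor::DEFAULT_POLICY_TEST_STAGE`, which suggests other callers may have too, so a repository-wide search for these names is worth confirming before merge. The `.pipeline-policy-*` stage names themselves may still be meaningful to other policy code not shown here; if so, their definition belongs in a module that outlives this removal rather than being dropped with it. `include Gitlab::Utils::StrongMemoize` is added here with its only visible use, `strong_memoize_attr`, in a later hunk of this file, which is fine but worth a one-line mention in the commit message.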
@@ -94,12 +74,6 @@ def scan_templates
 .execute(active_scan_template_actions)
 end
- def scan_custom_actions
- @scan_custom_actions ||= ::Security::SecurityOrchestrationPolicies::ScanPipelineService
- .new(context, custom_ci_yaml_allowed: true)
- .execute(active_scan_custom_actions)
- end
-
 ## Add `dast` to the end of stages if `dast` is not in stages already
 ## For other scan types, add `scan-policies` stage after `build` stage if `test` stage is not defined
 def merge_policies_with_stages(config)
@@ -140,22 +114,6 @@ def merge_pipeline_scan_template(merged_config, defined_stages)
 end
 end
- def clean_up_reserved_stages_jobs(config)
- jobs_to_reject = config.except(*Config::Entry::Root.reserved_nodes_names).select do |_, content|
- RESERVED_STAGES.include?(content[:stage])
- end.keys
-
- config.except(*jobs_to_reject)
- end
-
- def insert_custom_scan_stages(config_stages)
- config_stages.append(DEFAULT_POLICY_POST_STAGE)
-
- insert_stage_after_or_prepend(config_stages, DEFAULT_POLICY_TEST_STAGE, %w[test build .pre])
-
- config_stages.unshift(DEFAULT_POLICY_PRE_STAGE)
- end
-
 def insert_stage_after_or_prepend(stages, insert_stage_name, after_stages)
 stage_index = after_stages.filter_map { |stage| stages.index(stage) }.max
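Review bot: Deleting `clean_up_reserved_stages_jobs` removes the only place in this class that stripped project-defined jobs out of the reserved `.pipeline-policy-*` stages, and `perform` (earlier hunk) no longer calls it, so a project `.gitlab-ci.yml` that targets those stage names is now merged untouched. That path was only reachable behind the custom-CI toggle, so there is no regression for current behaviour, but if those stages are still treated as policy-owned by another code path outside this diff, that path must enforce its own cleanup and this should be confirmed in the MR description. `insert_stage_after_or_prepend` loses its `insert_custom_scan_stages` caller here; its body runs past the hunk, so confirm it still has a caller (`merge_policies_with_stages` is a plausible one) or remove it as well.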
@@ -177,27 +135,14 @@ def insert_stage_before_or_append(stages, insert_stage_name, before_stages)
 end
 def active_scan_template_actions
- @active_scan_template_actions ||= active_scan_actions.reject { |action| action[:scan] == 'custom' }
- end
-
- def active_scan_custom_actions
- @active_scan_custom_actions ||= active_scan_actions.select { |action| action[:scan] == 'custom' }
- end
-
- def active_scan_actions
- scan_actions do |configuration|
- configuration.active_policies_pipeline_scan_actions_for_project(ref, project)
- end
- end
-
- def scan_actions
 return [] if valid_security_orchestration_policy_configurations.blank?
 valid_security_orchestration_policy_configurations
- .flat_map do |security_orchestration_policy_configuration|
- yield(security_orchestration_policy_configuration)
+ .flat_map do |configuration|
+ configuration.active_policies_pipeline_scan_actions_for_project(ref, project)
 end.compact.uniq
 end
+ strong_memoize_attr :active_scan_template_actions
 def observe_processing_duration(duration)
 ::Gitlab::Ci::Pipeline::Metrics
diff --git a/ee/spec/helpers/ee/security_orchestration_helper_spec.rb b/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
index f2ee5991493aeac04bddffa1d65c6d36e0919d62..2ac67b7b0c283b25e4f40fd01632553d15678058 100644
--- a/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
+++ b/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
@@ -177,20 +177,6 @@ describe 'custom_ci_toggle_enabled' do it { is_expected.to match(base_data.merge(custom_ci_toggle_enabled: 'false')) } - - context 'when toggle_security_policy_custom_ci is enabled for the group' do - before_all do - project.group.namespace_settings.update!(toggle_security_policy_custom_ci: true) - end - - it { is_expected.to match(base_data.merge(custom_ci_toggle_enabled: 'true')) } - end - - context "when project's group is nil" do - let_it_be_with_reload(:project) { create(:project) } - - it { is_expected.to match(base_data.merge(custom_ci_toggle_enabled: 'false')) } - end end end @@ -296,14 +282,6 @@ it { is_expected.not_to have_key(:max_active_pipeline_execution_policies_reached) } it { is_expected.not_to have_key(:max_pipeline_execution_policies_allowed) } end - - context 'when toggle_security_policy_custom_ci is enabled' do - before_all do - namespace.namespace_settings.update!(toggle_security_policy_custom_ci: true) - end - - it { is_expected.to match(base_data.merge(custom_ci_toggle_enabled: 'true')) } - end end end diff --git a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb index 73c96183878813dfcfd279f0b346cb103c9313d8..eed6ba7339f5d0eec08813c6520f81f4ba4afb0f 100644 --- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb +++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb 
@@ -394,141 +394,6 @@ end end end - - context 'when action is custom' do - let_it_be(:ci_configuration) do - <<~CI_CONFIG - custom_job: - stage: .pipeline-policy-test - script: - - echo "Defined in security policy" - CI_CONFIG - end - - let_it_be(:policy) do - build( - :scan_execution_policy, - actions: [ - { - scan: 'custom', - ci_configuration: ci_configuration - } - ] - ) - end - - let_it_be(:policy_yaml) { build(:orchestration_policy_yaml, scan_execution_policy: [policy]) } - - context 'when compliance_pipeline_in_policies feature is disabled' do - before do - stub_feature_flags(compliance_pipeline_in_policies: false) - end - - it 'does not includes the custom job' do - expect(perform_service[:custom_job]).to be_nil - end - - context 'and project has jobs in reserved stages' do - let(:config) do - { - stages: %w[.pipeline-policy-test], - reserved_stage_test_job: { - stage: '.pipeline-policy-test', - script: [ - 'echo "Hello World"' - ] - } - } - end - - it 'does not remove the reserved stages and jobs', :aggregate_failures do - expect(perform_service[:reserved_stage_test_job]).to eq( - { - script: ['echo "Hello World"'], - stage: ".pipeline-policy-test" - } - ) - expect(perform_service[:stages]).to include('.pipeline-policy-test') - end - end - end - - it 'does not include the custom job' do - expect(perform_service[:custom_job]).to be_nil - end - - context 'when toggle_security_policy_custom_ci is enabled for the group' do - before_all do - namespace.namespace_settings.update!(toggle_security_policy_custom_ci: true) - end - - it 'includes the custom job' do - expect(perform_service[:custom_job]).to eq( - { - stage: '.pipeline-policy-test', - script: ['echo "Defined in security policy"'] - } - ) - end - - context 'and project has jobs in reserved stages' do - let(:config) do - { - stages: %w[.pipeline-policy-test], - test_job: { - stage: '.pipeline-policy-test', - script: [ - 'echo "Hello World"' - ] - } - } - end - - it 'removes project jobs in reserved 
stages' do - expect(perform_service.key?(:test_job)).to eq(false) - end - end - - context 'when test stage does not exist' do - let(:config) { { stages: %w[build deploy] } } - - it 'injects .pipeline-policy-test after build' do - expect(perform_service[:stages]).to eq( - %w[.pipeline-policy-pre build .pipeline-policy-test scan-policies deploy .pipeline-policy-post] - ) - end - - context 'when the build stage does not exist' do - let(:config) { { stages: %w[deploy] } } - - it 'injects .pipeline-policy-test at the beginning' do - expect(perform_service[:stages]).to eq( - %w[.pipeline-policy-pre .pipeline-policy-test scan-policies deploy .pipeline-policy-post] - ) - end - end - end - - context 'when custom stages are defined in the security policy config' do - let_it_be(:ci_configuration) do - <<~CI_CONFIG - stages: - - custom_stage - custom_job: - stage: custom_stage - script: - - echo "Defined in security policy" - CI_CONFIG - end - - it 'ignores custom stages' do - expect(perform_service[:stages]).to eq( - %w[.pipeline-policy-pre .pre build test .pipeline-policy-test deploy .post .pipeline-policy-post] - ) - end - end - end - end end end end diff --git a/ee/spec/services/security/security_orchestration_policies/ci_action/custom_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_action/custom_spec.rb deleted file mode 100644 index 7ec726c6186a54c6ec9c10aa885cccae979456a1..0000000000000000000000000000000000000000 --- a/ee/spec/services/security/security_orchestration_policies/ci_action/custom_spec.rb +++ /dev/null 
@@ -1,222 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -RSpec.describe Security::SecurityOrchestrationPolicies::CiAction::Custom, - :yaml_processor_feature_flag_corectness, - feature_category: :security_policy_management do - describe '#config' do - subject { described_class.new(action, ci_variables, ci_context, 0).config } - - let_it_be(:ci_variables) do - { 'SECRET_DETECTION_HISTORIC_SCAN' => 'false', 'SECRET_DETECTION_DISABLED' => nil } - end - - let(:ci_context) { Gitlab::Ci::Config::External::Context.new(user: user) } - let(:user) { create(:user) } - - let(:ci_configuration) do - <<~CI_CONFIG - image: busybox:latest - custom: - stage: test - script: - - echo "Defined in security policy" - CI_CONFIG - end - - let(:action) { { scan: 'custom', ci_configuration: ci_configuration } } - - context 'with ci_configuration' do - let(:action) { { scan: 'custom', ci_configuration: ci_configuration } } - - it do - is_expected.to eq( - { - custom: { - script: [ - "echo \"Defined in security policy\"" - ], - stage: "test" - }, - image: "busybox:latest" - } - ) - end - - context 'with invalid ci_configuration' do - let(:ci_configuration) do - <<~CI_CONFIG - image: busybox:latest - custom: - stage: build - script: - - echo "Defined in security policy" - sdfsdfsdfsdf - CI_CONFIG - end - - let(:expected_ci_config) do - { - 'security-policy-ci-0': { - 'script' => "echo \"Error parsing security policy CI configuration: (<unknown>): could " \ - "not find expected ':' while scanning a simple key at line 6 column 3\" && false", - 'allow_failure' => true - } - } - end - - it { is_expected.to eq(expected_ci_config) } - end - - context 'when including a file from a private project' do - let(:project) do - create( - :project, - :custom_repo, - files: { - 'ci-file.yaml' => 'image: "busybox:latest"' - } - ) - end - - let(:ci_configuration) do - <<~CI_CONFIG - include: - - project: #{project.full_path} - file: ci-file.yaml - ref: master - CI_CONFIG - end - - 
let(:action) { { scan: 'custom', ci_configuration: ci_configuration } } - - before do - project.add_owner(user) - end - - it { is_expected.to eq(image: 'busybox:latest') } - end - - context 'when custom stages are defined' do - let(:ci_configuration) do - <<~CI_CONFIG - stages: - - custom_stage - custom: - stage: test - script: - - echo "Defined in security policy" - CI_CONFIG - end - - it 'removes custom stage definitions' do - is_expected.to eq( - { - custom: { - script: [ - "echo \"Defined in security policy\"" - ], - stage: "test" - } - } - ) - end - end - - context 'when the job is not assigned to a stage' do - let(:ci_configuration) do - <<~CI_CONFIG - custom: - script: - - echo "Defined in security policy" - CI_CONFIG - end - - it 'will be assigned to the .pipeline-policy-test stage' do - is_expected.to eq( - { - custom: { - script: [ - "echo \"Defined in security policy\"" - ], - stage: ".pipeline-policy-test" - } - } - ) - end - end - end - - context 'with ci_configuration_path' do - let(:project) do - create( - :project, - :custom_repo, - :public, - files: { - 'ci-file.yaml' => ci_configuration.to_s - } - ) - end - - let(:action) do - { - scan: 'custom', - ci_configuration_path: { project: project.full_path, file: 'ci-file.yaml', ref: 'master' } - } - end - - it do - is_expected.to eq( - { - custom: { - script: [ - "echo \"Defined in security policy\"" - ], - stage: "test" - }, - image: "busybox:latest" - } - ) - end - end - - context 'when project is private' do - let(:project) do - create( - :project, - :custom_repo, - files: { - 'ci-file.yaml' => ci_configuration.to_s - } - ) - end - - let(:action) do - { - scan: 'custom', - ci_configuration_path: { project: project.full_path, file: 'ci-file.yaml', ref: 'master' } - } - end - - before do - project.add_owner(user) - end - - it do - is_expected.to eq( - { - custom: { - script: [ - "echo \"Defined in security policy\"" - ], - stage: "test" - }, - image: "busybox:latest" - } - ) - end - end - end -end 
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
index 30466cd58c7107a3e5f07228f4530f072399262d..f0583d589822c9446f11e972c97812257a57dce5 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_configuration_service_spec.rb
@@ -111,24 +111,6 @@
 it_behaves_like 'a template scan'
 end
-
- context 'with custom scan action' do
- let(:scan_type) { 'custom' }
-
- it 'configures a custom scan' do
- expect_next_instance_of(Security::SecurityOrchestrationPolicies::CiAction::Custom,
- action,
- ci_variables,
- context,
- index,
- opts
- ) do |instance|
- expect(instance).to receive(:config)
- end
-
- execute_service
- end
- end
-
 context 'with unknown action' do
 let(:scan_type) { anything }
diff --git a/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
index 6b4380cb379a3da79ae3fb64efb7fe3e04efd050..bd33355c159c1dedcbec60c96610d4ca924acbef 100644
--- a/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/scan_pipeline_service_spec.rb
@@ -189,93 +189,5 @@ it_behaves_like 'creates scan jobs', pipeline_scan_job_templates: %w[Jobs/Secret-Detection], variables: { 'secret-detection-0': { 'SECRET_DETECTION_HISTORIC_SCAN' => 'false', 'SECRET_DETECTION_EXCLUDED_PATHS' => '' } } end end - - context 'with custom scan type' do - let(:custom_ci_yaml_allowed) { true } - let(:service) { described_class.new(context, custom_ci_yaml_allowed: custom_ci_yaml_allowed) } - let(:actions) do - [ - { scan: 'custom', ci_configuration: ci_configuration, variables: { 'CUSTOM_VARIABLE' => 'test' } } - ] - end - - let(:ci_configuration) do - <<~CI_CONFIG - image: busybox:latest - custom: - stage: build - script: - - echo "Defined in security policy" - CI_CONFIG - end - - context 'with the compliance_pipeline_in_policies feature disabled' do - before do - stub_feature_flags(compliance_pipeline_in_policies: false) - end - - it { is_expected.to eq({ pipeline_scan: {}, on_demand: {}, variables: {} }) } - end - - it { is_expected.to eq({ pipeline_scan: {}, on_demand: {}, variables: {} }) } - - context 'when toggle_security_policy_custom_ci is enabled for the group' do - before_all do - group.namespace_settings.update!(toggle_security_policy_custom_ci: true) - end - - it { is_expected.to eq({ pipeline_scan: { image: "busybox:latest", custom: { stage: "build", script: ["echo \"Defined in security policy\""] } }, on_demand: {}, variables: { custom: { 'CUSTOM_VARIABLE' => 'test' } } }) } - - context 'when custom yaml is not allowed from configuration' do - let(:custom_ci_yaml_allowed) { false } - - it { is_expected.to eq({ pipeline_scan: {}, on_demand: {}, variables: {} }) } - end - - context 'with external CI file' do - let(:external_project) do - create( - :project, - :custom_repo, - :public, - files: { - 'ci-file.yaml' => ci_configuration.to_s - } - ) - end - - let(:actions) do - [ - { - scan: 'custom', - ci_configuration_path: { - project: external_project.full_path, - file: 'ci-file.yaml', - ref: 'master' - }, - variables: { - 
'CUSTOM_VARIABLE' => 'test' - } - } - ] - end - - it { is_expected.to eq({ pipeline_scan: { image: "busybox:latest", custom: { stage: "build", script: ["echo \"Defined in security policy\""] } }, on_demand: {}, variables: { custom: { 'CUSTOM_VARIABLE' => 'test' } } }) } - end - end - - context 'when CI does not define jobs' do - let(:ci_configuration) do - <<~CI_CONFIG - variables: - CUSTOM_VARIABLE: test - CI_CONFIG - end - - specify do - expect { subject }.not_to raise_error - end - end - end end end diff --git a/spec/helpers/namespaces_helper_spec.rb b/spec/helpers/namespaces_helper_spec.rb index b5eb8d8682be4286c79d1f7afff92a0654b4fb3a..2f90f251a04a9180aa7fa1a6e145712caf99f40d 100644 --- a/spec/helpers/namespaces_helper_spec.rb +++ b/spec/helpers/namespaces_helper_spec.rb @@ -43,7 +43,7 @@ end describe '#cascading_namespace_settings_popover_data' do - attribute = :toggle_security_policy_custom_ci + attribute = :math_rendering_limits_enabled subject do helper.cascading_namespace_settings_popover_data( @@ -94,7 +94,7 @@ end describe '#cascading_namespace_setting_locked?' do - let(:attribute) { :toggle_security_policy_custom_ci } + let(:attribute) { :math_rendering_limits_enabled } context 'when `group` argument is `nil`' do it 'returns `false`' do @@ -110,13 +110,13 @@ context 'when `*_locked?` method does exist' do before do - allow(admin_group.namespace_settings).to receive(:toggle_security_policy_custom_ci_locked?).and_return(true) + allow(admin_group.namespace_settings).to receive(:"#{attribute}_locked?").and_return(true) end it 'calls corresponding `*_locked?` method' do helper.cascading_namespace_setting_locked?(attribute, admin_group, include_self: true) - expect(admin_group.namespace_settings).to have_received(:toggle_security_policy_custom_ci_locked?).with(include_self: true) + expect(admin_group.namespace_settings).to have_received(:"#{attribute}_locked?").with(include_self: true) end end end 
diff --git a/spec/models/namespace_setting_spec.rb b/spec/models/namespace_setting_spec.rb
index 57828a8a68014fa941212a160ffb5f046f0f0fae..5306b705ad462a82f1ea31d806d0c6c1f20dc130 100644
--- a/spec/models/namespace_setting_spec.rb
+++ b/spec/models/namespace_setting_spec.rb
@@ -436,10 +436,6 @@
 end
 end
- describe '#toggle_security_policy_custom_ci' do
- it_behaves_like 'a cascading namespace setting boolean attribute', settings_attribute_name: :toggle_security_policy_custom_ci
- end
-
 describe '#math_rendering_limits_enabled' do
 it_behaves_like 'a cascading namespace setting boolean attribute', settings_attribute_name: :math_rendering_limits_enabled
 end