From 9933fc83545e88644cfd3e3b54dccdefa877de67 Mon Sep 17 00:00:00 2001 From: nrosandich Date: Fri, 9 May 2025 11:41:21 +1200 Subject: [PATCH 1/4] Add PEP policy source to job options Add `config_sha` and `config_uri` to PEP-triggered jobs `options`. --- .../build_metadata_config_options.json | 6 ++++ .../orchestration_policy_configuration.rb | 19 +++++++++-- .../pipeline_execution_policy/config.rb | 2 +- .../pipeline_context.rb | 4 ++- .../pipeline_execution_policy_configs.rb | 4 +++ .../gitlab/ci/yaml_processor/result_spec.rb | 8 +++-- .../pipeline_context_spec.rb | 5 ++- ee/spec/lib/gitlab/ci/yaml_processor_spec.rb | 2 ++ ...orchestration_policy_configuration_spec.rb | 34 +++++++++++++++++++ 9 files changed, 75 insertions(+), 9 deletions(-) diff --git a/app/validators/json_schemas/build_metadata_config_options.json b/app/validators/json_schemas/build_metadata_config_options.json index d9ba1c3c26045b..df94c814e03d58 100644 --- a/app/validators/json_schemas/build_metadata_config_options.json +++ b/app/validators/json_schemas/build_metadata_config_options.json @@ -360,6 +360,12 @@ }, "variables_override": { "$ref": "#/definitions/executionPolicyVariablesOverrideDefinition" + }, + "config_uri": { + "type": "string" + }, + "config_sha": { + "type": "string" } } }, diff --git a/ee/app/models/security/orchestration_policy_configuration.rb b/ee/app/models/security/orchestration_policy_configuration.rb index 1c0aee3b443390..d2b59552fa1af1 100644 --- a/ee/app/models/security/orchestration_policy_configuration.rb +++ b/ee/app/models/security/orchestration_policy_configuration.rb 
@@ -75,6 +75,15 @@ def self.policy_management_project?(project_id) self.exists?(security_policy_management_project_id: project_id) end + def configuration_uri + configuration_ref = Gitlab::Git::BRANCH_REF_PREFIX + default_branch_or_main + "#{Gitlab.config.gitlab.url}/#{security_policy_management_project.full_path}/#{POLICY_PATH}@#{configuration_ref}" + end + + def configuration_sha + policy_last_commit&.id + end + def policy_hash Rails.cache.fetch(policy_cache_key, expires_in: CACHE_DURATION) do policy_yaml @@ -109,14 +118,18 @@ def policy_last_updated_by end end - def policy_last_updated_at - strong_memoize(:policy_last_updated_at) do + def policy_last_commit + strong_memoize(:policy_last_commit) do capture_git_error(:last_commit_for_path) do - policy_repo.last_commit_for_path(default_branch_or_main, POLICY_PATH)&.committed_date + policy_repo.last_commit_for_path(default_branch_or_main, POLICY_PATH) end end end + def policy_last_updated_at + policy_last_commit&.committed_date + end + def latest_commit_before_configured_at return if configured_at.nil? diff --git a/ee/app/models/security/pipeline_execution_policy/config.rb b/ee/app/models/security/pipeline_execution_policy/config.rb index 29eb7442f421ed..df307bfef44065 100644 --- a/ee/app/models/security/pipeline_execution_policy/config.rb +++ b/ee/app/models/security/pipeline_execution_policy/config.rb @@ -15,7 +15,7 @@ class Config attr_reader :content, :config_strategy, :suffix_strategy, :policy_project_id, :policy_index, :name, :skip_ci_strategy, :variables_override_strategy, :policy_config - delegate :experiment_enabled?, to: :policy_config + delegate :experiment_enabled?, :configuration_uri, :configuration_sha, to: :policy_config def initialize(policy:, policy_config:, policy_index:) @content = policy.fetch(:content).to_yaml 
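Review bot: `configuration_sha` resolves the policy file's last commit at call time, while the policy content that is actually applied comes from `policy_hash`, which is served from `Rails.cache` for `CACHE_DURATION`; if the policy file changes inside that window, a job can be stamped with a SHA whose content was never applied, which defeats the provenance this field is meant to carry. Unless `policy_cache_key` already incorporates the commit (not visible here), resolve the commit once and read the policy content at that SHA rather than at the branch tip, caching the pair together. `policy_last_commit` wraps the lookup in `capture_git_error`, so `configuration_sha` is `nil` on a git failure and the method should say so: `# Returns nil when the last commit for POLICY_PATH cannot be resolved (the git error is captured, not raised).` `policy_hash`'s body continues outside the hunk.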
diff --git a/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb b/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb index 0e4a2af1df53a9..dde744fa0a149c 100644 --- a/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb +++ b/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb @@ -163,7 +163,9 @@ def job_options { name: current_policy.name, variables_override: current_policy.variables_override_strategy, - pre_succeeds: current_policy.experiment_enabled?(:ensure_pipeline_policy_pre_succeeds) + pre_succeeds: current_policy.experiment_enabled?(:ensure_pipeline_policy_pre_succeeds), + config_uri: current_policy.configuration_uri, + config_sha: current_policy.configuration_sha }.compact_blank end diff --git a/ee/spec/factories/security/pipeline_execution_policy_configs.rb b/ee/spec/factories/security/pipeline_execution_policy_configs.rb index 54fa0450324288..ab0d1bec2c1d6a 100644 --- a/ee/spec/factories/security/pipeline_execution_policy_configs.rb +++ b/ee/spec/factories/security/pipeline_execution_policy_configs.rb @@ -16,6 +16,10 @@ new(policy: policy, policy_config: attributes[:policy_config], policy_index: attributes[:policy_index]) end + after(:build) do |config| + allow(config.policy_config).to receive_messages(configuration_sha: 'config_sha', configuration_uri: 'config_uri') + end + trait :override_project_ci do policy factory: [:pipeline_execution_policy, :override_project_ci] end diff --git a/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb b/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb index 59a4b9cf036042..499d02017bbad2 100644 --- a/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb +++ b/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb 
@@ -34,8 +34,10 @@ include_context 'with pipeline policy context' let(:creating_policy_pipeline) { true } + let(:pipeline) { FactoryBot.build(:ci_empty_pipeline, ref: 'master') } let(:ci_config) do - Gitlab::Ci::Config.new(config_content, user: user, pipeline_policy_context: pipeline_policy_context) + Gitlab::Ci::Config.new(config_content, user: user, pipeline_policy_context: pipeline_policy_context, + pipeline: pipeline) end let(:config_content) do @@ -44,8 +46,8 @@ ) end - it 'saves the policy name in :options' do - expect(build.dig(:options, :policy, :name)).to eq 'Policy' + it 'saves the policy data in :options' do + expect(build.dig(:options, :policy)).to eq(name: 'Policy', config_sha: 'config_sha', config_uri: 'config_uri') end context 'when creating_policy_pipeline? is false' do diff --git a/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb b/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb index 4930a817e3dd45..727c61f7c177b1 100644 --- a/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb +++ b/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb @@ -649,7 +649,10 @@ end it 'includes policy-specific options' do - expect(job_options).to eq(name: 'My policy', variables_override: { allowed: false }) + expect(job_options).to eq( + name: 'My policy', config_sha: 'config_sha', config_uri: 'config_uri', + variables_override: { allowed: false } + ) end describe 'experiments' do diff --git a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb index aa7af6c7764d16..e3c11a5e1a6405 100644 --- a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb +++ b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb @@ -554,6 +554,8 @@ script: ['rspec'], policy: { name: 'My policy', + config_uri: 'config_uri', + config_sha: 'config_sha', variables_override: { allowed: false } } })]) 
diff --git a/ee/spec/models/security/orchestration_policy_configuration_spec.rb b/ee/spec/models/security/orchestration_policy_configuration_spec.rb index efb30899acc4cb..872a41abfdc880 100644 --- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb +++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb @@ -331,6 +331,40 @@ end end + describe '#configuration_sha' do + let(:last_commit) { instance_double(Commit, id: 'abc123') } + + subject(:configuration_sha) { security_orchestration_policy_configuration.configuration_sha } + + before do + allow(security_orchestration_policy_configuration).to receive(:policy_last_commit).and_return(last_commit) + end + + it 'returns the SHA of the last commit to the policy file' do + expect(configuration_sha).to eq('abc123') + end + + context 'when policy_last_commit is nil' do + let(:last_commit) { nil } + + it { is_expected.to be_nil } + end + end + + describe '#configuration_uri' do + subject(:configuration_uri) { security_orchestration_policy_configuration.configuration_uri } + + before do + allow(security_orchestration_policy_configuration).to receive(:default_branch_or_main).and_return('main') + allow(Gitlab.config.gitlab).to receive(:url).and_return('https://gitlab.example.com') + end + + it 'returns the URI to the policy file' do + expected_uri = "https://gitlab.example.com/#{security_policy_management_project.full_path}/#{Security::OrchestrationPolicyConfiguration::POLICY_PATH}@refs/heads/main" + expect(configuration_uri).to eq(expected_uri) + end + end + describe '#policy_configuration_exists?' do subject { security_orchestration_policy_configuration.policy_configuration_exists? } -- GitLab From cf974f32d69742a1dca3d22e7613f8c3f5dfc3a0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20C=CC=8Cavoj?= Date: Fri, 24 Oct 2025 12:51:29 +0200 Subject: [PATCH 2/4] Move mocks from the factory --- .../pipeline_execution_policy_configs.rb | 4 ---- .../apply_policies_spec.rb | 10 ++++++++++ .../ee/gitlab/ci/yaml_processor/result_spec.rb | 3 ++- .../pipeline_context_spec.rb | 18 +++++++++++++++++- ee/spec/lib/gitlab/ci/yaml_processor_spec.rb | 4 ++-- ...ipeline_execution_policy_shared_examples.rb | 7 +++++++ 6 files changed, 38 insertions(+), 8 deletions(-) diff --git a/ee/spec/factories/security/pipeline_execution_policy_configs.rb b/ee/spec/factories/security/pipeline_execution_policy_configs.rb index ab0d1bec2c1d6a..54fa0450324288 100644 --- a/ee/spec/factories/security/pipeline_execution_policy_configs.rb +++ b/ee/spec/factories/security/pipeline_execution_policy_configs.rb @@ -16,10 +16,6 @@ new(policy: policy, policy_config: attributes[:policy_config], policy_index: attributes[:policy_index]) end - after(:build) do |config| - allow(config.policy_config).to receive_messages(configuration_sha: 'config_sha', configuration_uri: 'config_uri') - end - trait :override_project_ci do policy factory: [:pipeline_execution_policy, :override_project_ci] end diff --git a/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb b/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb index 265fd73fad2c9e..fc0680e506ca07 100644 --- a/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb +++ b/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb @@ -18,6 +18,8 @@ end let(:policy_configs) { execution_policy_pipelines.map(&:policy_config) } + let(:policy_config_sha) { 'config_sha' } + let(:policy_config_uri) { 'config_uri' } let(:command) do Gitlab::Ci::Pipeline::Chain::Command.new( project: project, 
@@ -42,6 +44,11 @@ stub_ci_pipeline_yaml_file(YAML.dump(config)) if config allow(command.pipeline_policy_context.pipeline_execution_context) .to receive_messages(policies: policy_configs, policy_pipelines: execution_policy_pipelines) + + policy_configs.each do |policy_config| + allow(policy_config) + .to receive_messages(configuration_sha: policy_config_sha, configuration_uri: policy_config_uri) + end end describe '#perform!' do @@ -435,6 +442,9 @@ before do allow(command.pipeline_policy_context.pipeline_execution_context) .to receive(:current_policy).and_return(execution_policy_config) + + allow(execution_policy_config) + .to receive_messages(configuration_sha: policy_config_sha, configuration_uri: policy_config_uri) end it 'does not change pipeline stages' do diff --git a/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb b/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb index 499d02017bbad2..062e690093ec30 100644 --- a/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb +++ b/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb @@ -47,7 +47,8 @@ end it 'saves the policy data in :options' do - expect(build.dig(:options, :policy)).to eq(name: 'Policy', config_sha: 'config_sha', config_uri: 'config_uri') + expect(build.dig(:options, :policy)) + .to eq(name: 'Policy', config_sha: policy_config_sha, config_uri: policy_config_uri) end context 'when creating_policy_pipeline? is false' do diff --git a/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb b/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb index 727c61f7c177b1..315021782432c4 100644 --- a/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb +++ b/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb 
@@ -63,10 +63,18 @@ let(:policy_configs) { [project_config, namespace_config] } + let(:policy_config_sha) { 'config_sha' } + let(:policy_config_uri) { 'config_uri' } + before do allow_next_instance_of(::Gitlab::Security::Orchestration::ProjectPipelineExecutionPolicies) do |instance| allow(instance).to receive(:configs).and_return(policy_configs) end + + allow(project_config).to receive_messages(configuration_sha: policy_config_sha, + configuration_uri: policy_config_uri) + allow(namespace_config).to receive_messages(configuration_sha: policy_config_sha, + configuration_uri: policy_config_uri) end end @@ -648,9 +656,17 @@ policy: build(:pipeline_execution_policy, :variables_override_disallowed, name: 'My policy')) end + let(:policy_config_sha) { 'config_sha' } + let(:policy_config_uri) { 'config_uri' } + + before do + allow(current_policy).to receive_messages(configuration_sha: policy_config_sha, + configuration_uri: policy_config_uri) + end + it 'includes policy-specific options' do expect(job_options).to eq( - name: 'My policy', config_sha: 'config_sha', config_uri: 'config_uri', + name: 'My policy', config_sha: policy_config_sha, config_uri: policy_config_uri, variables_override: { allowed: false } ) end diff --git a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb index e3c11a5e1a6405..e7b8a8901b078a 100644 --- a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb +++ b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb @@ -554,8 +554,8 @@ script: ['rspec'], policy: { name: 'My policy', - config_uri: 'config_uri', - config_sha: 'config_sha', + config_uri: policy_config_uri, + config_sha: policy_config_sha, variables_override: { allowed: false } } })]) diff --git a/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb b/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb index 71b33309dc3658..a65692f40381f1 100644 
--- a/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb +++ b/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb @@ -37,6 +37,8 @@ end let(:execution_policy_pipelines) { [] } + let(:policy_config_sha) { 'config_sha' } + let(:policy_config_uri) { 'config_uri' } before do allow(pipeline_policy_context.pipeline_execution_context).to receive_messages( @@ -44,6 +46,11 @@ policy_pipelines: execution_policy_pipelines, current_policy: creating_policy_pipeline ? current_policy : nil ) + + allow(current_policy).to receive_messages( + configuration_sha: policy_config_sha, + configuration_uri: policy_config_uri + ) end end -- GitLab From 8505f79e9487d62070a207aedf049a667a265e54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20C=CC=8Cavoj?= Date: Mon, 17 Nov 2025 16:03:15 +0100 Subject: [PATCH 3/4] Remove configuration_uri and delegation The project full_path may change by the time we use it in JWT claims. We store only the policy project ID and will calculate the URI later. --- .../orchestration_policy_configuration.rb | 5 ---- .../pipeline_execution_policy/config.rb | 6 ++-- .../pipeline_context.rb | 4 +-- .../pipeline_execution_policy_configs.rb | 4 ++- .../apply_policies_spec.rb | 10 ------- .../gitlab/ci/yaml_processor/result_spec.rb | 2 +- .../pipeline_context_spec.rb | 30 +++++++------------ ee/spec/lib/gitlab/ci/yaml_processor_spec.rb | 6 ++-- ...orchestration_policy_configuration_spec.rb | 14 --------- .../pipeline_execution_policy/config_spec.rb | 12 ++++++++ ...peline_execution_policy_shared_examples.rb | 9 ++---- 11 files changed, 37 insertions(+), 65 deletions(-) diff --git a/ee/app/models/security/orchestration_policy_configuration.rb b/ee/app/models/security/orchestration_policy_configuration.rb index d2b59552fa1af1..38fa2965ad567f 100644 --- a/ee/app/models/security/orchestration_policy_configuration.rb +++ b/ee/app/models/security/orchestration_policy_configuration.rb 
@@ -75,11 +75,6 @@ def self.policy_management_project?(project_id) self.exists?(security_policy_management_project_id: project_id) end - def configuration_uri - configuration_ref = Gitlab::Git::BRANCH_REF_PREFIX + default_branch_or_main - "#{Gitlab.config.gitlab.url}/#{security_policy_management_project.full_path}/#{POLICY_PATH}@#{configuration_ref}" - end - def configuration_sha policy_last_commit&.id end diff --git a/ee/app/models/security/pipeline_execution_policy/config.rb b/ee/app/models/security/pipeline_execution_policy/config.rb index df307bfef44065..c75b704c17b094 100644 --- a/ee/app/models/security/pipeline_execution_policy/config.rb +++ b/ee/app/models/security/pipeline_execution_policy/config.rb @@ -13,9 +13,9 @@ class Config POLICY_JOB_SUFFIX = ':policy' attr_reader :content, :config_strategy, :suffix_strategy, :policy_project_id, :policy_index, :name, - :skip_ci_strategy, :variables_override_strategy, :policy_config + :skip_ci_strategy, :variables_override_strategy, :policy_config, :policy_sha - delegate :experiment_enabled?, :configuration_uri, :configuration_sha, to: :policy_config + delegate :experiment_enabled?, to: :policy_config def initialize(policy:, policy_config:, policy_index:) @content = policy.fetch(:content).to_yaml @@ -27,6 +27,8 @@ def initialize(policy:, policy_config:, policy_index:) @name = policy.fetch(:name) @skip_ci_strategy = policy[:skip_ci].presence || DEFAULT_SKIP_CI_STRATEGY @variables_override_strategy = policy[:variables_override] + # Don't delegate to policy_config to ensure it doesn't change while building the pipeline + @policy_sha = policy_config.configuration_sha end def strategy_override_project_ci? diff --git a/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb b/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb index dde744fa0a149c..fe7693de8d9595 100644 --- a/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb 
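Review bot: The comment on `@policy_sha` says the snapshot prevents the value from changing while the pipeline is built, but `policy_last_commit` is `strong_memoize`d on the `policy_config` instance, so the copy guards against a fresh `policy_config` instance or an expired re-read, not against repeated calls on the same instance; saying which makes the intent checkable. `configuration_sha` can also return `nil` when the commit lookup fails (it is wrapped in `capture_git_error`), and the new `policy_sha` reader passes that `nil` straight to `job_options`. I would reword to `# Snapshot the policy commit at construction so every job built for this policy carries the same revision; nil if the commit could not be resolved.` `initialize` starts outside the hunk.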
+++ b/ee/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context.rb @@ -164,8 +164,8 @@ def job_options name: current_policy.name, variables_override: current_policy.variables_override_strategy, pre_succeeds: current_policy.experiment_enabled?(:ensure_pipeline_policy_pre_succeeds), - config_uri: current_policy.configuration_uri, - config_sha: current_policy.configuration_sha + project_id: current_policy.policy_project_id, + sha: current_policy.policy_sha }.compact_blank end diff --git a/ee/spec/factories/security/pipeline_execution_policy_configs.rb b/ee/spec/factories/security/pipeline_execution_policy_configs.rb index 54fa0450324288..812e678b1ed448 100644 --- a/ee/spec/factories/security/pipeline_execution_policy_configs.rb +++ b/ee/spec/factories/security/pipeline_execution_policy_configs.rb @@ -13,7 +13,9 @@ initialize_with do policy = attributes[:policy] policy[:content] = attributes[:content] if attributes[:content].present? - new(policy: policy, policy_config: attributes[:policy_config], policy_index: attributes[:policy_index]) + policy_config = attributes[:policy_config] + allow(policy_config).to receive(:configuration_sha).and_return(attributes[:policy_sha] || 'policy_sha') + new(policy: policy, policy_config: policy_config, policy_index: attributes[:policy_index]) end trait :override_project_ci do diff --git a/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb b/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb index fc0680e506ca07..265fd73fad2c9e 100644 --- a/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb +++ b/ee/spec/lib/ee/gitlab/ci/pipeline/chain/pipeline_execution_policies/apply_policies_spec.rb 
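Review bot: `.compact_blank` silently drops `sha` when `policy_sha` is `nil`, so a policy job created during a transient git failure is persisted without any provenance SHA, and a consumer that derives claims from `options[:policy][:sha]` (the series description mentions JWT claims) would emit a claim set that looks valid but lacks the revision. Dropping the key is what the schema requires (`sha` is `string`, not nullable), so keep the compaction but make the failure visible: log when `current_policy.policy_sha` is blank, and have the consumer treat a missing `sha` as "revision unknown", never as "no policy". Storing the policy management `project_id` rather than a path is the right call given the rename risk the commit message describes. `job_options` starts outside the hunk.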
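Review bot: Putting an RSpec `allow(...)` stub back inside the factory's `initialize_with` undoes what patch 2 of this series ("Move mocks from the factory") set out to do, and it ties the factory to the RSpec mock space: building it outside an example (for instance via `let_it_be`/`before_all`) or from a non-RSpec context fails on `allow` rather than on anything the test is about. An injection point removes the need for the stub: `def initialize(policy:, policy_config:, policy_index:, policy_sha: policy_config.configuration_sha)` in `Config`, and here `new(policy: policy, policy_config: policy_config, policy_index: attributes[:policy_index], policy_sha: attributes[:policy_sha] || 'policy_sha')`. The keyword default still snapshots the SHA at construction for production callers.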
@@ -18,8 +18,6 @@ end let(:policy_configs) { execution_policy_pipelines.map(&:policy_config) } - let(:policy_config_sha) { 'config_sha' } - let(:policy_config_uri) { 'config_uri' } let(:command) do Gitlab::Ci::Pipeline::Chain::Command.new( project: project, @@ -44,11 +42,6 @@ stub_ci_pipeline_yaml_file(YAML.dump(config)) if config allow(command.pipeline_policy_context.pipeline_execution_context) .to receive_messages(policies: policy_configs, policy_pipelines: execution_policy_pipelines) - - policy_configs.each do |policy_config| - allow(policy_config) - .to receive_messages(configuration_sha: policy_config_sha, configuration_uri: policy_config_uri) - end end describe '#perform!' do @@ -442,9 +435,6 @@ before do allow(command.pipeline_policy_context.pipeline_execution_context) .to receive(:current_policy).and_return(execution_policy_config) - - allow(execution_policy_config) - .to receive_messages(configuration_sha: policy_config_sha, configuration_uri: policy_config_uri) end it 'does not change pipeline stages' do diff --git a/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb b/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb index 062e690093ec30..1ed1b5d47288ea 100644 --- a/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb +++ b/ee/spec/lib/ee/gitlab/ci/yaml_processor/result_spec.rb @@ -48,7 +48,7 @@ it 'saves the policy data in :options' do expect(build.dig(:options, :policy)) - .to eq(name: 'Policy', config_sha: policy_config_sha, config_uri: policy_config_uri) + .to eq(name: 'Policy', sha: policy_config_sha, project_id: policy_project_id) end context 'when creating_policy_pipeline? is false' do diff --git a/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb b/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb index 315021782432c4..31d3b4223b5941 100644 --- a/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb 
+++ b/ee/spec/lib/gitlab/ci/pipeline/pipeline_execution_policies/pipeline_context_spec.rb @@ -56,25 +56,21 @@ shared_context 'with mocked policy configs' do let(:namespace_content) { { job: { script: 'namespace script' } } } - let(:namespace_config) { build(:pipeline_execution_policy_config, content: namespace_content) } + let(:namespace_config) do + build(:pipeline_execution_policy_config, content: namespace_content, config_sha: 'namespace_sha') + end let(:project_content) { { job: { script: 'project script' } } } - let(:project_config) { build(:pipeline_execution_policy_config, :suffix_never, content: project_content) } + let(:project_config) do + build(:pipeline_execution_policy_config, :suffix_never, content: project_content, config_sha: 'project_sha') + end let(:policy_configs) { [project_config, namespace_config] } - let(:policy_config_sha) { 'config_sha' } - let(:policy_config_uri) { 'config_uri' } - before do allow_next_instance_of(::Gitlab::Security::Orchestration::ProjectPipelineExecutionPolicies) do |instance| allow(instance).to receive(:configs).and_return(policy_configs) end - - allow(project_config).to receive_messages(configuration_sha: policy_config_sha, - configuration_uri: policy_config_uri) - allow(namespace_config).to receive_messages(configuration_sha: policy_config_sha, - configuration_uri: policy_config_uri) end end 
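Review bot: The two `build(:pipeline_execution_policy_config, ...)` calls here pass `config_sha:`, while the factory in this patch reads `attributes[:policy_sha]` and every other spec in the same patch (the `current_policy` example further down, `yaml_processor_spec`, the shared examples) passes `policy_sha:`. Unless `config_sha` is a transient declared outside the visible factory hunk, the override is either ignored (both configs silently get the default `'policy_sha'`) or fails on assignment, and the distinct `'namespace_sha'`/`'project_sha'` values suggest the intent was to tell the two policies apart. Change to `policy_sha: 'namespace_sha'` and `policy_sha: 'project_sha'`, and add an expectation that the project and namespace jobs carry their respective SHA.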
@@ -652,21 +648,15 @@ context 'when building policy pipeline' do let(:current_policy) do - build(:pipeline_execution_policy_config, + build(:pipeline_execution_policy_config, policy_sha: 'my_policy_sha', policy: build(:pipeline_execution_policy, :variables_override_disallowed, name: 'My policy')) end - let(:policy_config_sha) { 'config_sha' } - let(:policy_config_uri) { 'config_uri' } - - before do - allow(current_policy).to receive_messages(configuration_sha: policy_config_sha, - configuration_uri: policy_config_uri) - end - it 'includes policy-specific options' do expect(job_options).to eq( - name: 'My policy', config_sha: policy_config_sha, config_uri: policy_config_uri, + name: 'My policy', + sha: 'my_policy_sha', + project_id: current_policy.policy_config.security_policy_management_project_id, variables_override: { allowed: false } ) end diff --git a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb index e7b8a8901b078a..1e770a63a1a286 100644 --- a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb +++ b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb @@ -533,7 +533,7 @@ include_context 'with pipeline policy context' let(:current_policy) do - build(:pipeline_execution_policy_config, + build(:pipeline_execution_policy_config, policy_sha: 'my_policy_sha', policy: build(:pipeline_execution_policy, :variables_override_disallowed, name: 'My policy')) end @@ -554,8 +554,8 @@ script: ['rspec'], policy: { name: 'My policy', - config_uri: policy_config_uri, - config_sha: policy_config_sha, + project_id: policy_project_id, + sha: 'my_policy_sha', variables_override: { allowed: false } } })]) diff --git a/ee/spec/models/security/orchestration_policy_configuration_spec.rb b/ee/spec/models/security/orchestration_policy_configuration_spec.rb index 872a41abfdc880..d00aa44de73f96 100644 --- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb +++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb 
@@ -351,20 +351,6 @@ end end - describe '#configuration_uri' do - subject(:configuration_uri) { security_orchestration_policy_configuration.configuration_uri } - - before do - allow(security_orchestration_policy_configuration).to receive(:default_branch_or_main).and_return('main') - allow(Gitlab.config.gitlab).to receive(:url).and_return('https://gitlab.example.com') - end - - it 'returns the URI to the policy file' do - expected_uri = "https://gitlab.example.com/#{security_policy_management_project.full_path}/#{Security::OrchestrationPolicyConfiguration::POLICY_PATH}@refs/heads/main" - expect(configuration_uri).to eq(expected_uri) - end - end - describe '#policy_configuration_exists?' do subject { security_orchestration_policy_configuration.policy_configuration_exists? } diff --git a/ee/spec/models/security/pipeline_execution_policy/config_spec.rb b/ee/spec/models/security/pipeline_execution_policy/config_spec.rb index e921d7e66d964e..70d88eb57e6445 100644 --- a/ee/spec/models/security/pipeline_execution_policy/config_spec.rb +++ b/ee/spec/models/security/pipeline_execution_policy/config_spec.rb @@ -10,6 +10,10 @@ let(:config) { described_class.new(**params) } let(:params) { { policy_config: security_orchestration_policy_configuration, policy_index: 1, policy: policy } } + before do + allow(security_orchestration_policy_configuration).to receive(:configuration_sha).and_return('config_sha') + end + describe '#strategy_override_project_ci?' do subject { config.strategy_override_project_ci? } @@ -140,4 +144,12 @@ it { is_expected.to be(false) } end end + + describe '#policy_sha' do + subject { config.policy_sha } + + let(:policy) { build(:pipeline_execution_policy) } + + it { is_expected.to eq('config_sha') } + end end diff --git a/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb b/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb index a65692f40381f1..ab8cbb7f0eac7f 100644 
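Review bot: The new `#policy_sha` example only covers the stubbed happy path, while the two properties the implementation relies on go untested: that the value is `nil` when `configuration_sha` cannot be resolved, and that it is frozen at construction (the reason given in the `initialize` comment). Add a context where `configuration_sha` is stubbed to return `nil` with `it { is_expected.to be_nil }`, and an example that changes the stub's return value after `config` has been built and asserts `config.policy_sha` still equals `'config_sha'`. Without the second example the snapshot could be turned back into a delegation without any spec failing.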
--- a/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb +++ b/ee/spec/support/shared_examples/ci/pipeline_execution_policy_shared_examples.rb @@ -32,13 +32,13 @@ let_it_be(:project) { create(:project, :repository) } let(:creating_policy_pipeline) { false } let(:current_policy) do - FactoryBot.build(:pipeline_execution_policy_config, + FactoryBot.build(:pipeline_execution_policy_config, policy_sha: policy_config_sha, policy: FactoryBot.build(:pipeline_execution_policy, name: 'Policy')) end let(:execution_policy_pipelines) { [] } let(:policy_config_sha) { 'config_sha' } - let(:policy_config_uri) { 'config_uri' } + let(:policy_project_id) { current_policy.policy_config.security_policy_management_project_id } before do allow(pipeline_policy_context.pipeline_execution_context).to receive_messages( @@ -46,11 +46,6 @@ policy_pipelines: execution_policy_pipelines, current_policy: creating_policy_pipeline ? current_policy : nil ) - - allow(current_policy).to receive_messages( - configuration_sha: policy_config_sha, - configuration_uri: policy_config_uri - ) end end -- GitLab From b9d5ebd3ebef531a83e3cc2e0649de45f3592a77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20C=CC=8Cavoj?= Date: Wed, 3 Dec 2025 16:31:31 +0100 Subject: [PATCH 4/4] Fix build_metadata schema --- .../json_schemas/build_metadata_config_options.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/validators/json_schemas/build_metadata_config_options.json b/app/validators/json_schemas/build_metadata_config_options.json index df94c814e03d58..bba5ebc78526eb 100644 --- a/app/validators/json_schemas/build_metadata_config_options.json +++ b/app/validators/json_schemas/build_metadata_config_options.json @@ -361,10 +361,10 @@ "variables_override": { "$ref": "#/definitions/executionPolicyVariablesOverrideDefinition" }, - "config_uri": { - "type": "string" + "project_id": { + "type": "integer" }, - "config_sha": { + "sha": { "type": "string" } } -- GitLab
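Review bot: `sha` is validated only as an arbitrary string, although it is meant to identify the exact policy revision a job was built from; a pattern would reject anything that is not a hex object id before it is persisted into job metadata and later surfaced in claims. Suggest `"sha": { "type": "string", "pattern": "^[0-9a-f]{40}$" }`, widened to `^([0-9a-f]{40}|[0-9a-f]{64})$` if SHA-256 repositories must be supported. `project_id` could likewise take `"minimum": 1`.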