From b242f88729c465f17f99f3b2ee563f5fda69bcb6 Mon Sep 17 00:00:00 2001 From: mc_rocha Date: Mon, 18 Aug 2025 15:09:56 -0400 Subject: [PATCH 1/3] Send a audit event when scheduled sep policy can not be enforced Changelog: added EE: true --- config/sidekiq_queues.yml | 2 + doc/user/compliance/audit_event_types.md | 1 + ee/app/workers/all_queues.yml | 10 ++ ...heduled_scans_not_enforced_audit_worker.rb | 36 ++++++ .../create_pipeline_worker.rb | 9 ++ ...ty_policy_scheduled_scans_not_enforced.yml | 10 ++ ...urity_policy_not_enforced_audit_events.yml | 10 ++ .../scheduled_scans_not_enforced_auditor.rb | 70 ++++++++++++ ...heduled_scans_not_enforced_auditor_spec.rb | 104 ++++++++++++++++++ ...ed_scans_not_enforced_audit_worker_spec.rb | 76 +++++++++++++ .../create_pipeline_worker_spec.rb | 19 ++++ 11 files changed, 347 insertions(+) create mode 100644 ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb create mode 100644 ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml create mode 100644 ee/config/feature_flags/beta/collect_scheduled_security_policy_not_enforced_audit_events.yml create mode 100644 ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb create mode 100644 ee/spec/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor_spec.rb create mode 100644 ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml index 5b79f954397035..84cbf015a16e96 100644 --- a/config/sidekiq_queues.yml +++ b/config/sidekiq_queues.yml @@ -977,6 +977,8 @@ - 1 - - security_policies_project_transfer - 1 +- - security_policies_scheduled_scans_not_enforced_audit + - 1 - - security_policies_skip_pipelines_audit - 1 - - security_process_scan_result_policy 
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 34a17e5824a5e2..287651e5eb904c 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -546,6 +546,7 @@ Audit event types belong to the following product categories. | [`security_policy_merge_request_merged_with_policy_violations`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195775) | A merge request merged with security policy violations | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/work_items/549813) | Project | | [`security_policy_pipeline_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196628) | A pipeline with security policy jobs failed | {{< icon name="dotted-circle" >}} No | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/539232) | Project | | [`security_policy_pipeline_skipped`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195325) | A security policy pipeline is skipped | {{< icon name="dotted-circle" >}} No | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/539232) | Project | +| [`security_policy_scheduled_scans_not_enforced`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201822) | A scheduled pipeline with security policy could not be created | {{< icon name="dotted-circle" >}} No | GitLab [18.4](https://gitlab.com/gitlab-org/gitlab/-/issues/539232) | Project | | [`security_policy_service_account_push_bypass`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196249) | Branch push that is blocked by a security policy is bypassed for configured service account | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/549644) | Project | | [`security_policy_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192797) | A security policy is updated | {{< icon name="check-circle" >}} Yes | GitLab [18.1](https://gitlab.com/gitlab-org/gitlab/-/issues/539230) | Project | | [`security_policy_violations_detected`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193482) | Security policy violation is detected in the merge request | {{< icon name="dotted-circle" >}} No | 
GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/work_items/549811) | Project | diff --git a/ee/app/workers/all_queues.yml b/ee/app/workers/all_queues.yml index 333f04d915329b..4e687b14e2ccb3 100644 --- a/ee/app/workers/all_queues.yml +++ b/ee/app/workers/all_queues.yml @@ -3714,6 +3714,16 @@ :idempotent: true :tags: [] :queue_namespace: +- :name: security_policies_scheduled_scans_not_enforced_audit + :worker_name: Security::Policies::ScheduledScansNotEnforcedAuditWorker + :feature_category: :security_policy_management + :has_external_dependencies: true + :urgency: :low + :resource_boundary: :unknown + :weight: 1 + :idempotent: true + :tags: [] + :queue_namespace: - :name: security_policies_skip_pipelines_audit :worker_name: Security::Policies::SkipPipelinesAuditWorker :feature_category: :security_policy_management diff --git a/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb b/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb new file mode 100644 index 00000000000000..ac03e07b11a145 --- /dev/null +++ b/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb 
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Security
+  module Policies
+    class ScheduledScansNotEnforcedAuditWorker
+      include ApplicationWorker
+
+      data_consistency :sticky
+
+      feature_category :security_policy_management
+      urgency :low
+      idempotent!
+      deduplicate :until_executed
+      defer_on_database_health_signal :gitlab_main, [:project_audit_events], 1.minute
+
+      # Audit stream to external destination with HTTP request if configured
+      worker_has_external_dependencies!
+
+      def perform(project_id, current_user_id, schedule_id, branch)
+        project = Project.find_by_id(project_id)
+        return unless project
+        return unless project.licensed_feature_available?(:security_orchestration_policies)
+
+        schedule = Security::OrchestrationPolicyRuleSchedule.find_by_id(schedule_id)
+        return unless schedule
+
+        current_user = User.find_by_id(current_user_id)
+
+        ::Security::SecurityOrchestrationPolicies::ScheduledScansNotEnforcedAuditor.new(project: project,
+          author: current_user,
+          schedule: schedule,
+          branch: branch).audit
+      end
+    end
+  end
+end
diff --git a/ee/app/workers/security/scan_execution_policies/create_pipeline_worker.rb b/ee/app/workers/security/scan_execution_policies/create_pipeline_worker.rb
index eeffddcfd99066..60922464315461 100644
--- a/ee/app/workers/security/scan_execution_policies/create_pipeline_worker.rb
+++ b/ee/app/workers/security/scan_execution_policies/create_pipeline_worker.rb
@@ -35,6 +35,10 @@ def perform(project_id, current_user_id, schedule_id, branch)
         return unless service_result[:status] == :error
 
         log_error(current_user, schedule, service_result[:message])
+
+        return if ::Feature.disabled?(:collect_scheduled_security_policy_not_enforced_audit_events, project)
+
+        track_scan_not_enforced_event(project_id, current_user_id, schedule_id, branch)
       end
 
       private
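Review bot: `defer_on_database_health_signal :gitlab_main, [:project_audit_events], 1.minute` guards a table this worker does not appear to write: the event type added in the same commit is declared `saved_to_database: false` / `streamed: true`, so, if the auditor honours that configuration, the job only streams to external destinations. Either drop the deferral or add a comment stating why it is still wanted, e.g. `# Deferred on project_audit_events health even though the event is stream-only: <reason>`. The comment above `worker_has_external_dependencies!` is the only documentation on the class; a one-line class comment such as `# Emits the security_policy_scheduled_scans_not_enforced audit event when a scheduled policy pipeline could not be created` would tell a reader when this job runs without opening CreatePipelineWorker.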
@@ -74,6 +78,11 @@ def log_error(current_user, schedule, message)
           )
         )
       end
+
+      def track_scan_not_enforced_event(project_id, current_user_id, schedule_id, branch)
+        ::Security::Policies::ScheduledScansNotEnforcedAuditWorker.perform_async(project_id, current_user_id,
+          schedule_id, branch)
+      end
     end
   end
 end
diff --git a/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml b/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml
new file mode 100644
index 00000000000000..66b6ba8842636e
--- /dev/null
+++ b/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml
@@ -0,0 +1,10 @@
+---
+name: security_policy_scheduled_scans_not_enforced
+description: A scheduled pipeline with security policy could not be created
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/539232
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201822
+feature_category: security_policy_management
+milestone: '18.4'
+saved_to_database: false
+streamed: true
+scope: [Project]
diff --git a/ee/config/feature_flags/beta/collect_scheduled_security_policy_not_enforced_audit_events.yml b/ee/config/feature_flags/beta/collect_scheduled_security_policy_not_enforced_audit_events.yml
new file mode 100644
index 00000000000000..5787ad77ffaa73
--- /dev/null
+++ b/ee/config/feature_flags/beta/collect_scheduled_security_policy_not_enforced_audit_events.yml
@@ -0,0 +1,10 @@
+---
+name: collect_scheduled_security_policy_not_enforced_audit_events
+description: Collects audit events for scheduled security policies that could not be enforced
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/561047
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201822
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/562207
+milestone: '18.4'
+group: group::security policies
+type: beta
+default_enabled: false
diff --git a/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb b/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb
new file mode 100644
index 00000000000000..5d0c4b2092f659
--- /dev/null
+++ b/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module Security
+  module SecurityOrchestrationPolicies
+    class ScheduledScansNotEnforcedAuditor
+      include Gitlab::Utils::StrongMemoize
+
+      def initialize(project:, author:, schedule:, branch:)
+        @project = project
+        @author = author
+        @schedule = schedule
+        @branch = branch
+      end
+
+      def audit
+        return unless schedule && project
+
+        ::Gitlab::Audit::Auditor.audit(audit_context)
+      end
+
+      private
+
+      attr_reader :project, :author, :schedule, :branch
+
+      def audit_context
+        {
+          name: event_name,
+          author: schedule_author,
+          scope: security_policy_management_project,
+          target: schedule,
+          target_details: schedule.id.to_s,
+          message: event_message,
+          additional_details: additional_details
+        }
+      end
+
+      def event_name
+        'security_policy_scheduled_scans_not_enforced'
+      end
+
+      def event_message
+        "Schedule: #{schedule.id} created by security policies could not be enforced"
+      end
+
+      def security_policy_management_project
+        schedule.security_orchestration_policy_configuration.security_policy_management_project
+      end
+
+      def additional_details
+        {
+          target_branch: branch,
+          project_id: project.id,
+          project_name: project.name,
+          project_full_path: project.full_path,
+          skipped_policy: skipped_policy
+        }.compact
+      end
+
+      def skipped_policy
+        # binding.pry
+        { name: schedule.policy&.dig(:name), policy_type: schedule.policy_type }
+      end
+
+      def schedule_author
+        author || Gitlab::Audit::DeletedAuthor.new(id: -4, name: 'Unknown User')
+      end
+      strong_memoize_attr :schedule_author
+    end
+  end
+end
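Review bot: `Gitlab::Audit::DeletedAuthor.new(id: -4, name: 'Unknown User')` in `schedule_author` carries an unexplained magic id; a comment on that line saying where `-4` comes from and that it must not collide with the placeholder ids other auditors use, or a named constant such as `UNKNOWN_AUTHOR_ID = -4`, would make the choice reviewable. The name `schedule_author` is also misleading: the value is the `author:` handed in by the caller (the worker passes `current_user`), not an attribute of the schedule, so `event_author` or `audit_author` would read more honestly. `security_policy_management_project` dereferences `schedule.security_orchestration_policy_configuration` with no nil guard, so if the configuration can be removed while the schedule row still exists the `scope:` lookup raises instead of auditing — worth confirming against the association. A short class comment describing when this auditor runs and why `scope` is the policy management project rather than the scanned project would round out the file.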
diff --git a/ee/spec/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor_spec.rb b/ee/spec/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor_spec.rb new file mode 100644 index 00000000000000..5e859d151b4603 --- /dev/null +++ b/ee/spec/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor_spec.rb 
@@ -0,0 +1,104 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Security::SecurityOrchestrationPolicies::ScheduledScansNotEnforcedAuditor, feature_category: :security_policy_management do + describe '#audit' do + let_it_be(:project) { create(:project) } + let_it_be(:author) { create(:user) } + let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) } + let_it_be(:schedule) do + create(:security_orchestration_policy_rule_schedule, + security_orchestration_policy_configuration: policy_configuration) + end + + let_it_be(:branch) { 'main' } + + subject(:audit) { described_class.new(project: project, author: author, schedule: schedule, branch: branch).audit } + + shared_examples 'does not call Gitlab::Audit::Auditor' do + specify do + expect(::Gitlab::Audit::Auditor).not_to receive(:audit) + + audit + end + end + + shared_examples 'calls Gitlab::Audit::Auditor.audit with the expected context' do + specify do + expect(::Gitlab::Audit::Auditor).to receive(:audit).with( + hash_including( + { + name: 'security_policy_scheduled_scans_not_enforced', + author: expected_author, + scope: policy_configuration.security_policy_management_project, + target: schedule, + target_details: schedule.id.to_s, + message: "Schedule: #{schedule.id} created by security policies could not be enforced", + additional_details: { + target_branch: branch, + project_id: project.id, + project_name: project.name, + project_full_path: project.full_path, + skipped_policy: { name: expected_policy_name, policy_type: schedule.policy_type } + } + } + ) + ) + + audit + end + end + + context 'when the schedule is nil' do + let(:schedule) { nil } + + it_behaves_like 'does not call Gitlab::Audit::Auditor' + end + + context 'when the schedule is present' do + context 'when project is nil' do + let_it_be(:project) { nil } + + it_behaves_like 'does not call Gitlab::Audit::Auditor' + end + + context 'when project is present' do + 
let(:policy) do + { + name: 'Scheduled DAST 1', + description: 'This policy runs DAST for every 20 mins', + enabled: true, + rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }], + actions: [ + { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' } + ] + } + end + + let(:expected_policy_name) { policy[:name] } + let(:expected_author) { author } + + before do + allow(schedule).to receive(:policy).and_return(policy) + end + + it_behaves_like 'calls Gitlab::Audit::Auditor.audit with the expected context' + + context 'when the schedule author is nil' do + let_it_be(:author) { nil } + let(:expected_author) { a_kind_of(::Gitlab::Audit::DeletedAuthor) } + + it_behaves_like 'calls Gitlab::Audit::Auditor.audit with the expected context' + end + + context 'when the policy is nil' do + let_it_be(:policy) { nil } + let(:expected_policy_name) { nil } + + it_behaves_like 'calls Gitlab::Audit::Auditor.audit with the expected context' + end + end + end + end +end diff --git a/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb b/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb new file mode 100644 index 00000000000000..80b2a7552bef46 --- /dev/null +++ b/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb 
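Review bot: The `when the policy is nil` context overrides a plain `let(:policy)` with `let_it_be(:policy) { nil }`; mixing the two helpers for the same name is confusing and `let_it_be` buys nothing for a `nil` literal, so `let(:policy) { nil }` is the clearer form (the same applies to `let_it_be(:project) { nil }` and `let_it_be(:author) { nil }` above it). The shared example asserts `additional_details` with every key present, so the `.compact` in the auditor is never exercised; a case where `branch` is `nil` would pin that the key is dropped rather than emitted as null. The enclosing `RSpec.describe` block starts in the previous hunk line.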
@@ -0,0 +1,76 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Security::Policies::ScheduledScansNotEnforcedAuditWorker, feature_category: :security_policy_management do + describe '#perform' do + let_it_be(:project) { create(:project) } + let_it_be(:current_user) { create(:user) } + let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) } + let_it_be(:schedule) do + create(:security_orchestration_policy_rule_schedule, + security_orchestration_policy_configuration: policy_configuration) + end + + let(:project_id) { project.id } + let(:current_user_id) { current_user.id } + let(:schedule_id) { schedule.id } + let_it_be(:branch) { 'main' } + + subject(:run_worker) { described_class.new.perform(project_id, current_user_id, schedule_id, branch) } + + shared_examples_for 'does not call ScheduledScansNotEnforcedAuditor' do + specify do + expect(Security::SecurityOrchestrationPolicies::ScheduledScansNotEnforcedAuditor).not_to receive(:new) + + run_worker + end + end + + context 'when project is not found' do + let(:project_id) { non_existing_record_id } + + it_behaves_like 'does not call ScheduledScansNotEnforcedAuditor' + end + + context 'when project exist' do + let(:project_id) { project.id } + + context 'when security_orchestration_policies feature is not available' do + before do + stub_licensed_features(security_orchestration_policies: false) + end + + it_behaves_like 'does not call ScheduledScansNotEnforcedAuditor' + end + + context 'when security_orchestration_policies feature is available' do + before do + stub_licensed_features(security_orchestration_policies: true) + end + + context 'when the scheduled is not found' do + let(:schedule_id) { non_existing_record_id } + + it_behaves_like 'does not call ScheduledScansNotEnforcedAuditor' + end + + it 'calls ScheduledScansNotEnforcedAuditor' do + 
expect_next_instance_of(Security::SecurityOrchestrationPolicies::ScheduledScansNotEnforcedAuditor, + project: project, + author: current_user, + schedule: schedule, + branch: branch) do |auditor| + expect(auditor).to receive(:audit) + end + + run_worker + end + + it_behaves_like 'an idempotent worker' do + let(:job_args) { [project_id, current_user_id, schedule_id, branch] } + end + end + end + end +end diff --git a/ee/spec/workers/security/scan_execution_policies/create_pipeline_worker_spec.rb b/ee/spec/workers/security/scan_execution_policies/create_pipeline_worker_spec.rb index 8d1621dbfd0c37..4ffe52a131ad83 100644 --- a/ee/spec/workers/security/scan_execution_policies/create_pipeline_worker_spec.rb +++ b/ee/spec/workers/security/scan_execution_policies/create_pipeline_worker_spec.rb @@ -135,6 +135,25 @@ run_worker end + context 'when the feature flag `collect_scheduled_security_policy_not_enforced_audit_events` is disabled' do + before do + stub_feature_flags(collect_scheduled_security_policy_not_enforced_audit_events: false) + end + + it 'does not calls ScheduledScansNotEnforcedAuditWorker' do + expect(::Security::Policies::ScheduledScansNotEnforcedAuditWorker).not_to receive(:perform_async) + + run_worker + end + end + + it 'calls ScheduledScansNotEnforcedAuditWorker' do + expect(::Security::Policies::ScheduledScansNotEnforcedAuditWorker).to receive(:perform_async).with(project_id, + current_user_id, schedule_id, branch) + + run_worker + end + context 'when the schedule defines the time_window' do before do allow_next_found_instance_of(Security::OrchestrationPolicyRuleSchedule) do |instance| -- GitLab From daab3f40d018bec6ec3e4804d6712e3ac722a214 Mon Sep 17 00:00:00 2001 
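Review bot: Several example descriptions read wrong and will show up as such in the test output: `context 'when project exist'` should be `'when project exists'` and `context 'when the scheduled is not found'` should be `'when the schedule is not found'` in this spec, and `it 'does not calls ScheduledScansNotEnforcedAuditWorker'` should be `it 'does not call ScheduledScansNotEnforcedAuditWorker'` in the create_pipeline_worker spec hunk that follows. The `describe '#perform'` block of this spec begins in the previous hunk line.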
From: mc_rocha Date: Wed, 20 Aug 2025 13:25:15 -0400 Subject: [PATCH 2/3] Address reviewer comment --- doc/user/compliance/audit_event_types.md | 2 +- .../types/security_policy_scheduled_scans_not_enforced.yml | 2 +- .../scheduled_scans_not_enforced_auditor.rb | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 287651e5eb904c..16816f03c6da52 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -546,7 +546,7 @@ Audit event types belong to the following product categories. | [`security_policy_merge_request_merged_with_policy_violations`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195775) | A merge request merged with security policy violations | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/work_items/549813) | Project | | [`security_policy_pipeline_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196628) | A pipeline with security policy jobs failed | {{< icon name="dotted-circle" >}} No | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/539232) | Project | | [`security_policy_pipeline_skipped`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/195325) | A security policy pipeline is skipped | {{< icon name="dotted-circle" >}} No | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/539232) | Project | -| [`security_policy_scheduled_scans_not_enforced`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201822) | A scheduled pipeline with security policy could not be created | {{< icon name="dotted-circle" >}} No | GitLab [18.4](https://gitlab.com/gitlab-org/gitlab/-/issues/539232) | Project | +| [`security_policy_scheduled_scans_not_enforced`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201822) | A scheduled pipeline with security policy could not be created | {{< icon name="dotted-circle" >}} No | GitLab [18.4](https://gitlab.com/gitlab-org/gitlab/-/issues/561047) | Project | | [`security_policy_service_account_push_bypass`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/196249) | Branch push that is blocked by a security policy is bypassed for configured service account | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/549644) | Project | | [`security_policy_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/192797) | A security policy is updated | {{< icon 
name="check-circle" >}} Yes | GitLab [18.1](https://gitlab.com/gitlab-org/gitlab/-/issues/539230) | Project | | [`security_policy_violations_detected`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193482) | Security policy violation is detected in the merge request | {{< icon name="dotted-circle" >}} No | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/work_items/549811) | Project | diff --git a/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml b/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml index 66b6ba8842636e..d42d9a4cabff8e 100644 --- a/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml +++ b/ee/config/audit_events/types/security_policy_scheduled_scans_not_enforced.yml @@ -1,7 +1,7 @@ --- name: security_policy_scheduled_scans_not_enforced description: A scheduled pipeline with security policy could not be created -introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/539232 +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/561047 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/201822 feature_category: security_policy_management milestone: '18.4' diff --git a/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb b/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb index 5d0c4b2092f659..7afa85bd486fc9 100644 --- a/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb +++ b/ee/lib/security/security_orchestration_policies/scheduled_scans_not_enforced_auditor.rb @@ -57,7 +57,6 @@ def additional_details end def skipped_policy - # binding.pry { name: schedule.policy&.dig(:name), policy_type: schedule.policy_type } end -- GitLab From 6a393fa5dc26dbc7679e23a9009f22268c378fae Mon Sep 17 00:00:00 2001 
From: mc_rocha
Date: Tue, 2 Sep 2025 17:01:19 -0400
Subject: [PATCH 3/3] Address reviewer comments

---
 .../scheduled_scans_not_enforced_audit_worker.rb | 9 +++------
 .../scheduled_scans_not_enforced_audit_worker_spec.rb | 6 ++++++
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb b/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb
index ac03e07b11a145..d54abdcea74be3 100644
--- a/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb
+++ b/ee/app/workers/security/policies/scheduled_scans_not_enforced_audit_worker.rb
@@ -17,14 +17,11 @@ class ScheduledScansNotEnforcedAuditWorker
       worker_has_external_dependencies!
 
       def perform(project_id, current_user_id, schedule_id, branch)
-        project = Project.find_by_id(project_id)
-        return unless project
+        project = Project.find_by_id(project_id) || return
         return unless project.licensed_feature_available?(:security_orchestration_policies)
 
-        schedule = Security::OrchestrationPolicyRuleSchedule.find_by_id(schedule_id)
-        return unless schedule
-
-        current_user = User.find_by_id(current_user_id)
+        schedule = Security::OrchestrationPolicyRuleSchedule.find_by_id(schedule_id) || return
+        current_user = User.find_by_id(current_user_id) || return
 
         ::Security::SecurityOrchestrationPolicies::ScheduledScansNotEnforcedAuditor.new(project: project,
           author: current_user,
diff --git a/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb b/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb
index 80b2a7552bef46..683ff1d7c99b17 100644
--- a/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb
+++ b/ee/spec/workers/security/policies/scheduled_scans_not_enforced_audit_worker_spec.rb
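Review bot: `current_user = User.find_by_id(current_user_id) || return` now drops the audit event entirely when the requesting user no longer exists, even though `ScheduledScansNotEnforcedAuditor#schedule_author` falls back to `Gitlab::Audit::DeletedAuthor` for exactly that case and the auditor spec covers a nil author. For an audit trail, silently losing the "scans not enforced" record because the actor was deleted is the weaker choice; the first revision's `current_user = User.find_by_id(current_user_id)` with no early return kept the event and attributed it to the placeholder author. If the early return is intentional, say so in a comment on that line, e.g. `# No audit event without a resolvable actor; see <decision link placeholder>`, and remove the now-unreachable fallback in the auditor so the two do not disagree. `perform` continues past the end of this hunk.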
@@ -55,6 +55,12 @@
         it_behaves_like 'does not call ScheduledScansNotEnforcedAuditor'
       end
 
+      context 'when the current_user is not found' do
+        let(:current_user_id) { non_existing_record_id }
+
+        it_behaves_like 'does not call ScheduledScansNotEnforcedAuditor'
+      end
+
       it 'calls ScheduledScansNotEnforcedAuditor' do
         expect_next_instance_of(Security::SecurityOrchestrationPolicies::ScheduledScansNotEnforcedAuditor,
           project: project,
-- 
GitLab