2025-08-15 21:39:00 +00:00 · 2022-11-18 09:08:21 +00:00
parent c2f65d6e6f
commit 1876696e87
9 changed files with 71 additions and 12 deletions
--- a/app/models/concerns/has_user_type.rb
+++ b/app/models/concerns/has_user_type.rb
@ -13,10 +13,11 @@ module HasUserType
    project_bot: 6,
    migration_bot: 7,
    security_bot: 8,
-    automation_bot: 9
+    automation_bot: 9,
+    security_policy_bot: 10
  }.with_indifferent_access.freeze

-  BOT_USER_TYPES = %w[alert_bot project_bot support_bot visual_review_bot migration_bot security_bot automation_bot].freeze
+  BOT_USER_TYPES = %w[alert_bot project_bot support_bot visual_review_bot migration_bot security_bot automation_bot security_policy_bot].freeze
  NON_INTERNAL_USER_TYPES = %w[human project_bot service_user].freeze
  INTERNAL_USER_TYPES = (USER_TYPES.keys - NON_INTERNAL_USER_TYPES).freeze

--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -896,6 +896,16 @@ class User < ApplicationRecord
      end
    end

+    def security_policy_bot
+      email_pattern = "security-policy-bot%s@#{Settings.gitlab.host}"
+
+      unique_internal(where(user_type: :security_policy_bot), 'security-policy-bot', email_pattern) do |u|
+        u.bio = 'System bot that creates pipelines for security orchestration policies'
+        u.name = 'GitLab Security Policy Bot'
+        u.avatar = bot_avatar(image: 'security-bot.png')
+      end
+    end
+
    # Return true if there is only single non-internal user in the deployment,
    # ghost user is ignored.
    def single_user?
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@ -27,6 +27,10 @@ class BasePolicy < DeclarativePolicy::Base
  with_options scope: :user, score: 0
  condition(:security_bot) { @user&.security_bot? }

+  desc "User is security policy bot"
+  with_options scope: :user, score: 0
+  condition(:security_policy_bot) { @user&.security_policy_bot? }
+
  desc "User is automation bot"
  with_options scope: :user, score: 0
  condition(:automation_bot) { @user&.automation_bot? }
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@ -53,6 +53,10 @@ module PolicyActor
    false
  end

+  def security_policy_bot?
+    false
+  end
+
  def automation_bot?
    false
  end
--- a/doc/user/application_security/policies/scan-execution-policies.md
+++ b/doc/user/application_security/policies/scan-execution-policies.md
@ -97,6 +97,8 @@ GitLab supports the following types of CRON syntax for the `cadence` field:

 Other elements of the CRON syntax may work in the cadence field, however, GitLab does not officially test or support them. The CRON expression is evaluated in UTC by default. If you have a self-managed GitLab instance and have [changed the server timezone](../../../administration/timezone.md), the CRON expression is evaluated with the new timezone.

+The scan execution policy for the `schedule` rule type triggers the `GitLab Security Policy Bot` user to create a new pipeline. This user does not count toward the license limit count.
+
 ### `agent` schema

 Use this schema to define `agents` objects in the [`schedule` rule type](#schedule-rule-type).
--- a/lib/gitlab/ci/pipeline/chain/validate/abilities.rb
+++ b/lib/gitlab/ci/pipeline/chain/validate/abilities.rb
@ -14,7 +14,7 @@ module Gitlab
                return error('Project is deleted!')
              end

-              unless project.builds_enabled?
+              unless builds_enabled?
                return error('Pipelines are disabled!')
              end

@ -37,6 +37,10 @@ module Gitlab
              can?(current_user, :create_pipeline, project)
            end

+            def builds_enabled?
+              project.builds_enabled?
+            end
+
            def allowed_to_write_ref?
              access = Gitlab::UserAccess.new(current_user, container: project)

--- a/spec/lib/gitlab/ci/pipeline/chain/validate/abilities_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/chain/validate/abilities_spec.rb
@ -84,6 +84,36 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::Abilities do
    end
  end

+  context 'when CI/CD disabled' do
+    before do
+      project.project_feature.update_attribute(:builds_access_level, ProjectFeature::DISABLED)
+
+      step.perform!
+    end
+
+    it 'adds an error about disabled pipeline' do
+      expect(pipeline.errors.to_a).to include('Pipelines are disabled!')
+    end
+
+    it 'breaks the pipeline builder chain' do
+      expect(step.break?).to eq true
+    end
+  end
+
+  describe '#builds_enabled?' do
+    subject { step.send(:builds_enabled?) }
+
+    it { is_expected.to be_truthy }
+
+    context 'when CI/CD disabled' do
+      before do
+        project.project_feature.update_attribute(:builds_access_level, ProjectFeature::DISABLED)
+      end
+
+      it { is_expected.to be_falsey }
+    end
+  end
+
  describe '#allowed_to_write_ref?' do
    subject { step.send(:allowed_to_write_ref?) }

@ -100,7 +130,7 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::Abilities do
        it { is_expected.to be_truthy }
      end

-      context 'when the branch is protected' do
+      context 'when the branch is protected', :use_clean_rails_redis_caching do
        let!(:protected_branch) do
          create(:protected_branch, project: project, name: ref)
        end
@ -160,7 +190,7 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::Abilities do

      it { is_expected.to be_truthy }

-      context 'when the branch is protected' do
+      context 'when the branch is protected', :use_clean_rails_redis_caching do
        let!(:protected_branch) do
          create(:protected_branch, project: project, name: ref)
        end
--- a/spec/models/concerns/has_user_type_spec.rb
+++ b/spec/models/concerns/has_user_type_spec.rb
@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe User do
  specify 'types consistency checks', :aggregate_failures do
    expect(described_class::USER_TYPES.keys)
-      .to match_array(%w[human ghost alert_bot project_bot support_bot service_user security_bot visual_review_bot migration_bot automation_bot])
+      .to match_array(%w[human ghost alert_bot project_bot support_bot service_user security_bot visual_review_bot migration_bot automation_bot security_policy_bot])
    expect(described_class::USER_TYPES).to include(*described_class::BOT_USER_TYPES)
    expect(described_class::USER_TYPES).to include(*described_class::NON_INTERNAL_USER_TYPES)
    expect(described_class::USER_TYPES).to include(*described_class::INTERNAL_USER_TYPES)
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -6799,7 +6799,8 @@ RSpec.describe User do
            { user_type: :alert_bot },
            { user_type: :support_bot },
            { user_type: :security_bot },
-            { user_type: :automation_bot }
+            { user_type: :automation_bot },
+            { user_type: :security_policy_bot }
          ]
        end

@ -6881,11 +6882,12 @@ RSpec.describe User do
      using RSpec::Parameterized::TableSyntax

      where(:user_type, :expected_result) do
-        'human'             | true
-        'alert_bot'         | false
-        'support_bot'       | false
-        'security_bot'      | false
-        'automation_bot'    | false
+        'human'               | true
+        'alert_bot'           | false
+        'support_bot'         | false
+        'security_bot'        | false
+        'automation_bot'      | false
+        'security_policy_bot' | false
      end

      with_them do
@ -7034,10 +7036,12 @@ RSpec.describe User do
    it_behaves_like 'bot users', :security_bot
    it_behaves_like 'bot users', :ghost
    it_behaves_like 'bot users', :automation_bot
+    it_behaves_like 'bot users', :security_policy_bot

    it_behaves_like 'bot user avatars', :alert_bot, 'alert-bot.png'
    it_behaves_like 'bot user avatars', :support_bot, 'support-bot.png'
    it_behaves_like 'bot user avatars', :security_bot, 'security-bot.png'
+    it_behaves_like 'bot user avatars', :security_policy_bot, 'security-bot.png'
    it_behaves_like 'bot user avatars', :automation_bot, 'support-bot.png'

    context 'when bot is the support_bot' do