
feat:[PLG-621] Update severity for CMK policies #2305

Merged
merged 3 commits into from
Jul 29, 2024

Conversation

ershad-paladin

@ershad-paladin ershad-paladin commented Jul 26, 2024

Description

  • Update severity for CMK policies from critical to medium, because all cloud providers have a default platform-managed key for encryption.
  • Deleting the recently created new policy 'Encrypt OS and Data Disk' because it is encrypted by default with a platform-managed key.

Problem

Solution

Fixes # (issue if any)

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Chore (no code changes)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also
list any relevant details for your test configuration

  • Run the db scripts and verify the policy severity

Checklist:

  • My code follows the style guidelines of this project
  • My commit message/PR follows the contribution guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Other Information:

List any documentation updates that are needed for the Wiki

Summary by CodeRabbit

  • New Features
    • Enhanced policy management with updated severity levels for multiple policies.
    • Streamlined management of policy parameters by removing unnecessary entries for specific policies.
  • Bug Fixes
    • Removed outdated and redundant policy entries to improve clarity and compliance.


coderabbitai bot commented Jul 26, 2024

Important

Review skipped

Review was skipped as selected files did not have any reviewable changes.

Files selected but had no reviewable changes (1)
  • installer/resources/pacbot_app/files/DB_Policy.sql

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The recent changes to the SQL statements involve significant updates to the management of policy parameters and entries in the cf_PolicyTable. Key actions include the removal of specific INSERT statements, the introduction of UPDATE statements to adjust policy severity levels, and the deletion of the encrypt_os_and_data_disk policy. These modifications streamline database operations and enhance clarity in policy management.

Changes

Files | Change Summary
installer/resources/pacbot_app/files/DB_Policy.sql | Removed several INSERT statements related to encrypt_os_and_data_disk, added UPDATE statements for policy severity, and deleted the encrypt_os_and_data_disk entry.

Assessment against linked issues

Objective Addressed Explanation
Update severity for CMK policies across all clouds (PLG-621)

🐇 In the garden so bright,
Policies change, taking flight.
Old ones fade, new ones grow,
Clarity blooms, as we sow!
With every update, we delight,
A streamlined path, all feels right! 🌼




⚠️ DELETE statement found in the changes of SQL files. Requesting review from @santhosh and @Arun.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between c8b1921 and f23cbe9.

Files selected for processing (1)
  • installer/resources/pacbot_app/files/DB_Policy.sql (1 hunks)
Additional comments not posted (3)
installer/resources/pacbot_app/files/DB_Policy.sql (3)

Line range hint 14-16:
Verify the correctness of the UPDATE statements.

Ensure that the UPDATE statements correctly modify the intended policies and that the new severity levels align with the updated risk assessments.

Verification successful

The UPDATE and DELETE statements for policy severity levels and policy removal are correctly implemented.

  • The UPDATE statement sets the severity to 'medium' for multiple policies in the cf_PolicyTable.
  • The DELETE statement removes the encrypt_os_and_data_disk policy from the cf_PolicyTable.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the `UPDATE` statements for policy severity levels.

# Test: Search for the `UPDATE` statements. Expect: Correct policy IDs and severity levels.
rg --type sql -A 5 $'UPDATE cf_PolicyTable SET severity = \'medium\''

Length of output: 74


Script:

#!/bin/bash
# Description: Verify the `UPDATE` statements for policy severity levels.

# Test: Search for all `UPDATE` statements in the SQL file to capture any variations in syntax or formatting.
rg --type sql -A 5 'UPDATE cf_PolicyTable SET severity'

Length of output: 1077


Line range hint 18-18:
Verify the justification for the policy deletion.

Ensure that the deletion of the encrypt_os_and_data_disk policy is justified and that it does not affect other parts of the system.


Line range hint 20-20:
Verify the justification for the removal of the INSERT statements.

Ensure that the removal of the INSERT statements for the encrypt_os_and_data_disk policy is justified and that it does not affect other parts of the system.

Verification successful

Justification for the removal of INSERT statements verified.

The removal of the INSERT statements for the encrypt_os_and_data_disk policy is justified as part of a broader update to policy severities. The commit f23cbe9 indicates that these changes are related to updating the severity for CMK policies, suggesting that the encrypt_os_and_data_disk policy is no longer needed or has been replaced.

  • Commit: f23cbe9
  • Changes: Removal of INSERT and DELETE statements for encrypt_os_and_data_disk
  • Context: Update severity for CMK policies
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the justification for the removal of the `INSERT` statements.

# Test: Search for the `INSERT` statements. Expect: Correct policy parameters and justification.
rg --type sql -A 5 $'INSERT IGNORE INTO cf_PolicyParams'

Length of output: 2355


Script:

#!/bin/bash
# Description: Check the commit history for changes related to `encrypt_os_and_data_disk` and search for any references to it in the codebase.

# Search for commits related to `encrypt_os_and_data_disk`
git log -S 'encrypt_os_and_data_disk' --pretty=format:'%h %ad | %s%d [%an]' --date=short

# Search for references to `encrypt_os_and_data_disk` in the codebase
rg 'encrypt_os_and_data_disk'

Length of output: 508


Script:

#!/bin/bash
# Description: Show the details of commit `f23cbe9` to verify the justification for the removal of the `INSERT` statements.

# Show the details of commit `f23cbe9`
git show f23cbe9

Length of output: 6641


⚠️ DELETE statement found in the changes of SQL files. Requesting review from @santhosh and @Arun.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)
installer/resources/pacbot_app/files/DB_Policy.sql (1)

Incorrect policyId value in DELETE statements

The policyId value encrypt_os_and_data_disk in the DELETE statements does not match the policyId used in the INSERT and UPDATE statements, which is Use_CMK_to_encrypt_OS_and_Data_disk. This discrepancy needs to be corrected to ensure the intended policy is accurately targeted for removal.

  • DELETE statements use policyId='encrypt_os_and_data_disk'
  • INSERT and UPDATE statements use policyId='Use_CMK_to_encrypt_OS_and_Data_disk'

Please update the policyId in the DELETE statements to match the INSERT and UPDATE statements.

Analysis chain

Line range hint 2-2:
LGTM! But verify the policyId value.

The DELETE statement correctly removes the encrypt_os_and_data_disk policy.

However, ensure that the policyId value is accurate and corresponds to the intended policy.


Let's verify the existence and correctness of the policyId value encrypt_os_and_data_disk in the cf_PolicyTable prior to deletion.


Let's search for the policyId value encrypt_os_and_data_disk throughout the entire SQL file to verify its existence and correctness.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the `policyId` value in the `cf_PolicyTable`.

# Test: Search for the `policyId` value. Expect: Only occurrences of valid `policyId` values.
rg --type sql -A 5 $'encrypt_os_and_data_disk'

Length of output: 304


Script:

#!/bin/bash
# Description: Verify the existence and correctness of the `policyId` value in the `cf_PolicyTable` prior to deletion.

# Test: Search for the `policyId` value in the INSERT statements or any other relevant statements in the SQL file.
rg --type sql -A 5 $'INSERT INTO cf_PolicyTable' | grep -i 'encrypt_os_and_data_disk'

Length of output: 84


Script:

#!/bin/bash
# Description: Search for the `policyId` value `encrypt_os_and_data_disk` throughout the entire SQL file.

# Test: Search for the `policyId` value in the entire SQL file.
rg --type sql -i 'encrypt_os_and_data_disk'

Length of output: 4601

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between f23cbe9 and b88ba4e.

Files selected for processing (1)
  • installer/resources/pacbot_app/files/DB_Policy.sql (1 hunks)
Additional comments not posted (4)
installer/resources/pacbot_app/files/DB_Policy.sql (4)

Line range hint 5-5:
Approved as is.

The UPDATE statement for setting the policy display name remains unchanged and aligns with the existing policy management.


Line range hint 1-1:
LGTM! But verify the policyId values.

The UPDATE statement correctly modifies the severity level to 'medium' for multiple policies.

However, ensure that the policyId values are accurate and correspond to the intended policies.


Line range hint 4-4:
LGTM! But verify no dependencies exist for the removed parameters.

The removal of INSERT statements for the parameters of the encrypt_os_and_data_disk policy aligns with the PR objectives.

However, ensure that no other dependencies exist for the removed parameters.


Line range hint 3-3:
LGTM! But verify no dependencies exist for the removed policy.

The removal of INSERT statements for the encrypt_os_and_data_disk policy aligns with the PR objectives.

However, ensure that no other dependencies exist for the removed policy.

Verification successful

No dependencies found for the removed encrypt_os_and_data_disk policy.

The DELETE IGNORE statements found are part of the cleanup process, ensuring no remnants of the policy remain in the database.

  • installer/resources/pacbot_app/files/DB_Policy.sql: DELETE IGNORE FROM cf_PolicyParams WHERE policyId='encrypt_os_and_data_disk';
  • installer/resources/pacbot_app/files/DB_Policy.sql: DELETE IGNORE FROM cf_PolicyTable WHERE policyId='encrypt_os_and_data_disk';
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify no dependencies exist for the removed `encrypt_os_and_data_disk` policy.

# Test: Search for dependencies. Expect: No occurrences of the removed policy.
rg --type sql -A 5 $'encrypt_os_and_data_disk'

Length of output: 304
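
The policyId mismatch check discussed in this review, as an added example (not code from the PR or from CodeRabbit): it lists each DELETE whose policyId is never written by an INSERT or UPDATE in the same script, together with any written ids that contain it when case is ignored. The table names, the two policyId values and the DELETE IGNORE form come from the thread; the column lists and the other values in the sample are constructed.

```python
import re

# Constructed sample, not the project's DB_Policy.sql. Table names, both
# policyId values and the DELETE IGNORE form come from the review thread;
# column lists and the remaining values are assumptions for illustration.
SAMPLE_SQL = """
INSERT IGNORE INTO cf_PolicyTable (policyId, severity)
  VALUES ('Use_CMK_to_encrypt_OS_and_Data_disk', 'critical');
INSERT IGNORE INTO cf_PolicyParams (policyId, paramKey, paramValue)
  VALUES ('Use_CMK_to_encrypt_OS_and_Data_disk', 'severity', 'critical');
UPDATE cf_PolicyTable SET severity = 'medium'
  WHERE policyId IN ('Use_CMK_to_encrypt_OS_and_Data_disk');
DELETE IGNORE FROM cf_PolicyParams WHERE policyId='encrypt_os_and_data_disk';
DELETE IGNORE FROM cf_PolicyTable WHERE policyId='encrypt_os_and_data_disk';
"""

DELETE_RE = re.compile(
    r"DELETE\s+(?:IGNORE\s+)?FROM\s+(\w+)\s+WHERE\s+policyId\s*=\s*'([^']*)'",
    re.IGNORECASE,
)
WRITE_RE = re.compile(r"(?:INSERT|UPDATE)\b", re.IGNORECASE)
LITERAL_RE = re.compile(r"'([^']*)'")


def unmatched_deletes(sql):
    """List (table, policyId, near_misses) for every DELETE whose policyId is
    not a string literal in any INSERT or UPDATE of the same script.

    near_misses are written literals that contain the deleted id when case is
    ignored, which is how a case-insensitive search can hide a mismatch.
    """
    written, deletes = set(), []
    # Splitting on ';' is adequate for seed scripts with no ';' in literals.
    for stmt in (s.strip() for s in sql.split(";")):
        m = DELETE_RE.match(stmt)
        if m:
            deletes.append((m.group(1), m.group(2)))
        elif WRITE_RE.match(stmt):
            written.update(LITERAL_RE.findall(stmt))
    findings = []
    for table, pid in deletes:
        if pid not in written:
            near = sorted(w for w in written if pid.lower() in w.lower())
            findings.append((table, pid, near))
    return findings


if __name__ == "__main__":
    for table, pid, near in unmatched_deletes(SAMPLE_SQL):
        print(f"{table}: DELETE targets {pid!r}; similar written ids: {near}")
```

A flagged DELETE is not necessarily a typo: it can be deliberate cleanup of an id whose INSERT was removed from the script, so the output is a prompt for a reviewer to confirm which case applies.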

arunpaladin
arunpaladin previously approved these changes Jul 29, 2024

⚠️ DELETE statement found in the changes of SQL files. Requesting review from @santhosh and @Arun.

@github-actions github-actions bot requested a review from arunpaladin July 29, 2024 06:01

@ershad-paladin ershad-paladin merged commit 781cc3f into master Jul 29, 2024
59 checks passed
@ershad-paladin ershad-paladin deleted the feat/plg-621/update-cmk-policies branch July 29, 2024 12:36