Upgrade Compliance pipeline configuration to Ultimate tier

Although compliance framework is available to Premium tier, the compliance pipeline configuration can be used only for Ultimate tier

Upgrade Compliance pipeline configuration to Ultimate tier
Although compliance framework is available to Premium tier, the compliance pipeline configuration can be used only for Ultimate tier
347ca5ff · Aishwarya Subramanian · Bob Van Landuyt · 41dfe9cb · 347ca5ff · 347ca5ff
Commit 347ca5ff authored Feb 19, 2021 by Aishwarya Subramanian Committed by Bob Van Landuyt Feb 19, 2021
15 changed files
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -4054,7 +4054,8 @@ type ComplianceFramework {

  """
  Full path of the compliance pipeline configuration stored in a project
-  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.
+  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa`
+  **(ULTIMATE)**.
  """
  pipelineConfigurationFullPath: String
 }
@@ -4112,7 +4113,8 @@ input ComplianceFrameworkInput {

  """
  Full path of the compliance pipeline configuration stored in a project
-  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.
+  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa`
+  **(ULTIMATE)**.
  """
  pipelineConfigurationFullPath: String
 }

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -11037,7 +11037,7 @@
            },
            {
              "name": "pipelineConfigurationFullPath",
-              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.",
+              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.",
              "args": [

              ],
@@ -11207,7 +11207,7 @@
            },
            {
              "name": "pipelineConfigurationFullPath",
-              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.",
+              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.",
              "type": {
                "kind": "SCALAR",
                "name": "String",
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -787,7 +787,7 @@ Represents a ComplianceFramework associated with a Project.
 | `description` | String! | Description of the compliance framework. |
 | `id` | ID! | Compliance framework ID. |
 | `name` | String! | Name of the compliance framework. |
-| `pipelineConfigurationFullPath` | String | Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`. |
+| `pipelineConfigurationFullPath` | String | Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**. |

 ### ComposerMetadata


--- a/ee/app/graphql/types/compliance_management/compliance_framework_input_type.rb
+++ b/ee/app/graphql/types/compliance_management/compliance_framework_input_type.rb
@@ -24,7 +24,7 @@ module Types
      argument :pipeline_configuration_full_path,
               GraphQL::STRING_TYPE,
               required: false,
-               description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.'
+               description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.'
    end
  end
 end
--- a/ee/app/graphql/types/compliance_management/compliance_framework_type.rb
+++ b/ee/app/graphql/types/compliance_management/compliance_framework_type.rb
@@ -25,7 +25,8 @@ module Types

      field :pipeline_configuration_full_path, GraphQL::STRING_TYPE,
            null: true,
-            description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.'
+            description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.',
+            authorize: :manage_group_level_compliance_pipeline_config
    end
  end
 end
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -149,6 +149,7 @@ class License < ApplicationRecord
    enforce_ssh_key_expiration
    enterprise_templates
    environment_alerts
+    evaluate_group_level_compliance_pipeline
    group_ci_cd_analytics
    group_level_compliance_dashboard
    incident_management

--- a/ee/app/policies/compliance_management/framework_policy.rb
+++ b/ee/app/policies/compliance_management/framework_policy.rb
@@ -8,8 +8,17 @@ module ComplianceManagement
      License.feature_available?(:custom_compliance_frameworks) && Feature.enabled?(:ff_custom_compliance_frameworks)
    end

+    condition(:group_level_compliance_pipeline_enabled) do
+      @subject.namespace.feature_available?(:evaluate_group_level_compliance_pipeline) &&
+        Feature.enabled?(:ff_custom_compliance_frameworks, @subject.namespace)
+    end
+
    rule { can?(:owner_access) & custom_compliance_frameworks_enabled }.policy do
      enable :manage_compliance_framework
    end
+
+    rule { can?(:owner_access) & group_level_compliance_pipeline_enabled }.policy do
+      enable :manage_group_level_compliance_pipeline_config
+    end
  end
 end
--- a/ee/app/services/compliance_management/frameworks/create_service.rb
+++ b/ee/app/services/compliance_management/frameworks/create_service.rb
@@ -3,6 +3,8 @@
 module ComplianceManagement
  module Frameworks
    class CreateService < BaseService
+      include ::ComplianceManagement::Frameworks
+
      attr_reader :namespace, :params, :current_user, :framework

      def initialize(namespace:, params:, current_user:)
@@ -22,6 +24,7 @@ module ComplianceManagement
        )

        return ServiceResponse.error(message: 'Not permitted to create framework') unless permitted?
+        return ServiceResponse.error(message: 'Pipeline configuration full path feature is not available') unless compliance_pipeline_configuration_available?

        framework.save ? success : error
      end

--- a/ee/app/services/compliance_management/frameworks/update_service.rb
+++ b/ee/app/services/compliance_management/frameworks/update_service.rb
@@ -3,6 +3,8 @@
 module ComplianceManagement
  module Frameworks
    class UpdateService < BaseService
+      include ::ComplianceManagement::Frameworks
+
      attr_reader :framework, :current_user, :params

      def initialize(framework:, current_user:, params:)
@@ -14,6 +16,11 @@ module ComplianceManagement
      def execute
        return error unless permitted?

+        unless compliance_pipeline_configuration_available?
+          framework.errors.add(:pipeline_configuration_full_path, 'feature is not available')
+          return error
+        end
+
        framework.update(params) ? success : error
      end


--- a/ee/app/services/concerns/compliance_management/frameworks.rb
+++ b/ee/app/services/concerns/compliance_management/frameworks.rb
+# frozen_string_literal: true
+
+module ComplianceManagement
+  module Frameworks
+    def compliance_pipeline_configuration_available?
+      return true unless params[:pipeline_configuration_full_path].present?
+
+      can? current_user, :manage_group_level_compliance_pipeline_config, framework
+    end
+  end
+end
--- a/ee/spec/graphql/mutations/compliance_management/frameworks/create_spec.rb
+++ b/ee/spec/graphql/mutations/compliance_management/frameworks/create_spec.rb
@@ -27,7 +27,7 @@ RSpec.describe Mutations::ComplianceManagement::Frameworks::Create do

    context 'feature is licensed' do
      before do
-        stub_licensed_features(custom_compliance_frameworks: true)
+        stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
      end

      context 'feature flag is disabled' do
@@ -107,7 +107,7 @@ RSpec.describe Mutations::ComplianceManagement::Frameworks::Create do
        name: 'GDPR',
        description: 'Example description',
        color: '#abc123',
-        pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+        pipeline_configuration_full_path: '.compliance-gitlab-ci.yml@compliance/hipaa'
      }
    }
  end

--- a/ee/spec/policies/compliance_management/framework_policy_spec.rb
+++ b/ee/spec/policies/compliance_management/framework_policy_spec.rb
@@ -3,18 +3,19 @@
 require 'spec_helper'

 RSpec.describe ComplianceManagement::FrameworkPolicy do
-  let_it_be(:framework) { create(:compliance_framework) }
+  let_it_be_with_refind(:framework) { create(:compliance_framework) }
  let(:user) { framework.namespace.owner }

  subject { described_class.new(user, framework) }

  context 'feature is licensed' do
    before do
-      stub_licensed_features(custom_compliance_frameworks: true)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
    end

    context 'user is namespace owner' do
      it { is_expected.to be_allowed(:manage_compliance_framework) }
+      it { is_expected.to be_allowed(:manage_group_level_compliance_pipeline_config) }
    end

    context 'user is group owner' do
@@ -27,27 +28,31 @@ RSpec.describe ComplianceManagement::FrameworkPolicy do
      end

      it { is_expected.to be_allowed(:manage_compliance_framework) }
+      it { is_expected.to be_allowed(:manage_group_level_compliance_pipeline_config) }
    end

    context 'user is not namespace owner' do
      let(:user) { build(:user) }

      it { is_expected.to be_disallowed(:manage_compliance_framework) }
+      it { is_expected.to be_disallowed(:manage_group_level_compliance_pipeline_config) }
    end

    context 'user is an admin', :enable_admin_mode do
      let(:user) { build(:admin) }

      it { is_expected.to be_allowed(:manage_compliance_framework) }
+      it { is_expected.to be_allowed(:manage_group_level_compliance_pipeline_config) }
    end
  end

  context 'feature is unlicensed' do
    before do
-      stub_licensed_features(custom_compliance_frameworks: false)
+      stub_licensed_features(custom_compliance_frameworks: false, evaluate_group_level_compliance_pipeline: false)
    end

    it { is_expected.to be_disallowed(:manage_compliance_framework) }
+    it { is_expected.to be_disallowed(:manage_group_level_compliance_pipeline_config) }
  end

  context 'feature is disabled' do
@@ -56,5 +61,6 @@ RSpec.describe ComplianceManagement::FrameworkPolicy do
    end

    it { is_expected.to be_disallowed(:manage_compliance_framework) }
+    it { is_expected.to be_disallowed(:manage_group_level_compliance_pipeline_config) }
  end
 end
--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
@@ -16,7 +16,7 @@ RSpec.describe 'Create a Compliance Framework' do
        name: 'GDPR',
        description: 'Example Description',
        color: '#ABC123',
-        pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+        pipeline_configuration_full_path: '.compliance-gitlab-ci.yml@compliance/hipaa'
      }
    )
  end
@@ -38,7 +38,7 @@ RSpec.describe 'Create a Compliance Framework' do
      expect(mutation_response['framework']['color']).to eq '#ABC123'
      expect(mutation_response['framework']['name']).to eq 'GDPR'
      expect(mutation_response['framework']['description']).to eq 'Example Description'
-      expect(mutation_response['framework']['pipelineConfigurationFullPath']).to eq 'compliance/.gitlab-ci.yml'
+      expect(mutation_response['framework']['pipelineConfigurationFullPath']).to eq '.compliance-gitlab-ci.yml@compliance/hipaa'
    end
  end

@@ -53,7 +53,7 @@ RSpec.describe 'Create a Compliance Framework' do

  context 'feature is licensed' do
    before do
-      stub_licensed_features(custom_compliance_frameworks: true)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
    end

    context 'feature is disabled' do

--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
@@ -13,8 +13,7 @@ RSpec.describe 'Update a compliance framework' do
      params: {
        name: 'New Name',
        description: 'New Description',
-        color: '#AAC112',
-        pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+        color: '#AAC112'
      }
    }
  end
@@ -62,7 +61,36 @@ RSpec.describe 'Update a compliance framework' do
        expect(mutation_response['complianceFramework']['name']).to eq 'New Name'
        expect(mutation_response['complianceFramework']['description']).to eq 'New Description'
        expect(mutation_response['complianceFramework']['color']).to eq '#AAC112'
-        expect(mutation_response['complianceFramework']['pipelineConfigurationFullPath']).to eq 'compliance/.gitlab-ci.yml'
+      end
+
+      context 'pipeline configuration full path' do
+        before do
+          params[:params][:pipeline_configuration_full_path] = '.compliance-gitlab-ci.yml@compliance/hipaa'
+        end
+
+        context 'when compliance pipeline configuration feature is available' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+          end
+
+          it 'updates the pipeline configuration path attribute' do
+            subject
+
+            expect(mutation_response['complianceFramework']['pipelineConfigurationFullPath']).to eq '.compliance-gitlab-ci.yml@compliance/hipaa'
+          end
+        end
+
+        context 'when compliance pipeline configuration feature is not available' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+          end
+
+          it 'returns an error' do
+            subject
+
+            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
+          end
+        end
      end

      context 'current_user is not permitted to update framework' do

--- a/ee/spec/services/compliance_management/frameworks/create_service_spec.rb
+++ b/ee/spec/services/compliance_management/frameworks/create_service_spec.rb
@@ -3,13 +3,12 @@
 require 'spec_helper'

 RSpec.describe ComplianceManagement::Frameworks::CreateService do
-  let_it_be(:namespace) { create(:namespace) }
+  let_it_be_with_refind(:namespace) { create(:namespace) }
  let(:params) do
    {
      name: 'GDPR',
      description: 'The EUs data protection directive',
-      color: '#abc123',
-      pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+      color: '#abc123'
    }
  end

@@ -72,6 +71,22 @@ RSpec.describe ComplianceManagement::Frameworks::CreateService do
      end
    end

+    context 'when pipeline_configuration_full_path parameter is used and feature is not available' do
+      subject { described_class.new(namespace: namespace, params: params, current_user: namespace.owner) }
+
+      before do
+        params[:pipeline_configuration_full_path] = '.compliance-gitlab-ci.yml@compliance/hipaa'
+        stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+      end
+
+      let(:response) { subject.execute }
+
+      it 'returns an error', :aggregate_failures do
+        expect(response.success?).to be false
+        expect(response.message).to eq 'Pipeline configuration full path feature is not available'
+      end
+    end
+
    context 'when using parameters for a valid compliance framework' do
      subject { described_class.new(namespace: namespace, params: params, current_user: namespace.owner) }

@@ -89,7 +104,19 @@ RSpec.describe ComplianceManagement::Frameworks::CreateService do
        expect(framework.name).to eq('GDPR')
        expect(framework.description).to eq('The EUs data protection directive')
        expect(framework.color).to eq('#abc123')
-        expect(framework.pipeline_configuration_full_path).to eq('compliance/.gitlab-ci.yml')
+      end
+
+      context 'when compliance pipeline configuration is available' do
+        before do
+          params[:pipeline_configuration_full_path] = '.compliance-gitlab-ci.yml@compliance/hipaa'
+          stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+        end
+
+        it 'sets the pipeline configuration path attribute' do
+          framework = subject.execute.payload[:framework]
+
+          expect(framework.pipeline_configuration_full_path).to eq('.compliance-gitlab-ci.yml@compliance/hipaa')
+        end
      end
    end
  end