Add policy for instance security dashboard

So long as the right license is there, any logged in user should be able to view the dashboard. https://gitlab.com/gitlab-org/gitlab/issues/33831

Add policy for instance security dashboard
So long as the right license is there, any logged in user should be able to view the dashboard. https://gitlab.com/gitlab-org/gitlab/issues/33831
3d1681e7 · Avielle Wolfe · Mayra Cabrera · 06617c42 · 3d1681e7 · 3d1681e7
Commit 3d1681e7 authored Oct 11, 2019 by Avielle Wolfe Committed by Mayra Cabrera Oct 11, 2019
11 changed files
--- a/ee/app/controllers/security/application_controller.rb
+++ b/ee/app/controllers/security/application_controller.rb
+# frozen_string_literal: true
+module Security
+  class ApplicationController < ::ApplicationController
+    before_action :authorize_read_security_dashboard!
+    before_action do
+      push_frontend_feature_flag(:security_dashboard)
+    end
+    private
+    def authorize_read_security_dashboard!
+      render_404 unless Feature.enabled?(:security_dashboard) &&
+        can?(current_user, :read_security_dashboard)
+    end
+  end
+end
--- a/ee/app/controllers/security/dashboard_controller.rb
+++ b/ee/app/controllers/security/dashboard_controller.rb
+# frozen_string_literal: true
+module Security
+  class DashboardController < ::Security::ApplicationController
+    def show
+      head :ok
+    end
+  end
+end
--- a/ee/app/controllers/security/projects_controller.rb
+++ b/ee/app/controllers/security/projects_controller.rb
+# frozen_string_literal: true
+module Security
+  class ProjectsController < ::Security::ApplicationController
+    def index
+      head :ok
+    end
+    def create
+      head :ok
+    end
+    def destroy
+      head :ok
+    end
+  end
+end
--- a/ee/app/controllers/security_controller.rb
+++ b/ee/app/controllers/security_controller.rb
-# frozen_string_literal: true
-class SecurityController < ApplicationController
-  before_action :authorize_read_security_dashboard!
-  before_action do
-    push_frontend_feature_flag(:security_dashboard)
-  end
-  def authorize_read_security_dashboard!
-    render_404 unless Feature.enabled?(:security_dashboard) &&
-      can?(current_user, :read_security_dashboard)
-  end
-end
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -9,7 +9,13 @@ module EE
        License.feature_available?(:operations_dashboard)
      end
+      condition(:security_dashboard_available) do
+        License.feature_available?(:security_dashboard)
+      end
      rule { operations_dashboard_available }.enable :read_operations_dashboard
+      rule { ~anonymous & security_dashboard_available }.enable :read_security_dashboard
      rule { admin }.policy do
        enable :read_licenses
        enable :destroy_licenses

--- a/ee/app/views/dashboard/_nav_link_list.html.haml
+++ b/ee/app/views/dashboard/_nav_link_list.html.haml
@@ -5,5 +5,5 @@
  = link_to operations_path, class: 'dropdown-item' do
    = _('Operations')
 - if dashboard_nav_link?(:security)
-  = link_to security_path, class: 'dropdown-item' do
+  = link_to security_root_path, class: 'dropdown-item' do
    = _('Security')
--- a/ee/config/routes/security.rb
+++ b/ee/config/routes/security.rb
 # frozen_string_literal: true
-get 'security' => 'security#index'
+namespace :security do
+  root to: 'dashboard#show'
+  resources :projects, only: [:index, :create, :destroy]
+end
--- a/ee/spec/controllers/security/dashboard_controller_spec.rb
+++ b/ee/spec/controllers/security/dashboard_controller_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe Security::DashboardController do
+  describe 'GET #show' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        get :show
+      end
+    end
+  end
+end
--- a/ee/spec/controllers/security/projects_controller_spec.rb
+++ b/ee/spec/controllers/security/projects_controller_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe Security::ProjectsController do
+  describe 'GET #index' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        get :index
+      end
+    end
+  end
+  describe 'POST #create' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        post :create
+      end
+    end
+  end
+  describe 'DELETE #destroy' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        delete :destroy, params: { id: 1 }
+      end
+    end
+  end
+end
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -55,4 +55,30 @@ describe GlobalPolicy do
  describe 'view_productivity_analytics' do
    include_examples 'analytics policy', :view_productivity_analytics
  end
+  describe 'read_security_dashboard' do
+    context 'when the instance has an Ultimate license' do
+      before do
+        stub_licensed_features(security_dashboard: true)
+      end
+      context 'and the user is not logged in' do
+        let(:current_user) { nil }
+        it { is_expected.not_to be_allowed(:read_security_dashboard) }
+      end
+      context 'and the user is logged in' do
+        it { is_expected.to be_allowed(:read_security_dashboard) }
+      end
+    end
+    context 'when the instance does not have an Ultimate license' do
+      before do
+        stub_licensed_features(security_dashboard: false)
+      end
+      it { is_expected.not_to be_allowed(:read_security_dashboard) }
+    end
+  end
 end
--- a/ee/spec/support/shared_examples/controllers/security/application_controller_shared_examples.rb
+++ b/ee/spec/support/shared_examples/controllers/security/application_controller_shared_examples.rb
+# frozen_string_literal: true
+require 'spec_helper'
+shared_examples Security::ApplicationController do
+  context 'when the user is authenticated' do
+    let(:security_application_controller_user) { create(:user) }
+    before do
+      stub_licensed_features(security_dashboard: true)
+      sign_in(security_application_controller_user)
+    end
+    it 'responds with success' do
+      security_application_controller_child_action
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+    context 'and the instance does not have an Ultimate license' do
+      it '404s' do
+        stub_licensed_features(security_dashboard: false)
+        security_application_controller_child_action
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+    context 'and the security dashboard feature is disabled' do
+      it '404s' do
+        stub_feature_flags(security_dashboard: false)
+        security_application_controller_child_action
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+  context 'when the user is not authenticated' do
+    it 'redirects the user to the sign in page' do
+      security_application_controller_child_action
+      expect(response).to redirect_to(new_user_session_path)
+    end
+  end
+end