Merge branch '345316-group-level-policies' into 'master'

Add group-level security policies page

See merge request gitlab-org/gitlab!83262

ee/app/controllers/groups/security/policies_controller.rb

+# frozen_string_literal: true
+
+module Groups
+  module Security
+    class PoliciesController < Groups::ApplicationController
+      before_action :authorize_group_security_policies!
+
+      before_action do
+        push_frontend_feature_flag(:group_level_security_policies, group, default_enabled: :yaml)
+      end
+
+      feature_category :security_orchestration
+
+      def index
+        render :index, locals: { group: group }
+      end
+
+      private
+
+      def authorize_group_security_policies!
+        render_404 unless Feature.enabled?(:group_level_security_policies, group, default_enabled: :yaml)
+      end
+    end
+  end
+end

ee/app/policies/ee/group_policy.rb

@@ -306,6 +306,10 @@ module EE
         enable :read_group_audit_events
       end
 
+      rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
+        enable :security_orchestration_policies
+      end
+
       rule { security_dashboard_enabled & developer }.policy do
         enable :read_group_security_dashboard
         enable :admin_vulnerability
@@ -402,10 +406,6 @@ module EE
         enable :admin_external_audit_events
       end
 
-      rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
-        enable :security_orchestration_policies
-      end
-
       rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
         enable :update_security_orchestration_policy_project
       end

ee/app/views/groups/security/policies/index.html.haml

+- breadcrumb_title _("Policies")
+- @content_wrapper_class = 'js-security-policies-container-wrapper'
+
+#js-group-security-policies-list{ data: { group_path: group.full_path,
+  documentation_path: help_page_path('user/application_security/policies/index.md') } }

ee/config/feature_flags/development/group_level_security_policies.yml

 ---
 name: group_level_security_policies
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82754
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83188
 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356258
 milestone: '14.10'
 type: development

ee/config/routes/group.rb

@@ -170,6 +170,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
           put :revoke
         end
       end
+      resources :policies, only: [:index]
       resources :merge_commit_reports, only: [:index], constraints: { format: :csv }
     end
 

ee/lib/sidebars/groups/menus/security_compliance_menu.rb

@@ -10,6 +10,7 @@ module Sidebars
           add_item(vulnerability_report_menu_item)
           add_item(compliance_menu_item)
           add_item(credentials_menu_item)
+          add_item(scan_policies_menu_item)
           add_item(audit_events_menu_item)
 
           true
@@ -109,6 +110,24 @@ module Sidebars
             context.group.enforced_group_managed_accounts?
         end
 
+        def scan_policies_menu_item
+          unless group_level_security_policies_available?
+            return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
+          end
+
+          ::Sidebars::MenuItem.new(
+            title: _('Policies'),
+            link: group_security_policies_path(context.group),
+            active_routes: { controller: ['groups/security/policies'] },
+            item_id: :scan_policies
+          )
+        end
+
+        def group_level_security_policies_available?
+          Feature.enabled?(:group_level_security_policies, context.group, default_enabled: :yaml) &&
+                    can?(context.current_user, :security_orchestration_policies, context.group)
+        end
+
         def audit_events_menu_item
           unless group_level_audit_events_available?
             return ::Sidebars::NilMenuItem.new(item_id: :audit_events)

ee/spec/controllers/groups/security/policies_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::Security::PoliciesController, type: :request do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:group) { create(:group) }
+  let_it_be(:index) { group_security_policies_url(group) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:feature_flag, :status) do
+      true | :ok
+      false | :not_found
+    end
+
+    subject(:request) { get index, params: { group_id: group.to_param } }
+
+    with_them do
+      before do
+        stub_feature_flags(group_level_security_policies: feature_flag)
+      end
+
+      specify do
+        subject
+
+        expect(response).to have_gitlab_http_status(status)
+      end
+    end
+  end
+end

ee/spec/lib/sidebars/groups/menus/security_compliance_menu_spec.rb

@@ -158,6 +158,54 @@ RSpec.describe Sidebars::Groups::Menus::SecurityComplianceMenu do
       end
     end
 
+    describe 'Security Policies' do
+      let(:item_id) { :scan_policies }
+
+      context 'when scan_policies feature is enabled' do
+        before do
+          stub_licensed_features(security_orchestration_policies: true)
+        end
+
+        context 'when group security policies feature is disabled' do
+          before do
+            stub_feature_flags(group_level_security_policies: true)
+          end
+
+          it_behaves_like 'menu access rights'
+        end
+
+        context 'when group security policies feature is enabled' do
+          before do
+            stub_feature_flags(group_level_security_policies: false)
+          end
+
+          specify { is_expected.to be_nil }
+        end
+      end
+
+      context 'when scan_policies feature is not enabled' do
+        before do
+          stub_licensed_features(security_orchestration_policies: false)
+        end
+
+        context 'when group security policies feature is disabled' do
+          before do
+            stub_feature_flags(group_level_security_policies: true)
+          end
+
+          specify { is_expected.to be_nil }
+        end
+
+        context 'when group security policies feature is enabled' do
+          before do
+            stub_feature_flags(group_level_security_policies: false)
+          end
+
+          specify { is_expected.to be_nil }
+        end
+      end
+    end
+
     describe 'Audit Events' do
       let(:item_id) { :audit_events }
 

ee/spec/policies/group_policy_spec.rb

@@ -911,6 +911,32 @@ RSpec.describe GroupPolicy do
     end
   end
 
+  describe 'security orchestration policies' do
+    before do
+      stub_licensed_features(security_orchestration_policies: true)
+    end
+
+    context 'with developer or maintainer role' do
+      where(role: %w[maintainer developer])
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to be_allowed(:security_orchestration_policies) }
+      end
+    end
+
+    context 'with owner role' do
+      where(role: %w[owner])
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to be_allowed(:security_orchestration_policies) }
+      end
+    end
+  end
+
   describe 'admin_vulnerability' do
     before do
       stub_licensed_features(security_dashboard: true)

ee/spec/policies/project_policy_spec.rb

@@ -768,7 +768,7 @@ RSpec.describe ProjectPolicy do
     end
   end
 
-  describe 'security complience policy' do
+  describe 'security orchestration policies' do
     before do
       stub_licensed_features(security_orchestration_policies: true)
     end