Merge branch 'group_level_compliance_pipeline_availability_fix' into 'master'

Segregate feature flag control for Compliance frameworks and Pipeline configuration See merge request gitlab-org/gitlab!56672

Merge branch 'group_level_compliance_pipeline_availability_fix' into 'master'
Segregate feature flag control for Compliance frameworks and Pipeline configuration See merge request gitlab-org/gitlab!56672
51393d6a · Kerri Miller · ed020986 · 60f69c53 · 51393d6a · 51393d6a
Commit 51393d6a authored Mar 16, 2021 by Kerri Miller
8 changed files
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -179,7 +179,6 @@ class License < ApplicationRecord
    subepics
    threat_monitoring
    vulnerability_auto_fix
-    evaluate_group_level_compliance_pipeline
  ]
  EEU_FEATURES.freeze


--- a/ee/app/policies/compliance_management/framework_policy.rb
+++ b/ee/app/policies/compliance_management/framework_policy.rb
@@ -11,7 +11,7 @@ module ComplianceManagement

    condition(:group_level_compliance_pipeline_enabled) do
      @subject.namespace.feature_available?(:evaluate_group_level_compliance_pipeline) &&
-        Feature.enabled?(:ff_custom_compliance_frameworks, @subject.namespace)
+        Feature.enabled?(:ff_evaluate_group_level_compliance_pipeline, @subject.namespace)
    end

    rule { can?(:owner_access) & custom_compliance_frameworks_enabled }.policy do

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -135,7 +135,7 @@ module EE

      condition(:group_level_compliance_pipeline_available) do
        @subject.feature_available?(:evaluate_group_level_compliance_pipeline) &&
-          ::Feature.enabled?(:ff_custom_compliance_frameworks, @subject, default_enabled: :yaml)
+          ::Feature.enabled?(:ff_evaluate_group_level_compliance_pipeline, @subject, default_enabled: :yaml)
      end

      rule { public_group | logged_in_viewable }.policy do

--- a/ee/app/services/concerns/compliance_management/frameworks.rb
+++ b/ee/app/services/concerns/compliance_management/frameworks.rb
@@ -3,9 +3,9 @@
 module ComplianceManagement
  module Frameworks
    def compliance_pipeline_configuration_available?
-      return true unless params[:pipeline_configuration_full_path].present?
+      return true unless params.key?(:pipeline_configuration_full_path)

-      can? current_user, :manage_group_level_compliance_pipeline_config, framework
+      can?(current_user, :manage_group_level_compliance_pipeline_config, framework)
    end
  end
 end
--- a/ee/spec/policies/compliance_management/framework_policy_spec.rb
+++ b/ee/spec/policies/compliance_management/framework_policy_spec.rb
@@ -57,7 +57,9 @@ RSpec.describe ComplianceManagement::FrameworkPolicy do

  context 'feature is disabled' do
    before do
-      stub_feature_flags(ff_custom_compliance_framework: false)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+      stub_feature_flags(ff_custom_compliance_frameworks: false)
+      stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
    end

    it { is_expected.to be_disallowed(:manage_compliance_framework) }

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1569,7 +1569,7 @@ RSpec.describe GroupPolicy do
  end

  describe 'compliance framework permissions' do
-    shared_context 'compliance framework permissions' do
+    shared_examples 'compliance framework permissions' do
      using RSpec::Parameterized::TableSyntax

      where(:role, :licensed, :feature_flag, :admin_mode, :allowed) do
@@ -1590,7 +1590,7 @@ RSpec.describe GroupPolicy do

        before do
          stub_licensed_features(licensed_feature => licensed)
-          stub_feature_flags(ff_custom_compliance_frameworks: feature_flag)
+          stub_feature_flags(feature_flag_name => feature_flag)
          enable_admin_mode!(current_user) if admin_mode
        end

@@ -1601,15 +1601,17 @@ RSpec.describe GroupPolicy do
    context ':admin_compliance_framework' do
      let(:policy) { :admin_compliance_framework }
      let(:licensed_feature) { :custom_compliance_frameworks }
+      let(:feature_flag_name) { :ff_custom_compliance_frameworks }

-      include_context 'compliance framework permissions'
+      include_examples 'compliance framework permissions'
    end

    context ':admin_compliance_pipeline_configuration' do
      let(:policy) { :admin_compliance_pipeline_configuration }
      let(:licensed_feature) { :evaluate_group_level_compliance_pipeline }
+      let(:feature_flag_name) { :ff_evaluate_group_level_compliance_pipeline }

-      include_context 'compliance framework permissions'
+      include_examples 'compliance framework permissions'
    end
  end


--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
@@ -42,7 +42,7 @@ RSpec.describe 'Create a Compliance Framework' do
    end
  end

-  context 'feature is unlicensed' do
+  context 'framework feature is unlicensed' do
    before do
      stub_licensed_features(custom_compliance_frameworks: false)
      post_graphql_mutation(mutation, current_user: current_user)
@@ -51,12 +51,21 @@ RSpec.describe 'Create a Compliance Framework' do
    it_behaves_like 'a mutation that returns errors in the response', errors: ['Not permitted to create framework']
  end

+  context 'pipeline configuration feature is unlicensed' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+      post_graphql_mutation(mutation, current_user: current_user)
+    end
+
+    it_behaves_like 'a mutation that returns errors in the response', errors: ['Pipeline configuration full path feature is not available']
+  end
+
  context 'feature is licensed' do
    before do
      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
    end

-    context 'feature is disabled' do
+    context 'framework feature is disabled' do
      before do
        stub_feature_flags(ff_custom_compliance_frameworks: false)
      end
@@ -64,6 +73,14 @@ RSpec.describe 'Create a Compliance Framework' do
      it_behaves_like 'a mutation that returns errors in the response', errors: ['Not permitted to create framework']
    end

+    context 'pipeline configuration feature is disabled' do
+      before do
+        stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
+      end
+
+      it_behaves_like 'a mutation that returns errors in the response', errors: ['Pipeline configuration full path feature is not available']
+    end
+
    context 'current_user is namespace owner' do
      it_behaves_like 'a mutation that creates a compliance framework'
    end

--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
@@ -91,6 +91,19 @@ RSpec.describe 'Update a compliance framework' do
            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
          end
        end
+
+        context 'when compliance pipeline configuration feature flag is not enabled' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+            stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
+          end
+
+          it 'returns an error' do
+            subject
+
+            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
+          end
+        end
      end

      context 'current_user is not permitted to update framework' do