Merge branch '321258-remove-orchestration-feature-flag' into 'master'

Remove orchestration policies feature flag See merge request gitlab-org/gitlab!71516

Merge branch '321258-remove-orchestration-feature-flag' into 'master'
Remove orchestration policies feature flag See merge request gitlab-org/gitlab!71516
6df7d53e · Jan Provaznik · 8a3cfdd5 · 15feca4c · 8a3cfdd5 · 6df7d53e
Commit 6df7d53e authored Oct 06, 2021 by Jan Provaznik
28 changed files
--- a/config/feature_flags/development/security_orchestration_policies_configuration.yml
+++ b/config/feature_flags/development/security_orchestration_policies_configuration.yml
---
-name: security_orchestration_policies_configuration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54220
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321258
-milestone: '13.9'
-type: development
-group: group::container security
-default_enabled: true
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -6,13 +6,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w

 # Policies **(ULTIMATE)**

-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10. Deployed behind a feature flag, disabled by default.
+> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in GitLab Ultimate 13.10 with a [feature flag](../../../administration/feature_flags.md) named `security_orchestration_policies_configuration`. Disabled by default.
 > - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.3.
-
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature,
-ask an administrator to [disable the `security_orchestration_policies_configuration` flag](../../../administration/feature_flags.md).
-On GitLab.com, this feature is available.
+> - [Feature flag `security_orchestration_policies_configuration` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in GitLab 14.4.

 Policies in GitLab provide security teams a way to require scans of their choice to be run
 whenever a project pipeline runs according to the configuration specified. Security teams can

--- a/ee/app/controllers/projects/security/policies_controller.rb
+++ b/ee/app/controllers/projects/security/policies_controller.rb
@@ -8,11 +8,6 @@ module Projects
      before_action :authorize_security_orchestration_policies!
      before_action :validate_policy_configuration, only: :edit

-      before_action do
-        push_frontend_feature_flag(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
-        check_feature_flag!
-      end
-
      feature_category :security_orchestration

      def index
@@ -89,10 +84,6 @@ module Projects
      def policy_configuration
        @policy_configuration ||= project.security_orchestration_policy_configuration
      end
-
-      def check_feature_flag!
-        render_404 if Feature.disabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
-      end
    end
  end
 end
--- a/ee/app/graphql/mutations/security_policy/assign_security_policy_project.rb
+++ b/ee/app/graphql/mutations/security_policy/assign_security_policy_project.rb
@@ -23,7 +23,6 @@ module Mutations

      def resolve(args)
        project = authorized_find!(args[:project_path])
-        raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)

        policy_project = find_policy_project(args[:security_policy_project_id])
        raise_resource_not_available_error! unless policy_project.present?
@@ -43,10 +42,6 @@ module Mutations
        ::Gitlab::Graphql::Lazy.force(GitlabSchema.object_from_id(id, expected_type: Project))
      end

-      def allowed?(project)
-        Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
-      end
-
      def assign_project(project, policy_project)
        ::Security::Orchestration::AssignService
          .new(project, current_user, policy_project_id: policy_project.id)

--- a/ee/app/graphql/mutations/security_policy/commit_scan_execution_policy.rb
+++ b/ee/app/graphql/mutations/security_policy/commit_scan_execution_policy.rb
@@ -31,7 +31,6 @@ module Mutations

      def resolve(args)
        project = authorized_find!(args[:project_path])
-        raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)

        result = commit_policy(project, args[:policy_yaml], args[:operation_mode])
        error_message = result[:status] == :error ? result[:message] : nil
@@ -44,10 +43,6 @@ module Mutations

      private

-      def allowed?(project)
-        Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
-      end
-
      def commit_policy(project, policy_yaml, operation_mode)
        ::Security::SecurityOrchestrationPolicies::PolicyCommitService
          .new(project: project, current_user: current_user, params: { policy_yaml: policy_yaml, operation: Types::MutationOperationModeEnum.enum.key(operation_mode).to_sym })

--- a/ee/app/graphql/mutations/security_policy/create_security_policy_project.rb
+++ b/ee/app/graphql/mutations/security_policy/create_security_policy_project.rb
@@ -21,7 +21,6 @@ module Mutations

      def resolve(args)
        project = authorized_find!(args[:project_path])
-        raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)

        result = create_project(project)

@@ -35,10 +34,6 @@ module Mutations

      private

-      def allowed?(project)
-        Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
-      end
-
      def create_project(project)
        ::Security::SecurityOrchestrationPolicies::ProjectCreateService
          .new(project: project, current_user: current_user)

--- a/ee/app/graphql/resolvers/scan_execution_policy_resolver.rb
+++ b/ee/app/graphql/resolvers/scan_execution_policy_resolver.rb
@@ -10,7 +10,7 @@ module Resolvers
    alias_method :project, :object

    def resolve(**args)
-      return [] unless enabled_and_valid?
+      return [] unless valid?

      authorize!

@@ -37,8 +37,8 @@ module Resolvers
      @policy_configuration ||= project.security_orchestration_policy_configuration
    end

-    def enabled_and_valid?
-      policy_configuration.present? && policy_configuration.enabled? && policy_configuration.policy_configuration_valid?
+    def valid?
+      policy_configuration.present? && policy_configuration.policy_configuration_valid?
    end
  end
 end
--- a/ee/app/models/concerns/security/scan_execution_policy.rb
+++ b/ee/app/models/concerns/security/scan_execution_policy.rb
@@ -26,8 +26,6 @@ module Security
    end

    def active_scan_execution_policies
-      return [] unless enabled?
-
      scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT)
    end


--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -28,10 +28,6 @@ module Security
      self.exists?(security_policy_management_project_id: project_id)
    end

-    def enabled?
-      ::Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
-    end
-
    def policy_hash
      strong_memoize(:policy_hash) do
        next if policy_blob.blank?

--- a/ee/app/services/ee/projects/create_service.rb
+++ b/ee/app/services/ee/projects/create_service.rb
@@ -65,8 +65,6 @@ module EE
        return unless security_policy_target_project_id.present?

        if (security_policy_target_project = ::Project.find(security_policy_target_project_id))
-          return unless ::Feature.enabled?(:security_orchestration_policies_configuration, security_policy_target_project, default_enabled: :yaml)
-
          ::Security::Orchestration::AssignService
            .new(security_policy_target_project, current_user, policy_project_id: project.id)
            .execute

--- a/ee/app/services/security/security_orchestration_policies/process_rule_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/process_rule_service.rb
@@ -20,8 +20,6 @@ module Security
      attr_reader :policy_configuration, :policy_index, :policy

      def create_new_schedule_rules
-        return unless policy_configuration.enabled?
-
        policy[:rules].each_with_index do |rule, rule_index|
          next if rule[:type] != Security::ScanExecutionPolicy::RULE_TYPES[:schedule]


--- a/ee/lib/ee/gitlab/ci/pipeline/chain/validate/security_orchestration_policy.rb
+++ b/ee/lib/ee/gitlab/ci/pipeline/chain/validate/security_orchestration_policy.rb
@@ -13,7 +13,7 @@ module EE
              override :perform!
              def perform!
                return unless project&.feature_available?(:security_orchestration_policies)
-                return unless security_orchestration_policy_configuration&.enabled?
+                return unless security_orchestration_policy_configuration

                if !security_orchestration_policy_configuration.policy_configuration_exists?
                  warning(_('scan-execution-policy: policy not applied, %{policy_path} file is missing') % { policy_path: ::Security::OrchestrationPolicyConfiguration::POLICY_PATH })

--- a/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
+++ b/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
@@ -143,8 +143,7 @@ module EE
          end

          def scan_policies_menu_item
-            if ::Feature.disabled?(:security_orchestration_policies_configuration, context.project, default_enabled: :yaml) ||
-              !can?(context.current_user, :security_orchestration_policies, context.project)
+            unless can?(context.current_user, :security_orchestration_policies, context.project)
              return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
            end


--- a/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
+++ b/ee/lib/gitlab/ci/config/security_orchestration_policies/processor.rb
@@ -15,8 +15,7 @@ module Gitlab

          def perform
            return @config unless project&.feature_available?(:security_orchestration_policies)
-            return @config unless security_orchestration_policy_configuration&.enabled?
-            return @config unless security_orchestration_policy_configuration.policy_configuration_valid?
+            return @config unless security_orchestration_policy_configuration&.policy_configuration_valid?
            return @config unless extend_configuration?

            merged_config = @config

--- a/ee/spec/graphql/mutations/security_policy/assign_security_policy_project_spec.rb
+++ b/ee/spec/graphql/mutations/security_policy/assign_security_policy_project_spec.rb
@@ -16,10 +16,9 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do

    subject { mutation.resolve(project_path: project.full_path, security_policy_project_id: policy_project_id) }

-    context 'when feature is enabled and permission is set for user' do
+    context 'when permission is set for user' do
      before do
        stub_licensed_features(security_orchestration_policies: true)
-        stub_feature_flags(security_orchestration_policies_configuration: true)
      end

      context 'when user is an owner of the project' do
@@ -53,17 +52,6 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
      end
    end

-    context 'when feature is disabled' do
-      before do
-        stub_licensed_features(security_orchestration_policies: true)
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
-      it 'raises exception' do
-        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-      end
-    end
-
    context 'when feature is not licensed' do
      before do
        stub_licensed_features(security_orchestration_policies: false)

--- a/ee/spec/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb
+++ b/ee/spec/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb
@@ -14,12 +14,11 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do

    subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }

-    context 'when feature is enabled and permission is set for user' do
+    context 'when permission is set for user' do
      before do
        project.add_maintainer(user)

        stub_licensed_features(security_orchestration_policies: true)
-        stub_feature_flags(security_orchestration_policies_configuration: true)
      end

      it 'returns branch name' do
@@ -30,17 +29,6 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
      end
    end

-    context 'when feature is disabled' do
-      before do
-        stub_licensed_features(security_orchestration_policies: true)
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
-      it 'raises exception' do
-        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-      end
-    end
-
    context 'when permission is not enabled' do
      before do
        stub_licensed_features(security_orchestration_policies: false)

--- a/ee/spec/graphql/mutations/security_policy/create_security_policy_project_spec.rb
+++ b/ee/spec/graphql/mutations/security_policy/create_security_policy_project_spec.rb
@@ -13,10 +13,9 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do

    subject { mutation.resolve(project_path: project.full_path) }

-    context 'when feature is enabled and permission is set for user' do
+    context 'when permission is set for user' do
      before do
        stub_licensed_features(security_orchestration_policies: true)
-        stub_feature_flags(security_orchestration_policies_configuration: true)
      end

      context 'when user is an owner of the project' do
@@ -43,17 +42,6 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do
      end
    end

-    context 'when feature is disabled' do
-      before do
-        stub_licensed_features(security_orchestration_policies: true)
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
-      it 'raises exception' do
-        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-      end
-    end
-
    context 'when feature is not licensed' do
      before do
        stub_licensed_features(security_orchestration_policies: false)

--- a/ee/spec/graphql/resolvers/scan_execution_policy_resolver_spec.rb
+++ b/ee/spec/graphql/resolvers/scan_execution_policy_resolver_spec.rb
@@ -62,16 +62,6 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
          expect { resolve_scan_policies }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
        end
      end
-
-      context 'when feature flag is disabled' do
-        before do
-          stub_feature_flags(security_orchestration_policies_configuration: false)
-        end
-
-        it 'returns empty list' do
-          expect(resolve_scan_policies).to eq([])
-        end
-      end
    end
  end
 end
--- a/ee/spec/lib/ee/gitlab/ci/config_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
@@ -67,77 +67,61 @@ RSpec.describe Gitlab::Ci::Config do
        stub_licensed_features(security_orchestration_policies: true)
      end

-      context 'when feature is not enabled' do
-        before do
-          stub_feature_flags(security_orchestration_policies_configuration: false)
-        end
-
+      context 'when policy is not applicable on branch from the pipeline' do
        it 'does not modify the config' do
          expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
        end
      end

-      context 'when feature is enabled' do
-        before do
-          stub_feature_flags(security_orchestration_policies_configuration: true)
-        end
+      context 'when policy is not applicable on branch from the pipeline' do
+        let_it_be(:ref) { 'refs/heads/production' }

-        context 'when policy is not applicable on branch from the pipeline' do
-          it 'does not modify the config' do
-            expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
+        context 'when DAST profiles are not found' do
+          it 'adds a job with error message' do
+            expect(config.to_hash).to eq(
+              sample_job: { script: ["echo 'test'"] },
+              'dast-on-demand-0': { allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' }
+            )
          end
        end

-        context 'when policy is not applicable on branch from the pipeline' do
-          let_it_be(:ref) { 'refs/heads/production' }
-
-          context 'when DAST profiles are not found' do
-            it 'adds a job with error message' do
-              expect(config.to_hash).to eq(
-                sample_job: { script: ["echo 'test'"] },
-                'dast-on-demand-0': { allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' }
-              )
-            end
-          end
-
-          context 'when DAST profiles are found' do
-            let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
-            let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
-
-            let(:expected_configuration) do
-              {
-                sample_job: {
-                  script: ["echo 'test'"]
+        context 'when DAST profiles are found' do
+          let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
+          let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
+
+          let(:expected_configuration) do
+            {
+              sample_job: {
+                script: ["echo 'test'"]
+              },
+              'dast-on-demand-0': {
+                stage: 'dast',
+                image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
+                variables: {
+                  DAST_VERSION: 2,
+                  SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
+                  GIT_STRATEGY: 'none'
                },
-                'dast-on-demand-0': {
-                  stage: 'dast',
-                  image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
-                  variables: {
-                    DAST_VERSION: 2,
-                    SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
-                    GIT_STRATEGY: 'none'
-                  },
-                  allow_failure: true,
-                  script: ['/analyze'],
-                  artifacts: { reports: { dast: 'gl-dast-report.json' } },
-                  dast_configuration: {
-                    site_profile: dast_site_profile.name,
-                    scanner_profile: dast_scanner_profile.name
-                  }
+                allow_failure: true,
+                script: ['/analyze'],
+                artifacts: { reports: { dast: 'gl-dast-report.json' } },
+                dast_configuration: {
+                  site_profile: dast_site_profile.name,
+                  scanner_profile: dast_scanner_profile.name
                }
              }
-            end
+            }
+          end

-            it 'extends config with additional jobs' do
-              expect(config.to_hash).to include(expected_configuration)
-            end
+          it 'extends config with additional jobs' do
+            expect(config.to_hash).to include(expected_configuration)
+          end

-            context 'when source is ondemand_dast_scan' do
-              let(:source) { 'ondemand_dast_scan' }
+          context 'when source is ondemand_dast_scan' do
+            let(:source) { 'ondemand_dast_scan' }

-              it 'does not modify the config' do
-                expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
-              end
+            it 'does not modify the config' do
+              expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
            end
          end
        end

--- a/ee/spec/lib/ee/gitlab/ci/pipeline/chain/validate/security_orchestration_policy_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/pipeline/chain/validate/security_orchestration_policy_spec.rb
@@ -54,62 +54,44 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::SecurityOrchestrationPolic
        stub_licensed_features(security_orchestration_policies: true)
      end

-      context 'when policy is disabled' do
+      context 'when policy file is missing' do
        before do
-          allow(security_orchestration_policy_configuration).to receive(:enabled?).and_return(false)
+          allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(false)
        end

-        it 'does not return warning' do
+        it 'returns warning' do
          step.perform!

-          expect(warning_messages).to be_empty
+          expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is missing')
        end
      end

-      context 'when policy is enabled' do
+      context 'when policy file is present' do
        before do
-          allow(security_orchestration_policy_configuration).to receive(:enabled?).and_return(true)
+          allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(true)
        end

-        context 'when policy file is missing' do
+        context 'when policy file is invalid' do
          before do
-            allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(false)
+            allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(false)
          end

          it 'returns warning' do
            step.perform!

-            expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is missing')
+            expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is invalid')
          end
        end

-        context 'when policy file is present' do
+        context 'when policy file is valid' do
          before do
-            allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(true)
+            allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(true)
          end

-          context 'when policy file is invalid' do
-            before do
-              allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(false)
-            end
-
-            it 'returns warning' do
-              step.perform!
-
-              expect(warning_messages).to include('scan-execution-policy: policy not applied, .gitlab/security-policies/policy.yml file is invalid')
-            end
-          end
-
-          context 'when policy file is valid' do
-            before do
-              allow(security_orchestration_policy_configuration).to receive(:policy_configuration_valid?).and_return(true)
-            end
-
-            it 'does not return warning' do
-              step.perform!
+          it 'does not return warning' do
+            step.perform!

-              expect(warning_messages).to be_empty
-            end
+            expect(warning_messages).to be_empty
          end
        end
      end

--- a/ee/spec/lib/ee/sidebars/projects/menus/security_compliance_menu_spec.rb
+++ b/ee/spec/lib/ee/sidebars/projects/menus/security_compliance_menu_spec.rb
@@ -196,27 +196,16 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
    describe 'Policies' do
      let(:item_id) { :scan_policies }

-      context 'when feature flag :security_orchestration_policies_configuration is enabled' do
-        before do
-          stub_feature_flags(security_orchestration_policies_configuration: true)
-          stub_licensed_features(security_orchestration_policies: true)
-        end
-
-        context 'when user can access policies tab' do
-          it { is_expected.not_to be_nil }
-        end
-
-        context 'when user cannot access policies tab' do
-          let(:user) { nil }
+      before do
+        stub_licensed_features(security_orchestration_policies: true)
+      end

-          it { is_expected.to be_nil }
-        end
+      context 'when user can access policies tab' do
+        it { is_expected.not_to be_nil }
      end

-      context 'when feature flag :security_orchestration_policies_configuration is disabled' do
-        before do
-          stub_feature_flags(security_orchestration_policies_configuration: false)
-        end
+      context 'when user cannot access policies tab' do
+        let(:user) { nil }

        it { is_expected.to be_nil }
      end

--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -68,117 +68,101 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
      stub_licensed_features(security_orchestration_policies: true)
    end

-    context 'when feature is not enabled' do
-      before do
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
+    context 'when policy is not applicable on branch from the pipeline' do
      it 'does not modify the config' do
        expect(subject).to eq(config)
      end
    end

-    context 'when feature is enabled' do
-      before do
-        stub_feature_flags(security_orchestration_policies_configuration: true)
-      end
+    context 'when ref is a tag' do
+      let_it_be(:ref) { 'refs/tags/v1.1.0' }

-      context 'when policy is not applicable on branch from the pipeline' do
-        it 'does not modify the config' do
-          expect(subject).to eq(config)
-        end
+      it 'does not modify the config' do
+        expect(subject).to eq(config)
      end
+    end

-      context 'when ref is a tag' do
-        let_it_be(:ref) { 'refs/tags/v1.1.0' }
+    context 'when policy is not applicable on branch from the pipeline' do
+      let_it_be(:ref) { 'refs/heads/production' }

+      context 'when DAST profiles are not found' do
        it 'does not modify the config' do
-          expect(subject).to eq(config)
+          expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' })
        end
      end

-      context 'when policy is not applicable on branch from the pipeline' do
-        let_it_be(:ref) { 'refs/heads/production' }
-
-        context 'when DAST profiles are not found' do
-          it 'does not modify the config' do
-            expect(subject[:'dast-on-demand-0']).to eq({ allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' })
-          end
-        end
-
-        it_behaves_like 'with pipeline source applicable for CI'
-        it_behaves_like 'when policy is invalid'
-
-        context 'when DAST profiles are found' do
-          let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
-          let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
-
-          it_behaves_like 'with different scan type' do
-            let(:expected_configuration) do
-              {
-                image: 'ruby:3.0.1',
-                'dast-on-demand-0': {
-                  stage: 'dast',
-                  image: {
-                    name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION'
-                  },
-                  variables: {
-                    DAST_VERSION: 2,
-                    SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
-                    GIT_STRATEGY: 'none'
-                  },
-                  allow_failure: true,
-                  script: ['/analyze'],
-                  artifacts: {
-                    reports: {
-                      dast: 'gl-dast-report.json'
-                    }
-                  },
-                  dast_configuration: {
-                    site_profile: dast_site_profile.name,
-                    scanner_profile: dast_scanner_profile.name
+      it_behaves_like 'with pipeline source applicable for CI'
+      it_behaves_like 'when policy is invalid'
+
+      context 'when DAST profiles are found' do
+        let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
+        let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
+
+        it_behaves_like 'with different scan type' do
+          let(:expected_configuration) do
+            {
+              image: 'ruby:3.0.1',
+              'dast-on-demand-0': {
+                stage: 'dast',
+                image: {
+                  name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION'
+                },
+                variables: {
+                  DAST_VERSION: 2,
+                  SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
+                  GIT_STRATEGY: 'none'
+                },
+                allow_failure: true,
+                script: ['/analyze'],
+                artifacts: {
+                  reports: {
+                    dast: 'gl-dast-report.json'
                  }
+                },
+                dast_configuration: {
+                  site_profile: dast_site_profile.name,
+                  scanner_profile: dast_scanner_profile.name
                }
              }
-            end
+            }
          end
-
-          it_behaves_like 'with pipeline source applicable for CI'
-          it_behaves_like 'when policy is invalid'
        end

-        context 'when scan type is secret_detection' do
-          it_behaves_like 'with different scan type' do
-            let(:expected_configuration) do
-              {
-                'secret-detection-0': {
-                  rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
-                  script:
-                    ['if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi',
-                     'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi',
-                     'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME',
-                     'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt',
-                     'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt',
-                     '/analyzer run',
-                     'rm "$CI_COMMIT_SHA"_commit_list.txt'],
-                  stage: 'test',
-                  image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
-                  services: [],
-                  allow_failure: true,
-                  artifacts: {
-                    reports: {
-                      secret_detection: 'gl-secret-detection-report.json'
-                    }
-                  },
-                  variables: {
-                    SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
-                    SECRETS_ANALYZER_VERSION: '3',
-                    SECRET_DETECTION_EXCLUDED_PATHS: '',
-                    SECRET_DETECTION_HISTORIC_SCAN: 'false'
+        it_behaves_like 'with pipeline source applicable for CI'
+        it_behaves_like 'when policy is invalid'
+      end
+
+      context 'when scan type is secret_detection' do
+        it_behaves_like 'with different scan type' do
+          let(:expected_configuration) do
+            {
+              'secret-detection-0': {
+                rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
+                script:
+                  ['if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi',
+                   'if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi',
+                   'git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME',
+                   'git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt',
+                   'export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt',
+                   '/analyzer run',
+                   'rm "$CI_COMMIT_SHA"_commit_list.txt'],
+                stage: 'test',
+                image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
+                services: [],
+                allow_failure: true,
+                artifacts: {
+                  reports: {
+                    secret_detection: 'gl-secret-detection-report.json'
                  }
+                },
+                variables: {
+                  SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+                  SECRETS_ANALYZER_VERSION: '3',
+                  SECRET_DETECTION_EXCLUDED_PATHS: '',
+                  SECRET_DETECTION_HISTORIC_SCAN: 'false'
                }
              }
-            end
+            }
          end
        end
      end

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -81,26 +81,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
    end
  end

-  describe '#enabled?' do
-    subject { security_orchestration_policy_configuration.enabled? }
-
-    context 'when feature is enabled' do
-      before do
-        stub_feature_flags(security_orchestration_policies_configuration: true)
-      end
-
-      it { is_expected.to eq(true) }
-    end
-
-    context 'when feature is disabled' do
-      before do
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
-      it { is_expected.to eq(false) }
-    end
-  end
-
  describe '#policy_configuration_exists?' do
    subject { security_orchestration_policy_configuration.policy_configuration_exists? }

@@ -216,16 +196,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
    it 'returns only enabled policies' do
      expect(active_scan_execution_policies).to eq(expected_active_policies)
    end
-
-    context 'when feature is disabled' do
-      before do
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
-      it 'returns empty array' do
-        expect(active_scan_execution_policies).to eq([])
-      end
-    end
  end

  describe '#on_demand_scan_actions' do

--- a/ee/spec/requests/api/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb
@@ -25,21 +25,6 @@ RSpec.describe 'Create scan execution policy for a project' do
    graphql_mutation_response(:scan_execution_policy_commit)
  end

-  context 'when feature is disabled' do
-    before do
-      project.add_maintainer(current_user)
-
-      stub_licensed_features(security_orchestration_policies: true)
-      stub_feature_flags(security_orchestration_policies_configuration: false)
-    end
-
-    it 'does not create branch' do
-      post_graphql_mutation(mutation, current_user: current_user)
-
-      expect(graphql_errors).to include(a_hash_including('message' => 'Feature disabled'))
-    end
-  end
-
  context 'when security_orchestration_policies_configuration already exists for project' do
    let_it_be(:security_policy_management_project) { create(:project, :repository, namespace: current_user.namespace) }
    let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: security_policy_management_project) }
@@ -49,7 +34,6 @@ RSpec.describe 'Create scan execution policy for a project' do
      security_policy_management_project.add_developer(current_user)

      stub_licensed_features(security_orchestration_policies: true)
-      stub_feature_flags(security_orchestration_policies_configuration: true)
    end

    it 'creates a branch with commit' do

--- a/ee/spec/requests/projects/security/policies_controller_spec.rb
+++ b/ee/spec/requests/projects/security/policies_controller_spec.rb
@@ -13,13 +13,11 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
  let_it_be(:index) { project_security_policies_url(project) }
  let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }
  let_it_be(:new) { new_project_security_policy_url(project) }
-
  let_it_be(:feature_enabled) { true }

  before do
    project.add_developer(user)
    sign_in(user)
-    stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
    stub_licensed_features(security_orchestration_policies: feature_enabled)
    allow_next_instance_of(Repository) do |repository|
      allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
@@ -205,18 +203,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
  describe 'GET #new' do
    using RSpec::Parameterized::TableSyntax

-    where(:feature_flag, :license, :status) do
-      true | true | :ok
-      false | false | :not_found
-      false | true | :not_found
-      true | false | :not_found
+    where(:license, :status) do
+      true | :ok
+      false | :not_found
    end

    subject(:request) { get new, params: { namespace_id: project.namespace, project_id: project } }

    with_them do
      before do
-        stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
        stub_licensed_features(security_orchestration_policies: license)
      end

@@ -231,18 +226,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
  describe 'GET #index' do
    using RSpec::Parameterized::TableSyntax

-    where(:feature_flag, :license, :status) do
-      true | true | :ok
-      false | false | :not_found
-      false | true | :not_found
-      true | false | :not_found
+    where(:license, :status) do
+      true | :ok
+      false | :not_found
    end

    subject(:request) { get index, params: { namespace_id: project.namespace, project_id: project } }

    with_them do
      before do
-        stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
        stub_licensed_features(security_orchestration_policies: license)
      end


--- a/ee/spec/services/projects/create_service_spec.rb
+++ b/ee/spec/services/projects/create_service_spec.rb
@@ -363,38 +363,13 @@ RSpec.describe Projects::CreateService, '#execute' do
    before do
      opts[:security_policy_target_project_id] = security_policy_target_project.id

-      stub_licensed_features(security_orchestration_policies: feature_enabled)
-      stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
+      stub_licensed_features(security_orchestration_policies: true)
    end

-    context 'when feature flag is enabled globally' do
-      let_it_be(:feature_enabled) { true }
+    it 'creates security policy configuration for the project' do
+      expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)

-      it 'creates security policy configuration for the project' do
-        expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
-
-        create_project(user, opts)
-      end
-    end
-
-    context 'when feature flag is disabled globally' do
-      let_it_be(:feature_enabled) { false }
-
-      it 'does not create security policy configuration' do
-        expect(::Security::Orchestration::AssignService).not_to receive(:new)
-
-        create_project(user, opts)
-      end
-    end
-
-    context 'when feature flag is enabled only for target project' do
-      let_it_be(:feature_enabled) { security_policy_target_project }
-
-      it 'creates security policy configuration' do
-        expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
-
-        create_project(user, opts)
-      end
+      create_project(user, opts)
    end
  end


--- a/ee/spec/services/security/security_orchestration_policies/process_rule_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/process_rule_service_spec.rb
@@ -27,7 +27,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
      allow(policy_configuration).to receive(:policy_last_updated_by).and_return(owner)
    end

-    context 'when security_orchestration_policies_configuration feature is enabled and policy is scheduled' do
+    context 'when security_orchestration_policies_configuration policy is scheduled' do
      it 'creates new schedule' do
        service.execute

@@ -40,17 +40,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
      end
    end

-    context 'when security_orchestration_policies_configuration feature is disabled' do
-      before do
-        stub_feature_flags(security_orchestration_policies_configuration: false)
-      end
-
-      it 'deletes schedules' do
-        expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1)
-        expect(policy_configuration.configured_at).not_to be_nil
-      end
-    end
-
    context 'when policy is not of type scheduled' do
      let(:policy) { build(:scan_execution_policy) }


--- a/ee/spec/views/projects/security/policies/index.html.haml_spec.rb
+++ b/ee/spec/views/projects/security/policies/index.html.haml_spec.rb
@@ -7,7 +7,6 @@ RSpec.describe "projects/security/policies/index", type: :view do
  let(:project) { create(:project) }

  before do
-    stub_feature_flags(security_orchestration_policies_configuration: true)
    sign_in(user)
    render template: 'projects/security/policies/index', locals: { project: project }
  end