Merge branch '255340-delete-compliance-framework-service' into 'master'

Add ComplianceManagement::Frameworks::DestroyService See merge request gitlab-org/gitlab!47937

Merge branch '255340-delete-compliance-framework-service' into 'master'
Add ComplianceManagement::Frameworks::DestroyService See merge request gitlab-org/gitlab!47937
75547a72 · Sean McGivern · f9e9d273 · c47cc5c2 · 75547a72 · 75547a72
Commit 75547a72 authored Nov 27, 2020 by Sean McGivern
9 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -185,7 +185,10 @@ class GroupPolicy < BasePolicy
  rule { developer & developer_maintainer_access }.enable :create_projects
  rule { create_projects_disabled }.prevent :create_projects

-  rule { owner | admin }.enable :read_statistics
+  rule { owner | admin }.policy do
+    enable :owner_access
+    enable :read_statistics
+  end

  rule { maintainer & can?(:create_projects) }.enable :transfer_projects


--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
  condition(:owner) { @subject.owner == @user }

  rule { owner | admin }.policy do
+    enable :owner_access
    enable :create_projects
    enable :admin_namespace
    enable :read_namespace

--- a/ee/app/policies/compliance_management/framework_policy.rb
+++ b/ee/app/policies/compliance_management/framework_policy.rb
+# frozen_string_literal: true
+
+module ComplianceManagement
+  class FrameworkPolicy < BasePolicy
+    delegate { @subject.namespace }
+
+    condition(:custom_compliance_frameworks_enabled) do
+      License.feature_available?(:custom_compliance_frameworks)
+    end
+
+    rule { can?(:owner_access) & custom_compliance_frameworks_enabled }.policy do
+      enable :manage_compliance_framework
+    end
+  end
+end
--- a/ee/app/services/compliance_management/frameworks/destroy_service.rb
+++ b/ee/app/services/compliance_management/frameworks/destroy_service.rb
+# frozen_string_literal: true
+
+module ComplianceManagement
+  module Frameworks
+    class DestroyService < BaseService
+      attr_reader :framework, :current_user
+
+      def initialize(framework:, current_user:)
+        @framework = framework
+        @current_user = current_user
+      end
+
+      def execute
+        return ServiceResponse.error(message: _('Not permitted to destroy framework')) unless permitted?
+
+        framework.destroy ? success : error
+      end
+
+      private
+
+      def permitted?
+        can? current_user, :manage_compliance_framework, framework
+      end
+
+      def success
+        ServiceResponse.success(message: _('Framework successfully deleted'))
+      end
+
+      def error
+        ServiceResponse.error(message: _('Failed to create framework'), payload: framework.errors )
+      end
+    end
+  end
+end
--- a/ee/spec/policies/compliance_management/framework_policy_spec.rb
+++ b/ee/spec/policies/compliance_management/framework_policy_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ComplianceManagement::FrameworkPolicy do
+  let_it_be(:framework) { create(:compliance_framework) }
+  let(:user) { framework.namespace.owner }
+
+  subject { described_class.new(user, framework) }
+
+  context 'feature is licensed' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: true)
+    end
+
+    context 'user is namespace owner' do
+      it { is_expected.to be_allowed(:manage_compliance_framework) }
+    end
+
+    context 'user is group owner' do
+      let_it_be(:group) { create(:group) }
+      let_it_be(:framework) { create(:compliance_framework, namespace: group) }
+      let_it_be(:user) { create(:user) }
+
+      before do
+        group.add_owner(user)
+      end
+
+      it { is_expected.to be_allowed(:manage_compliance_framework) }
+    end
+
+    context 'user is not namespace owner' do
+      let(:user) { build(:user) }
+
+      it { is_expected.to be_disallowed(:manage_compliance_framework) }
+    end
+
+    context 'user is an admin', :enable_admin_mode do
+      let(:user) { build(:admin) }
+
+      it { is_expected.to be_allowed(:manage_compliance_framework) }
+    end
+  end
+
+  context 'feature is unlicensed' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: false)
+    end
+
+    it { is_expected.to be_disallowed(:manage_compliance_framework) }
+  end
+end
--- a/ee/spec/services/compliance_management/frameworks/destroy_service_spec.rb
+++ b/ee/spec/services/compliance_management/frameworks/destroy_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ComplianceManagement::Frameworks::DestroyService do
+  let_it_be(:namespace) { create(:namespace) }
+  let_it_be(:framework) { create(:compliance_framework, namespace: namespace) }
+
+  context 'when feature is disabled' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: false)
+    end
+
+    subject { described_class.new(framework: framework, current_user: namespace.owner) }
+
+    it 'does not destroy the compliance framework' do
+      expect { subject.execute }.not_to change { ComplianceManagement::Framework.count }
+    end
+
+    it 'is unsuccessful' do
+      expect(subject.execute.success?).to be false
+    end
+  end
+
+  context 'when feature is enabled' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: true)
+    end
+
+    context 'when current user is namespace owner' do
+      subject { described_class.new(framework: framework, current_user: namespace.owner) }
+
+      it 'destroys the compliance framework' do
+        expect { subject.execute }.to change { ComplianceManagement::Framework.count }.by(-1)
+      end
+
+      it 'is successful' do
+        expect(subject.execute.success?).to be true
+      end
+    end
+
+    context 'when current user is not the namespace owner' do
+      subject { described_class.new(framework: framework, current_user: create(:user)) }
+
+      it 'does not destroy the compliance framework' do
+        expect { subject.execute }.not_to change { ComplianceManagement::Framework.count }
+      end
+
+      it 'is unsuccessful' do
+        expect(subject.execute.success?).to be false
+      end
+    end
+  end
+end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -12199,6 +12199,9 @@ msgstr ""
 msgid "Found errors in your .gitlab-ci.yml:"
 msgstr ""

+msgid "Framework successfully deleted"
+msgstr ""
+
 msgid "Free Trial"
 msgstr ""

@@ -18715,6 +18718,9 @@ msgstr ""
 msgid "Not found."
 msgstr ""

+msgid "Not permitted to destroy framework"
+msgstr ""
+
 msgid "Not ready yet. Try again later."
 msgstr ""


--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe NamespacePolicy do
  let(:admin) { create(:admin) }
  let(:namespace) { create(:namespace, owner: owner) }

-  let(:owner_permissions) { [:create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects] }
+  let(:owner_permissions) { [:owner_access, :create_projects, :admin_namespace, :read_namespace, :read_statistics, :transfer_projects] }

  subject { described_class.new(current_user, namespace) }


--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -30,6 +30,7 @@ RSpec.shared_context 'GroupPolicy context' do

  let(:owner_permissions) do
    [
+      :owner_access,
      :admin_group,
      :admin_namespace,
      :admin_group_member,