Add support for security policy project for Projects::CreateService

This change adds a new paramter for security policy target project in Projects::CreateService to create Security::OrchestrationPolicyConfiguration associated with the project. Changelog: added EE: true

Add support for security policy project for Projects::CreateService
This change adds a new paramter for security policy target project in Projects::CreateService to create Security::OrchestrationPolicyConfiguration associated with the project. Changelog: added EE: true
75e3e09a · Sashi · Sashi Kumar Kumaresan · c1af69d2 · 75e3e09a · 75e3e09a
Commit 75e3e09a authored Jul 20, 2021 by Sashi Committed by Sashi Kumar Kumaresan Aug 05, 2021
5 changed files
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -101,6 +101,8 @@ module Projects
      @project.track_project_repository
      @project.create_project_setting unless @project.project_setting

+      yield if block_given?
+
      event_service.create_project(@project, current_user)
      system_hook_service.execute_hooks_for(@project, :create)


--- a/ee/app/services/ee/projects/create_service.rb
+++ b/ee/app/services/ee/projects/create_service.rb
@@ -5,6 +5,15 @@ module EE
    module CreateService
      extend ::Gitlab::Utils::Override

+      attr_reader :security_policy_target_project_id
+
+      override :initialize
+      def initialize(user, params)
+        super
+
+        @security_policy_target_project_id = @params.delete(:security_policy_target_project_id)
+      end
+
      override :execute
      def execute
        limit = params.delete(:repository_size_limit)
@@ -45,11 +54,25 @@ module EE

      override :after_create_actions
      def after_create_actions
-        super
+        super do
+          create_security_policy_configuration if security_policy_target_project?
+        end

        create_predefined_push_rule
      end

+      def security_policy_target_project?
+        security_policy_target_project_id && ::Feature.enabled?(:security_orchestration_policies_configuration, project)
+      end
+
+      def create_security_policy_configuration
+        if (security_policy_target_project = ::Project.find(security_policy_target_project_id))
+          ::Security::Orchestration::AssignService
+            .new(security_policy_target_project, current_user, policy_project_id: project.id)
+            .execute
+        end
+      end
+
      # rubocop: disable CodeReuse/ActiveRecord
      def create_predefined_push_rule
        return unless project.feature_available?(:push_rules)

--- a/ee/app/services/security/security_orchestration_policies/project_create_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/project_create_service.rb
@@ -10,11 +10,6 @@ module Security

        return error(policy_project.errors.full_messages.join(',')) unless policy_project.saved?

-        project.create_security_orchestration_policy_configuration! do |p|
-          p.security_policy_management_project_id = policy_project.id
-        end
-        create_or_update_protected_branch(policy_project)
-
        members = add_members(policy_project)
        errors = members.flat_map { |member| member.errors.full_messages }

@@ -25,26 +20,6 @@ module Security

      private

-      def create_or_update_protected_branch(policy_project)
-        protected_branch = policy_project.protected_branches.find_by_name(policy_project.default_branch_or_main)
-        params = {
-          name: policy_project.default_branch_or_main,
-          push_access_levels_attributes: [{ access_level: Gitlab::Access::NO_ACCESS }],
-          merge_access_levels_attributes: [{ access_level: Gitlab::Access::MAINTAINER }]
-        }
-
-        if protected_branch.present?
-          ProtectedBranches::UpdateService
-            .new(policy_project, current_user, params)
-            .execute(protected_branch)
-          return
-        end
-
-        ProtectedBranches::CreateService
-          .new(policy_project, current_user, params)
-          .execute(skip_authorization: true)
-      end
-
      def add_members(policy_project)
        members_to_add = project.team.maintainers - policy_project.team.members
        policy_project.add_users(members_to_add, :developer)
@@ -53,6 +28,7 @@ module Security
      def create_project_params
        {
          visibility_level: project.visibility_level,
+          security_policy_target_project_id: project.id,
          name: "#{project.name} - Security policy project",
          description: "This project is automatically generated to manage security policies for the project.",
          namespace_id: project.namespace.id,

--- a/ee/spec/services/projects/create_service_spec.rb
+++ b/ee/spec/services/projects/create_service_spec.rb
@@ -357,6 +357,37 @@ RSpec.describe Projects::CreateService, '#execute' do
    end
  end

+  context 'security policy configuration' do
+    let_it_be(:security_policy_target_project) { create(:project) }
+
+    before do
+      opts[:security_policy_target_project_id] = security_policy_target_project.id
+
+      stub_licensed_features(security_orchestration_policies: feature_enabled)
+      stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
+    end
+
+    context 'when feature flag is enabled' do
+      let_it_be(:feature_enabled) { true }
+
+      it 'creates security policy configuration for the project' do
+        expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
+
+        create_project(user, opts)
+      end
+    end
+
+    context 'when feature flag is disabled' do
+      let_it_be(:feature_enabled) { false }
+
+      it 'does not create security policy configuration' do
+        expect(::Security::Orchestration::AssignService).not_to receive(:new)
+
+        create_project(user, opts)
+      end
+    end
+  end
+
  def create_project(user, opts)
    described_class.new(user, opts).execute
  end

--- a/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb
@@ -20,58 +20,13 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
        response = service.execute

        policy_project = response[:policy_project]
-        expect(project.security_orchestration_policy_configuration.security_policy_management_project).to eq(policy_project)
+        expect(project.reload.security_orchestration_policy_configuration.security_policy_management_project).to eq(policy_project)
        expect(policy_project.namespace).to eq(project.namespace)
-        expect(policy_project.protected_branches.map(&:name)).to contain_exactly(project.default_branch_or_main)
-        expect(policy_project.protected_branches.first.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER])
-        expect(policy_project.protected_branches.first.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::NO_ACCESS])
        expect(policy_project.team.developers).to contain_exactly(maintainer)
        expect(policy_project.container_registry_access_level).to eq(ProjectFeature::DISABLED)
      end
    end

-    context 'when protected branch already exists' do
-      let_it_be(:project) { create(:project) }
-      let_it_be(:current_user) { project.owner }
-      let_it_be(:maintainer) { create(:user) }
-
-      before do
-        project.add_maintainer(maintainer)
-
-        allow_next_instance_of(Project) do |instance|
-          allow(instance).to receive_message_chain(:protected_branches, :find_by_name).and_return([ProtectedBranch.new])
-        end
-
-        protected_branch_service = instance_spy(ProtectedBranches::UpdateService)
-        allow(ProtectedBranches::UpdateService).to receive(:new).and_return(protected_branch_service)
-      end
-
-      it 'updates protected branch' do
-        service.execute
-
-        expect(ProtectedBranches::UpdateService).to have_received(:new)
-      end
-    end
-
-    context 'when protected branch does not exist' do
-      let_it_be(:project) { create(:project) }
-      let_it_be(:current_user) { project.owner }
-      let_it_be(:maintainer) { create(:user) }
-
-      before do
-        project.add_maintainer(maintainer)
-
-        protected_branch_service = instance_spy(ProtectedBranches::CreateService)
-        allow(ProtectedBranches::CreateService).to receive(:new).and_return(protected_branch_service)
-      end
-
-      it 'creates protected branch' do
-        service.execute
-
-        expect(ProtectedBranches::CreateService).to have_received(:new)
-      end
-    end
-
    context 'when adding users to security policy project fails' do
      let_it_be(:project) { create(:project) }
      let_it_be(:current_user) { project.owner }