Fix multiple issues for FOSS

- Secret detection is always available in FOSS
- SAST can be configured only in Ultimate
- Changed condition for configuration path (now only for Ultimate)

app/presenters/projects/security/configuration_presenter.rb

@@ -80,7 +80,8 @@ module Projects
           type: scan.type,
           configured: scan.configured?,
           configuration_path: scan.configuration_path,
-          available: scan.available?
+          available: scan.available?,
+          can_enable_in_merge_request: scan.can_enable_in_merge_request?
         }
       end
 

ee/app/models/license.rb

@@ -193,6 +193,7 @@ class License < ApplicationRecord
     sast_custom_rulesets
     sast_fp_reduction
     secret_detection
+    security_configuration_in_ui
     security_dashboard
     security_on_demand_scans
     security_orchestration_policies

ee/lib/ee/gitlab/security/scan_configuration.rb

@@ -13,25 +13,30 @@ module EE
 
         override :configuration_path
         def configuration_path
-          super if available? || always_available?
+          configurable_scans[type] if can_configure_scan_in_ui?
         end
 
         private
 
-        override :configurable_scans
+        def can_configure_scan_in_ui?
+          project.licensed_feature_available?(:security_configuration_in_ui)
+        end
+
         def configurable_scans
           strong_memoize(:configurable_scans) do
             {
+              sast: project_security_configuration_sast_path(project),
               dast: project_security_configuration_dast_path(project),
               dast_profiles: project_security_configuration_dast_scans_path(project),
               api_fuzzing: project_security_configuration_api_fuzzing_path(project),
               corpus_management: (project_security_configuration_corpus_management_path(project) if ::Feature.enabled?(:corpus_management_ui, project, default_enabled: :yaml))
-            }.merge(super)
+            }
           end
         end
 
-        def always_available?
-          [:corpus_management, :dast_profiles].include?(type)
+        override :scans_configurable_in_merge_request
+        def scans_configurable_in_merge_request
+          super.concat(%i[dependency_scanning container_scanning])
         end
       end
     end

ee/spec/features/projects/security/user_views_security_configuration_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe 'User sees Security Configuration table', :js do
     before do
       stub_licensed_features(security_dashboard: true, sast: true, sast_iac: true, dast: true,
                              dependency_scanning: true, container_scanning: true, coverage_fuzzing: true,
-                             cluster_image_scanning: true, api_fuzzing: true)
+                             cluster_image_scanning: true, api_fuzzing: true, security_configuration_in_ui: true)
     end
 
     context 'with no SAST report' do

ee/spec/lib/ee/gitlab/security/scan_configuration_spec.rb

@@ -3,15 +3,15 @@
 require 'spec_helper'
 
 RSpec.describe ::Gitlab::Security::ScanConfiguration do
+  using RSpec::Parameterized::TableSyntax
+
   let_it_be(:project) { create(:project, :repository) }
 
-  let(:scan) { described_class.new(project: project, type: type, configured: configured) }
+  let(:scan) { described_class.new(project: project, type: type) }
 
   describe '#available?' do
     subject { scan.available? }
 
-    let(:configured) { true }
-
     context 'with a core scanner' do
       let(:type) { :sast }
 
@@ -54,39 +54,65 @@ RSpec.describe ::Gitlab::Security::ScanConfiguration do
   describe '#configuration_path' do
     subject { scan.configuration_path }
 
-    let(:configured) { true }
+    context 'when configuration in UI is available' do
+      before do
+        stub_licensed_features(security_configuration_in_ui: true)
+      end
 
-    context 'with licensed scanner' do
-      let(:type) { :dast }
-      let(:configuration_path) { "/#{project.namespace.path}/#{project.name}/-/security/configuration/dast" }
+      context 'with licensed scanner' do
+        let(:path) { "/#{project.namespace.path}/#{project.name}/-/security/configuration" }
 
-      before do
-        stub_licensed_features(dast: true)
+        where(:type, :configuration_path) do
+          :sast | lazy { "#{path}/sast" }
+          :dast | lazy { "#{path}/dast" }
+          :dast_profiles | lazy { "#{path}/dast_scans" }
+          :api_fuzzing | lazy { "#{path}/api_fuzzing" }
+          :corpus_management | lazy { "#{path}/corpus_management" }
+        end
+
+        with_them do
+          it { is_expected.to eq(configuration_path) }
+        end
       end
 
-      it { is_expected.to eq(configuration_path) }
-    end
+      context 'with a scanner under feature flag' do
+        let(:type) { :corpus_management }
+        let(:configuration_path) { "/#{project.namespace.path}/#{project.name}/-/security/configuration/corpus_management" }
+
+        it { is_expected.to eq(configuration_path) }
 
-    context 'with always available scanner' do
-      let(:type) { :dast_profiles }
-      let(:configuration_path) { "/#{project.namespace.path}/#{project.name}/-/security/configuration/dast_scans" }
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(corpus_management_ui: false)
+          end
 
-      it { is_expected.to eq(configuration_path) }
+          it { is_expected.to be_nil }
+        end
+      end
     end
 
-    context 'with a scanner under feature flag' do
-      let(:type) { :corpus_management }
-      let(:configuration_path) { "/#{project.namespace.path}/#{project.name}/-/security/configuration/corpus_management" }
+    context 'when configuration in UI is not available' do
+      let(:type) { :sast }
+
+      it { is_expected.to be_nil }
+    end
+  end
 
-      it { is_expected.to eq(configuration_path) }
+  describe '#can_enable_in_merge_request?' do
+    subject { scan.can_enable_in_merge_request? }
 
-      context 'when feature flag is disabled' do
-        before do
-          stub_feature_flags(corpus_management_ui: false)
-        end
+    context 'with a scanner that can be enabled in merge request' do
+      where(type: %i(sast sast_iac secret_detection dependency_scanning container_scanning))
 
-        it { is_expected.to be_nil }
+      with_them do
+        it { is_expected.to be_truthy }
       end
     end
+
+    context 'with a scanner that can not be enabled in merge request' do
+      let(:type) { :dast }
+
+      it { is_expected.to be_falsey }
+    end
   end
 end

lib/gitlab/security/scan_configuration.rb

@@ -18,27 +18,25 @@ module Gitlab
         # SAST and Secret Detection are always available, but this isn't
         # reflected by our license model yet.
         # TODO: https://gitlab.com/gitlab-org/gitlab/-/issues/333113
-        %i[sast secret_detection].include?(type)
+        %i[sast sast_iac secret_detection].include?(type)
+      end
+
+      def can_enable_in_merge_request?
+        scans_configurable_in_merge_request.include?(type)
       end
 
       def configured?
         configured
       end
 
-      def configuration_path
-        configurable_scans[type]
-      end
+      def configuration_path; end
 
       private
 
       attr_reader :project, :configured
 
-      def configurable_scans
-        strong_memoize(:configurable_scans) do
-          {
-            sast: project_security_configuration_sast_path(project)
-          }
-        end
+      def scans_configurable_in_merge_request
+        %i[sast sast_iac secret_detection]
       end
     end
   end

spec/lib/gitlab/security/scan_configuration_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe ::Gitlab::Security::ScanConfiguration do
+  using RSpec::Parameterized::TableSyntax
+
   let_it_be(:project) { create(:project, :repository) }
 
   let(:scan) { described_class.new(project: project, type: type, configured: configured) }
@@ -13,9 +15,11 @@ RSpec.describe ::Gitlab::Security::ScanConfiguration do
     let(:configured) { true }
 
     context 'with a core scanner' do
-      let(:type) { :sast }
+      where(type: %i(sast sast_iac secret_detection))
 
-      it { is_expected.to be_truthy }
+      with_them do
+        it { is_expected.to be_truthy }
+      end
     end
 
     context 'with custom scanner' do
@@ -38,27 +42,28 @@ RSpec.describe ::Gitlab::Security::ScanConfiguration do
     subject { scan.configuration_path }
 
     let(:configured) { true }
+    let(:type) { :sast }
 
-    context 'with a non configurable scanner' do
-      let(:type) { :secret_detection }
+    it { is_expected.to be_nil }
+  end
 
-      it { is_expected.to be_nil }
-    end
+  describe '#can_enable_in_merge_request?' do
+    subject { scan.can_enable_in_merge_request? }
 
-    context 'with licensed scanner for FOSS environment' do
-      let(:type) { :dast }
+    let(:configured) { true }
 
-      before do
-        stub_env('FOSS_ONLY', '1')
-      end
+    context 'with a core scanner' do
+      where(type: %i(sast sast_iac secret_detection))
 
-      it { is_expected.to be_nil }
+      with_them do
+        it { is_expected.to be_truthy }
+      end
     end
 
-    context 'with custom scanner' do
+    context 'with a custom scanner' do
       let(:type) { :my_scanner }
 
-      it { is_expected.to be_nil }
+      it { is_expected.to be_falsey }
     end
   end
 end

spec/presenters/projects/security/configuration_presenter_spec.rb

@@ -86,8 +86,9 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
 
         expect(feature['type']).to eq('sast')
         expect(feature['configured']).to eq(true)
-        expect(feature['configuration_path']).to eq(project_security_configuration_sast_path(project))
+        expect(feature['configuration_path']).to be_nil
         expect(feature['available']).to eq(true)
+        expect(feature['can_enable_in_merge_request']).to eq(true)
       end
 
       context 'when checking features configured status' do