Add group-level security policies page

- add group security - routes - controller - sidebar menu - update tests

Add group-level security policies page
- add group security - routes - controller - sidebar menu - update tests
8287b0ac · Alexander Turinske · Alan (Maciej) Paruszewski · 962a98fc · 8287b0ac · 8287b0ac
Commit 8287b0ac authored Mar 20, 2022 by Alexander Turinske Committed by Alan (Maciej) Paruszewski Mar 22, 2022
10 changed files
--- a/ee/app/controllers/groups/security/policies_controller.rb
+++ b/ee/app/controllers/groups/security/policies_controller.rb
+# frozen_string_literal: true
+
+module Groups
+  module Security
+    class PoliciesController < Groups::ApplicationController
+      before_action :authorize_group_security_policies!
+
+      before_action do
+        push_frontend_feature_flag(:group_security_policies, group, default_enabled: :yaml)
+      end
+
+      feature_category :security_orchestration
+
+      def index
+        render :index, locals: { group: group }
+      end
+
+      private
+
+      def authorize_group_security_policies!
+        render_404 unless Feature.enabled?(:group_security_policies, group, default_enabled: :yaml)
+      end
+    end
+  end
+end
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -72,6 +72,11 @@ module EE
        ldap_lock_bypassable?
      end

+      with_scope :subject
+      condition(:security_orchestration_policies_enabled) do
+        @subject.feature_available?(:security_orchestration_policies)
+      end
+
      condition(:security_dashboard_enabled) do
        @subject.feature_available?(:security_dashboard)
      end
@@ -306,6 +311,10 @@ module EE
        enable :read_group_audit_events
      end

+      rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
+        enable :security_orchestration_policies
+      end
+
      rule { security_dashboard_enabled & developer }.policy do
        enable :read_group_security_dashboard
        enable :admin_vulnerability

--- a/ee/app/views/groups/security/policies/index.html.haml
+++ b/ee/app/views/groups/security/policies/index.html.haml
+- breadcrumb_title _("Policies")
+- @content_wrapper_class = 'js-security-policies-container-wrapper'
+
+#js-group-security-policies-list{ data: { group_path: group.full_path,
+  documentation_path: help_page_path('user/application_security/policies/index.md') } }
--- a/ee/config/feature_flags/development/group_security_policies.yml
+++ b/ee/config/feature_flags/development/group_security_policies.yml
+---
+name: group_security_policies
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83262
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356258
+milestone: '14.9'
+type: development
+group: group::container security
+default_enabled: false
--- a/ee/config/routes/group.rb
+++ b/ee/config/routes/group.rb
@@ -170,6 +170,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
          put :revoke
        end
      end
+      resources :policies, only: [:index]
      resources :merge_commit_reports, only: [:index], constraints: { format: :csv }
    end


--- a/ee/lib/sidebars/groups/menus/security_compliance_menu.rb
+++ b/ee/lib/sidebars/groups/menus/security_compliance_menu.rb
@@ -10,6 +10,7 @@ module Sidebars
          add_item(vulnerability_report_menu_item)
          add_item(compliance_menu_item)
          add_item(credentials_menu_item)
+          add_item(scan_policies_menu_item)
          add_item(audit_events_menu_item)

          true
@@ -109,6 +110,20 @@ module Sidebars
            context.group.enforced_group_managed_accounts?
        end

+        def scan_policies_menu_item
+          unless Feature.enabled?(:group_security_policies, context.group, default_enabled: :yaml) &&
+            can?(context.current_user, :security_orchestration_policies, context.group)
+            return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
+          end
+
+          ::Sidebars::MenuItem.new(
+            title: _('Policies'),
+            link: group_security_policies_path(context.group),
+            active_routes: { controller: ['groups/security/policies'] },
+            item_id: :scan_policies
+          )
+        end
+
        def audit_events_menu_item
          unless group_level_audit_events_available?
            return ::Sidebars::NilMenuItem.new(item_id: :audit_events)

--- a/ee/spec/controllers/groups/security/policies_controller_spec.rb
+++ b/ee/spec/controllers/groups/security/policies_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::Security::PoliciesController, type: :request do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:group) { create(:group) }
+  let_it_be(:index) { group_security_policies_url(group) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:feature_flag, :status) do
+      true | :ok
+      false | :not_found
+    end
+
+    subject(:request) { get index, params: { group_id: group.to_param } }
+
+    with_them do
+      before do
+        stub_feature_flags(group_security_policies: feature_flag)
+      end
+
+      specify do
+        subject
+
+        expect(response).to have_gitlab_http_status(status)
+      end
+    end
+  end
+end
--- a/ee/spec/lib/sidebars/groups/menus/security_compliance_menu_spec.rb
+++ b/ee/spec/lib/sidebars/groups/menus/security_compliance_menu_spec.rb
@@ -158,6 +158,54 @@ RSpec.describe Sidebars::Groups::Menus::SecurityComplianceMenu do
      end
    end

+    describe 'Security Policies' do
+      let(:item_id) { :scan_policies }
+
+      context 'when scan_policies feature is enabled' do
+        before do
+          stub_licensed_features(security_orchestration_policies: true)
+        end
+
+        context 'when group security policies feature is disabled' do
+          before do
+            stub_feature_flags(group_security_policies: true)
+          end
+
+          it_behaves_like 'menu access rights'
+        end
+
+        context 'when group security policies feature is enabled' do
+          before do
+            stub_feature_flags(group_security_policies: false)
+          end
+
+          specify { is_expected.to be_nil }
+        end
+      end
+
+      context 'when scan_policies feature is not enabled' do
+        before do
+          stub_licensed_features(security_orchestration_policies: false)
+        end
+
+        context 'when group security policies feature is disabled' do
+          before do
+            stub_feature_flags(group_security_policies: true)
+          end
+
+          specify { is_expected.to be_nil }
+        end
+
+        context 'when group security policies feature is enabled' do
+          before do
+            stub_feature_flags(group_security_policies: false)
+          end
+
+          specify { is_expected.to be_nil }
+        end
+      end
+    end
+
    describe 'Audit Events' do
      let(:item_id) { :audit_events }


--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -911,6 +911,32 @@ RSpec.describe GroupPolicy do
    end
  end

+  describe 'security orchestration policies' do
+    before do
+      stub_licensed_features(security_orchestration_policies: true)
+    end
+
+    context 'with developer or maintainer role' do
+      where(role: %w[maintainer developer])
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to be_allowed(:security_orchestration_policies) }
+      end
+    end
+
+    context 'with owner role' do
+      where(role: %w[owner])
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to be_allowed(:security_orchestration_policies) }
+      end
+    end
+  end
+
  describe 'admin_vulnerability' do
    before do
      stub_licensed_features(security_dashboard: true)

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -768,7 +768,7 @@ RSpec.describe ProjectPolicy do
    end
  end

-  describe 'security complience policy' do
+  describe 'security orchestration policies' do
    before do
      stub_licensed_features(security_orchestration_policies: true)
    end