Add annotation policies

To assure correct access
protection to annotation related
actions we need to introduce new policy
and update existing ones for project
and group.

app/policies/group_policy.rb

@@ -75,6 +75,9 @@ class GroupPolicy < BasePolicy
   rule { developer }.policy do
     enable :admin_milestone
     enable :read_package
+    enable :create_metrics_dashboard_annotation
+    enable :delete_metrics_dashboard_annotation
+    enable :update_metrics_dashboard_annotation
   end
 
   rule { reporter }.policy do
@@ -82,6 +85,7 @@ class GroupPolicy < BasePolicy
     enable :admin_label
     enable :admin_list
     enable :admin_issue
+    enable :read_metrics_dashboard_annotation
   end
 
   rule { maintainer }.policy do

app/policies/metrics/dashboard/annotation_policy.rb

+# frozen_string_literal: true
+module Metrics
+  module Dashboard
+    class AnnotationPolicy < BasePolicy
+      delegate { @subject.cluster }
+      delegate { @subject.environment }
+    end
+  end
+end

app/policies/project_policy.rb

@@ -224,6 +224,7 @@ class ProjectPolicy < BasePolicy
     enable :read_sentry_issue
     enable :update_sentry_issue
     enable :read_prometheus
+    enable :read_metrics_dashboard_annotation
   end
 
   # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -276,6 +277,9 @@ class ProjectPolicy < BasePolicy
     enable :update_deployment
     enable :create_release
     enable :update_release
+    enable :create_metrics_dashboard_annotation
+    enable :delete_metrics_dashboard_annotation
+    enable :update_metrics_dashboard_annotation
   end
 
   rule { can?(:developer_access) & user_confirmed? }.policy do

spec/policies/metrics/dashboard/annotation_policy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Metrics::Dashboard::AnnotationPolicy, :models do
+  shared_examples 'metrics dashboard annotation policy' do
+    context 'when guest' do
+      before do
+        project.add_guest(user)
+      end
+
+      it { expect(policy).to be_disallowed :read_metrics_dashboard_annotation }
+      it { expect(policy).to be_disallowed :create_metrics_dashboard_annotation }
+      it { expect(policy).to be_disallowed :update_metrics_dashboard_annotation }
+      it { expect(policy).to be_disallowed :delete_metrics_dashboard_annotation }
+    end
+
+    context 'when reporter' do
+      before do
+        project.add_reporter(user)
+      end
+
+      it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
+      it { expect(policy).to be_disallowed :create_metrics_dashboard_annotation }
+      it { expect(policy).to be_disallowed :update_metrics_dashboard_annotation }
+      it { expect(policy).to be_disallowed :delete_metrics_dashboard_annotation }
+    end
+
+    context 'when developer' do
+      before do
+        project.add_developer(user)
+      end
+
+      it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
+      it { expect(policy).to be_allowed :create_metrics_dashboard_annotation }
+      it { expect(policy).to be_allowed :update_metrics_dashboard_annotation }
+      it { expect(policy).to be_allowed :delete_metrics_dashboard_annotation }
+    end
+
+    context 'when maintainer' do
+      before do
+        project.add_maintainer(user)
+      end
+
+      it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
+      it { expect(policy).to be_allowed :create_metrics_dashboard_annotation }
+      it { expect(policy).to be_allowed :update_metrics_dashboard_annotation }
+      it { expect(policy).to be_allowed :delete_metrics_dashboard_annotation }
+    end
+  end
+
+  describe 'rules' do
+    context 'environments annotation' do
+      let(:annotation) { create(:metrics_dashboard_annotation, environment: environment) }
+      let(:environment) { create(:environment) }
+      let!(:project) { environment.project }
+      let(:user) { create(:user) }
+      let(:policy) { described_class.new(user, annotation) }
+
+      it_behaves_like 'metrics dashboard annotation policy'
+    end
+
+    context 'cluster annotation' do
+      let(:annotation) { create(:metrics_dashboard_annotation, environment: nil, cluster: cluster) }
+      let(:cluster) { create(:cluster, :project) }
+      let(:project) { cluster.project }
+      let(:user) { create(:user) }
+      let(:policy) { described_class.new(user, annotation) }
+
+      it_behaves_like 'metrics dashboard annotation policy'
+    end
+  end
+end

spec/policies/project_policy_spec.rb

@@ -28,7 +28,7 @@ describe ProjectPolicy do
       download_code fork_project create_snippet update_issue
       admin_issue admin_label admin_list read_commit_status read_build
       read_container_image read_pipeline read_environment read_deployment
-      read_merge_request download_wiki_code read_sentry_issue
+      read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation
     ]
   end
 
@@ -43,6 +43,7 @@ describe ProjectPolicy do
       update_pipeline create_merge_request_from create_wiki push_code
       resolve_note create_container_image update_container_image destroy_container_image
       create_environment update_environment create_deployment update_deployment create_release update_release
+      create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation
     ]
   end
 

spec/support/shared_contexts/policies/group_policy_shared_context.rb

@@ -18,8 +18,8 @@ RSpec.shared_context 'GroupPolicy context' do
    ]
   end
   let(:read_group_permissions) { %i[read_label read_list read_milestone read_board] }
-  let(:reporter_permissions) { %i[admin_label read_container_image] }
-  let(:developer_permissions) { [:admin_milestone] }
+  let(:reporter_permissions) { %i[admin_label read_container_image read_metrics_dashboard_annotation] }
+  let(:developer_permissions) { %i[admin_milestone create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation] }
   let(:maintainer_permissions) do
     %i[
       create_projects