Update mutation to unassign security policy from a group

Changelog: changed EE: true

Update mutation to unassign security policy from a group
Changelog: changed EE: true
91f82fc8 · Alan (Maciej) Paruszewski · Bob Van Landuyt · 566ef725 · 91f82fc8 · 91f82fc8
Commit 91f82fc8 authored Mar 24, 2022 by Alan (Maciej) Paruszewski Committed by Bob Van Landuyt Mar 24, 2022
7 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -4380,7 +4380,7 @@ Input type: `SecurityPolicyProjectCreateInput`

 ### `Mutation.securityPolicyProjectUnassign`

-Unassigns the security policy project for the given project(`project_path`).
+Unassigns the security policy project for the given project (`full_path`).

 Input type: `SecurityPolicyProjectUnassignInput`

@@ -4389,7 +4389,8 @@ Input type: `SecurityPolicyProjectUnassignInput`
 | Name | Type | Description |
 | ---- | ---- | ----------- |
 | <a id="mutationsecuritypolicyprojectunassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
-| <a id="mutationsecuritypolicyprojectunassignprojectpath"></a>`projectPath` | [`ID!`](#id) | Full path of the project. |
+| <a id="mutationsecuritypolicyprojectunassignfullpath"></a>`fullPath` | [`String`](#string) | Full path of the project. |
+| <a id="mutationsecuritypolicyprojectunassignprojectpath"></a>`projectPath` **{warning-solid}** | [`ID`](#id) | **Deprecated:** Use `fullPath`. Deprecated in 14.10. |

 #### Fields

--- a/ee/app/graphql/mutations/security_policy/unassign_security_policy_project.rb
+++ b/ee/app/graphql/mutations/security_policy/unassign_security_policy_project.rb
@@ -4,20 +4,25 @@ module Mutations
  module SecurityPolicy
    class UnassignSecurityPolicyProject < BaseMutation
      graphql_name 'SecurityPolicyProjectUnassign'
-      description 'Unassigns the security policy project for the given project(`project_path`).'
+      description 'Unassigns the security policy project for the given project (`full_path`).'

-      include FindsProject
+      include FindsProjectOrGroupForSecurityPolicies

      authorize :update_security_orchestration_policy_project

+      argument :full_path, GraphQL::Types::String,
+               required: false,
+               description: 'Full path of the project.'
+
      argument :project_path, GraphQL::Types::ID,
-               required: true,
+               required: false,
+               deprecated: { reason: 'Use `fullPath`', milestone: '14.10' },
               description: 'Full path of the project.'

      def resolve(args)
-        project = authorized_find!(args[:project_path])
+        project_or_group = authorized_find!(**args)

-        result = unassign_project(project)
+        result = unassign(project_or_group)
        {
          errors: result.success? ? [] : [result.message]
        }
@@ -25,9 +30,9 @@ module Mutations

      private

-      def unassign_project(project)
+      def unassign(project_or_group)
        ::Security::Orchestration::UnassignService
-          .new(project, current_user)
+          .new(container: project_or_group, current_user: current_user)
          .execute
      end
    end

--- a/ee/app/services/security/orchestration/unassign_service.rb
+++ b/ee/app/services/security/orchestration/unassign_service.rb
@@ -2,19 +2,19 @@

 module Security
  module Orchestration
-    class UnassignService < ::BaseService
+    class UnassignService < ::BaseContainerService
      def execute
        return error(_('Policy project doesn\'t exist')) unless security_orchestration_policy_configuration

        result = security_orchestration_policy_configuration.delete
        return success if result

-        error(project.security_orchestration_policy_configuration.errors.full_messages.to_sentence)
+        error(container.security_orchestration_policy_configuration.errors.full_messages.to_sentence)
      end

      private

-      delegate :security_orchestration_policy_configuration, to: :project
+      delegate :security_orchestration_policy_configuration, to: :container

      def success
        ServiceResponse.success

--- a/ee/spec/factories/namespaces.rb
+++ b/ee/spec/factories/namespaces.rb
@@ -41,6 +41,10 @@ FactoryBot.modify do
        create(:ci_namespace_monthly_usage, namespace: namespace, amount_used: 1000)
      end
    end
+
+    trait :with_security_orchestration_policy_configuration do
+      association :security_orchestration_policy_configuration, factory: [:security_orchestration_policy_configuration, :namespace]
+    end
  end
 end


--- a/ee/spec/graphql/mutations/security_policy/unassign_security_policy_project_spec.rb
+++ b/ee/spec/graphql/mutations/security_policy/unassign_security_policy_project_spec.rb
@@ -8,31 +8,34 @@ RSpec.describe Mutations::SecurityPolicy::UnassignSecurityPolicyProject do
  describe '#resolve' do
    let_it_be(:owner) { create(:user) }
    let_it_be(:user) { create(:user) }
+    let_it_be(:namespace) { create(:group, :with_security_orchestration_policy_configuration) }
+    let_it_be(:namespace_without_policy_project) { create(:group) }
    let_it_be(:project) { create(:project, :with_security_orchestration_policy_configuration, namespace: owner.namespace) }
    let_it_be(:project_without_policy_project) { create(:project, namespace: owner.namespace) }

-    let(:project_full_path) { project.full_path }
+    let(:container_full_path) { container.full_path }
    let(:current_user) { owner }

-    subject { mutation.resolve(project_path: project_full_path) }
+    subject { mutation.resolve(full_path: container_full_path) }

+    shared_examples 'unassigns security policy project' do
      context 'when permission is set for user' do
        before do
          stub_licensed_features(security_orchestration_policies: true)
        end

        context 'when user is an owner of the project' do
-        context 'when policy project is assigned to a project' do
-          it 'assigns the security policy project' do
+          context 'when policy project is assigned to a container' do
+            it 'unassigns the security policy project' do
              result = subject

              expect(result[:errors]).to be_empty
-            expect(project.reload.security_orchestration_policy_configuration).to be_blank
+              expect(container.reload.security_orchestration_policy_configuration).to be_blank
            end
          end

-        context 'when policy project is not assigned to a project' do
-          let(:project_full_path) { project_without_policy_project.full_path }
+          context 'when policy project is not assigned to a container' do
+            let(:container_full_path) { container_without_policy_project.full_path }

            it 'respond with an error' do
              result = subject
@@ -46,7 +49,7 @@ RSpec.describe Mutations::SecurityPolicy::UnassignSecurityPolicyProject do
          let(:current_user) { user }

          before do
-          project.add_maintainer(user)
+            container.add_maintainer(user)
          end

          it 'raises exception' do
@@ -65,4 +68,53 @@ RSpec.describe Mutations::SecurityPolicy::UnassignSecurityPolicyProject do
        end
      end
    end
+
+    context 'when both fullPath and projectPath are not provided' do
+      subject { mutation.resolve({}) }
+
+      before do
+        stub_licensed_features(security_orchestration_policies: true)
+      end
+
+      it 'raises exception' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ArgumentError)
+      end
+    end
+
+    context 'for project' do
+      let(:container) { project }
+      let(:container_without_policy_project) { project_without_policy_project }
+
+      it_behaves_like 'unassigns security policy project'
+    end
+
+    context 'for namespace' do
+      let(:container) { namespace }
+      let(:container_without_policy_project) { namespace_without_policy_project }
+
+      before do
+        namespace.add_owner(owner)
+        namespace_without_policy_project.add_owner(owner)
+      end
+
+      context 'when feature is enabled' do
+        before do
+          stub_feature_flags(group_level_security_policies: [namespace, namespace_without_policy_project])
+        end
+
+        it_behaves_like 'unassigns security policy project'
+      end
+
+      context 'when feature is disabled' do
+        before do
+          stub_licensed_features(security_orchestration_policies: true)
+          stub_feature_flags(group_level_security_policies: false)
+        end
+
+        it 'raises exception' do
+          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+        end
+      end
+    end
+  end
 end
--- a/ee/spec/requests/api/graphql/mutations/security_policy/unassign_security_policy_project_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/security_policy/unassign_security_policy_project_spec.rb
@@ -2,19 +2,23 @@

 require 'spec_helper'

-RSpec.describe 'Unassigns scan execution policy project from a project' do
+RSpec.describe 'Unassigns scan execution policy project from a project/namespace' do
  include GraphqlHelpers

  let_it_be_with_refind(:owner) { create(:user) }
  let_it_be_with_refind(:user) { create(:user) }
-  let_it_be_with_refind(:project) { create(:project, namespace: owner.namespace) }
+  let_it_be_with_refind(:project) { create(:project, :with_security_orchestration_policy_configuration, namespace: owner.namespace) }
+  let_it_be_with_refind(:project_without_policy_project) { create(:project, namespace: owner.namespace) }
+  let_it_be_with_refind(:namespace) { create(:group, :with_security_orchestration_policy_configuration) }
+  let_it_be_with_refind(:namespace_without_policy_project) { create(:group) }

+  let(:container_full_path) { container.full_path }
  let(:current_user) { owner }

  subject { post_graphql_mutation(mutation, current_user: current_user) }

  def mutation
-    variables = { project_path: project.full_path }
+    variables = { full_path: container_full_path }

    graphql_mutation(:security_policy_project_unassign, variables) do
      <<-QL.strip_heredoc
@@ -27,14 +31,17 @@ RSpec.describe 'Unassigns scan execution policy project from a project' do
    graphql_mutation_response(:security_policy_project_unassign)
  end

+  shared_examples 'unassigns security policy project' do
    context 'when licensed feature is available' do
      before do
        stub_licensed_features(security_orchestration_policies: true)
      end

-    context 'when user is an owner of the project' do
-      context 'when there is no security policy project assigned to the project' do
-        it 'unassigns the security policy project', :aggregate_failures do
+      context 'when user is an owner of the container' do
+        context 'when there is no security policy project assigned to the container' do
+          let(:container_full_path) { container_without_policy_project.full_path }
+
+          it 'does not unassign the security policy project', :aggregate_failures do
            expect { subject }.not_to change { ::Security::OrchestrationPolicyConfiguration.count }

            expect(response).to have_gitlab_http_status(:success)
@@ -42,10 +49,7 @@ RSpec.describe 'Unassigns scan execution policy project from a project' do
          end
        end

-      context 'when security policy project is assigned to the project' do
-        let!(:security_policy_management_project) { create(:project, :repository, namespace: current_user.namespace) }
-        let!(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: security_policy_management_project) }
-
+        context 'when security policy project is assigned to the container' do
          it 'unassigns the security policy project', :aggregate_failures do
            expect { subject }.to change { ::Security::OrchestrationPolicyConfiguration.count }.by(-1)

@@ -75,4 +79,40 @@ RSpec.describe 'Unassigns scan execution policy project from a project' do
      it_behaves_like 'a mutation that returns top-level errors',
                  errors: [Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
    end
+  end
+
+  context 'for project' do
+    let(:container) { project }
+    let(:container_without_policy_project) { project_without_policy_project }
+
+    it_behaves_like 'unassigns security policy project'
+  end
+
+  context 'for namespace' do
+    let(:container) { namespace }
+    let(:container_without_policy_project) { namespace_without_policy_project }
+
+    before do
+      namespace.add_owner(owner)
+      namespace_without_policy_project.add_owner(owner)
+    end
+
+    context 'when feature is enabled' do
+      before do
+        stub_feature_flags(group_level_security_policies: [namespace, namespace_without_policy_project])
+      end
+
+      it_behaves_like 'unassigns security policy project'
+    end
+
+    context 'when feature is disabled' do
+      before do
+        stub_licensed_features(security_orchestration_policies: true)
+        stub_feature_flags(group_level_security_policies: false)
+      end
+
+      it_behaves_like 'a mutation that returns top-level errors',
+                  errors: [Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
+    end
+  end
 end
--- a/ee/spec/services/security/orchestration/unassign_service_spec.rb
+++ b/ee/spec/services/security/orchestration/unassign_service_spec.rb
@@ -3,25 +3,29 @@
 require 'spec_helper'

 RSpec.describe Security::Orchestration::UnassignService do
-  let_it_be(:project, reload: true) { create(:project, :with_security_orchestration_policy_configuration) }
-  let_it_be(:project_without_policy_project, reload: true) { create(:project) }
-
-  let(:service) { described_class.new(project, nil) }
-
  describe '#execute' do
    subject(:result) { service.execute }

-    context 'when policy project is assigned to a project' do
-      let(:service) { described_class.new(project, nil) }
+    shared_examples 'unassigns policy project' do
+      context 'when policy project is assigned to a project or namespace' do
+        let(:service) { described_class.new(container: container, current_user: nil) }

        it 'unassigns policy project from the project', :aggregate_failures do
          expect(result).to be_success
-        expect(project.security_orchestration_policy_configuration).to be_destroyed
+          expect(container.security_orchestration_policy_configuration).to be_destroyed
        end
+
+        context 'when destroy fails' do
+          before do
+            allow(container.security_orchestration_policy_configuration).to receive(:delete).and_return(false)
          end

-    context 'when policy project is not assigned to a project' do
-      let(:service) { described_class.new(project_without_policy_project, nil) }
+          it { is_expected.not_to be_success }
+        end
+      end
+
+      context 'when policy project is not assigned to a project or namespace' do
+        let(:service) { described_class.new(container: container_without_policy_project, current_user: nil) }

        it 'respond with an error', :aggregate_failures do
          expect(result).not_to be_success
@@ -29,4 +33,19 @@ RSpec.describe Security::Orchestration::UnassignService do
        end
      end
    end
+
+    context 'for project' do
+      let_it_be(:container, reload: true) { create(:project, :with_security_orchestration_policy_configuration) }
+      let_it_be(:container_without_policy_project, reload: true) { create(:project) }
+
+      it_behaves_like 'unassigns policy project'
+    end
+
+    context 'for namespace' do
+      let_it_be(:container, reload: true) { create(:namespace, :with_security_orchestration_policy_configuration) }
+      let_it_be(:container_without_policy_project, reload: true) { create(:namespace) }
+
+      it_behaves_like 'unassigns policy project'
+    end
+  end
 end