Fix group level compliance pipeline feature availability

Update policy feature flag check for group level
compliance pipeline configuration in graphql apis.
The attribute is gated behind
ff_evaluate_group_level_compliance_pipeline FF.
This is to keep it independent of the rollout of
compliance frameworks.

ee/app/models/license.rb

@@ -177,7 +177,6 @@ class License < ApplicationRecord
     subepics
     threat_monitoring
     vulnerability_auto_fix
-    evaluate_group_level_compliance_pipeline
   ]
   EEU_FEATURES.freeze
 

ee/app/policies/compliance_management/framework_policy.rb

@@ -11,7 +11,7 @@ module ComplianceManagement
 
     condition(:group_level_compliance_pipeline_enabled) do
       @subject.namespace.feature_available?(:evaluate_group_level_compliance_pipeline) &&
-        Feature.enabled?(:ff_custom_compliance_frameworks, @subject.namespace)
+        Feature.enabled?(:ff_evaluate_group_level_compliance_pipeline, @subject.namespace)
     end
 
     rule { can?(:owner_access) & custom_compliance_frameworks_enabled }.policy do

ee/app/policies/ee/group_policy.rb

@@ -135,7 +135,7 @@ module EE
 
       condition(:group_level_compliance_pipeline_available) do
         @subject.feature_available?(:evaluate_group_level_compliance_pipeline) &&
-          ::Feature.enabled?(:ff_custom_compliance_frameworks, @subject, default_enabled: :yaml)
+          ::Feature.enabled?(:ff_evaluate_group_level_compliance_pipeline, @subject, default_enabled: :yaml)
       end
 
       rule { public_group | logged_in_viewable }.policy do

ee/app/services/concerns/compliance_management/frameworks.rb

@@ -3,9 +3,12 @@
 module ComplianceManagement
   module Frameworks
     def compliance_pipeline_configuration_available?
-      return true unless params[:pipeline_configuration_full_path].present?
+      return true unless params.key?(:pipeline_configuration_full_path)
 
-      can? current_user, :manage_group_level_compliance_pipeline_config, framework
+      available = can? current_user, :manage_group_level_compliance_pipeline_config, framework
+      params.delete(:pipeline_configuration_full_path) unless available
+
+      available
     end
   end
 end

ee/spec/policies/compliance_management/framework_policy_spec.rb

@@ -57,7 +57,9 @@ RSpec.describe ComplianceManagement::FrameworkPolicy do
 
   context 'feature is disabled' do
     before do
-      stub_feature_flags(ff_custom_compliance_framework: false)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+      stub_feature_flags(ff_custom_compliance_frameworks: false)
+      stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
     end
 
     it { is_expected.to be_disallowed(:manage_compliance_framework) }

ee/spec/policies/group_policy_spec.rb

@@ -1569,7 +1569,7 @@ RSpec.describe GroupPolicy do
   end
 
   describe 'compliance framework permissions' do
-    shared_context 'compliance framework permissions' do
+    shared_examples 'compliance framework permissions' do
       using RSpec::Parameterized::TableSyntax
 
       where(:role, :licensed, :feature_flag, :admin_mode, :allowed) do
@@ -1590,7 +1590,7 @@ RSpec.describe GroupPolicy do
 
         before do
           stub_licensed_features(licensed_feature => licensed)
-          stub_feature_flags(ff_custom_compliance_frameworks: feature_flag)
+          stub_feature_flags(feature_flag_name => feature_flag)
           enable_admin_mode!(current_user) if admin_mode
         end
 
@@ -1601,15 +1601,17 @@ RSpec.describe GroupPolicy do
     context ':admin_compliance_framework' do
       let(:policy) { :admin_compliance_framework }
       let(:licensed_feature) { :custom_compliance_frameworks }
+      let(:feature_flag_name) { :ff_custom_compliance_frameworks }
 
-      include_context 'compliance framework permissions'
+      include_examples 'compliance framework permissions'
     end
 
     context ':admin_compliance_pipeline_configuration' do
       let(:policy) { :admin_compliance_pipeline_configuration }
       let(:licensed_feature) { :evaluate_group_level_compliance_pipeline }
+      let(:feature_flag_name) { :ff_evaluate_group_level_compliance_pipeline }
 
-      include_context 'compliance framework permissions'
+      include_examples 'compliance framework permissions'
     end
   end
 

ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb

@@ -42,7 +42,7 @@ RSpec.describe 'Create a Compliance Framework' do
     end
   end
 
-  context 'feature is unlicensed' do
+  context 'framework feature is unlicensed' do
     before do
       stub_licensed_features(custom_compliance_frameworks: false)
       post_graphql_mutation(mutation, current_user: current_user)
@@ -51,12 +51,21 @@ RSpec.describe 'Create a Compliance Framework' do
     it_behaves_like 'a mutation that returns errors in the response', errors: ['Not permitted to create framework']
   end
 
+  context 'pipeline configuration feature is unlicensed' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+      post_graphql_mutation(mutation, current_user: current_user)
+    end
+
+    it_behaves_like 'a mutation that returns errors in the response', errors: ['Pipeline configuration full path feature is not available']
+  end
+
   context 'feature is licensed' do
     before do
       stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
     end
 
-    context 'feature is disabled' do
+    context 'framework feature is disabled' do
       before do
         stub_feature_flags(ff_custom_compliance_frameworks: false)
       end
@@ -64,6 +73,14 @@ RSpec.describe 'Create a Compliance Framework' do
       it_behaves_like 'a mutation that returns errors in the response', errors: ['Not permitted to create framework']
     end
 
+    context 'pipeline configuration feature is disabled' do
+      before do
+        stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
+      end
+
+      it_behaves_like 'a mutation that returns errors in the response', errors: ['Pipeline configuration full path feature is not available']
+    end
+
     context 'current_user is namespace owner' do
       it_behaves_like 'a mutation that creates a compliance framework'
     end

ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb

@@ -91,6 +91,19 @@ RSpec.describe 'Update a compliance framework' do
             expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
           end
         end
+
+        context 'when compliance pipeline configuration feature flag is not enabled' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+            stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
+          end
+
+          it 'returns an error' do
+            subject
+
+            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
+          end
+        end
       end
 
       context 'current_user is not permitted to update framework' do