Extend ProtectDefaultBranchService to support security policy project

This change extends Projects::ProtectDefaultBranchService to EE to support security policy project which overrides the default branch protection defined in the group/namespace of the project. Changelog: added EE: true

Extend ProtectDefaultBranchService to support security policy project
This change extends Projects::ProtectDefaultBranchService to EE to support security policy project which overrides the default branch protection defined in the group/namespace of the project. Changelog: added EE: true
d5f5b361 · Sashi · Nikola Milojevic · 7a4e3eef · d5f5b361 · d5f5b361
Commit d5f5b361 authored Jul 20, 2021 by Sashi Committed by Nikola Milojevic Aug 04, 2021
5 changed files
--- a/app/services/projects/protect_default_branch_service.rb
+++ b/app/services/projects/protect_default_branch_service.rb
@@ -69,3 +69,5 @@ module Projects
    end
  end
 end
+
+Projects::ProtectDefaultBranchService.prepend_mod
--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -36,6 +36,10 @@ module Security
        .where(arel_table[:configured_at].lt(Project.arel_table[:last_repository_updated_at]).or(arel_table[:configured_at].eq(nil)))
    end

+    def self.policy_management_project?(project_id)
+      self.exists?(security_policy_management_project_id: project_id)
+    end
+
    def enabled?
      ::Feature.enabled?(:security_orchestration_policies_configuration, project)
    end

--- a/ee/app/services/ee/projects/protect_default_branch_service.rb
+++ b/ee/app/services/ee/projects/protect_default_branch_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Projects
+    module ProtectDefaultBranchService
+      extend ::Gitlab::Utils::Override
+
+      override :protect_branch?
+      def protect_branch?
+        return true if security_policy_management_project?
+
+        super
+      end
+
+      override :push_access_level
+      def push_access_level
+        return ::Gitlab::Access::NO_ACCESS if security_policy_management_project?
+
+        super
+      end
+
+      override :merge_access_level
+      def merge_access_level
+        return ::Gitlab::Access::MAINTAINER if security_policy_management_project?
+
+        super
+      end
+
+      private
+
+      def security_policy_management_project?
+        ::Security::OrchestrationPolicyConfiguration.policy_management_project?(project.id)
+      end
+    end
+  end
+end
--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -51,6 +51,20 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
    end
  end

+  describe '.policy_management_project?' do
+    before do
+      create(:security_orchestration_policy_configuration, security_policy_management_project: security_policy_management_project)
+    end
+
+    it 'returns true when security_policy_management_project with id exists' do
+      expect(described_class.policy_management_project?(security_policy_management_project.id)).to be_truthy
+    end
+
+    it 'returns false when security_policy_management_project with id does not exist' do
+      expect(described_class.policy_management_project?(non_existing_record_id)).to be_falsey
+    end
+  end
+
  describe '#enabled?' do
    subject { security_orchestration_policy_configuration.enabled? }


--- a/ee/spec/services/projects/protect_default_branch_service_spec.rb
+++ b/ee/spec/services/projects/protect_default_branch_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::ProtectDefaultBranchService do
+  let(:service) { described_class.new(project) }
+  let(:project) { create(:project) }
+
+  shared_context 'has security_policy_project' do
+    before do
+      allow(Security::OrchestrationPolicyConfiguration)
+        .to receive(:exists?)
+              .and_return(true)
+    end
+  end
+
+  describe '#protect_branch?' do
+    context 'when project has security_policy_project' do
+      include_context 'has security_policy_project'
+
+      it 'returns true' do
+        expect(service.protect_branch?).to eq(true)
+      end
+    end
+
+    it { expect(service.protect_branch?).to eq(false) }
+  end
+
+  describe '#push_access_level' do
+    context 'when project has security_policy_project' do
+      include_context 'has security_policy_project'
+
+      it 'returns NO_ACCESS access level' do
+        expect(service.push_access_level).to eq(Gitlab::Access::NO_ACCESS)
+      end
+    end
+
+    context 'when project does not have security_policy_project' do
+      before do
+        allow(project.namespace)
+          .to receive(:default_branch_protection)
+                .and_return(Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
+      end
+
+      it 'returns DEVELOPER access level' do
+        expect(service.push_access_level).to eq(Gitlab::Access::DEVELOPER)
+      end
+    end
+  end
+
+  describe '#merge_access_level' do
+    context 'when project has security_policy_project' do
+      include_context 'has security_policy_project'
+
+      it 'returns Maintainer access level' do
+        expect(service.merge_access_level).to eq(Gitlab::Access::MAINTAINER)
+      end
+    end
+
+    context 'when project does not have security_policy_project' do
+      before do
+        allow(project.namespace)
+          .to receive(:default_branch_protection)
+                .and_return(Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
+      end
+
+      it 'returns DEVELOPER access level' do
+        expect(service.merge_access_level).to eq(Gitlab::Access::DEVELOPER)
+      end
+    end
+  end
+end