Add Threat Monitoring skeleton page

Part of [WAF statistics reporting][1].

This adds:

- A skeleton page and sidebar nav link for WAF statistics reporting
- `threat_monitoring` GitLab Ultimate feature
- `threat_monitoring` feature flag (disabled by default)
- Additional unit tests for the EE projects helper

[1]: https://gitlab.com/gitlab-org/gitlab/issues/14707

ee/app/controllers/projects/threat_monitoring_controller.rb

+# frozen_string_literal: true
+
+module Projects
+  class ThreatMonitoringController < Projects::ApplicationController
+    before_action :authorize_read_threat_monitoring!
+
+    before_action only: [:show] do
+      push_frontend_feature_flag(:threat_monitoring)
+    end
+  end
+end

ee/app/helpers/ee/projects_helper.rb

@@ -49,6 +49,10 @@ module EE
         nav_tabs << :licenses
       end
 
+      if can?(current_user, :read_threat_monitoring, project)
+        nav_tabs << :threat_monitoring
+      end
+
       if ::Gitlab.config.packages.enabled &&
           project.feature_available?(:packages) &&
           can?(current_user, :read_package, project)
@@ -145,6 +149,7 @@ module EE
         projects/security/dashboard#show
         projects/dependencies#show
         projects/licenses#show
+        projects/threat_monitoring#show
       ]
     end
 

ee/app/models/license.rb

@@ -120,6 +120,7 @@ class License < ApplicationRecord
     report_approver_rules
     sast
     security_dashboard
+    threat_monitoring
     tracing
     web_ide_terminal
   ]

ee/app/policies/ee/project_policy.rb

@@ -80,6 +80,11 @@ module EE
         @subject.feature_available?(:dependency_scanning)
       end
 
+      with_scope :subject
+      condition(:threat_monitoring_enabled) do
+        @subject.beta_feature_available?(:threat_monitoring)
+      end
+
       with_scope :subject
       condition(:feature_flags_disabled) do
         !@subject.feature_available?(:feature_flags)
@@ -168,6 +173,8 @@ module EE
         enable :admin_vulnerability
       end
 
+      rule { threat_monitoring_enabled & (auditor | can?(:developer_access)) }.enable :read_threat_monitoring
+
       rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback
 
       rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies

ee/app/views/layouts/nav/sidebar/_project_security_link.html.haml

@@ -37,3 +37,8 @@
       = nav_link(path: 'projects/security/configuration#show') do
         = link_to project_security_configuration_path(@project), title: _('Configuration'), data: { qa_selector: 'security_configuration_link'} do
           %span= _('Configuration')
+
+    - if project_nav_tab?(:threat_monitoring)
+      = nav_link(path: 'projects/threat_monitoring#show') do
+        = link_to project_threat_monitoring_path(@project), title: _('Threat Monitoring') do
+          %span= _('Threat Monitoring')

ee/app/views/projects/threat_monitoring/show.html.haml

+- breadcrumb_title _("Threat Monitoring")
+- page_title _("Threat Monitoring")
+
+#js-threat-monitoring-app

ee/config/routes/project.rb

@@ -70,6 +70,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           resources :licenses, only: [:index, :create, :update]
         end
 
+        resource :threat_monitoring, only: [:show], controller: :threat_monitoring
+
         resources :logs, only: [:index] do
           collection do
             get :k8s

ee/spec/controllers/projects/threat_monitoring_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::ThreatMonitoringController do
+  set(:project) { create(:project, :repository, :private) }
+  set(:user) { create(:user) }
+
+  subject { get :show, params: { namespace_id: project.namespace, project_id: project } }
+
+  describe 'GET show' do
+    context 'with authorized user' do
+      before do
+        project.add_developer(user)
+        sign_in(user)
+      end
+
+      context 'when feature is available' do
+        before do
+          stub_licensed_features(threat_monitoring: true)
+        end
+
+        it 'renders the show template' do
+          subject
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(response).to render_template(:show)
+        end
+      end
+
+      context 'when feature is not available' do
+        before do
+          stub_feature_flags(threat_monitoring: false)
+          stub_licensed_features(threat_monitoring: false)
+        end
+
+        it 'returns 404' do
+          subject
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
+
+    context 'with unauthorized user' do
+      before do
+        sign_in(user)
+      end
+
+      context 'when feature is available' do
+        before do
+          stub_licensed_features(threat_monitoring: true)
+        end
+
+        it 'returns 404' do
+          subject
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+    end
+
+    context 'with anonymous user' do
+      it 'returns 302' do
+        subject
+
+        expect(response).to have_gitlab_http_status(302)
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
+  end
+end

ee/spec/helpers/projects_helper_spec.rb

@@ -155,4 +155,49 @@ describe ProjectsHelper do
       end
     end
   end
+
+  describe '#get_project_nav_tabs' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:ability, :nav_tab) do
+      :read_dependencies               | :dependencies
+      :read_feature_flag               | :operations
+      :read_licenses                   | :licenses
+      :read_project_security_dashboard | :security
+      :read_threat_monitoring          | :threat_monitoring
+    end
+
+    with_them do
+      let(:project) { create(:project) }
+      let(:user)    { create(:user) }
+
+      before do
+        allow(helper).to receive(:can?) { false }
+      end
+
+      subject do
+        helper.send(:get_project_nav_tabs, project, user)
+      end
+
+      context 'when the feature is disabled' do
+        before do
+          allow(helper).to receive(:can?).with(user, ability, project).and_return(false)
+        end
+
+        it 'does not include the nav tab' do
+          is_expected.not_to include(nav_tab)
+        end
+      end
+
+      context 'when threat monitoring is enabled' do
+        before do
+          allow(helper).to receive(:can?).with(user, ability, project).and_return(true)
+        end
+
+        it 'includes the nav tab' do
+          is_expected.to include(nav_tab)
+        end
+      end
+    end
+  end
 end

ee/spec/policies/project_policy_spec.rb

@@ -50,6 +50,7 @@ describe ProjectPolicy do
         create_merge_request_in award_emoji
         read_project_security_dashboard read_vulnerability
         read_vulnerability_feedback read_security_findings read_software_license_policy
+        read_threat_monitoring
       ]
     end
 
@@ -65,7 +66,7 @@ describe ProjectPolicy do
       let(:current_user) { create(:user, :auditor) }
 
       before do
-        stub_licensed_features(security_dashboard: true, license_management: true)
+        stub_licensed_features(security_dashboard: true, license_management: true, threat_monitoring: true)
       end
 
       context 'who is not a team member' do
@@ -550,6 +551,58 @@ describe ProjectPolicy do
     end
   end
 
+  describe 'read_threat_monitoring' do
+    context 'when threat monitoring feature is available' do
+      before do
+        stub_feature_flags(threat_monitoring: true)
+        stub_licensed_features(threat_monitoring: true)
+      end
+
+      context 'with developer or higher role' do
+        where(role: %w[admin owner maintainer developer])
+
+        with_them do
+          let(:current_user) { public_send(role) }
+
+          it { is_expected.to be_allowed(:read_threat_monitoring) }
+        end
+      end
+
+      context 'with less than developer role' do
+        where(role: %w[reporter guest])
+
+        with_them do
+          let(:current_user) { public_send(role) }
+
+          it { is_expected.to be_disallowed(:read_threat_monitoring) }
+        end
+      end
+
+      context 'with not member' do
+        let(:current_user) { create(:user) }
+
+        it { is_expected.to be_disallowed(:read_threat_monitoring) }
+      end
+
+      context 'with anonymous' do
+        let(:current_user) { nil }
+
+        it { is_expected.to be_disallowed(:read_threat_monitoring) }
+      end
+    end
+
+    context 'when threat monitoring feature is not available' do
+      let(:current_user) { admin }
+
+      before do
+        stub_feature_flags(threat_monitoring: false)
+        stub_licensed_features(threat_monitoring: false)
+      end
+
+      it { is_expected.to be_disallowed(:read_threat_monitoring) }
+    end
+  end
+
   describe 'read_package' do
     context 'with admin' do
       let(:current_user) { admin }

locale/gitlab.pot

@@ -18254,6 +18254,9 @@ msgstr ""
 msgid "Those emails automatically become issues (with the comments becoming the email conversation) listed here."
 msgstr ""
 
+msgid "Threat Monitoring"
+msgstr ""
+
 msgid "Thursday"
 msgstr ""