Merge branch 'instance-security-dashboard-permissions' into 'master'

Add instance security dashboard permissions See merge request gitlab-org/gitlab!17908

Merge branch 'instance-security-dashboard-permissions' into 'master'
Add instance security dashboard permissions See merge request gitlab-org/gitlab!17908
dcbe4826 · Mayra Cabrera · 06617c42 · 3d1681e7 · dcbe4826 · dcbe4826
Commit dcbe4826 authored Oct 11, 2019 by Mayra Cabrera
11 changed files
--- a/ee/app/controllers/security/application_controller.rb
+++ b/ee/app/controllers/security/application_controller.rb
+# frozen_string_literal: true
+
+module Security
+  class ApplicationController < ::ApplicationController
+    before_action :authorize_read_security_dashboard!
+    before_action do
+      push_frontend_feature_flag(:security_dashboard)
+    end
+
+    private
+
+    def authorize_read_security_dashboard!
+      render_404 unless Feature.enabled?(:security_dashboard) &&
+        can?(current_user, :read_security_dashboard)
+    end
+  end
+end
--- a/ee/app/controllers/security/dashboard_controller.rb
+++ b/ee/app/controllers/security/dashboard_controller.rb
+# frozen_string_literal: true
+
+module Security
+  class DashboardController < ::Security::ApplicationController
+    def show
+      head :ok
+    end
+  end
+end
--- a/ee/app/controllers/security/projects_controller.rb
+++ b/ee/app/controllers/security/projects_controller.rb
+# frozen_string_literal: true
+
+module Security
+  class ProjectsController < ::Security::ApplicationController
+    def index
+      head :ok
+    end
+
+    def create
+      head :ok
+    end
+
+    def destroy
+      head :ok
+    end
+  end
+end
--- a/ee/app/controllers/security_controller.rb
+++ b/ee/app/controllers/security_controller.rb
-# frozen_string_literal: true
-
-class SecurityController < ApplicationController
-  before_action :authorize_read_security_dashboard!
-  before_action do
-    push_frontend_feature_flag(:security_dashboard)
-  end
-
-  def authorize_read_security_dashboard!
-    render_404 unless Feature.enabled?(:security_dashboard) &&
-      can?(current_user, :read_security_dashboard)
-  end
-end
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -9,7 +9,13 @@ module EE
        License.feature_available?(:operations_dashboard)
      end

+      condition(:security_dashboard_available) do
+        License.feature_available?(:security_dashboard)
+      end
+
      rule { operations_dashboard_available }.enable :read_operations_dashboard
+      rule { ~anonymous & security_dashboard_available }.enable :read_security_dashboard
+
      rule { admin }.policy do
        enable :read_licenses
        enable :destroy_licenses

--- a/ee/app/views/dashboard/_nav_link_list.html.haml
+++ b/ee/app/views/dashboard/_nav_link_list.html.haml
@@ -5,5 +5,5 @@
  = link_to operations_path, class: 'dropdown-item' do
    = _('Operations')
 - if dashboard_nav_link?(:security)
-  = link_to security_path, class: 'dropdown-item' do
+  = link_to security_root_path, class: 'dropdown-item' do
    = _('Security')
--- a/ee/config/routes/security.rb
+++ b/ee/config/routes/security.rb
 # frozen_string_literal: true

-get 'security' => 'security#index'
+namespace :security do
+  root to: 'dashboard#show'
+
+  resources :projects, only: [:index, :create, :destroy]
+end
--- a/ee/spec/controllers/security/dashboard_controller_spec.rb
+++ b/ee/spec/controllers/security/dashboard_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Security::DashboardController do
+  describe 'GET #show' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        get :show
+      end
+    end
+  end
+end
--- a/ee/spec/controllers/security/projects_controller_spec.rb
+++ b/ee/spec/controllers/security/projects_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Security::ProjectsController do
+  describe 'GET #index' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        get :index
+      end
+    end
+  end
+
+  describe 'POST #create' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        post :create
+      end
+    end
+  end
+
+  describe 'DELETE #destroy' do
+    it_behaves_like Security::ApplicationController do
+      let(:security_application_controller_child_action) do
+        delete :destroy, params: { id: 1 }
+      end
+    end
+  end
+end
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -55,4 +55,30 @@ describe GlobalPolicy do
  describe 'view_productivity_analytics' do
    include_examples 'analytics policy', :view_productivity_analytics
  end
+
+  describe 'read_security_dashboard' do
+    context 'when the instance has an Ultimate license' do
+      before do
+        stub_licensed_features(security_dashboard: true)
+      end
+
+      context 'and the user is not logged in' do
+        let(:current_user) { nil }
+
+        it { is_expected.not_to be_allowed(:read_security_dashboard) }
+      end
+
+      context 'and the user is logged in' do
+        it { is_expected.to be_allowed(:read_security_dashboard) }
+      end
+    end
+
+    context 'when the instance does not have an Ultimate license' do
+      before do
+        stub_licensed_features(security_dashboard: false)
+      end
+
+      it { is_expected.not_to be_allowed(:read_security_dashboard) }
+    end
+  end
 end
--- a/ee/spec/support/shared_examples/controllers/security/application_controller_shared_examples.rb
+++ b/ee/spec/support/shared_examples/controllers/security/application_controller_shared_examples.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+shared_examples Security::ApplicationController do
+  context 'when the user is authenticated' do
+    let(:security_application_controller_user) { create(:user) }
+
+    before do
+      stub_licensed_features(security_dashboard: true)
+      sign_in(security_application_controller_user)
+    end
+
+    it 'responds with success' do
+      security_application_controller_child_action
+
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+
+    context 'and the instance does not have an Ultimate license' do
+      it '404s' do
+        stub_licensed_features(security_dashboard: false)
+
+        security_application_controller_child_action
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'and the security dashboard feature is disabled' do
+      it '404s' do
+        stub_feature_flags(security_dashboard: false)
+
+        security_application_controller_child_action
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+
+  context 'when the user is not authenticated' do
+    it 'redirects the user to the sign in page' do
+      security_application_controller_child_action
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
+  end
+end