Scaffolding for security policy view

Feature flag security_orchestration_policies_configuration

Scaffolding for security policy view
Feature flag security_orchestration_policies_configuration
f10ef1cf · Can Eldem · Bob Van Landuyt · 14c54040 · f10ef1cf · f10ef1cf
Commit f10ef1cf authored Feb 19, 2021 by Can Eldem Committed by Bob Van Landuyt Feb 19, 2021
10 changed files
--- a/config/feature_flags/development/security_orchestration_policies_configuration.yml
+++ b/config/feature_flags/development/security_orchestration_policies_configuration.yml
+---
+name: security_orchestration_policies_configuration
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321258
+milestone: '13.9'
+type: development
+group: group::container security
+default_enabled: false
--- a/ee/app/controllers/projects/security/policies_controller.rb
+++ b/ee/app/controllers/projects/security/policies_controller.rb
+# frozen_string_literal: true
+
+module Projects
+  module Security
+    class PoliciesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
+      before_action do
+        push_frontend_feature_flag(:security_orchestration_policies_configuration, project)
+      end
+
+      feature_category :security_orchestration
+
+      def show
+        render_404 unless Feature.enabled?(:security_orchestration_policies_configuration, project) && can?(current_user, :security_orchestration_policies, project)
+      end
+    end
+  end
+end
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -168,6 +168,7 @@ class License < ApplicationRecord
    secret_detection
    security_dashboard
    security_on_demand_scans
+    security_orchestration_policies
    status_page
    subepics
    threat_monitoring

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -115,6 +115,11 @@ module EE
        @subject.feature_available?(:reject_unsigned_commits)
      end

+      with_scope :subject
+      condition(:security_orchestration_policies_enabled) do
+        @subject.feature_available?(:security_orchestration_policies)
+      end
+
      with_scope :subject
      condition(:security_dashboard_enabled) do
        @subject.feature_available?(:security_dashboard)
@@ -229,6 +234,10 @@ module EE

      rule { can?(:read_project) & iterations_available }.enable :read_iteration

+      rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
+        enable :security_orchestration_policies
+      end
+
      rule { security_dashboard_enabled & can?(:developer_access) }.policy do
        enable :read_vulnerability
        enable :read_vulnerability_scanner

--- a/ee/app/views/projects/security/policies/show.html.haml
+++ b/ee/app/views/projects/security/policies/show.html.haml
+= s_('Security|Policies')
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -64,6 +64,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
          resources :dashboard, only: [:index], controller: :dashboard
          resources :vulnerability_report, only: [:index], controller: :vulnerability_report

+          resource :policy, only: [:show]
+
          resource :configuration, only: [], controller: :configuration do
            post :auto_fix, on: :collection
            resource :corpus_management, only: [:show], controller: :corpus_management

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -673,6 +673,22 @@ RSpec.describe ProjectPolicy do
    end
  end

+  describe 'security complience policy' do
+    before do
+      stub_licensed_features(security_orchestration_policies: true)
+    end
+
+    context 'with developer or higher role' do
+      where(role: %w[owner maintainer developer])
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to be_allowed(:security_orchestration_policies) }
+      end
+    end
+  end
+
  describe 'read_corpus_management' do
    context 'when corpus_management feature is available' do
      before do

--- a/ee/spec/requests/projects/security/policies_controller_spec.rb
+++ b/ee/spec/requests/projects/security/policies_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::Security::PoliciesController, type: :request do
+  let_it_be(:project, reload: true) { create(:project) }
+  let_it_be(:user) { create(:user) }
+
+  before do
+    project.add_developer(user)
+    login_as(user)
+  end
+
+  context 'displaying page' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:feature_flag, :license, :status) do
+      true | true | :ok
+      false | false | :not_found
+      false | true | :not_found
+      true | false | :not_found
+    end
+
+    subject { get project_security_policy_url(project) }
+
+    with_them do
+      before do
+        stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
+        stub_licensed_features(security_orchestration_policies: license)
+      end
+
+      specify do
+        get project_security_policy_url(project)
+
+        expect(response).to have_gitlab_http_status(status)
+      end
+    end
+  end
+end
--- a/ee/spec/routing/project_routing_spec.rb
+++ b/ee/spec/routing/project_routing_spec.rb
@@ -64,4 +64,10 @@ RSpec.describe 'EE-specific project routing' do
      expect(get("/gitlab/gitlabhq/-/integrations/jira/issues")).to route_to('projects/integrations/jira/issues#index', namespace_id: 'gitlab', project_id: 'gitlabhq')
    end
  end
+
+  describe Projects::Security::PoliciesController, 'routing' do
+    it 'to #show' do
+      expect(get('/gitlab/gitlabhq/-/security/policy')).to route_to('projects/security/policies#show', namespace_id: 'gitlab', project_id: 'gitlabhq')
+    end
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -26437,6 +26437,9 @@ msgstr ""
 msgid "SecurityReports|[No reason]"
 msgstr ""

+msgid "Security|Policies"
+msgstr ""
+
 msgid "See GitLab's %{password_policy_guidelines}"
 msgstr ""