Commit 3d1681e7 authored by Avielle Wolfe's avatar Avielle Wolfe Committed by Mayra Cabrera

Add policy for instance security dashboard

So long as the right license is present, any logged-in user should
be able to view the dashboard.

https://gitlab.com/gitlab-org/gitlab/issues/33831
parent 06617c42
# frozen_string_literal: true
module Security
class ApplicationController < ::ApplicationController
before_action :authorize_read_security_dashboard!
before_action do
push_frontend_feature_flag(:security_dashboard)
end
private
def authorize_read_security_dashboard!
render_404 unless Feature.enabled?(:security_dashboard) &&
can?(current_user, :read_security_dashboard)
end
end
end
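Review bot: The `Feature.enabled?(:security_dashboard)` gate in `authorize_read_security_dashboard!` is not mirrored by the `read_security_dashboard` rule added in the GlobalPolicy hunk, which tests only `~anonymous & security_dashboard_available`, so `can?(current_user, :read_security_dashboard)` stays true while the flag is off and any caller that relies on the policy alone (plausibly `dashboard_nav_link?(:security)` in the dropdown hunk, whose implementation is not in this commit) would link to a page that 404s. If the flag is meant to gate the feature everywhere, fold it into the policy condition so controller, nav link and policy spec agree: `condition(:security_dashboard_available) do` / `  Feature.enabled?(:security_dashboard) && License.feature_available?(:security_dashboard)` / `end`; if it is deliberately a controller-only rollout gate, say so in a comment on the before_action so the next reader does not "fix" the discrepancy. The redirect-to-sign-in behaviour the shared examples expect for anonymous users presumably comes from an authentication before_action inherited from `::ApplicationController` rather than from this block, which is worth stating above `before_action :authorize_read_security_dashboard!`: `# Anonymous users are already redirected to sign in by ::ApplicationController; this only enforces the flag, licence and policy gate (404 rather than 403 so the dashboard's existence is not revealed).`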
# frozen_string_literal: true
module Security
class DashboardController < ::Security::ApplicationController
def show
head :ok
end
end
end
# frozen_string_literal: true
module Security
class ProjectsController < ::Security::ApplicationController
def index
head :ok
end
def create
head :ok
end
def destroy
head :ok
end
end
end
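Review bot: `create` and `destroy` are write actions but are guarded only by the inherited `authorize_read_security_dashboard!`, a read permission, so they are reachable by any licensed logged-in user; they are harmless while both bodies are `head :ok`, but nothing marks them as placeholders, and the real implementations will need their own authorization rather than inheriting the read check. Add a comment above each stub, e.g. `# Placeholder (returns 200 with no effect); add write authorization before implementing.`, and consider whether the routes hunk should expose `create`/`destroy` at all before the bodies exist.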
# frozen_string_literal: true
class SecurityController < ApplicationController
before_action :authorize_read_security_dashboard!
before_action do
push_frontend_feature_flag(:security_dashboard)
end
def authorize_read_security_dashboard!
render_404 unless Feature.enabled?(:security_dashboard) &&
can?(current_user, :read_security_dashboard)
end
end
...@@ -9,7 +9,13 @@ module EE ...@@ -9,7 +9,13 @@ module EE
License.feature_available?(:operations_dashboard) License.feature_available?(:operations_dashboard)
end end
condition(:security_dashboard_available) do
License.feature_available?(:security_dashboard)
end
rule { operations_dashboard_available }.enable :read_operations_dashboard rule { operations_dashboard_available }.enable :read_operations_dashboard
rule { ~anonymous & security_dashboard_available }.enable :read_security_dashboard
rule { admin }.policy do rule { admin }.policy do
enable :read_licenses enable :read_licenses
enable :destroy_licenses enable :destroy_licenses
...@@ -5,5 +5,5 @@ ...@@ -5,5 +5,5 @@
= link_to operations_path, class: 'dropdown-item' do = link_to operations_path, class: 'dropdown-item' do
= _('Operations') = _('Operations')
- if dashboard_nav_link?(:security) - if dashboard_nav_link?(:security)
= link_to security_path, class: 'dropdown-item' do = link_to security_root_path, class: 'dropdown-item' do
= _('Security') = _('Security')
# frozen_string_literal: true # frozen_string_literal: true
get 'security' => 'security#index' namespace :security do
root to: 'dashboard#show'
resources :projects, only: [:index, :create, :destroy]
end
# frozen_string_literal: true
require 'spec_helper'
describe Security::DashboardController do
describe 'GET #show' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
get :show
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe Security::ProjectsController do
describe 'GET #index' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
get :index
end
end
end
describe 'POST #create' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
post :create
end
end
end
describe 'DELETE #destroy' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
delete :destroy, params: { id: 1 }
end
end
end
end
...@@ -55,4 +55,30 @@ describe GlobalPolicy do ...@@ -55,4 +55,30 @@ describe GlobalPolicy do
describe 'view_productivity_analytics' do describe 'view_productivity_analytics' do
include_examples 'analytics policy', :view_productivity_analytics include_examples 'analytics policy', :view_productivity_analytics
end end
describe 'read_security_dashboard' do
context 'when the instance has an Ultimate license' do
before do
stub_licensed_features(security_dashboard: true)
end
context 'and the user is not logged in' do
let(:current_user) { nil }
it { is_expected.not_to be_allowed(:read_security_dashboard) }
end
context 'and the user is logged in' do
it { is_expected.to be_allowed(:read_security_dashboard) }
end
end
context 'when the instance does not have an Ultimate license' do
before do
stub_licensed_features(security_dashboard: false)
end
it { is_expected.not_to be_allowed(:read_security_dashboard) }
end
end
end end
# frozen_string_literal: true
require 'spec_helper'
shared_examples Security::ApplicationController do
context 'when the user is authenticated' do
let(:security_application_controller_user) { create(:user) }
before do
stub_licensed_features(security_dashboard: true)
sign_in(security_application_controller_user)
end
it 'responds with success' do
security_application_controller_child_action
expect(response).to have_gitlab_http_status(:ok)
end
context 'and the instance does not have an Ultimate license' do
it '404s' do
stub_licensed_features(security_dashboard: false)
security_application_controller_child_action
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'and the security dashboard feature is disabled' do
it '404s' do
stub_feature_flags(security_dashboard: false)
security_application_controller_child_action
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'when the user is not authenticated' do
it 'redirects the user to the sign in page' do
security_application_controller_child_action
expect(response).to redirect_to(new_user_session_path)
end
end
end
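Review bot: The shared example depends on the including spec defining `security_application_controller_child_action`, but nothing in the file states that contract, so a spec that forgets the `let` fails with a NameError from inside the example rather than a clear message. A comment above `shared_examples Security::ApplicationController do` would document it: `# Includers must define `security_application_controller_child_action` (a `let`) that performs the request under test; the examples only assert the response.` The 'when the user is not authenticated' context stubs neither the licence nor the flag yet expects a redirect, which quietly pins that authentication runs before the licence/flag 404 — worth naming in the example description, e.g. `it 'redirects to sign in before any licence or flag check'`, so a reordering of before_actions is caught for the right reason.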