Skip to content

G
gitlab-ce
Commit 5a1517a5 authored by Mehmet Emin INAC's avatar Mehmet Emin INAC Committed by Stan Hu
Browse files
Options

Disable access to "Security & Compliance" resources 

These resources will be forbidden to access if the feature is off.
parent c65265b4
Hide whitespace changes
Inline Side-by-side
Showing with 371 additions and 108 deletions
ee/app/controllers/concerns/security_and_compliance_permissions.rb 0 → 100644
View file @ 5a1517a5
# frozen_string_literal: true
module SecurityAndCompliancePermissions
extend ActiveSupport::Concern
included do
before_action :ensure_security_and_compliance_enabled!
end
private
def ensure_security_and_compliance_enabled!
render_404 unless can?(current_user, :access_security_and_compliance, project)
end
end
ee/app/controllers/ee/projects/security/configuration_controller.rb
View file @ 5a1517a5
......@@ -7,6 +7,8 @@ module EE
extend ::Gitlab::Utils::Override
prepended do
include SecurityAndCompliancePermissions
alias_method :vulnerable, :project
before_action :ensure_security_dashboard_feature_enabled!, except: [:show]
......
ee/app/controllers/projects/audit_events_controller.rb
View file @ 5a1517a5
# frozen_string_literal: true
class Projects::AuditEventsController < Projects::ApplicationController
include SecurityAndCompliancePermissions
include Gitlab::Utils::StrongMemoize
include LicenseHelper
include AuditEvents::EnforcesValidDateParams
......
ee/app/controllers/projects/dependencies_controller.rb
View file @ 5a1517a5
......@@ -2,6 +2,8 @@
module Projects
class DependenciesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action :authorize_read_dependency_list!
feature_category :dependency_scanning
......
ee/app/controllers/projects/licenses_controller.rb
View file @ 5a1517a5
......@@ -2,6 +2,8 @@
module Projects
class LicensesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action :authorize_read_licenses!, only: [:index]
before_action :authorize_admin_software_license_policy!, only: [:create, :update]
......
ee/app/controllers/projects/on_demand_scans_controller.rb
View file @ 5a1517a5
......@@ -2,6 +2,8 @@
module Projects
class OnDemandScansController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action do
push_frontend_feature_flag(:security_on_demand_scans_site_validation, @project, default_enabled: :yaml)
push_frontend_feature_flag(:security_dast_site_profiles_additional_fields, @project, default_enabled: :yaml)
......
ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,7 @@
module Projects
module Security
class ApiFuzzingConfigurationController < Projects::ApplicationController
include SecurityAndCompliancePermissions
include SecurityDashboardsPermissions
alias_method :vulnerable, :project
......
ee/app/controllers/projects/security/corpus_management_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class CorpusManagementController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action do
render_404 unless Feature.enabled?(:corpus_management, @project, default_enabled: :yaml)
authorize_read_coverage_fuzzing!
......
ee/app/controllers/projects/security/dashboard_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,7 @@
module Projects
module Security
class DashboardController < Projects::ApplicationController
include SecurityAndCompliancePermissions
include SecurityDashboardsPermissions
alias_method :vulnerable, :project
......
ee/app/controllers/projects/security/dast_profiles_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class DastProfilesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action do
authorize_read_on_demand_scans!
push_frontend_feature_flag(:security_on_demand_scans_site_validation, @project, default_enabled: :yaml)
......
ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class DastScannerProfilesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action :authorize_read_on_demand_scans!
feature_category :dynamic_application_security_testing
......
ee/app/controllers/projects/security/dast_site_profiles_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class DastSiteProfilesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action do
authorize_read_on_demand_scans!
push_frontend_feature_flag(:security_dast_site_profiles_additional_fields, @project, default_enabled: :yaml)
......
ee/app/controllers/projects/security/discover_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class DiscoverController < Projects::ApplicationController
include SecurityAndCompliancePermissions
feature_category :navigation
def show
......
ee/app/controllers/projects/security/network_policies_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class NetworkPoliciesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
POLLING_INTERVAL = 5_000
before_action :authorize_read_threat_monitoring!
......
ee/app/controllers/projects/security/sast_configuration_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,7 @@
module Projects
module Security
class SastConfigurationController < Projects::ApplicationController
include SecurityAndCompliancePermissions
include CreatesCommit
include SecurityDashboardsPermissions
......
ee/app/controllers/projects/security/scanned_resources_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class ScannedResourcesController < ::Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action :authorize_read_vulnerability!
before_action :scanned_resources
......
ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
View file @ 5a1517a5
......@@ -6,6 +6,7 @@ module Projects
class NotesController < Projects::ApplicationController
extend ::Gitlab::Utils::Override
include SecurityAndCompliancePermissions
include SecurityDashboardsPermissions
include NotesActions
include NotesHelper
......
ee/app/controllers/projects/security/vulnerabilities_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,7 @@
module Projects
module Security
class VulnerabilitiesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
include SecurityDashboardsPermissions
include IssuableActions
include RendersNotes
......
ee/app/controllers/projects/security/vulnerability_report_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,7 @@
module Projects
module Security
class VulnerabilityReportController < Projects::ApplicationController
include SecurityAndCompliancePermissions
include SecurityDashboardsPermissions
before_action do
......
ee/app/controllers/projects/security/waf_anomalies_controller.rb
View file @ 5a1517a5
......@@ -3,6 +3,8 @@
module Projects
module Security
class WafAnomaliesController < Projects::ApplicationController
include SecurityAndCompliancePermissions
POLLING_INTERVAL = 5_000
before_action :authorize_read_waf_anomalies!
......
ee/app/controllers/projects/threat_monitoring_controller.rb
View file @ 5a1517a5
......@@ -2,6 +2,8 @@
module Projects
class ThreatMonitoringController < Projects::ApplicationController
include SecurityAndCompliancePermissions
before_action :authorize_read_threat_monitoring!
before_action do
push_frontend_feature_flag(:threat_monitoring_alerts, project)
......
ee/spec/controllers/projects/dependencies_controller_spec.rb
View file @ 5a1517a5
......@@ -6,20 +6,23 @@ RSpec.describe Projects::DependenciesController do
describe 'GET #index' do
let_it_be(:developer) { create(:user) }
let_it_be(:guest) { create(:user) }
let_it_be(:project) { create(:project, :repository, :private) }
let(:params) { { namespace_id: project.namespace, project_id: project } }
before do
project.add_developer(developer)
project.add_guest(guest)
sign_in(user)
end
context 'with authorized user' do
let_it_be(:project) { create(:project, :repository, :public) }
before do
project.add_developer(developer)
project.add_guest(guest)
end
include_context '"Security & Compliance" permissions' do
let(:user) { developer }
let(:valid_request) { get :index, params: params }
end
context 'with authorized user' do
context 'when feature is available' do
before do
stub_licensed_features(dependency_scanning: true, license_scanning: true, security_dashboard: true)
......@@ -138,14 +141,6 @@ RSpec.describe Projects::DependenciesController do
expect(json_response['dependencies'].length).to eq(3)
end
end
context 'without authorized user to see vulnerabilities' do
let(:user) { guest }
it 'return vulnerable dependencies' do
expect(json_response['dependencies']).to be_empty
end
end
end
context 'with pagination params' do
......@@ -247,7 +242,6 @@ RSpec.describe Projects::DependenciesController do
end
context 'with unauthorized user' do
let(:project) { create(:project, :repository, :private) }
let(:user) { guest }
before do
......
ee/spec/controllers/projects/licenses_controller_spec.rb
View file @ 5a1517a5
......@@ -13,6 +13,14 @@ RSpec.describe Projects::LicensesController do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get :index, params: params }
before_request do
project.add_reporter(user)
end
end
context 'with authorized user' do
context 'when feature is available' do
before do
......@@ -347,6 +355,7 @@ RSpec.describe Projects::LicensesController do
end
describe "POST #create" do
let(:current_user) { create(:user) }
let(:project) { create(:project, :repository, :private) }
let(:mit_license) { create(:software_license, :mit) }
let(:default_params) do
......@@ -360,9 +369,16 @@ RSpec.describe Projects::LicensesController do
}
end
context "when authenticated" do
let(:current_user) { create(:user) }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { post :create, xhr: true, params: default_params }
before_request do
project.add_reporter(current_user)
sign_in(current_user)
end
end
context "when authenticated" do
before do
stub_licensed_features(license_scanning: true)
sign_in(current_user)
......@@ -465,6 +481,7 @@ RSpec.describe Projects::LicensesController do
end
describe "PATCH #update" do
let(:current_user) { create(:user) }
let(:project) { create(:project, :repository, :private) }
let(:software_license_policy) { create(:software_license_policy, project: project, software_license: mit_license) }
let(:mit_license) { create(:software_license, :mit) }
......@@ -478,9 +495,16 @@ RSpec.describe Projects::LicensesController do
}
end
context "when authenticated" do
let(:current_user) { create(:user) }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { post :create, xhr: true, params: default_params }
before_request do
project.add_reporter(current_user)
sign_in(current_user)
end
end
context "when authenticated" do
before do
stub_licensed_features(license_scanning: true)
sign_in(current_user)
......
ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
View file @ 5a1517a5
......@@ -8,14 +8,23 @@ RSpec.describe Projects::Security::ApiFuzzingConfigurationController do
let_it_be(:developer) { create(:user) }
let_it_be(:guest) { create(:user) }
subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
before_all do
group.add_developer(developer)
group.add_guest(guest)
end
describe 'GET #show' do
subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
stub_licensed_features(security_dashboard: true)
sign_in(developer)
end
end
describe 'GET #show' do
render_views
it_behaves_like SecurityDashboardsPermissions do
......
ee/spec/controllers/projects/security/configuration_controller_spec.rb
View file @ 5a1517a5
......@@ -3,8 +3,14 @@
require 'spec_helper'
RSpec.describe Projects::Security::ConfigurationController do
let(:group) { create(:group) }
let(:project) { create(:project, :repository, namespace: group) }
let_it_be(:group) { create(:group) }
let_it_be(:user) { create(:user) }
let_it_be_with_refind(:project) { create(:project, :repository, namespace: group) }
before do
stub_licensed_features(security_dashboard: true)
group.add_developer(user)
end
describe 'GET #show' do
using RSpec::Parameterized::TableSyntax
......@@ -34,6 +40,10 @@ RSpec.describe Projects::Security::ConfigurationController do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
end
it 'responds with the correct status' do
request
......@@ -134,7 +144,6 @@ RSpec.describe Projects::Security::ConfigurationController do
end
before do
stub_licensed_features(security_dashboard: true)
project.add_maintainer(maintainer)
project.add_developer(developer)
sign_in(user)
......
ee/spec/controllers/projects/security/dashboard_controller_spec.rb
View file @ 5a1517a5
......@@ -7,6 +7,19 @@ RSpec.describe Projects::Security::DashboardController do
let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
let_it_be(:user) { create(:user) }
before do
group.add_developer(user)
stub_licensed_features(security_dashboard: true)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get :index, params: { namespace_id: project.namespace, project_id: project } }
before_request do
sign_in(user)
end
end
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project }
......@@ -15,11 +28,6 @@ RSpec.describe Projects::Security::DashboardController do
end
end
before do
group.add_developer(user)
stub_licensed_features(security_dashboard: true)
end
describe 'GET #index' do
let(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }
......
ee/spec/controllers/projects/security/network_policies_controller_spec.rb
View file @ 5a1517a5
......@@ -54,10 +54,18 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
end
describe 'GET #summary' do
subject { get :summary, params: action_params, format: :json }
subject(:request) { get :summary, params: action_params, format: :json }
let_it_be(:kubernetes_namespace) { environment.deployment_namespace }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
group.add_developer(user)
end
end
context 'with authorized user' do
before do
group.add_developer(user)
......@@ -160,7 +168,15 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
end
describe 'GET #index' do
subject { get :index, params: action_params, format: :json }
subject(:request) { get :index, params: action_params, format: :json }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
group.add_developer(user)
end
end
context 'with authorized user' do
let(:service) { instance_double('NetworkPolicies::ResourcesService', execute: ServiceResponse.success(payload: [policy])) }
......@@ -198,7 +214,7 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
end
describe 'POST #create' do
subject { post :create, params: action_params.merge(manifest: manifest), format: :json }
subject(:request) { post :create, params: action_params.merge(manifest: manifest), format: :json }
let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
let(:policy) do
......@@ -210,6 +226,14 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
group.add_developer(user)
end
end
context 'with authorized user' do
before do
group.add_developer(user)
......@@ -240,7 +264,7 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
end
describe 'PUT #update' do
subject { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }
subject(:request) { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }
let(:enabled) { nil }
let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
......@@ -253,6 +277,14 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
group.add_developer(user)
end
end
context 'with authorized user' do
before do
group.add_developer(user)
......@@ -283,10 +315,18 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
end
describe 'DELETE #destroy' do
subject { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }
subject(:request) { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }
let(:service) { instance_double('NetworkPolicies::DeleteResourceService', execute: ServiceResponse.success) }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
group.add_developer(user)
end
end
context 'with authorized user' do
before do
group.add_developer(user)
......
ee/spec/controllers/projects/security/sast_configuration_controller_spec.rb
View file @ 5a1517a5
......@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Projects::Security::SastConfigurationController do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, namespace: group) }
let_it_be(:project) { create(:project, :repository, namespace: group) }
let_it_be(:developer) { create(:user) }
let_it_be(:guest) { create(:user) }
......@@ -13,11 +13,23 @@ RSpec.describe Projects::Security::SastConfigurationController do
group.add_guest(guest)
end
before do
stub_licensed_features(security_dashboard: true)
end
describe 'GET #show' do
subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
render_views
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
sign_in(developer)
end
end
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project }
let(:security_dashboard_action) { request }
......@@ -25,8 +37,6 @@ RSpec.describe Projects::Security::SastConfigurationController do
context 'with authorized user' do
before do
stub_licensed_features(security_dashboard: true)
sign_in(developer)
end
......@@ -58,8 +68,6 @@ RSpec.describe Projects::Security::SastConfigurationController do
context 'with unauthorized user' do
before do
stub_licensed_features(security_dashboard: true)
sign_in(guest)
end
......@@ -72,39 +80,38 @@ RSpec.describe Projects::Security::SastConfigurationController do
end
describe 'POST #create' do
let_it_be(:project) { create(:project, :repository, namespace: group) }
let(:params) do
{
namespace_id: project.namespace.to_param,
project_id: project.to_param,
sast_configuration: {
secure_analyzers_prefix: 'localhost:5000/analyzers',
sast_analyzer_image_tag: '1',
sast_excluded_paths: 'docs',
stage: 'security',
search_max_depth: 11
},
format: :json
}
end
before do
stub_licensed_features(security_dashboard: true)
subject(:request) { post :create, params: params, as: :json }
before do
sign_in(developer)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
end
context 'with valid params' do
it 'returns the new merge request url' do
params = {
secure_analyzers_prefix: 'localhost:5000/analyzers',
sast_analyzer_image_tag: '1',
sast_excluded_paths: 'docs',
stage: 'security',
search_max_depth: 11
}
create_sast_configuration user: developer, project: project, params: params
request
expect(json_response["message"]).to eq("success")
expect(json_response["filePath"]).to match(/#{Gitlab::Routing.url_helpers.project_new_merge_request_url(project, {})}(.*)description(.*)source_branch/)
end
end
end
def create_sast_configuration(user:, project:, params:)
post_params = {
namespace_id: project.namespace.to_param,
project_id: project.to_param,
sast_configuration: params,
format: :json
}
post :create, params: post_params, as: :json
end
end
ee/spec/controllers/projects/security/scanned_resources_controller_spec.rb
View file @ 5a1517a5
......@@ -16,13 +16,18 @@ RSpec.describe Projects::Security::ScannedResourcesController do
end
describe 'GET index' do
let(:subject) { get :index, params: action_params, format: :csv }
let(:parsed_csv_data) { CSV.parse(subject.body, headers: true) }
subject(:request) { get :index, params: action_params, format: :csv }
before do
project.add_developer(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
end
context 'when DAST security scan is found' do
before do
create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) do |job|
......
ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
View file @ 5a1517a5
......@@ -9,14 +9,6 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
let!(:note) { create(:note, noteable: vulnerability, project: project) }
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project }
let(:security_dashboard_action) do
get :index, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability }
end
end
before do
stub_licensed_features(security_dashboard: true)
end
......@@ -31,6 +23,15 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { view_all_notes }
end
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project }
let(:security_dashboard_action) { view_all_notes }
end
it 'responds with array of notes' do
view_all_notes
......@@ -63,6 +64,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { create_note }
end
context 'when note is empty' do
let(:note_params) { { note: '' } }
......@@ -156,6 +161,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { update_note }
end
context 'when user is not an author of the note' do
it 'returns status 404' do
update_note
......@@ -201,6 +210,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { delete_note }
end
context 'when user is not an author of the note' do
it 'does not delete the note' do
expect { delete_note }.not_to change { Note.count }
......@@ -229,6 +242,7 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
end
describe 'POST toggle_award_emoji' do
let(:emoji_name) { 'thumbsup' }
let(:request_params) do
{
id: note,
......@@ -246,7 +260,9 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
project.add_developer(user)
end
let(:emoji_name) { 'thumbsup' }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { toggle_award_emoji }
end
it 'creates the award emoji' do
expect { toggle_award_emoji }.to change { note.award_emoji.count }.by(1)
......
ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
View file @ 5a1517a5
......@@ -7,20 +7,22 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
let_it_be(:user) { create(:user) }
render_views
before do
group.add_developer(user)
stub_licensed_features(security_dashboard: true)
sign_in(user)
end
describe 'GET #show' do
let_it_be(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }
let_it_be(:vulnerability) { create(:vulnerability, project: project) }
render_views
subject(:show_vulnerability) { get :show, params: { namespace_id: project.namespace, project_id: project, id: vulnerability.id } }
def show_vulnerability
sign_in(user)
get :show, params: { namespace_id: project.namespace, project_id: project, id: vulnerability.id }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { show_vulnerability }
end
context "when there's an attached pipeline" do
......@@ -58,11 +60,10 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
let_it_be(:vulnerability) { create(:vulnerability, project: project, author: user) }
let_it_be(:discussion_note) { create(:discussion_note_on_vulnerability, noteable: vulnerability, project: vulnerability.project) }
render_views
subject(:show_vulnerability_discussion_list) { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: vulnerability } }
def show_vulnerability_discussion_list
sign_in(user)
get :discussions, params: { namespace_id: project.namespace, project_id: project, id: vulnerability }
include_context '"Security & Compliance" permissions' do
let(:valid_request) { show_vulnerability_discussion_list }
end
it 'renders discussions' do
......@@ -70,7 +71,6 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('entities/discussions')
expect(json_response.pluck('id')).to eq([discussion_note.discussion_id])
end
end
......
ee/spec/controllers/projects/security/vulnerability_report_controller_spec.rb
View file @ 5a1517a5
......@@ -7,6 +7,19 @@ RSpec.describe Projects::Security::VulnerabilityReportController do
let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
let_it_be(:user) { create(:user) }
before do
group.add_developer(user)
stub_licensed_features(security_dashboard: true)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get :index, params: { namespace_id: project.namespace, project_id: project } }
before_request do
sign_in(user)
end
end
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project }
......@@ -15,11 +28,6 @@ RSpec.describe Projects::Security::VulnerabilityReportController do
end
end
before do
group.add_developer(user)
stub_licensed_features(security_dashboard: true)
end
describe 'GET #index' do
let(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }
......
ee/spec/controllers/projects/security/waf_anomalies_controller_spec.rb
View file @ 5a1517a5
......@@ -15,7 +15,7 @@ RSpec.describe Projects::Security::WafAnomaliesController do
let(:es_client) { nil }
describe 'GET #summary' do
subject { get :summary, params: action_params, format: :json }
subject(:request) { get :summary, params: action_params, format: :json }
before do
stub_licensed_features(threat_monitoring: true)
......@@ -28,6 +28,14 @@ RSpec.describe Projects::Security::WafAnomaliesController do
end
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
group.add_developer(user)
end
end
context 'with authorized user' do
before do
group.add_developer(user)
......
ee/spec/features/projects/audit_events_spec.rb
View file @ 5a1517a5
......@@ -42,6 +42,10 @@ RSpec.describe 'Projects > Audit Events', :js do
allow(LicenseHelper).to receive(:show_promotions?).and_return(true)
end
include_context '"Security & Compliance" permissions' do
let(:response) { inspect_requests { visit project_audit_events_path(project) }.first }
end
it 'returns 200' do
reqs = inspect_requests do
visit project_audit_events_path(project)
......
ee/spec/features/promotion_spec.rb
View file @ 5a1517a5
......@@ -266,6 +266,10 @@ RSpec.describe 'Promotions', :js do
sign_in(user)
end
include_context '"Security & Compliance" permissions' do
let(:response) { inspect_requests { visit project_audit_events_path(project) }.first }
end
it 'appears on the page' do
visit project_audit_events_path(project)
......
ee/spec/requests/projects/on_demand_scans_controller_spec.rb
View file @ 5a1517a5
......@@ -9,6 +9,15 @@ RSpec.describe Projects::OnDemandScansController, type: :request do
let(:user) { create(:user) }
shared_examples 'on-demand scans page' do
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get path }
before_request do
project.add_developer(user)
login_as(user)
end
end
context 'feature available' do
before do
stub_licensed_features(security_on_demand_scans: true)
......
ee/spec/requests/projects/security/corpus_management_controller_spec.rb
View file @ 5a1517a5
......@@ -7,16 +7,24 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
let(:user) { create(:user) }
describe 'GET #show' do
context 'feature available' do
before do
stub_licensed_features(coverage_fuzzing: true)
before do
stub_licensed_features(coverage_fuzzing: true)
login_as(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get project_security_configuration_corpus_management_path(project) }
before_request do
project.add_developer(user)
end
end
context 'feature available' do
context 'user authorized' do
before do
project.add_developer(user)
login_as(user)
end
it 'can access page' do
......@@ -29,8 +37,6 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
context 'user not authorized' do
before do
project.add_guest(user)
login_as(user)
end
it 'sees a 404 error' do
......@@ -43,14 +49,13 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
context 'feature not available' do
before do
project.add_developer(user)
stub_licensed_features(coverage_fuzzing: false)
login_as(user)
project.add_developer(user)
end
context 'license doesnt\'t support the feature' do
it 'sees a 404 error' do
stub_licensed_features(coverage_fuzzing: false)
get project_security_configuration_corpus_management_path(project)
expect(response).to have_gitlab_http_status(:not_found)
......
ee/spec/requests/projects/security/dast_profiles_controller_spec.rb
View file @ 5a1517a5
......@@ -7,16 +7,24 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
let(:user) { create(:user) }
describe 'GET #index' do
context 'feature available' do
before do
stub_licensed_features(security_on_demand_scans: true)
before do
stub_licensed_features(security_on_demand_scans: true)
login_as(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get project_security_configuration_dast_profiles_path(project) }
before_request do
project.add_developer(user)
end
end
context 'feature available' do
context 'user authorized' do
before do
project.add_developer(user)
login_as(user)
end
it 'can access page' do
......@@ -29,8 +37,6 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
context 'user not authorized' do
before do
project.add_guest(user)
login_as(user)
end
it 'sees a 404 error' do
......@@ -43,14 +49,12 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
context 'feature not available' do
before do
stub_licensed_features(security_on_demand_scans: false)
project.add_developer(user)
login_as(user)
end
context 'license doesnt\'t support the feature' do
it 'sees a 404 error' do
stub_licensed_features(security_on_demand_scans: false)
get project_security_configuration_dast_profiles_path(project)
expect(response).to have_gitlab_http_status(:not_found)
......
ee/spec/requests/projects/security/dast_scanner_profiles_controller_spec.rb
View file @ 5a1517a5
......@@ -24,6 +24,15 @@ RSpec.describe Projects::Security::DastScannerProfilesController, type: :request
end
shared_examples 'a GET request' do
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get path }
before_request do
project.add_developer(user)
login_as(user)
end
end
context 'feature available' do
include_context 'on-demand scans feature available'
......
ee/spec/requests/projects/security/dast_site_profiles_controller_spec.rb
View file @ 5a1517a5
......@@ -17,6 +17,15 @@ RSpec.describe Projects::Security::DastSiteProfilesController, type: :request do
end
shared_examples 'a GET request' do
include_context '"Security & Compliance" permissions' do
let(:valid_request) { get path }
before_request do
with_feature_available
with_user_authorized
end
end
context 'feature available' do
before do
with_feature_available
......
ee/spec/requests/projects/security/scanned_resources_controller_spec.rb
View file @ 5a1517a5
......@@ -12,7 +12,7 @@ RSpec.describe Projects::Security::ScannedResourcesController, type: :request do
let_it_be(:pipeline_id) { pipeline.id }
let(:parsed_csv_data) { CSV.parse(response.body, headers: true) }
subject { get project_security_scanned_resources_path(project, :csv, pipeline_id: pipeline_id) }
subject(:request) { get project_security_scanned_resources_path(project, :csv, pipeline_id: pipeline_id) }
before do
stub_licensed_features(dast: true, security_dashboard: true)
......@@ -20,6 +20,14 @@ RSpec.describe Projects::Security::ScannedResourcesController, type: :request do
login_as(user)
end
include_context '"Security & Compliance" permissions' do
let(:valid_request) { request }
before_request do
project.add_developer(user)
end
end
shared_examples 'returns a 404' do
it 'will return a 404' do
subject
......
ee/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb 0 → 100644
View file @ 5a1517a5
# frozen_string_literal: true
RSpec.shared_context '"Security & Compliance" permissions' do
let(:project_instance) { an_instance_of(Project) }
let(:user_instance) { an_instance_of(User) }
let(:before_request_defined) { false }
let(:valid_request) {}
def self.before_request(&block)
return unless block
let(:before_request_call) { instance_exec(&block) }
let(:before_request_defined) { true }
end
before do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(true)
end
context 'when the "Security & Compliance" feature is disabled' do
subject { response }
before do
before_request_call if before_request_defined
allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(false)
valid_request
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end
end
spec/controllers/projects/security/configuration_controller_spec.rb
View file @ 5a1517a5
......@@ -7,6 +7,8 @@ RSpec.describe Projects::Security::ConfigurationController do
let(:user) { create(:user) }
before do
allow(controller).to receive(:ensure_security_and_compliance_enabled!)
sign_in(user)
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7