Commit 6df7d53e authored by Jan Provaznik's avatar Jan Provaznik

Merge branch '321258-remove-orchestration-feature-flag' into 'master'

Remove orchestration policies feature flag

See merge request gitlab-org/gitlab!71516
parents 8a3cfdd5 15feca4c
---
name: security_orchestration_policies_configuration
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54220
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321258
milestone: '13.9'
type: development
group: group::container security
default_enabled: true
......@@ -6,13 +6,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Policies **(ULTIMATE)**
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10. Deployed behind a feature flag, disabled by default.
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5329) in GitLab Ultimate 13.10 with a [feature flag](../../../administration/feature_flags.md) named `security_orchestration_policies_configuration`. Disabled by default.
> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 14.3.
FLAG:
On self-managed GitLab, by default this feature is available. To hide the feature,
ask an administrator to [disable the `security_orchestration_policies_configuration` flag](../../../administration/feature_flags.md).
On GitLab.com, this feature is available.
> - [Feature flag `security_orchestration_policies_configuration` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/321258) in GitLab 14.4.
Policies in GitLab provide security teams a way to require scans of their choice to be run
whenever a project pipeline runs according to the configuration specified. Security teams can
......
......@@ -8,11 +8,6 @@ module Projects
before_action :authorize_security_orchestration_policies!
before_action :validate_policy_configuration, only: :edit
before_action do
push_frontend_feature_flag(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
check_feature_flag!
end
feature_category :security_orchestration
def index
......@@ -89,10 +84,6 @@ module Projects
def policy_configuration
@policy_configuration ||= project.security_orchestration_policy_configuration
end
def check_feature_flag!
render_404 if Feature.disabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
end
end
end
......@@ -23,7 +23,6 @@ module Mutations
def resolve(args)
project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
policy_project = find_policy_project(args[:security_policy_project_id])
raise_resource_not_available_error! unless policy_project.present?
......@@ -43,10 +42,6 @@ module Mutations
::Gitlab::Graphql::Lazy.force(GitlabSchema.object_from_id(id, expected_type: Project))
end
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def assign_project(project, policy_project)
::Security::Orchestration::AssignService
.new(project, current_user, policy_project_id: policy_project.id)
......
......@@ -31,7 +31,6 @@ module Mutations
def resolve(args)
project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
result = commit_policy(project, args[:policy_yaml], args[:operation_mode])
error_message = result[:status] == :error ? result[:message] : nil
......@@ -44,10 +43,6 @@ module Mutations
private
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def commit_policy(project, policy_yaml, operation_mode)
::Security::SecurityOrchestrationPolicies::PolicyCommitService
.new(project: project, current_user: current_user, params: { policy_yaml: policy_yaml, operation: Types::MutationOperationModeEnum.enum.key(operation_mode).to_sym })
......
......@@ -21,7 +21,6 @@ module Mutations
def resolve(args)
project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
result = create_project(project)
......@@ -35,10 +34,6 @@ module Mutations
private
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def create_project(project)
::Security::SecurityOrchestrationPolicies::ProjectCreateService
.new(project: project, current_user: current_user)
......
......@@ -10,7 +10,7 @@ module Resolvers
alias_method :project, :object
def resolve(**args)
return [] unless enabled_and_valid?
return [] unless valid?
authorize!
......@@ -37,8 +37,8 @@ module Resolvers
@policy_configuration ||= project.security_orchestration_policy_configuration
end
def enabled_and_valid?
policy_configuration.present? && policy_configuration.enabled? && policy_configuration.policy_configuration_valid?
def valid?
policy_configuration.present? && policy_configuration.policy_configuration_valid?
end
end
end
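Review bot: `resolve` still evaluates `valid?` before `authorize!`, so a caller who is not permitted to read policies receives `[]` when the project has no valid policy configuration and a `ResourceNotAvailable` error only when it has one, which is a small oracle for whether a policy project is attached, and `policy_configuration_valid?` (which presumably reads the policy file out of the policy project) runs on behalf of a caller who has not yet been authorized. The ordering predates this commit, but with the feature-flag exit removed `valid?` is now the only pre-authorization return, so this is the moment to swap the two lines: `authorize!` then `return [] unless valid?`. As far as I can see that would not conflict with the remaining `raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)` expectation in the resolver spec, though that context's setup is outside this diff. `resolve`'s body continues past the first hunk.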
......@@ -26,8 +26,6 @@ module Security
end
def active_scan_execution_policies
return [] unless enabled?
scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT)
end
......
......@@ -28,10 +28,6 @@ module Security
self.exists?(security_policy_management_project_id: project_id)
end
def enabled?
::Feature.enabled?(:security_orchestration_policies_configuration, project, default_enabled: :yaml)
end
def policy_hash
strong_memoize(:policy_hash) do
next if policy_blob.blank?
......
......@@ -65,8 +65,6 @@ module EE
return unless security_policy_target_project_id.present?
if (security_policy_target_project = ::Project.find(security_policy_target_project_id))
return unless ::Feature.enabled?(:security_orchestration_policies_configuration, security_policy_target_project, default_enabled: :yaml)
::Security::Orchestration::AssignService
.new(security_policy_target_project, current_user, policy_project_id: project.id)
.execute
......
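Review bot: With the flag gate gone, the only check left between `security_policy_target_project_id` and `AssignService` in this hunk is the `if` around `::Project.find`, and `find` raises `ActiveRecord::RecordNotFound` for an unknown id instead of returning `nil`, so the conditional never takes its false branch; `find_by(id: security_policy_target_project_id)` would match the guard's intent, or the `if` can be dropped and the exception left to propagate. Nothing visible here verifies that `current_user` may attach a policy project to the target project, so that authorization has to live inside `::Security::Orchestration::AssignService`; worth confirming, since `security_policy_target_project_id` presumably arrives with the project-creation params. Both points predate this commit, but the removed line was the last gate in front of the call. The enclosing method starts before the hunk.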
......@@ -20,8 +20,6 @@ module Security
attr_reader :policy_configuration, :policy_index, :policy
def create_new_schedule_rules
return unless policy_configuration.enabled?
policy[:rules].each_with_index do |rule, rule_index|
next if rule[:type] != Security::ScanExecutionPolicy::RULE_TYPES[:schedule]
......
......@@ -13,7 +13,7 @@ module EE
override :perform!
def perform!
return unless project&.feature_available?(:security_orchestration_policies)
return unless security_orchestration_policy_configuration&.enabled?
return unless security_orchestration_policy_configuration
if !security_orchestration_policy_configuration.policy_configuration_exists?
warning(_('scan-execution-policy: policy not applied, %{policy_path} file is missing') % { policy_path: ::Security::OrchestrationPolicyConfiguration::POLICY_PATH })
......
......@@ -143,8 +143,7 @@ module EE
end
def scan_policies_menu_item
if ::Feature.disabled?(:security_orchestration_policies_configuration, context.project, default_enabled: :yaml) ||
!can?(context.current_user, :security_orchestration_policies, context.project)
unless can?(context.current_user, :security_orchestration_policies, context.project)
return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
end
......
......@@ -15,8 +15,7 @@ module Gitlab
def perform
return @config unless project&.feature_available?(:security_orchestration_policies)
return @config unless security_orchestration_policy_configuration&.enabled?
return @config unless security_orchestration_policy_configuration.policy_configuration_valid?
return @config unless security_orchestration_policy_configuration&.policy_configuration_valid?
return @config unless extend_configuration?
merged_config = @config
......
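Review bot: The new guard `return @config unless security_orchestration_policy_configuration&.policy_configuration_valid?` fails open: a project whose policy configuration exists but is malformed gets its pipeline config back unmodified, so the scans the policy was meant to require are silently not injected. That behaviour is pre-existing rather than introduced here, but the flag removal makes it the production path for every licensed project, so I would confirm that the `Validate::SecurityOrchestrationPolicy` chain step surfaces a warning for the invalid-configuration case as it does for the missing file (the `policy not applied, … file is missing` warning is the only one visible in this diff). If it does, a comment above the guard such as `# Malformed policy config is skipped here; the Validate chain step reports it to the user` records that contract for the next reader. `perform`'s body continues past the hunk.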
......@@ -16,10 +16,9 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
subject { mutation.resolve(project_path: project.full_path, security_policy_project_id: policy_project_id) }
context 'when feature is enabled and permission is set for user' do
context 'when permission is set for user' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when user is an owner of the project' do
......@@ -53,17 +52,6 @@ RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
end
end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when feature is not licensed' do
before do
stub_licensed_features(security_orchestration_policies: false)
......
......@@ -14,12 +14,11 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }
context 'when feature is enabled and permission is set for user' do
context 'when permission is set for user' do
before do
project.add_maintainer(user)
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end
it 'returns branch name' do
......@@ -30,17 +29,6 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
end
end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when permission is not enabled' do
before do
stub_licensed_features(security_orchestration_policies: false)
......
......@@ -13,10 +13,9 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do
subject { mutation.resolve(project_path: project.full_path) }
context 'when feature is enabled and permission is set for user' do
context 'when permission is set for user' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when user is an owner of the project' do
......@@ -43,17 +42,6 @@ RSpec.describe Mutations::SecurityPolicy::CreateSecurityPolicyProject do
end
end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when feature is not licensed' do
before do
stub_licensed_features(security_orchestration_policies: false)
......
......@@ -62,16 +62,6 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
expect { resolve_scan_policies }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when feature flag is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'returns empty list' do
expect(resolve_scan_policies).to eq([])
end
end
end
end
end
......@@ -67,21 +67,6 @@ RSpec.describe Gitlab::Ci::Config do
stub_licensed_features(security_orchestration_policies: true)
end
context 'when feature is not enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
end
end
context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when policy is not applicable on branch from the pipeline' do
it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
......@@ -143,5 +128,4 @@ RSpec.describe Gitlab::Ci::Config do
end
end
end
end
end
......@@ -54,23 +54,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::SecurityOrchestrationPolic
stub_licensed_features(security_orchestration_policies: true)
end
context 'when policy is disabled' do
before do
allow(security_orchestration_policy_configuration).to receive(:enabled?).and_return(false)
end
it 'does not return warning' do
step.perform!
expect(warning_messages).to be_empty
end
end
context 'when policy is enabled' do
before do
allow(security_orchestration_policy_configuration).to receive(:enabled?).and_return(true)
end
context 'when policy file is missing' do
before do
allow(security_orchestration_policy_configuration).to receive(:policy_configuration_exists?).and_return(false)
......@@ -114,5 +97,4 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::SecurityOrchestrationPolic
end
end
end
end
end
......@@ -196,9 +196,7 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
describe 'Policies' do
let(:item_id) { :scan_policies }
context 'when feature flag :security_orchestration_policies_configuration is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
stub_licensed_features(security_orchestration_policies: true)
end
......@@ -213,15 +211,6 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
end
end
context 'when feature flag :security_orchestration_policies_configuration is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it { is_expected.to be_nil }
end
end
describe 'Audit Events' do
let(:item_id) { :audit_events }
......
......@@ -68,21 +68,6 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
stub_licensed_features(security_orchestration_policies: true)
end
context 'when feature is not enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not modify the config' do
expect(subject).to eq(config)
end
end
context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when policy is not applicable on branch from the pipeline' do
it 'does not modify the config' do
expect(subject).to eq(config)
......@@ -183,5 +168,4 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
end
end
end
end
end
......@@ -81,26 +81,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end
end
describe '#enabled?' do
subject { security_orchestration_policy_configuration.enabled? }
context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
it { is_expected.to eq(true) }
end
context 'when feature is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it { is_expected.to eq(false) }
end
end
describe '#policy_configuration_exists?' do
subject { security_orchestration_policy_configuration.policy_configuration_exists? }
......@@ -216,16 +196,6 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
it 'returns only enabled policies' do
expect(active_scan_execution_policies).to eq(expected_active_policies)
end
context 'when feature is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'returns empty array' do
expect(active_scan_execution_policies).to eq([])
end
end
end
describe '#on_demand_scan_actions' do
......
......@@ -25,21 +25,6 @@ RSpec.describe 'Create scan execution policy for a project' do
graphql_mutation_response(:scan_execution_policy_commit)
end
context 'when feature is disabled' do
before do
project.add_maintainer(current_user)
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not create branch' do
post_graphql_mutation(mutation, current_user: current_user)
expect(graphql_errors).to include(a_hash_including('message' => 'Feature disabled'))
end
end
context 'when security_orchestration_policies_configuration already exists for project' do
let_it_be(:security_policy_management_project) { create(:project, :repository, namespace: current_user.namespace) }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: security_policy_management_project) }
......@@ -49,7 +34,6 @@ RSpec.describe 'Create scan execution policy for a project' do
security_policy_management_project.add_developer(current_user)
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end
it 'creates a branch with commit' do
......
......@@ -13,13 +13,11 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
let_it_be(:index) { project_security_policies_url(project) }
let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }
let_it_be(:new) { new_project_security_policy_url(project) }
let_it_be(:feature_enabled) { true }
before do
project.add_developer(user)
sign_in(user)
stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
stub_licensed_features(security_orchestration_policies: feature_enabled)
allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
......@@ -205,18 +203,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
describe 'GET #new' do
using RSpec::Parameterized::TableSyntax
where(:feature_flag, :license, :status) do
true | true | :ok
false | false | :not_found
false | true | :not_found
true | false | :not_found
where(:license, :status) do
true | :ok
false | :not_found
end
subject(:request) { get new, params: { namespace_id: project.namespace, project_id: project } }
with_them do
before do
stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
stub_licensed_features(security_orchestration_policies: license)
end
......@@ -231,18 +226,15 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
describe 'GET #index' do
using RSpec::Parameterized::TableSyntax
where(:feature_flag, :license, :status) do
true | true | :ok
false | false | :not_found
false | true | :not_found
true | false | :not_found
where(:license, :status) do
true | :ok
false | :not_found
end
subject(:request) { get index, params: { namespace_id: project.namespace, project_id: project } }
with_them do
before do
stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
stub_licensed_features(security_orchestration_policies: license)
end
......
......@@ -363,13 +363,9 @@ RSpec.describe Projects::CreateService, '#execute' do
before do
opts[:security_policy_target_project_id] = security_policy_target_project.id
stub_licensed_features(security_orchestration_policies: feature_enabled)
stub_feature_flags(security_orchestration_policies_configuration: feature_enabled)
stub_licensed_features(security_orchestration_policies: true)
end
context 'when feature flag is enabled globally' do
let_it_be(:feature_enabled) { true }
it 'creates security policy configuration for the project' do
expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
......@@ -377,27 +373,6 @@ RSpec.describe Projects::CreateService, '#execute' do
end
end
context 'when feature flag is disabled globally' do
let_it_be(:feature_enabled) { false }
it 'does not create security policy configuration' do
expect(::Security::Orchestration::AssignService).not_to receive(:new)
create_project(user, opts)
end
end
context 'when feature flag is enabled only for target project' do
let_it_be(:feature_enabled) { security_policy_target_project }
it 'creates security policy configuration' do
expect(::Security::Orchestration::AssignService).to receive_message_chain(:new, :execute)
create_project(user, opts)
end
end
end
def create_project(user, opts)
described_class.new(user, opts).execute
end
......
......@@ -27,7 +27,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
allow(policy_configuration).to receive(:policy_last_updated_by).and_return(owner)
end
context 'when security_orchestration_policies_configuration feature is enabled and policy is scheduled' do
context 'when security_orchestration_policies_configuration policy is scheduled' do
it 'creates new schedule' do
service.execute
......@@ -40,17 +40,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
end
end
context 'when security_orchestration_policies_configuration feature is disabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'deletes schedules' do
expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1)
expect(policy_configuration.configured_at).not_to be_nil
end
end
context 'when policy is not of type scheduled' do
let(:policy) { build(:scan_execution_policy) }
......
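Review bot: The renamed context on the new side, `context 'when security_orchestration_policies_configuration policy is scheduled'`, still carries the removed flag's name and reads like a partial edit of the old description. `context 'when policy is scheduled'` states what the example checks. The example body runs past the hunk.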
......@@ -7,7 +7,6 @@ RSpec.describe "projects/security/policies/index", type: :view do
let(:project) { create(:project) }
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
sign_in(user)
render template: 'projects/security/policies/index', locals: { project: project }
end
......