Implement endpoint to create group-level vulnerability export

This commit also changes the API docs.

Implement endpoint to create group-level vulnerability export
This commit also changes the API docs.
7b89293e · Mehmet Emin INAC · 79110987 · 7b89293e · 7b89293e · 7b89293e
Commit 7b89293e authored May 13, 2020 by Mehmet Emin INAC
3 changed files
--- a/doc/api/vulnerability_exports.md
+++ b/doc/api/vulnerability_exports.md
@@ -42,7 +42,7 @@ POST /security/projects/:id/vulnerability_exports
 curl --header POST "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/security/projects/1/vulnerability_exports
 ```

-The created vulnerability export will be automatically deleted after 1 hour.
+The created vulnerability export is automatically deleted after 1 hour.

 Example response:

@@ -62,6 +62,51 @@ Example response:
 }
 ```

+## Create a group-level vulnerability export
+
+Creates a new vulnerability export for a group.
+
+Vulnerability export permissions inherit permissions from their group. If a group is
+private and a user isn't a member of the group to which the vulnerability
+belongs, requests to that group return a `404 Not Found` status code.
+Vulnerability exports can be only accessed by the export's author.
+
+If an authenticated user doesn't have permission to
+[create a new vulnerability](../user/permissions.md#group-members-permissions),
+this request results in a `403` status code.
+
+```plaintext
+POST /security/groups/:id/vulnerability_exports
+```
+
+| Attribute           | Type              | Required   | Description                                                                                                                  |
+| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
+| `id`                | integer or string | yes        | The ID or [URL-encoded path](README.md#namespaced-path-encoding) of the group which the authenticated user is a member of |
+
+```shell
+curl --header POST "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/security/groups/1/vulnerability_exports
+```
+
+The created vulnerability export is automatically deleted after 1 hour.
+
+Example response:
+
+```json
+{
+  "id": 2,
+  "created_at": "2020-03-30T09:35:38.746Z",
+  "project_id": null,
+  "format": "csv",
+  "status": "created",
+  "started_at": null,
+  "finished_at": null,
+  "_links": {
+    "self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
+    "download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
+  }
+}
+```
+
 ## Create an instance-level vulnerability export

 Creates a new vulnerability export for the projects of the user selected in the Security Dashboard.

--- a/ee/lib/api/vulnerability_exports.rb
+++ b/ee/lib/api/vulnerability_exports.rb
@@ -38,7 +38,7 @@ module API
                   default: ::Vulnerabilities::Export.formats.each_key.first,
                   values: ::Vulnerabilities::Export.formats.keys
        end
-        desc 'Generate an export of project vulnerability findings' do
+        desc 'Generate a project-level export' do
          success EE::API::Entities::VulnerabilityExport
        end

@@ -53,6 +53,28 @@ module API
        end
      end

+      resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+        params do
+          requires :id, type: String, desc: 'The ID of a group'
+          optional :export_format, type: String, desc: 'The format of export to be generated',
+                   default: ::Vulnerabilities::Export.formats.each_key.first,
+                   values: ::Vulnerabilities::Export.formats.keys
+        end
+        desc 'Generate a group-level export' do
+          success EE::API::Entities::VulnerabilityExport
+        end
+
+        before do
+          not_found! unless Feature.enabled?(:first_class_vulnerabilities, user_group, default_enabled: true)
+        end
+
+        post ':id/vulnerability_exports' do
+          authorize! :create_vulnerability_export, user_group
+
+          process_create_request_for(user_group)
+        end
+      end
+
      namespace do
        before do
          not_found! unless Feature.enabled?(:first_class_vulnerabilities, default_enabled: true)
@@ -63,7 +85,7 @@ module API
                   default: ::Vulnerabilities::Export.formats.each_key.first,
                   values: ::Vulnerabilities::Export.formats.keys
        end
-        desc 'Generate an instance level export' do
+        desc 'Generate an instance-level export' do
          success EE::API::Entities::VulnerabilityExport
        end
        post 'vulnerability_exports' do
@@ -73,7 +95,7 @@ module API
        end
      end

-      desc 'Get single project vulnerability export' do
+      desc 'Get a single vulnerability export' do
        success EE::API::Entities::VulnerabilityExport
      end
      get 'vulnerability_exports/:id' do
@@ -88,7 +110,7 @@ module API
                with: EE::API::Entities::VulnerabilityExport
      end

-      desc 'Download single project vulnerability export'
+      desc 'Download a single vulnerability export'
      get 'vulnerability_exports/:id/download' do
        authorize! :read_vulnerability_export, vulnerability_export


--- a/ee/spec/requests/api/vulnerability_exports_spec.rb
+++ b/ee/spec/requests/api/vulnerability_exports_spec.rb
@@ -71,6 +71,70 @@ describe API::VulnerabilityExports do
    end
  end

+  describe 'POST /security/groups/:id/vulnerability_exports' do
+    let_it_be(:group) { create(:group) }
+
+    let(:format) { 'csv' }
+    let(:request_path) { "/security/groups/#{group.id}/vulnerability_exports" }
+
+    subject(:create_vulnerability_export) { post api(request_path, user), params: { export_format: format } }
+
+    context 'when the request does not fulfill the requirements' do
+      let(:format) { 'exif' }
+
+      it 'responds with bad_request' do
+        create_vulnerability_export
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(json_response).to eq('error' => 'export_format does not have a valid value')
+      end
+    end
+
+    context 'when the request fulfills the requirements' do
+      context 'when the user is not authorized to take the action' do
+        it 'responds with 403 forbidden' do
+          create_vulnerability_export
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      context 'when the user is authorized to take the action' do
+        let(:mock_service_object) { instance_double(VulnerabilityExports::CreateService, execute: vulnerability_export) }
+
+        before do
+          allow(VulnerabilityExports::CreateService).to receive(:new).and_return(mock_service_object)
+          group.add_developer(user)
+        end
+
+        context 'when the export creation succeeds' do
+          let(:vulnerability_export) { create(:vulnerability_export) }
+
+          it 'returns information about new vulnerability export' do
+            create_vulnerability_export
+
+            expect(response).to have_gitlab_http_status(:created)
+            expect(response).to match_response_schema('public_api/v4/vulnerability_export', dir: 'ee')
+          end
+        end
+
+        context 'when the export creation fails' do
+          let(:errors) { instance_double(ActiveModel::Errors, any?: true, messages: ['foo']) }
+          let(:vulnerability_export) { instance_double(Vulnerabilities::Export, persisted?: false, errors: errors) }
+
+          it 'returns the error message' do
+            create_vulnerability_export
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+            expect(json_response).to eq('message' => ['foo'])
+          end
+        end
+      end
+    end
+
+    it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features'
+  end
+
  describe 'POST /security/vulnerability_exports' do
    let(:format) { 'csv' }
    let(:request_path) { "/security/vulnerability_exports" }