Commit 8b396589 authored by Kerri Miller's avatar Kerri Miller

Merge branch 'remove-secure_security_and_compliance_configuration_page_on_ce-flag' into 'master'

Remove security & compliance config page feature flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!56219
parents a291193c ed3074d8
...@@ -84,11 +84,6 @@ export default { ...@@ -84,11 +84,6 @@ export default {
required: false, required: false,
default: false, default: false,
}, },
securityAndComplianceAvailable: {
type: Boolean,
required: false,
default: false,
},
visibilityHelpPath: { visibilityHelpPath: {
type: String, type: String,
required: false, required: false,
...@@ -595,7 +590,6 @@ export default { ...@@ -595,7 +590,6 @@ export default {
/> />
</project-setting-row> </project-setting-row>
<project-setting-row <project-setting-row
v-if="securityAndComplianceAvailable"
:label="s__('ProjectSettings|Security & Compliance')" :label="s__('ProjectSettings|Security & Compliance')"
:help-text="s__('ProjectSettings|Security & Compliance for this project')" :help-text="s__('ProjectSettings|Security & Compliance for this project')"
> >
......
...@@ -8,16 +8,8 @@ module Projects ...@@ -8,16 +8,8 @@ module Projects
feature_category :static_application_security_testing feature_category :static_application_security_testing
def show def show
return render_404 unless feature_enabled?
render_403 unless can?(current_user, :read_security_configuration, project) render_403 unless can?(current_user, :read_security_configuration, project)
end end
private
def feature_enabled?
::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @project, default_enabled: :yaml)
end
end end
end end
end end
......
...@@ -379,13 +379,8 @@ module ProjectsHelper ...@@ -379,13 +379,8 @@ module ProjectsHelper
private private
def can_read_security_configuration?(project, current_user) def can_read_security_configuration?(project, current_user)
show_security_and_compliance_config? && can?(current_user, :access_security_and_compliance, project) &&
can?(current_user, :access_security_and_compliance, project) && can?(current_user, :read_security_configuration, project)
can?(current_user, :read_security_configuration, project)
end
def show_security_and_compliance_config?
::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @subject, default_enabled: :yaml)
end end
def get_project_security_nav_tabs(project, current_user) def get_project_security_nav_tabs(project, current_user)
...@@ -674,13 +669,10 @@ module ProjectsHelper ...@@ -674,13 +669,10 @@ module ProjectsHelper
pagesAvailable: Gitlab.config.pages.enabled, pagesAvailable: Gitlab.config.pages.enabled,
pagesAccessControlEnabled: Gitlab.config.pages.access_control, pagesAccessControlEnabled: Gitlab.config.pages.access_control,
pagesAccessControlForced: ::Gitlab::Pages.access_control_is_forced?, pagesAccessControlForced: ::Gitlab::Pages.access_control_is_forced?,
pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control'), pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control')
securityAndComplianceAvailable: show_security_and_compliance_toggle?
} }
end end
alias_method :show_security_and_compliance_toggle?, :show_security_and_compliance_config?
def project_permissions_panel_data_json(project) def project_permissions_panel_data_json(project)
project_permissions_panel_data(project).to_json.html_safe project_permissions_panel_data(project).to_json.html_safe
end end
......
---
title: Remove security & compliance config page feature flag
merge_request: 56219
author:
type: changed
---
name: secure_security_and_compliance_configuration_page_on_ce
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50282
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/294076
milestone: '13.9'
type: development
group: group::static analysis
default_enabled: false
...@@ -10,12 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -10,12 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)**
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)** > - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)** > - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9. **(FREE)** > - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9.
> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
> - It's enabled on GitLab.com.
> - It's recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [enable it](#enable-or-disable-security-configuration). **(FREE SELF)**
> - It can be enabled or disabled for a single project.
WARNING: WARNING:
This feature might not be available to you. Check the **version history** note above for details. This feature might not be available to you. Check the **version history** note above for details.
...@@ -54,25 +49,3 @@ You can configure the following security controls: ...@@ -54,25 +49,3 @@ You can configure the following security controls:
- Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui). - Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- DAST Profiles - DAST Profiles
- Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans). - Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
### Enable or disable Security Configuration **(FREE SELF)**
Security Configuration is under development but ready for production use.
It is deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can opt to enable it.
NOTE:
This does not apply to GitLab Ultimate.
To enable it:
```ruby
Feature.enable(:secure_security_and_compliance_configuration_page_on_ce)
```
To disable it:
```ruby
Feature.disable(:secure_security_and_compliance_configuration_page_on_ce)
```
...@@ -82,11 +82,6 @@ module EE ...@@ -82,11 +82,6 @@ module EE
panel_data panel_data
end end
override :show_security_and_compliance_toggle?
def show_security_and_compliance_toggle?
super || show_audit_events?(@project)
end
override :default_url_to_repo override :default_url_to_repo
def default_url_to_repo(project = @project) def default_url_to_repo(project = @project)
case default_clone_protocol case default_clone_protocol
......
...@@ -21,21 +21,16 @@ RSpec.describe Projects::Security::ConfigurationController do ...@@ -21,21 +21,16 @@ RSpec.describe Projects::Security::ConfigurationController do
render_views render_views
where(:user_role, :security_dashboard_enabled, :ce_flag_enabled, :status, :selector) do where(:user_role, :security_dashboard_enabled, :status, :selector) do
:guest | false | false | :not_found | nil :guest | false | :forbidden | nil
:guest | false | true | :forbidden | nil :guest | true | :forbidden | nil
:guest | true | false | :not_found | nil :developer | false | :ok | '#js-security-configuration-static'
:guest | true | true | :forbidden | nil :developer | true | :ok | '#js-security-configuration'
:developer | false | false | :not_found | nil
:developer | false | true | :ok | '#js-security-configuration-static'
:developer | true | false | :ok | '#js-security-configuration'
:developer | true | true | :ok | '#js-security-configuration'
end end
with_them do with_them do
before do before do
stub_licensed_features(security_dashboard: security_dashboard_enabled) stub_licensed_features(security_dashboard: security_dashboard_enabled)
stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: ce_flag_enabled)
group.send("add_#{user_role}", user) group.send("add_#{user_role}", user)
sign_in(user) sign_in(user)
end end
...@@ -57,73 +52,59 @@ RSpec.describe Projects::Security::ConfigurationController do ...@@ -57,73 +52,59 @@ RSpec.describe Projects::Security::ConfigurationController do
end end
context 'with developer and security dashboard feature enabled' do context 'with developer and security dashboard feature enabled' do
let(:flag) { :secure_security_and_compliance_configuration_page_on_ce } before do
stub_licensed_features(security_dashboard: true)
# The tests in this context should be unaffected by this feature flag,
# and should behave identically whether this is enabled or disabled. group.add_developer(user)
where(:flag_enabled) do sign_in(user)
[
[true],
[false]
]
end end
with_them do it 'responds in json format when requested' do
before do get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
stub_feature_flags(flag => flag_enabled)
stub_licensed_features(security_dashboard: true)
group.add_developer(user) types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
sign_in(user)
end
it 'responds in json format when requested' do expect(response).to have_gitlab_http_status(:ok)
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json } expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
end
types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing) it "renders data on the project's security configuration" do
request
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types) expect(response).to render_template(:show)
expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true }) expect(response.body).to have_css(
'div#js-security-configuration'\
"[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
"[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
"[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
)
end
context 'when the latest pipeline used Auto DevOps' do
let!(:pipeline) do
create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
end end
it "renders data on the project's security configuration" do it 'reports that Auto DevOps is enabled' do
request request
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show)
expect(response.body).to have_css( expect(response.body).to have_css(
'div#js-security-configuration'\ 'div#js-security-configuration'\
'[data-auto-devops-enabled]'\
"[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\ "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
"[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\ "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
"[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]" "[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
) )
end end
context 'when the latest pipeline used Auto DevOps' do
let!(:pipeline) do
create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
end
it 'reports that Auto DevOps is enabled' do
request
expect(response).to have_gitlab_http_status(:ok)
expect(response.body).to have_css(
'div#js-security-configuration'\
'[data-auto-devops-enabled]'\
"[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
"[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
"[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
)
end
end
end end
end end
end end
......
...@@ -604,7 +604,7 @@ RSpec.describe ProjectsHelper do ...@@ -604,7 +604,7 @@ RSpec.describe ProjectsHelper do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
let(:user) { instance_double(User, admin?: false) } let(:user) { instance_double(User, admin?: false) }
let(:expected_data) { { requirementsAvailable: false, securityAndComplianceAvailable: true } } let(:expected_data) { { requirementsAvailable: false } }
subject { helper.project_permissions_panel_data(project) } subject { helper.project_permissions_panel_data(project) }
......
...@@ -13,42 +13,28 @@ RSpec.describe Projects::Security::ConfigurationController do ...@@ -13,42 +13,28 @@ RSpec.describe Projects::Security::ConfigurationController do
end end
describe 'GET show' do describe 'GET show' do
context 'when feature flag is disabled' do context 'when user has guest access' do
before do before do
stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: false) project.add_guest(user)
end end
it 'renders not found' do it 'denies access' do
get :show, params: { namespace_id: project.namespace, project_id: project } get :show, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
context 'when feature flag is enabled' do context 'when user has developer access' do
context 'when user has guest access' do before do
before do project.add_developer(user)
project.add_guest(user)
end
it 'denies access' do
get :show, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:forbidden)
end
end end
context 'when user has developer access' do it 'grants access' do
before do get :show, params: { namespace_id: project.namespace, project_id: project }
project.add_developer(user)
end
it 'grants access' do
get :show, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show) expect(response).to render_template(:show)
end
end end
end end
end end
......
...@@ -401,40 +401,20 @@ RSpec.describe ProjectsHelper do ...@@ -401,40 +401,20 @@ RSpec.describe ProjectsHelper do
context 'Security & Compliance tabs' do context 'Security & Compliance tabs' do
before do before do
stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: feature_flag_enabled)
allow(helper).to receive(:can?).with(user, :read_security_configuration, project).and_return(can_read_security_configuration) allow(helper).to receive(:can?).with(user, :read_security_configuration, project).and_return(can_read_security_configuration)
end end
context 'when user cannot read security configuration' do context 'when user cannot read security configuration' do
let(:can_read_security_configuration) { false } let(:can_read_security_configuration) { false }
context 'when feature flag is disabled' do it { is_expected.not_to include(:security_configuration) }
let(:feature_flag_enabled) { false }
it { is_expected.not_to include(:security_configuration) }
end
context 'when feature flag is enabled' do
let(:feature_flag_enabled) { true }
it { is_expected.not_to include(:security_configuration) }
end
end end
context 'when user can read security configuration' do context 'when user can read security configuration' do
let(:can_read_security_configuration) { true } let(:can_read_security_configuration) { true }
let(:feature_flag_enabled) { true }
context 'when feature flag is disabled' do it { is_expected.to include(:security_configuration) }
let(:feature_flag_enabled) { false }
it { is_expected.not_to include(:security_configuration) }
end
context 'when feature flag is enabled' do
let(:feature_flag_enabled) { true }
it { is_expected.to include(:security_configuration) }
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment