Merge branch 'reset_severity_levels_default_to_previous_values' into 'master'

Reset severity_levels default See merge request gitlab-org/gitlab!68586

Merge branch 'reset_severity_levels_default_to_previous_values' into 'master'
Reset severity_levels default See merge request gitlab-org/gitlab!68586
9b52b195 · David Kim · da2d8b56 · 0b0b46a9 · 9b52b195 · 9b52b195
Commit 9b52b195 authored Aug 26, 2021 by David Kim
6 changed files
--- a/db/post_migrate/20210819183128_reset_severity_levels_to_new_default.rb
+++ b/db/post_migrate/20210819183128_reset_severity_levels_to_new_default.rb
+# frozen_string_literal: true
+
+class ResetSeverityLevelsToNewDefault < ActiveRecord::Migration[6.1]
+  ALL_SEVERITY_LEVELS = 6 # ::Enums::Vulnerability::SEVERITY_LEVELS.count
+
+  def up
+    execute(<<~SQL.squish)
+      UPDATE approval_project_rules
+      SET severity_levels = '{unknown, high, critical}'
+      WHERE array_length(severity_levels, 1) = #{ALL_SEVERITY_LEVELS};
+    SQL
+  end
+
+  def down
+    # no-op
+  end
+end
--- a/db/schema_migrations/20210819183128
+++ b/db/schema_migrations/20210819183128
+d57791945f0d21da90a5b1d75db9add6c7e916ad3c13df2522c7d71d572baa47
\ No newline at end of file
--- a/ee/app/models/approval_project_rule.rb
+++ b/ee/app/models/approval_project_rule.rb
@@ -6,6 +6,7 @@ class ApprovalProjectRule < ApplicationRecord

  UNSUPPORTED_SCANNER = 'cluster_image_scanning'
  SUPPORTED_SCANNERS = (::Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES - [UNSUPPORTED_SCANNER]).freeze
+  DEFAULT_SEVERITIES = %w[unknown high critical].freeze

  belongs_to :project
  has_and_belongs_to_many :protected_branches
@@ -32,7 +33,7 @@ class ApprovalProjectRule < ApplicationRecord
  default_value_for :vulnerabilities_allowed, allows_nil: false, value: 0

  validates :severity_levels, inclusion: { in: ::Enums::Vulnerability.severity_levels.keys }
-  default_value_for :severity_levels, allows_nil: false, value: ::Enums::Vulnerability.severity_levels.keys
+  default_value_for :severity_levels, allows_nil: false, value: DEFAULT_SEVERITIES

  def applies_to_branch?(branch)
    return true if protected_branches.empty?

--- a/ee/spec/models/approval_project_rule_spec.rb
+++ b/ee/spec/models/approval_project_rule_spec.rb
@@ -9,6 +9,12 @@ RSpec.describe ApprovalProjectRule do
    it 'is invalid when name not unique within rule type and project' do
      is_expected.to validate_uniqueness_of(:name).scoped_to([:project_id, :rule_type])
    end
+
+    context 'DEFAULT_SEVERITIES' do
+      it 'contains a valid subset of severity levels' do
+        expect(::Enums::Vulnerability.severity_levels.keys).to include(*described_class::DEFAULT_SEVERITIES)
+      end
+    end
  end

  describe 'associations' do

--- a/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb
+++ b/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb
@@ -151,7 +151,7 @@ RSpec.shared_examples 'an API endpoint for updating project approval rule' do
      it 'returns 200 status' do
        expect do
          put api(url, current_user), params: { severity_levels: severity_levels }
-        end.to change { approval_rule.reload.severity_levels.count }.from(::Enums::Vulnerability.severity_levels.keys.count).to(severity_levels.count)
+        end.to change { approval_rule.reload.severity_levels.count }.from(::ApprovalProjectRule::DEFAULT_SEVERITIES.count).to(severity_levels.count)
        expect(response).to have_gitlab_http_status(:ok)
      end
    end

--- a/spec/migrations/reset_severity_levels_to_new_default_spec.rb
+++ b/spec/migrations/reset_severity_levels_to_new_default_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+require_migration!
+
+RSpec.describe ResetSeverityLevelsToNewDefault do
+  let(:approval_project_rules) { table(:approval_project_rules) }
+  let(:projects) { table(:projects)}
+  let(:namespaces) { table(:namespaces)}
+  let(:namespace) { namespaces.create!(name: 'namespace', path: 'namespace')}
+  let(:project) { projects.create!(name: 'project', path: 'project', namespace_id: namespace.id)}
+  let(:approval_project_rule) { approval_project_rules.create!(name: 'rule', project_id: project.id, severity_levels: severity_levels) }
+
+  context 'without having all severity levels selected' do
+    let(:severity_levels) { ['high'] }
+
+    it 'does not change severity_levels' do
+      expect(approval_project_rule.severity_levels).to eq(severity_levels)
+      expect { migrate! }.not_to change { approval_project_rule.reload.severity_levels }
+    end
+  end
+
+  context 'with all scanners selected' do
+    let(:severity_levels) { ::Enums::Vulnerability::SEVERITY_LEVELS.keys }
+    let(:default_levels) { %w(unknown high critical) }
+
+    it 'changes severity_levels to the default value' do
+      expect(approval_project_rule.severity_levels).to eq(severity_levels)
+      expect { migrate! }.to change {approval_project_rule.reload.severity_levels}.from(severity_levels).to(default_levels)
+    end
+  end
+end