Fix group level compliance pipeline feature availability

Update policy feature flag check for group level compliance pipeline configuration in graphql apis. The attribute is gated behind ff_evaluate_group_level_compliance_pipeline FF. This is to keep it independent of the rollout of compliance frameworks.

Fix group level compliance pipeline feature availability
Update policy feature flag check for group level compliance pipeline configuration in graphql apis. The attribute is gated behind ff_evaluate_group_level_compliance_pipeline FF. This is to keep it independent of the rollout of compliance frameworks.
b9b90d4c · Aishwarya Subramanian · a2cab0ab · b9b90d4c · b9b90d4c · b9b90d4c
Commit b9b90d4c authored Mar 15, 2021 by Aishwarya Subramanian
8 changed files
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -177,7 +177,6 @@ class License < ApplicationRecord
    subepics
    threat_monitoring
    vulnerability_auto_fix
-    evaluate_group_level_compliance_pipeline
  ]
  EEU_FEATURES.freeze

--- a/ee/app/policies/compliance_management/framework_policy.rb
+++ b/ee/app/policies/compliance_management/framework_policy.rb
@@ -11,7 +11,7 @@ module ComplianceManagement
    condition(:group_level_compliance_pipeline_enabled) do
      @subject.namespace.feature_available?(:evaluate_group_level_compliance_pipeline) &&
-        Feature.enabled?(:ff_custom_compliance_frameworks, @subject.namespace)
+        Feature.enabled?(:ff_evaluate_group_level_compliance_pipeline, @subject.namespace)
    end
    rule { can?(:owner_access) & custom_compliance_frameworks_enabled }.policy do

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -135,7 +135,7 @@ module EE
      condition(:group_level_compliance_pipeline_available) do
        @subject.feature_available?(:evaluate_group_level_compliance_pipeline) &&
-          ::Feature.enabled?(:ff_custom_compliance_frameworks, @subject, default_enabled: :yaml)
+          ::Feature.enabled?(:ff_evaluate_group_level_compliance_pipeline, @subject, default_enabled: :yaml)
      end
      rule { public_group | logged_in_viewable }.policy do

--- a/ee/app/services/concerns/compliance_management/frameworks.rb
+++ b/ee/app/services/concerns/compliance_management/frameworks.rb
@@ -3,9 +3,12 @@
 module ComplianceManagement
  module Frameworks
    def compliance_pipeline_configuration_available?
-      return true unless params[:pipeline_configuration_full_path].present?
+      return true unless params.key?(:pipeline_configuration_full_path)
-      can? current_user, :manage_group_level_compliance_pipeline_config, framework
+      available = can? current_user, :manage_group_level_compliance_pipeline_config, framework
+      params.delete(:pipeline_configuration_full_path) unless available
+      available
    end
  end
 end
--- a/ee/spec/policies/compliance_management/framework_policy_spec.rb
+++ b/ee/spec/policies/compliance_management/framework_policy_spec.rb
@@ -57,7 +57,9 @@ RSpec.describe ComplianceManagement::FrameworkPolicy do
  context 'feature is disabled' do
    before do
-      stub_feature_flags(ff_custom_compliance_framework: false)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+      stub_feature_flags(ff_custom_compliance_frameworks: false)
+      stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
    end
    it { is_expected.to be_disallowed(:manage_compliance_framework) }

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1569,7 +1569,7 @@ RSpec.describe GroupPolicy do
  end
  describe 'compliance framework permissions' do
-    shared_context 'compliance framework permissions' do
+    shared_examples 'compliance framework permissions' do
      using RSpec::Parameterized::TableSyntax
      where(:role, :licensed, :feature_flag, :admin_mode, :allowed) do
@@ -1590,7 +1590,7 @@ RSpec.describe GroupPolicy do
        before do
          stub_licensed_features(licensed_feature => licensed)
-          stub_feature_flags(ff_custom_compliance_frameworks: feature_flag)
+          stub_feature_flags(feature_flag_name => feature_flag)
          enable_admin_mode!(current_user) if admin_mode
        end
@@ -1601,15 +1601,17 @@ RSpec.describe GroupPolicy do
    context ':admin_compliance_framework' do
      let(:policy) { :admin_compliance_framework }
      let(:licensed_feature) { :custom_compliance_frameworks }
+      let(:feature_flag_name) { :ff_custom_compliance_frameworks }
-      include_context 'compliance framework permissions'
+      include_examples 'compliance framework permissions'
    end
    context ':admin_compliance_pipeline_configuration' do
      let(:policy) { :admin_compliance_pipeline_configuration }
      let(:licensed_feature) { :evaluate_group_level_compliance_pipeline }
+      let(:feature_flag_name) { :ff_evaluate_group_level_compliance_pipeline }
-      include_context 'compliance framework permissions'
+      include_examples 'compliance framework permissions'
    end
  end

--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
@@ -42,7 +42,7 @@ RSpec.describe 'Create a Compliance Framework' do
    end
  end
-  context 'feature is unlicensed' do
+  context 'framework feature is unlicensed' do
    before do
      stub_licensed_features(custom_compliance_frameworks: false)
      post_graphql_mutation(mutation, current_user: current_user)
@@ -51,12 +51,21 @@ RSpec.describe 'Create a Compliance Framework' do
    it_behaves_like 'a mutation that returns errors in the response', errors: ['Not permitted to create framework']
  end
+  context 'pipeline configuration feature is unlicensed' do
+    before do
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+      post_graphql_mutation(mutation, current_user: current_user)
+    end
+    it_behaves_like 'a mutation that returns errors in the response', errors: ['Pipeline configuration full path feature is not available']
+  end
  context 'feature is licensed' do
    before do
      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
    end
-    context 'feature is disabled' do
+    context 'framework feature is disabled' do
      before do
        stub_feature_flags(ff_custom_compliance_frameworks: false)
      end
@@ -64,6 +73,14 @@ RSpec.describe 'Create a Compliance Framework' do
      it_behaves_like 'a mutation that returns errors in the response', errors: ['Not permitted to create framework']
    end
+    context 'pipeline configuration feature is disabled' do
+      before do
+        stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
+      end
+      it_behaves_like 'a mutation that returns errors in the response', errors: ['Pipeline configuration full path feature is not available']
+    end
    context 'current_user is namespace owner' do
      it_behaves_like 'a mutation that creates a compliance framework'
    end

--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
@@ -91,6 +91,19 @@ RSpec.describe 'Update a compliance framework' do
            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
          end
        end
+        context 'when compliance pipeline configuration feature flag is not enabled' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+            stub_feature_flags(ff_evaluate_group_level_compliance_pipeline: false)
+          end
+          it 'returns an error' do
+            subject
+            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
+          end
+        end
      end
      context 'current_user is not permitted to update framework' do