Merge branch '290112_disable_all_security_compliance_features_if_its_switched_off' into 'master'

[RUN AS-IF-FOSS] Disable access to "Security & Compliance" resources See merge request gitlab-org/gitlab!53389

Merge branch '290112_disable_all_security_compliance_features_if_its_switched_off' into 'master'
[RUN AS-IF-FOSS] Disable access to "Security & Compliance" resources See merge request gitlab-org/gitlab!53389
bb813c6a · Stan Hu · 8d7c0521 · 2fbb28cd · bb813c6a · bb813c6a
Commit bb813c6a authored Feb 10, 2021 by Stan Hu
45 changed files
--- a/ee/app/controllers/concerns/security_and_compliance_permissions.rb
+++ b/ee/app/controllers/concerns/security_and_compliance_permissions.rb
+# frozen_string_literal: true
+
+module SecurityAndCompliancePermissions
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :ensure_security_and_compliance_enabled!
+  end
+
+  private
+
+  def ensure_security_and_compliance_enabled!
+    render_404 unless can?(current_user, :access_security_and_compliance, project)
+  end
+end
--- a/ee/app/controllers/ee/projects/security/configuration_controller.rb
+++ b/ee/app/controllers/ee/projects/security/configuration_controller.rb
@@ -7,6 +7,8 @@ module EE
        extend ::Gitlab::Utils::Override

        prepended do
+          include SecurityAndCompliancePermissions
+
          alias_method :vulnerable, :project

          before_action :ensure_security_dashboard_feature_enabled!, except: [:show]

--- a/ee/app/controllers/projects/audit_events_controller.rb
+++ b/ee/app/controllers/projects/audit_events_controller.rb
 # frozen_string_literal: true

 class Projects::AuditEventsController < Projects::ApplicationController
+  include SecurityAndCompliancePermissions
  include Gitlab::Utils::StrongMemoize
  include LicenseHelper
  include AuditEvents::EnforcesValidDateParams

--- a/ee/app/controllers/projects/dependencies_controller.rb
+++ b/ee/app/controllers/projects/dependencies_controller.rb
@@ -2,6 +2,8 @@

 module Projects
  class DependenciesController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
+
    before_action :authorize_read_dependency_list!

    feature_category :dependency_scanning

--- a/ee/app/controllers/projects/licenses_controller.rb
+++ b/ee/app/controllers/projects/licenses_controller.rb
@@ -2,6 +2,8 @@

 module Projects
  class LicensesController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
+
    before_action :authorize_read_licenses!, only: [:index]
    before_action :authorize_admin_software_license_policy!, only: [:create, :update]


--- a/ee/app/controllers/projects/on_demand_scans_controller.rb
+++ b/ee/app/controllers/projects/on_demand_scans_controller.rb
@@ -2,6 +2,8 @@

 module Projects
  class OnDemandScansController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
+
    before_action do
      push_frontend_feature_flag(:security_on_demand_scans_site_validation, @project, default_enabled: :yaml)
      push_frontend_feature_flag(:security_dast_site_profiles_additional_fields, @project, default_enabled: :yaml)

--- a/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
+++ b/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class ApiFuzzingConfigurationController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions

      alias_method :vulnerable, :project

--- a/ee/app/controllers/projects/security/corpus_management_controller.rb
+++ b/ee/app/controllers/projects/security/corpus_management_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class CorpusManagementController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      before_action do
        render_404 unless Feature.enabled?(:corpus_management, @project, default_enabled: :yaml)
        authorize_read_coverage_fuzzing!

--- a/ee/app/controllers/projects/security/dashboard_controller.rb
+++ b/ee/app/controllers/projects/security/dashboard_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class DashboardController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions

      alias_method :vulnerable, :project

--- a/ee/app/controllers/projects/security/dast_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_profiles_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DastProfilesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      before_action do
        authorize_read_on_demand_scans!
        push_frontend_feature_flag(:security_on_demand_scans_site_validation, @project, default_enabled: :yaml)

--- a/ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DastScannerProfilesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      before_action :authorize_read_on_demand_scans!

      feature_category :dynamic_application_security_testing

--- a/ee/app/controllers/projects/security/dast_site_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_site_profiles_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DastSiteProfilesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      before_action do
        authorize_read_on_demand_scans!
        push_frontend_feature_flag(:security_dast_site_profiles_additional_fields, @project, default_enabled: :yaml)

--- a/ee/app/controllers/projects/security/discover_controller.rb
+++ b/ee/app/controllers/projects/security/discover_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DiscoverController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      feature_category :navigation

      def show

--- a/ee/app/controllers/projects/security/network_policies_controller.rb
+++ b/ee/app/controllers/projects/security/network_policies_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class NetworkPoliciesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      POLLING_INTERVAL = 5_000

      before_action :authorize_read_threat_monitoring!

--- a/ee/app/controllers/projects/security/sast_configuration_controller.rb
+++ b/ee/app/controllers/projects/security/sast_configuration_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class SastConfigurationController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include CreatesCommit
      include SecurityDashboardsPermissions


--- a/ee/app/controllers/projects/security/scanned_resources_controller.rb
+++ b/ee/app/controllers/projects/security/scanned_resources_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class ScannedResourcesController < ::Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      before_action :authorize_read_vulnerability!
      before_action :scanned_resources


--- a/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
@@ -6,6 +6,7 @@ module Projects
      class NotesController < Projects::ApplicationController
        extend ::Gitlab::Utils::Override

+        include SecurityAndCompliancePermissions
        include SecurityDashboardsPermissions
        include NotesActions
        include NotesHelper

--- a/ee/app/controllers/projects/security/vulnerabilities_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class VulnerabilitiesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions
      include IssuableActions
      include RendersNotes

--- a/ee/app/controllers/projects/security/vulnerability_report_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerability_report_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class VulnerabilityReportController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions

      before_action do

--- a/ee/app/controllers/projects/security/waf_anomalies_controller.rb
+++ b/ee/app/controllers/projects/security/waf_anomalies_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class WafAnomaliesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
      POLLING_INTERVAL = 5_000

      before_action :authorize_read_waf_anomalies!

--- a/ee/app/controllers/projects/threat_monitoring_controller.rb
+++ b/ee/app/controllers/projects/threat_monitoring_controller.rb
@@ -2,6 +2,8 @@

 module Projects
  class ThreatMonitoringController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
+
    before_action :authorize_read_threat_monitoring!
    before_action do
      push_frontend_feature_flag(:threat_monitoring_alerts, project)

--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -24,6 +24,7 @@ class InstanceSecurityDashboard

  def projects
    Project.where(id: visible_users_security_dashboard_projects)
+           .with_feature_available_for_user(:security_and_compliance, user)
  end

  def vulnerabilities

--- a/ee/spec/controllers/projects/dependencies_controller_spec.rb
+++ b/ee/spec/controllers/projects/dependencies_controller_spec.rb
@@ -6,20 +6,23 @@ RSpec.describe Projects::DependenciesController do
  describe 'GET #index' do
    let_it_be(:developer) { create(:user) }
    let_it_be(:guest) { create(:user) }
+    let_it_be(:project) { create(:project, :repository, :private) }
+
    let(:params) { { namespace_id: project.namespace, project_id: project } }

    before do
+      project.add_developer(developer)
+      project.add_guest(guest)
+
      sign_in(user)
    end

-    context 'with authorized user' do
-      let_it_be(:project) { create(:project, :repository, :public) }
-
-      before do
-        project.add_developer(developer)
-        project.add_guest(guest)
-      end
+    include_context '"Security & Compliance" permissions' do
+      let(:user) { developer }
+      let(:valid_request) { get :index, params: params }
+    end

+    context 'with authorized user' do
      context 'when feature is available' do
        before do
          stub_licensed_features(dependency_scanning: true, license_scanning: true, security_dashboard: true)
@@ -138,14 +141,6 @@ RSpec.describe Projects::DependenciesController do
                  expect(json_response['dependencies'].length).to eq(3)
                end
              end
-
-              context 'without authorized user to see vulnerabilities' do
-                let(:user) { guest }
-
-                it 'return vulnerable dependencies' do
-                  expect(json_response['dependencies']).to be_empty
-                end
-              end
            end

            context 'with pagination params' do
@@ -247,7 +242,6 @@ RSpec.describe Projects::DependenciesController do
    end

    context 'with unauthorized user' do
-      let(:project) { create(:project, :repository, :private) }
      let(:user) { guest }

      before do

--- a/ee/spec/controllers/projects/licenses_controller_spec.rb
+++ b/ee/spec/controllers/projects/licenses_controller_spec.rb
@@ -13,6 +13,14 @@ RSpec.describe Projects::LicensesController do
      sign_in(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get :index, params: params }
+
+      before_request do
+        project.add_reporter(user)
+      end
+    end
+
    context 'with authorized user' do
      context 'when feature is available' do
        before do
@@ -347,6 +355,7 @@ RSpec.describe Projects::LicensesController do
  end

  describe "POST #create" do
+    let(:current_user) { create(:user) }
    let(:project) { create(:project, :repository, :private) }
    let(:mit_license) { create(:software_license, :mit) }
    let(:default_params) do
@@ -360,9 +369,16 @@ RSpec.describe Projects::LicensesController do
      }
    end

-    context "when authenticated" do
-      let(:current_user) { create(:user) }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { post :create, xhr: true, params: default_params }
+
+      before_request do
+        project.add_reporter(current_user)
+        sign_in(current_user)
+      end
+    end

+    context "when authenticated" do
      before do
        stub_licensed_features(license_scanning: true)
        sign_in(current_user)
@@ -465,6 +481,7 @@ RSpec.describe Projects::LicensesController do
  end

  describe "PATCH #update" do
+    let(:current_user) { create(:user) }
    let(:project) { create(:project, :repository, :private) }
    let(:software_license_policy) { create(:software_license_policy, project: project, software_license: mit_license) }
    let(:mit_license) { create(:software_license, :mit) }
@@ -478,9 +495,16 @@ RSpec.describe Projects::LicensesController do
      }
    end

-    context "when authenticated" do
-      let(:current_user) { create(:user) }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { post :create, xhr: true, params: default_params }
+
+      before_request do
+        project.add_reporter(current_user)
+        sign_in(current_user)
+      end
+    end

+    context "when authenticated" do
      before do
        stub_licensed_features(license_scanning: true)
        sign_in(current_user)

--- a/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
@@ -8,14 +8,23 @@ RSpec.describe Projects::Security::ApiFuzzingConfigurationController do
  let_it_be(:developer) { create(:user) }
  let_it_be(:guest) { create(:user) }

+  subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
+
  before_all do
    group.add_developer(developer)
    group.add_guest(guest)
  end

-  describe 'GET #show' do
-    subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
+  include_context '"Security & Compliance" permissions' do
+    let(:valid_request) { request }
+
+    before_request do
+      stub_licensed_features(security_dashboard: true)
+      sign_in(developer)
+    end
+  end

+  describe 'GET #show' do
    render_views

    it_behaves_like SecurityDashboardsPermissions do

--- a/ee/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -3,8 +3,14 @@
 require 'spec_helper'

 RSpec.describe Projects::Security::ConfigurationController do
-  let(:group) { create(:group) }
-  let(:project) { create(:project, :repository, namespace: group) }
+  let_it_be(:group) { create(:group) }
+  let_it_be(:user) { create(:user) }
+  let_it_be_with_refind(:project) { create(:project, :repository, namespace: group) }
+
+  before do
+    stub_licensed_features(security_dashboard: true)
+    group.add_developer(user)
+  end

  describe 'GET #show' do
    using RSpec::Parameterized::TableSyntax
@@ -34,6 +40,10 @@ RSpec.describe Projects::Security::ConfigurationController do
        sign_in(user)
      end

+      include_context '"Security & Compliance" permissions' do
+        let(:valid_request) { request }
+      end
+
      it 'responds with the correct status' do
        request

@@ -134,7 +144,6 @@ RSpec.describe Projects::Security::ConfigurationController do
    end

    before do
-      stub_licensed_features(security_dashboard: true)
      project.add_maintainer(maintainer)
      project.add_developer(developer)
      sign_in(user)

--- a/ee/spec/controllers/projects/security/dashboard_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/dashboard_controller_spec.rb
@@ -7,6 +7,19 @@ RSpec.describe Projects::Security::DashboardController do
  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
  let_it_be(:user)    { create(:user) }

+  before do
+    group.add_developer(user)
+    stub_licensed_features(security_dashboard: true)
+  end
+
+  include_context '"Security & Compliance" permissions' do
+    let(:valid_request) { get :index, params: { namespace_id: project.namespace, project_id: project } }
+
+    before_request do
+      sign_in(user)
+    end
+  end
+
  it_behaves_like SecurityDashboardsPermissions do
    let(:vulnerable) { project }

@@ -15,11 +28,6 @@ RSpec.describe Projects::Security::DashboardController do
    end
  end

-  before do
-    group.add_developer(user)
-    stub_licensed_features(security_dashboard: true)
-  end
-
  describe 'GET #index' do
    let(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }


--- a/ee/spec/controllers/projects/security/network_policies_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/network_policies_controller_spec.rb
@@ -54,10 +54,18 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end

  describe 'GET #summary' do
-    subject { get :summary, params: action_params, format: :json }
+    subject(:request) { get :summary, params: action_params, format: :json }

    let_it_be(:kubernetes_namespace) { environment.deployment_namespace }

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        group.add_developer(user)
+      end
+    end
+
    context 'with authorized user' do
      before do
        group.add_developer(user)
@@ -160,7 +168,15 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end

  describe 'GET #index' do
-    subject { get :index, params: action_params, format: :json }
+    subject(:request) { get :index, params: action_params, format: :json }
+
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        group.add_developer(user)
+      end
+    end

    context 'with authorized user' do
      let(:service) { instance_double('NetworkPolicies::ResourcesService', execute: ServiceResponse.success(payload: [policy])) }
@@ -198,7 +214,7 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end

  describe 'POST #create' do
-    subject { post :create, params: action_params.merge(manifest: manifest), format: :json }
+    subject(:request) { post :create, params: action_params.merge(manifest: manifest), format: :json }

    let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
    let(:policy) do
@@ -210,6 +226,14 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
      )
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        group.add_developer(user)
+      end
+    end
+
    context 'with authorized user' do
      before do
        group.add_developer(user)
@@ -240,7 +264,7 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end

  describe 'PUT #update' do
-    subject { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }
+    subject(:request) { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }

    let(:enabled) { nil }
    let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
@@ -253,6 +277,14 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
      )
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        group.add_developer(user)
+      end
+    end
+
    context 'with authorized user' do
      before do
        group.add_developer(user)
@@ -283,10 +315,18 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end

  describe 'DELETE #destroy' do
-    subject { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }
+    subject(:request) { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }

    let(:service) { instance_double('NetworkPolicies::DeleteResourceService', execute: ServiceResponse.success) }

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        group.add_developer(user)
+      end
+    end
+
    context 'with authorized user' do
      before do
        group.add_developer(user)

--- a/ee/spec/controllers/projects/security/sast_configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/sast_configuration_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'

 RSpec.describe Projects::Security::SastConfigurationController do
  let_it_be(:group) { create(:group) }
-  let_it_be(:project) { create(:project, namespace: group) }
+  let_it_be(:project) { create(:project, :repository, namespace: group) }
  let_it_be(:developer) { create(:user) }
  let_it_be(:guest) { create(:user) }

@@ -13,11 +13,23 @@ RSpec.describe Projects::Security::SastConfigurationController do
    group.add_guest(guest)
  end

+  before do
+    stub_licensed_features(security_dashboard: true)
+  end
+
  describe 'GET #show' do
    subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }

    render_views

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        sign_in(developer)
+      end
+    end
+
    it_behaves_like SecurityDashboardsPermissions do
      let(:vulnerable) { project }
      let(:security_dashboard_action) { request }
@@ -25,8 +37,6 @@ RSpec.describe Projects::Security::SastConfigurationController do

    context 'with authorized user' do
      before do
-        stub_licensed_features(security_dashboard: true)
-
        sign_in(developer)
      end

@@ -58,8 +68,6 @@ RSpec.describe Projects::Security::SastConfigurationController do

    context 'with unauthorized user' do
      before do
-        stub_licensed_features(security_dashboard: true)
-
        sign_in(guest)
      end

@@ -72,39 +80,38 @@ RSpec.describe Projects::Security::SastConfigurationController do
  end

  describe 'POST #create' do
-    let_it_be(:project) { create(:project, :repository, namespace: group) }
+    let(:params) do
+      {
+        namespace_id: project.namespace.to_param,
+        project_id: project.to_param,
+        sast_configuration: {
+          secure_analyzers_prefix: 'localhost:5000/analyzers',
+          sast_analyzer_image_tag: '1',
+          sast_excluded_paths: 'docs',
+          stage: 'security',
+          search_max_depth: 11
+        },
+        format: :json
+      }
+    end

-    before do
-      stub_licensed_features(security_dashboard: true)
+    subject(:request) { post :create, params: params, as: :json }

+    before do
      sign_in(developer)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+    end
+
    context 'with valid params' do
      it 'returns the new merge request url' do
-        params = {
-          secure_analyzers_prefix: 'localhost:5000/analyzers',
-          sast_analyzer_image_tag: '1',
-          sast_excluded_paths: 'docs',
-          stage: 'security',
-          search_max_depth: 11
-        }
-        create_sast_configuration user: developer, project: project, params: params
+        request

        expect(json_response["message"]).to eq("success")
        expect(json_response["filePath"]).to match(/#{Gitlab::Routing.url_helpers.project_new_merge_request_url(project, {})}(.*)description(.*)source_branch/)
      end
    end
  end
-
-  def create_sast_configuration(user:, project:, params:)
-    post_params = {
-      namespace_id: project.namespace.to_param,
-      project_id: project.to_param,
-      sast_configuration: params,
-      format: :json
-    }
-
-    post :create, params: post_params, as: :json
-  end
 end
--- a/ee/spec/controllers/projects/security/scanned_resources_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/scanned_resources_controller_spec.rb
@@ -16,13 +16,18 @@ RSpec.describe Projects::Security::ScannedResourcesController do
  end

  describe 'GET index' do
-    let(:subject) { get :index, params: action_params, format: :csv }
    let(:parsed_csv_data) { CSV.parse(subject.body, headers: true) }

+    subject(:request) { get :index, params: action_params, format: :csv }
+
    before do
      project.add_developer(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+    end
+
    context 'when DAST security scan is found' do
      before do
        create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) do |job|

--- a/ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
@@ -9,14 +9,6 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do

  let!(:note) { create(:note, noteable: vulnerability, project: project) }

-  it_behaves_like SecurityDashboardsPermissions do
-    let(:vulnerable) { project }
-
-    let(:security_dashboard_action) do
-      get :index, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability }
-    end
-  end
-
  before do
    stub_licensed_features(security_dashboard: true)
  end
@@ -31,6 +23,15 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { view_all_notes }
+    end
+
+    it_behaves_like SecurityDashboardsPermissions do
+      let(:vulnerable) { project }
+      let(:security_dashboard_action) { view_all_notes }
+    end
+
    it 'responds with array of notes' do
      view_all_notes

@@ -63,6 +64,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { create_note }
+    end
+
    context 'when note is empty' do
      let(:note_params) { { note: '' } }

@@ -156,6 +161,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { update_note }
+    end
+
    context 'when user is not an author of the note' do
      it 'returns status 404' do
        update_note
@@ -201,6 +210,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { delete_note }
+    end
+
    context 'when user is not an author of the note' do
      it 'does not delete the note' do
        expect { delete_note }.not_to change { Note.count }
@@ -229,6 +242,7 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
  end

  describe 'POST toggle_award_emoji' do
+    let(:emoji_name) { 'thumbsup' }
    let(:request_params) do
      {
        id: note,
@@ -246,7 +260,9 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      project.add_developer(user)
    end

-    let(:emoji_name) { 'thumbsup' }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { toggle_award_emoji }
+    end

    it 'creates the award emoji' do
      expect { toggle_award_emoji }.to change { note.award_emoji.count }.by(1)

--- a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
@@ -7,20 +7,22 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
  let_it_be(:user)    { create(:user) }

+  render_views
+
  before do
    group.add_developer(user)
    stub_licensed_features(security_dashboard: true)
+    sign_in(user)
  end

  describe 'GET #show' do
    let_it_be(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }
    let_it_be(:vulnerability) { create(:vulnerability, project: project) }

-    render_views
+    subject(:show_vulnerability) { get :show, params: { namespace_id: project.namespace, project_id: project, id: vulnerability.id } }

-    def show_vulnerability
-      sign_in(user)
-      get :show, params: { namespace_id: project.namespace, project_id: project, id: vulnerability.id }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { show_vulnerability }
    end

    context "when there's an attached pipeline" do
@@ -58,11 +60,10 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
    let_it_be(:vulnerability) { create(:vulnerability, project: project, author: user) }
    let_it_be(:discussion_note) { create(:discussion_note_on_vulnerability, noteable: vulnerability, project: vulnerability.project) }

-    render_views
+    subject(:show_vulnerability_discussion_list) { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: vulnerability } }

-    def show_vulnerability_discussion_list
-      sign_in(user)
-      get :discussions, params: { namespace_id: project.namespace, project_id: project, id: vulnerability }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { show_vulnerability_discussion_list }
    end

    it 'renders discussions' do
@@ -70,7 +71,6 @@ RSpec.describe Projects::Security::VulnerabilitiesController do

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to match_response_schema('entities/discussions')
-
      expect(json_response.pluck('id')).to eq([discussion_note.discussion_id])
    end
  end

--- a/ee/spec/controllers/projects/security/vulnerability_report_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerability_report_controller_spec.rb
@@ -7,6 +7,19 @@ RSpec.describe Projects::Security::VulnerabilityReportController do
  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
  let_it_be(:user)    { create(:user) }

+  before do
+    group.add_developer(user)
+    stub_licensed_features(security_dashboard: true)
+  end
+
+  include_context '"Security & Compliance" permissions' do
+    let(:valid_request) { get :index, params: { namespace_id: project.namespace, project_id: project } }
+
+    before_request do
+      sign_in(user)
+    end
+  end
+
  it_behaves_like SecurityDashboardsPermissions do
    let(:vulnerable) { project }

@@ -15,11 +28,6 @@ RSpec.describe Projects::Security::VulnerabilityReportController do
    end
  end

-  before do
-    group.add_developer(user)
-    stub_licensed_features(security_dashboard: true)
-  end
-
  describe 'GET #index' do
    let(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }


--- a/ee/spec/controllers/projects/security/waf_anomalies_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/waf_anomalies_controller_spec.rb
@@ -15,7 +15,7 @@ RSpec.describe Projects::Security::WafAnomaliesController do
  let(:es_client) { nil }

  describe 'GET #summary' do
-    subject { get :summary, params: action_params, format: :json }
+    subject(:request) { get :summary, params: action_params, format: :json }

    before do
      stub_licensed_features(threat_monitoring: true)
@@ -28,6 +28,14 @@ RSpec.describe Projects::Security::WafAnomaliesController do
      end
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        group.add_developer(user)
+      end
+    end
+
    context 'with authorized user' do
      before do
        group.add_developer(user)

--- a/ee/spec/features/projects/audit_events_spec.rb
+++ b/ee/spec/features/projects/audit_events_spec.rb
@@ -42,6 +42,10 @@ RSpec.describe 'Projects > Audit Events', :js do
      allow(LicenseHelper).to receive(:show_promotions?).and_return(true)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:response) { inspect_requests { visit project_audit_events_path(project) }.first }
+    end
+
    it 'returns 200' do
      reqs = inspect_requests do
        visit project_audit_events_path(project)

--- a/ee/spec/features/promotion_spec.rb
+++ b/ee/spec/features/promotion_spec.rb
@@ -266,6 +266,10 @@ RSpec.describe 'Promotions', :js do
      sign_in(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:response) { inspect_requests { visit project_audit_events_path(project) }.first }
+    end
+
    it 'appears on the page' do
      visit project_audit_events_path(project)


--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -85,8 +85,24 @@ RSpec.describe InstanceSecurityDashboard do

  describe '#projects' do
    context 'when the user cannot read all resources' do
-      it 'returns only projects on their dashboard that they can read' do
-        expect(subject.projects).to contain_exactly(project1)
+      context 'when the `security_and_compliance` is enabled for the project' do
+        before do
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+        end
+
+        it 'returns only projects on their dashboard that they can read' do
+          expect(subject.projects).to contain_exactly(project1)
+        end
+      end
+
+      context 'when the `security_and_compliance` is disabled for the project' do
+        before do
+          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+        end
+
+        it 'returns only projects on their dashboard that they can read' do
+          expect(subject.projects).to be_empty
+        end
      end
    end

@@ -94,8 +110,24 @@ RSpec.describe InstanceSecurityDashboard do
      let(:project_ids) { [project1.id, project2.id] }
      let(:user) { create(:auditor) }

-      it "returns all projects on the user's dashboard" do
-        expect(subject.projects).to contain_exactly(project1, project2, project3)
+      context 'when the `security_and_compliance` is enabled for the project' do
+        before do
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+        end
+
+        it "returns all projects on the user's dashboard" do
+          expect(subject.projects).to contain_exactly(project1, project2, project3)
+        end
+      end
+
+      context 'when the `security_and_compliance` is disabled for the project' do
+        before do
+          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+        end
+
+        it "returns only the feature enabled projects on the user's dashboard" do
+          expect(subject.projects).to contain_exactly(project2, project3)
+        end
      end
    end
  end

--- a/ee/spec/requests/projects/on_demand_scans_controller_spec.rb
+++ b/ee/spec/requests/projects/on_demand_scans_controller_spec.rb
@@ -9,6 +9,15 @@ RSpec.describe Projects::OnDemandScansController, type: :request do
  let(:user) { create(:user) }

  shared_examples 'on-demand scans page' do
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get path }
+
+      before_request do
+        project.add_developer(user)
+        login_as(user)
+      end
+    end
+
    context 'feature available' do
      before do
        stub_licensed_features(security_on_demand_scans: true)

--- a/ee/spec/requests/projects/security/corpus_management_controller_spec.rb
+++ b/ee/spec/requests/projects/security/corpus_management_controller_spec.rb
@@ -7,16 +7,24 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
  let(:user) { create(:user) }

  describe 'GET #show' do
-    context 'feature available' do
-      before do
-        stub_licensed_features(coverage_fuzzing: true)
+    before do
+      stub_licensed_features(coverage_fuzzing: true)
+
+      login_as(user)
+    end
+
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get project_security_configuration_corpus_management_path(project) }
+
+      before_request do
+        project.add_developer(user)
      end
+    end

+    context 'feature available' do
      context 'user authorized' do
        before do
          project.add_developer(user)
-
-          login_as(user)
        end

        it 'can access page' do
@@ -29,8 +37,6 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
      context 'user not authorized' do
        before do
          project.add_guest(user)
-
-          login_as(user)
        end

        it 'sees a 404 error' do
@@ -43,14 +49,13 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do

    context 'feature not available' do
      before do
-        project.add_developer(user)
+        stub_licensed_features(coverage_fuzzing: false)

-        login_as(user)
+        project.add_developer(user)
      end

      context 'license doesnt\'t support the feature' do
        it 'sees a 404 error' do
-          stub_licensed_features(coverage_fuzzing: false)
          get project_security_configuration_corpus_management_path(project)

          expect(response).to have_gitlab_http_status(:not_found)

--- a/ee/spec/requests/projects/security/dast_profiles_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_profiles_controller_spec.rb
@@ -7,16 +7,24 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
  let(:user) { create(:user) }

  describe 'GET #index' do
-    context 'feature available' do
-      before do
-        stub_licensed_features(security_on_demand_scans: true)
+    before do
+      stub_licensed_features(security_on_demand_scans: true)
+
+      login_as(user)
+    end
+
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get project_security_configuration_dast_profiles_path(project) }
+
+      before_request do
+        project.add_developer(user)
      end
+    end

+    context 'feature available' do
      context 'user authorized' do
        before do
          project.add_developer(user)
-
-          login_as(user)
        end

        it 'can access page' do
@@ -29,8 +37,6 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
      context 'user not authorized' do
        before do
          project.add_guest(user)
-
-          login_as(user)
        end

        it 'sees a 404 error' do
@@ -43,14 +49,12 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do

    context 'feature not available' do
      before do
+        stub_licensed_features(security_on_demand_scans: false)
        project.add_developer(user)
-
-        login_as(user)
      end

      context 'license doesnt\'t support the feature' do
        it 'sees a 404 error' do
-          stub_licensed_features(security_on_demand_scans: false)
          get project_security_configuration_dast_profiles_path(project)

          expect(response).to have_gitlab_http_status(:not_found)

--- a/ee/spec/requests/projects/security/dast_scanner_profiles_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_scanner_profiles_controller_spec.rb
@@ -24,6 +24,15 @@ RSpec.describe Projects::Security::DastScannerProfilesController, type: :request
  end

  shared_examples 'a GET request' do
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get path }
+
+      before_request do
+        project.add_developer(user)
+        login_as(user)
+      end
+    end
+
    context 'feature available' do
      include_context 'on-demand scans feature available'


--- a/ee/spec/requests/projects/security/dast_site_profiles_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_site_profiles_controller_spec.rb
@@ -17,6 +17,15 @@ RSpec.describe Projects::Security::DastSiteProfilesController, type: :request do
  end

  shared_examples 'a GET request' do
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get path }
+
+      before_request do
+        with_feature_available
+        with_user_authorized
+      end
+    end
+
    context 'feature available' do
      before do
        with_feature_available

--- a/ee/spec/requests/projects/security/scanned_resources_controller_spec.rb
+++ b/ee/spec/requests/projects/security/scanned_resources_controller_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe Projects::Security::ScannedResourcesController, type: :request do
    let_it_be(:pipeline_id) { pipeline.id }
    let(:parsed_csv_data) { CSV.parse(response.body, headers: true) }

-    subject { get project_security_scanned_resources_path(project, :csv, pipeline_id: pipeline_id) }
+    subject(:request) { get project_security_scanned_resources_path(project, :csv, pipeline_id: pipeline_id) }

    before do
      stub_licensed_features(dast: true, security_dashboard: true)
@@ -20,6 +20,14 @@ RSpec.describe Projects::Security::ScannedResourcesController, type: :request do
      login_as(user)
    end

+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+
+      before_request do
+        project.add_developer(user)
+      end
+    end
+
    shared_examples 'returns a 404' do
      it 'will return a 404' do
        subject

--- a/ee/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
+++ b/ee/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
+# frozen_string_literal: true
+
+RSpec.shared_context '"Security & Compliance" permissions' do
+  let(:project_instance) { an_instance_of(Project) }
+  let(:user_instance) { an_instance_of(User) }
+  let(:before_request_defined) { false }
+  let(:valid_request) {}
+
+  def self.before_request(&block)
+    return unless block
+
+    let(:before_request_call) { instance_exec(&block) }
+    let(:before_request_defined) { true }
+  end
+
+  before do
+    allow(Ability).to receive(:allowed?).and_call_original
+    allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(true)
+  end
+
+  context 'when the "Security & Compliance" feature is disabled' do
+    subject { response }
+
+    before do
+      before_request_call if before_request_defined
+
+      allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(false)
+      valid_request
+    end
+
+    it { is_expected.to have_gitlab_http_status(:not_found) }
+  end
+end
--- a/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -7,6 +7,8 @@ RSpec.describe Projects::Security::ConfigurationController do
  let(:user) { create(:user) }

  before do
+    allow(controller).to receive(:ensure_security_and_compliance_enabled!)
+
    sign_in(user)
  end