Commit e893d88a authored by Stan Hu's avatar Stan Hu

Merge branch '345317-prepare-security-orchestration-helper' into 'master'

Use SecurityOrchestrationHelper for both projects and namespaces

See merge request gitlab-org/gitlab!85229
parents a93248cd 21cf7aa6
......@@ -218,10 +218,6 @@ module EE
project.licensed_feature_available?(:sast_fp_reduction).to_s
end
def can_update_security_orchestration_policy_project?(project)
can?(current_user, :update_security_orchestration_policy_project, project)
end
def can_create_feedback?(project, feedback_type)
feedback = Vulnerabilities::Feedback.new(project: project, feedback_type: feedback_type)
can?(current_user, :create_vulnerability_feedback, feedback)
......
# frozen_string_literal: true
module EE
module SecurityOrchestrationHelper
def security_orchestration_policy_data(
namespace,
policy_type = nil,
policy = nil,
approvers = nil
)
return unless namespace
{
assigned_policy_project: nil.to_json,
disable_scan_policy_update: false.to_s,
module EE::SecurityOrchestrationHelper
def can_update_security_orchestration_policy_project?(container)
can?(current_user, :update_security_orchestration_policy_project, container)
end
def assigned_policy_project(container)
return unless container&.security_orchestration_policy_configuration
orchestration_policy_configuration = container.security_orchestration_policy_configuration
security_policy_management_project = orchestration_policy_configuration.security_policy_management_project
{
id: security_policy_management_project.to_global_id.to_s,
name: security_policy_management_project.name,
full_path: security_policy_management_project.full_path,
branch: security_policy_management_project.default_branch_or_main
}
end
def orchestration_policy_data(container, policy_type = nil, policy = nil, environment = nil, approvers = nil)
return unless container
disable_scan_policy_update = !can_update_security_orchestration_policy_project?(container)
policy_data = {
assigned_policy_project: assigned_policy_project(container).to_json,
disable_scan_policy_update: disable_scan_policy_update.to_s,
policy: policy&.to_json,
policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
policy_type: policy_type,
policies_path: security_policies_path(container),
scan_policy_documentation_path: help_page_path('user/application_security/policies/index')
}
if container.is_a?(::Project)
policy_data.merge(
project_path: container.full_path,
project_id: container.id,
default_environment_id: container.default_environment&.id || -1,
network_policies_endpoint: project_security_network_policies_path(container),
create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
policy: policy&.to_json,
policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
policy_type: policy_type,
policies_path: nil,
scan_policy_documentation_path: help_page_path('user/application_security/policies/index'),
network_documentation_path: help_page_path('user/application_security/policies/index'),
environments_endpoint: project_environments_path(container),
environment_id: environment&.id,
scan_result_approvers: approvers&.to_json
}
)
else
policy_data.merge(
namespace_path: container.full_path,
namespace_id: container.id
)
end
end
def security_policies_path(container)
container.is_a?(::Project) ? project_security_policies_path(container) : group_security_policies_path(container)
end
end
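Review bot: `network_documentation_path` in the project branch of `orchestration_policy_data` now calls `help_page_path('user/application_security/policies/index')` without the `anchor: 'container-network-policy'` that the removed `Projects::Security::PoliciesHelper` passed, so the network-policy editor's documentation link lands on the top of the page instead of the container network policy section; unless that is intended, restore `network_documentation_path: help_page_path('user/application_security/policies/index', anchor: 'container-network-policy'),`. Separately, `can_update_security_orchestration_policy_project?(container)` is now evaluated against a group as well as a project, and every spec in this commit stubs `can?` for the namespace case, so nothing verifies that `:update_security_orchestration_policy_project` is actually granted by the group policy; if it is not, `disable_scan_policy_update` will be `"true"` for every group editor, which is worth one unstubbed example. The rendered project branch appears to have lines from the old hash interleaved (`policy`, `policy_type` and `scan_policy_documentation_path` appear twice, and `policies_path: nil` sits next to `policies_path: security_policies_path(container)`), so I am reading only the keys that are clearly on the new side.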
# frozen_string_literal: true
module Projects::Security::PoliciesHelper
def assigned_policy_project(project)
return unless project&.security_orchestration_policy_configuration
orchestration_policy_configuration = project.security_orchestration_policy_configuration
security_policy_management_project = orchestration_policy_configuration.security_policy_management_project
{
id: security_policy_management_project.to_global_id.to_s,
name: security_policy_management_project.name,
full_path: security_policy_management_project.full_path,
branch: security_policy_management_project.default_branch_or_main
}
end
def orchestration_policy_data(project, policy_type = nil, policy = nil, environment = nil, approvers = nil)
return unless project
disable_scan_policy_update = !can_update_security_orchestration_policy_project?(project)
{
assigned_policy_project: assigned_policy_project(project).to_json,
default_environment_id: project.default_environment&.id || -1,
disable_scan_policy_update: disable_scan_policy_update.to_s,
network_policies_endpoint: project_security_network_policies_path(project),
create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
environments_endpoint: project_environments_path(project),
environment_id: environment&.id,
network_documentation_path: help_page_path('user/application_security/policies/index', anchor: 'container-network-policy'),
policy: policy&.to_json,
policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
policy_type: policy_type,
project_path: project.full_path,
project_id: project.id,
policies_path: project_security_policies_path(project),
scan_policy_documentation_path: help_page_path('user/application_security/policies/index'),
scan_result_approvers: approvers&.to_json
}
end
end
......@@ -2,4 +2,4 @@
- breadcrumb_title s_("SecurityOrchestration|New policy")
- page_title s_("SecurityOrchestration|Policy editor")
#js-group-policy-builder-app{ data: security_orchestration_policy_data(@group) }
#js-group-policy-builder-app{ data: orchestration_policy_data(@group) }
......@@ -3,47 +3,242 @@
require 'spec_helper'
RSpec.describe EE::SecurityOrchestrationHelper do
let_it_be_with_reload(:project) { create(:project) }
let_it_be_with_reload(:namespace) { create(:group, :public) }
describe '#security_orchestration_policy_data' do
let(:approvers) { %w(approver1 approver2) }
let(:owner) { namespace.first_owner }
let(:base_data) do
{
assigned_policy_project: nil.to_json,
disable_scan_policy_update: false.to_s,
create_agent_help_path: kind_of(String),
policy: policy&.to_json,
policy_editor_empty_state_svg_path: kind_of(String),
policy_type: policy_type,
policies_path: nil,
scan_policy_documentation_path: kind_of(String),
scan_result_approvers: approvers&.to_json
}
end
describe '#can_update_security_orchestration_policy_project?' do
let(:owner) { project.first_owner }
before do
allow(helper).to receive(:current_user) { owner }
end
subject { helper.security_orchestration_policy_data(namespace, policy_type, policy, approvers) }
it 'returns false when user cannot update security orchestration policy project' do
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
expect(helper.can_update_security_orchestration_policy_project?(project)).to eq false
end
it 'returns true when user can update security orchestration policy project' do
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
expect(helper.can_update_security_orchestration_policy_project?(project)).to eq true
end
end
describe '#assigned_policy_project' do
context 'for project' do
subject { helper.assigned_policy_project(project) }
context 'when a project does have a security policy project' do
let_it_be(:policy_management_project) { create(:project) }
let_it_be(:security_orchestration_policy_configuration) do
create(
:security_orchestration_policy_configuration,
security_policy_management_project: policy_management_project, project: project
)
end
it 'include information about policy management project' do
is_expected.to include(
id: policy_management_project.to_global_id.to_s,
name: policy_management_project.name,
full_path: policy_management_project.full_path,
branch: policy_management_project.default_branch_or_main
)
end
end
context 'when a project does not have a security policy project' do
subject { helper.assigned_policy_project(project) }
it { is_expected.to be_nil }
end
end
context 'for namespace' do
subject { helper.assigned_policy_project(project) }
context 'when a new policy is being created' do
context 'when a namespace does have a security policy project' do
let_it_be(:policy_management_project) { create(:project) }
let_it_be(:security_orchestration_policy_configuration) do
create(
:security_orchestration_policy_configuration, :namespace,
security_policy_management_project: policy_management_project, namespace: namespace
)
end
subject { helper.assigned_policy_project(namespace) }
it 'include information about policy management project' do
is_expected.to include({
id: policy_management_project.to_global_id.to_s,
name: policy_management_project.name,
full_path: policy_management_project.full_path,
branch: policy_management_project.default_branch_or_main
})
end
end
context 'when a namespace does not have a security policy project' do
it { is_expected.to be_nil }
end
end
end
describe '#orchestration_policy_data' do
context 'for project' do
let(:approvers) { %w(approver1 approver2) }
let(:owner) { project.first_owner }
let(:policy) { nil }
let(:policy_type) { nil }
let(:approvers) { nil }
let(:policy_type) { 'scan_execution_policy' }
let(:environment) { nil }
let(:base_data) do
{
assigned_policy_project: nil.to_json,
default_environment_id: -1,
disable_scan_policy_update: 'false',
network_policies_endpoint: kind_of(String),
create_agent_help_path: kind_of(String),
environments_endpoint: kind_of(String),
network_documentation_path: kind_of(String),
policy_editor_empty_state_svg_path: kind_of(String),
project_path: project.full_path,
project_id: project.id,
policies_path: kind_of(String),
environment_id: environment&.id,
policy: policy&.to_json,
policy_type: policy_type,
scan_policy_documentation_path: kind_of(String),
scan_result_approvers: approvers&.to_json
}
end
before do
allow(helper).to receive(:current_user) { owner }
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
end
subject { helper.orchestration_policy_data(project, policy_type, policy, environment, approvers) }
context 'when a new policy is being created' do
let(:policy) { nil }
let(:policy_type) { nil }
let(:approvers) { nil }
it { is_expected.to match(base_data) }
it { is_expected.to match(base_data) }
end
context 'when an existing policy is being edited' do
let_it_be(:environment) { create(:environment, project: project) }
let(:policy) { build(:scan_execution_policy, name: 'Run DAST in every pipeline') }
it { is_expected.to match(base_data.merge(default_environment_id: project.default_environment.id)) }
end
context 'when scan policy update is disabled' do
before do
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
end
it { is_expected.to match(base_data.merge(disable_scan_policy_update: 'true')) }
end
context 'when a project does have a security policy project' do
let_it_be(:policy_management_project) { create(:project) }
let_it_be(:security_orchestration_policy_configuration) do
create(
:security_orchestration_policy_configuration,
security_policy_management_project: policy_management_project, project: project
)
end
it 'include information about policy management project' do
is_expected.to match(base_data.merge(assigned_policy_project: {
id: policy_management_project.to_global_id.to_s,
name: policy_management_project.name,
full_path: policy_management_project.full_path,
branch: policy_management_project.default_branch_or_main
}.to_json))
end
end
end
context 'when an existing policy is being edited' do
context 'for namespace' do
let(:environment) { nil }
let(:approvers) { %w(approver1 approver2) }
let(:owner) { namespace.first_owner }
let(:policy) { nil }
let(:policy_type) { 'scan_execution_policy' }
let(:base_data) do
{
assigned_policy_project: nil.to_json,
disable_scan_policy_update: 'false',
policy: policy&.to_json,
policy_editor_empty_state_svg_path: kind_of(String),
policy_type: policy_type,
policies_path: kind_of(String),
scan_policy_documentation_path: kind_of(String),
namespace_path: namespace.full_path,
namespace_id: namespace.id
}
end
let(:policy) do
build(:scan_execution_policy, name: 'Run DAST in every pipeline')
before do
allow(helper).to receive(:current_user) { owner }
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, namespace) { true }
end
it { is_expected.to match(base_data) }
subject { helper.orchestration_policy_data(namespace, policy_type, policy, environment, approvers) }
context 'when a new policy is being created' do
let(:policy) { nil }
let(:policy_type) { nil }
let(:approvers) { nil }
it { is_expected.to match(base_data) }
end
context 'when an existing policy is being edited' do
let(:policy_type) { 'scan_execution_policy' }
let(:policy) do
build(:scan_execution_policy, name: 'Run DAST in every pipeline')
end
it { is_expected.to match(base_data) }
end
context 'when scan policy update is disabled' do
before do
allow(helper).to receive(:can?)
.with(owner, :update_security_orchestration_policy_project, namespace)
.and_return(false)
end
it { is_expected.to match(base_data.merge(disable_scan_policy_update: 'true')) }
end
context 'when a namespace does have a security policy project' do
let_it_be(:policy_management_project) { create(:project) }
let_it_be(:security_orchestration_policy_configuration) do
create(
:security_orchestration_policy_configuration, :namespace,
security_policy_management_project: policy_management_project, namespace: namespace
)
end
it 'include information about policy management project' do
is_expected.to match(base_data.merge(assigned_policy_project: {
id: policy_management_project.to_global_id.to_s,
name: policy_management_project.name,
full_path: policy_management_project.full_path,
branch: policy_management_project.default_branch_or_main
}.to_json))
end
end
end
end
end
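Review bot: In `describe '#assigned_policy_project'`, the `context 'for namespace'` block sets `subject { helper.assigned_policy_project(project) }`, so the example `'when a namespace does not have a security policy project'` asserts on the project rather than the group, and the namespace nil path is never exercised; change the outer subject to `subject { helper.assigned_policy_project(namespace) }`, after which the inner override in `'when a namespace does have a security policy project'` becomes redundant. The `'for project'` block likewise repeats its subject in the inner contexts, which can be dropped for the same reason.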
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Projects::Security::PoliciesHelper do
let_it_be_with_reload(:project) { create(:project, :repository, :public) }
describe '#assigned_policy_project' do
context 'when a project does have a security policy project' do
let_it_be(:policy_management_project) { create(:project) }
subject { helper.assigned_policy_project(project) }
it {
create(:security_orchestration_policy_configuration,
{ security_policy_management_project: policy_management_project, project: project }
)
is_expected.to include({
id: policy_management_project.to_global_id.to_s,
name: policy_management_project.name,
full_path: policy_management_project.full_path,
branch: policy_management_project.default_branch_or_main
})
}
end
context 'when a project does not have a security policy project' do
subject { helper.assigned_policy_project(project) }
it {
is_expected.to be_nil
}
end
end
describe '#orchestration_policy_data' do
let(:approvers) { %w(approver1 approver2) }
let(:owner) { project.first_owner }
let(:base_data) do
{
assigned_policy_project: "null",
default_environment_id: -1,
disable_scan_policy_update: "false",
network_policies_endpoint: kind_of(String),
create_agent_help_path: kind_of(String),
environments_endpoint: kind_of(String),
network_documentation_path: kind_of(String),
policy_editor_empty_state_svg_path: kind_of(String),
project_path: project.full_path,
project_id: project.id,
policies_path: kind_of(String),
environment_id: environment&.id,
policy: policy&.to_json,
policy_type: policy_type,
scan_policy_documentation_path: kind_of(String),
scan_result_approvers: approvers&.to_json
}
end
before do
allow(helper).to receive(:current_user) { owner }
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
end
subject { helper.orchestration_policy_data(project, policy_type, policy, environment, approvers) }
context 'when a new policy is being created' do
let(:environment) { nil }
let(:policy) { nil }
let(:policy_type) { nil }
let(:approvers) { nil }
it { is_expected.to match(base_data) }
end
context 'when an existing policy is being edited' do
let_it_be(:environment) { create(:environment, project: project) }
let(:policy_type) { 'container_policy' }
let(:policy) do
Gitlab::Kubernetes::CiliumNetworkPolicy.new(
name: 'policy',
namespace: 'another',
selector: { matchLabels: { role: 'db' } },
ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
)
end
it { is_expected.to match(base_data.merge(default_environment_id: project.default_environment.id)) }
end
end
end
......@@ -20,24 +20,6 @@ RSpec.describe ProjectsHelper do
end
end
describe '#can_update_security_orchestration_policy_project?' do
let(:owner) { project.first_owner }
before do
allow(helper).to receive(:current_user) { owner }
end
it 'returns false when user cannot update security orchestration policy project' do
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
expect(helper.can_update_security_orchestration_policy_project?(project)).to eq false
end
it 'returns true when user can update security orchestration policy project' do
allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
expect(helper.can_update_security_orchestration_policy_project?(project)).to eq true
end
end
describe '#can_admin_project_member?' do
let_it_be(:user) { create(:user) }
let_it_be(:group) { create(:group) }
......