Merge branch 'network-policy-editor-edit-route' into 'master'

Threat monitoring edit action

See merge request gitlab-org/gitlab!41040

ee/app/controllers/projects/threat_monitoring_controller.rb

@@ -3,11 +3,27 @@
 module Projects
   class ThreatMonitoringController < Projects::ApplicationController
     before_action :authorize_read_threat_monitoring!
-    before_action :verify_network_policy_editor_flag!, only: :new
+    before_action :verify_network_policy_editor_flag!, only: [:new, :edit]
     before_action do
       push_frontend_feature_flag(:network_policy_editor, project)
     end
 
+    def edit
+      environment = project.environments.find(params[:environment_id])
+      @policy_name = params[:id]
+      response = NetworkPolicies::FindResourceService.new(
+        resource_name: @policy_name,
+        environment: environment,
+        kind: Gitlab::Kubernetes::CiliumNetworkPolicy::KIND
+      ).execute
+
+      if response.success?
+        @policy = response.payload
+      else
+        render_404
+      end
+    end
+
     private
 
     def verify_network_policy_editor_flag!

ee/app/services/network_policies/find_resource_service.rb

+# frozen_string_literal: true
+
+module NetworkPolicies
+  class FindResourceService
+    include NetworkPolicies::Responses
+
+    def initialize(resource_name:, environment:, kind: Gitlab::Kubernetes::NetworkPolicy::KIND)
+      @resource_name = resource_name
+      @platform = environment.deployment_platform
+      @kubernetes_namespace = environment.deployment_namespace
+      @kind = kind
+    end
+
+    def execute
+      return no_platform_response unless @platform
+
+      ServiceResponse.success(payload: get_policy)
+    rescue Kubeclient::HttpError => e
+      kubernetes_error_response(e)
+    end
+
+    private
+
+    def get_policy
+      client = @platform.kubeclient
+      if @kind == Gitlab::Kubernetes::CiliumNetworkPolicy::KIND
+        resource = client.get_cilium_network_policy(@resource_name, @kubernetes_namespace)
+        Gitlab::Kubernetes::CiliumNetworkPolicy.from_resource(resource)
+      else
+        resource = client.get_network_policy(@resource_name, @kubernetes_namespace)
+        Gitlab::Kubernetes::NetworkPolicy.from_resource(resource)
+      end
+    end
+  end
+end

ee/app/views/projects/threat_monitoring/edit.html.haml

+- add_to_breadcrumbs s_("ThreatMonitoring|Threat Monitoring"), project_threat_monitoring_path(@project)
+- breadcrumb_title @policy_name
+- page_title s_("NetworkPolicies|Policy editor")
+
+#js-policy-builder-app{ data: { network_policies_endpoint: project_security_network_policies_path(@project),
+  environments_endpoint: project_environments_path(@project),
+  threat_monitoring_path: project_threat_monitoring_path(@project),
+  policy: @policy.to_json,
+} }

ee/config/routes/project.rb

@@ -34,7 +34,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         resources :subscriptions, only: [:create, :destroy]
 
         resource :threat_monitoring, only: [:show], controller: :threat_monitoring do
-          resources :policies, only: [:new], controller: :threat_monitoring
+          resources :policies, only: [:new, :edit], controller: :threat_monitoring
         end
 
         resources :protected_environments, only: [:create, :update, :destroy], constraints: { id: /\d+/ } do

ee/spec/controllers/projects/threat_monitoring_controller_spec.rb

@@ -100,7 +100,7 @@ RSpec.describe Projects::ThreatMonitoringController do
             stub_feature_flags(network_policy_editor: true)
           end
 
-          it 'renders the show template' do
+          it 'renders the new template' do
             subject
 
             expect(response).to have_gitlab_http_status(:ok)
@@ -149,4 +149,125 @@ RSpec.describe Projects::ThreatMonitoringController do
       end
     end
   end
+
+  describe 'GET edit' do
+    subject do
+      get :edit, params: { namespace_id: project.namespace, project_id: project, id: 'policy', environment_id: environment_id }
+    end
+
+    let_it_be(:environment) { create(:environment, :with_review_app, project: project) }
+    let(:environment_id) { environment.id }
+
+    context 'with authorized user' do
+      before do
+        project.add_developer(user)
+        sign_in(user)
+      end
+
+      context 'when feature is available' do
+        before do
+          stub_licensed_features(threat_monitoring: true)
+        end
+
+        context 'and feature flag is disabled' do
+          before do
+            stub_feature_flags(network_policy_editor: false)
+          end
+
+          it 'returns 404' do
+            subject
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+
+        context 'and feature flag is enabled' do
+          let(:service) { instance_double('NetworkPolicies::FindResourceService', execute: ServiceResponse.success(payload: policy)) }
+          let(:policy) do
+            Gitlab::Kubernetes::CiliumNetworkPolicy.new(
+              name: 'policy',
+              namespace: 'another',
+              selector: { matchLabels: { role: 'db' } },
+              ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
+            )
+          end
+
+          before do
+            stub_feature_flags(network_policy_editor: true)
+            allow(NetworkPolicies::FindResourceService).to(
+              receive(:new)
+                .with(resource_name: 'policy', environment: environment, kind: Gitlab::Kubernetes::CiliumNetworkPolicy::KIND)
+                .and_return(service)
+            )
+          end
+
+          it 'renders the new template' do
+            subject
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response).to render_template(:edit)
+          end
+
+          context 'when environment is missing' do
+            let(:environment_id) { 'missing' }
+
+            it 'returns 404' do
+              subject
+
+              expect(response).to have_gitlab_http_status(:not_found)
+            end
+          end
+
+          context 'when service failed' do
+            let(:service) { instance_double('NetworkPolicies::FindResourceService', execute: ServiceResponse.error(message: 'error')) }
+
+            it 'returns 404' do
+              subject
+
+              expect(response).to have_gitlab_http_status(:not_found)
+            end
+          end
+        end
+      end
+
+      context 'when feature is not available' do
+        before do
+          stub_licensed_features(threat_monitoring: false)
+        end
+
+        it 'returns 404' do
+          subject
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+
+    context 'with unauthorized user' do
+      before do
+        sign_in(user)
+      end
+
+      context 'when feature is available' do
+        before do
+          stub_licensed_features(threat_monitoring: true)
+        end
+
+        it 'returns 404' do
+          subject
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+
+    context 'with anonymous user' do
+      it 'returns 302' do
+        subject
+
+        expect(response).to have_gitlab_http_status(:found)
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
+  end
 end

ee/spec/services/network_policies/find_resource_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe NetworkPolicies::FindResourceService do
+  let(:service) { described_class.new(resource_name: 'policy', environment: environment, kind: kind) }
+  let(:environment) { instance_double('Environment', deployment_platform: platform, deployment_namespace: 'namespace') }
+  let(:platform) { instance_double('Clusters::Platforms::Kubernetes', kubeclient: kubeclient) }
+  let(:kubeclient) { double('Kubeclient::Client') }
+  let(:policy) do
+    Gitlab::Kubernetes::NetworkPolicy.new(
+      name: 'policy',
+      namespace: 'another',
+      selector: { matchLabels: { role: 'db' } },
+      ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
+    )
+  end
+
+  let(:kind) { Gitlab::Kubernetes::NetworkPolicy::KIND }
+
+  describe '#execute' do
+    subject { service.execute }
+
+    it 'returns success response with a requested policy' do
+      expect(kubeclient).to(
+        receive(:get_network_policy)
+          .with('policy', environment.deployment_namespace) { policy.generate }
+      )
+      expect(subject).to be_success
+      expect(subject.payload.as_json).to eq(policy.as_json)
+    end
+
+    context 'with CiliumNetworkPolicy kind' do
+      let(:kind) { Gitlab::Kubernetes::CiliumNetworkPolicy::KIND }
+      let(:policy) do
+        Gitlab::Kubernetes::CiliumNetworkPolicy.new(
+          name: 'policy',
+          namespace: 'another',
+          selector: { matchLabels: { role: 'db' } },
+          ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
+        )
+      end
+
+      it 'returns success response with a requested policy' do
+        expect(kubeclient).to(
+          receive(:get_cilium_network_policy)
+            .with('policy', environment.deployment_namespace) { policy.generate }
+        )
+        expect(subject).to be_success
+        expect(subject.payload.as_json).to eq(policy.as_json)
+      end
+    end
+
+    context 'without deployment_platform' do
+      let(:platform) { nil }
+
+      it 'returns error response' do
+        expect(subject).to be_error
+        expect(subject.http_status).to eq(:bad_request)
+        expect(subject.message).not_to be_nil
+      end
+    end
+
+    context 'with Kubeclient::HttpError' do
+      before do
+        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+      end
+
+      it 'returns error response' do
+        expect(subject).to be_error
+        expect(subject.http_status).to eq(:bad_request)
+        expect(subject.message).not_to be_nil
+      end
+    end
+  end
+end

lib/gitlab/kubernetes/cilium_network_policy.rb

@@ -9,7 +9,7 @@ module Gitlab
       API_VERSION = "cilium.io/v2"
       KIND = 'CiliumNetworkPolicy'
 
-      def initialize(name:, namespace:, selector:, ingress:, resource_version:, labels: nil, creation_timestamp: nil, egress: nil)
+      def initialize(name:, namespace:, selector:, ingress:, resource_version: nil, labels: nil, creation_timestamp: nil, egress: nil)
         @name = name
         @namespace = namespace
         @labels = labels

lib/gitlab/kubernetes/kube_client.rb

@@ -92,6 +92,7 @@ module Gitlab
       # group client
       delegate :create_network_policy,
         :get_network_policies,
+        :get_network_policy,
         :update_network_policy,
         :delete_network_policy,
         to: :networking_client
@@ -100,6 +101,7 @@ module Gitlab
       # group client
       delegate :create_cilium_network_policy,
         :get_cilium_network_policies,
+        :get_cilium_network_policy,
         :update_cilium_network_policy,
         :delete_cilium_network_policy,
         to: :cilium_networking_client

spec/lib/gitlab/kubernetes/kube_client_spec.rb

@@ -376,6 +376,7 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
     [
       :create_network_policy,
       :get_network_policies,
+      :get_network_policy,
       :update_network_policy,
       :delete_network_policy
     ].each do |method|
@@ -400,6 +401,7 @@ RSpec.describe Gitlab::Kubernetes::KubeClient do
     [
       :create_cilium_network_policy,
       :get_cilium_network_policies,
+      :get_cilium_network_policy,
       :update_cilium_network_policy,
       :delete_cilium_network_policy
     ].each do |method|