Use SecurityOrchestrationHelper for both projects and namespaces

21cf7aa6 · Alan (Maciej) Paruszewski · Stan Hu · 50765963 · 21cf7aa6 · 21cf7aa6
Commit 21cf7aa6 authored Apr 19, 2022 by Alan (Maciej) Paruszewski Committed by Stan Hu Apr 19, 2022
7 changed files
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -218,10 +218,6 @@ module EE
      project.licensed_feature_available?(:sast_fp_reduction).to_s
    end

-    def can_update_security_orchestration_policy_project?(project)
-      can?(current_user, :update_security_orchestration_policy_project, project)
-    end
-
    def can_create_feedback?(project, feedback_type)
      feedback = Vulnerabilities::Feedback.new(project: project, feedback_type: feedback_type)
      can?(current_user, :create_vulnerability_feedback, feedback)

--- a/ee/app/helpers/ee/security_orchestration_helper.rb
+++ b/ee/app/helpers/ee/security_orchestration_helper.rb
 # frozen_string_literal: true

-module EE
-  module SecurityOrchestrationHelper
-    def security_orchestration_policy_data(
-      namespace,
-      policy_type = nil,
-      policy = nil,
-      approvers = nil
-    )
-      return unless namespace
-
-      {
-        assigned_policy_project: nil.to_json,
-        disable_scan_policy_update: false.to_s,
+module EE::SecurityOrchestrationHelper
+  def can_update_security_orchestration_policy_project?(container)
+    can?(current_user, :update_security_orchestration_policy_project, container)
+  end
+
+  def assigned_policy_project(container)
+    return unless container&.security_orchestration_policy_configuration
+
+    orchestration_policy_configuration = container.security_orchestration_policy_configuration
+    security_policy_management_project = orchestration_policy_configuration.security_policy_management_project
+
+    {
+      id: security_policy_management_project.to_global_id.to_s,
+      name: security_policy_management_project.name,
+      full_path: security_policy_management_project.full_path,
+      branch: security_policy_management_project.default_branch_or_main
+    }
+  end
+
+  def orchestration_policy_data(container, policy_type = nil, policy = nil, environment = nil, approvers = nil)
+    return unless container
+
+    disable_scan_policy_update = !can_update_security_orchestration_policy_project?(container)
+
+    policy_data = {
+      assigned_policy_project: assigned_policy_project(container).to_json,
+      disable_scan_policy_update: disable_scan_policy_update.to_s,
+      policy: policy&.to_json,
+      policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
+      policy_type: policy_type,
+      policies_path: security_policies_path(container),
+      scan_policy_documentation_path: help_page_path('user/application_security/policies/index')
+    }
+
+    if container.is_a?(::Project)
+      policy_data.merge(
+        project_path: container.full_path,
+        project_id: container.id,
+        default_environment_id: container.default_environment&.id || -1,
+        network_policies_endpoint: project_security_network_policies_path(container),
        create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
-        policy: policy&.to_json,
-        policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
-        policy_type: policy_type,
-        policies_path: nil,
-        scan_policy_documentation_path: help_page_path('user/application_security/policies/index'),
+        network_documentation_path: help_page_path('user/application_security/policies/index'),
+        environments_endpoint: project_environments_path(container),
+        environment_id: environment&.id,
        scan_result_approvers: approvers&.to_json
-      }
+      )
+    else
+      policy_data.merge(
+        namespace_path: container.full_path,
+        namespace_id: container.id
+      )
    end
  end
+
+  def security_policies_path(container)
+    container.is_a?(::Project) ? project_security_policies_path(container) : group_security_policies_path(container)
+  end
 end
--- a/ee/app/helpers/projects/security/policies_helper.rb
+++ b/ee/app/helpers/projects/security/policies_helper.rb
-# frozen_string_literal: true
-
-module Projects::Security::PoliciesHelper
-  def assigned_policy_project(project)
-    return unless project&.security_orchestration_policy_configuration
-
-    orchestration_policy_configuration = project.security_orchestration_policy_configuration
-    security_policy_management_project = orchestration_policy_configuration.security_policy_management_project
-
-    {
-      id: security_policy_management_project.to_global_id.to_s,
-      name: security_policy_management_project.name,
-      full_path: security_policy_management_project.full_path,
-      branch: security_policy_management_project.default_branch_or_main
-    }
-  end
-
-  def orchestration_policy_data(project, policy_type = nil, policy = nil, environment = nil, approvers = nil)
-    return unless project
-
-    disable_scan_policy_update = !can_update_security_orchestration_policy_project?(project)
-
-    {
-      assigned_policy_project: assigned_policy_project(project).to_json,
-      default_environment_id: project.default_environment&.id || -1,
-      disable_scan_policy_update: disable_scan_policy_update.to_s,
-      network_policies_endpoint: project_security_network_policies_path(project),
-      create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
-      environments_endpoint: project_environments_path(project),
-      environment_id: environment&.id,
-      network_documentation_path: help_page_path('user/application_security/policies/index', anchor: 'container-network-policy'),
-      policy: policy&.to_json,
-      policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
-      policy_type: policy_type,
-      project_path: project.full_path,
-      project_id: project.id,
-      policies_path: project_security_policies_path(project),
-      scan_policy_documentation_path: help_page_path('user/application_security/policies/index'),
-      scan_result_approvers: approvers&.to_json
-    }
-  end
-end
--- a/ee/app/views/groups/security/policies/new.html.haml
+++ b/ee/app/views/groups/security/policies/new.html.haml
@@ -2,4 +2,4 @@
 - breadcrumb_title s_("SecurityOrchestration|New policy")
 - page_title s_("SecurityOrchestration|Policy editor")

-#js-group-policy-builder-app{ data: security_orchestration_policy_data(@group) }
+#js-group-policy-builder-app{ data: orchestration_policy_data(@group) }
--- a/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
+++ b/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
--- a/ee/spec/helpers/projects/security/policies_helper_spec.rb
+++ b/ee/spec/helpers/projects/security/policies_helper_spec.rb
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Projects::Security::PoliciesHelper do
-  let_it_be_with_reload(:project) { create(:project, :repository, :public) }
-
-  describe '#assigned_policy_project' do
-    context 'when a project does have a security policy project' do
-      let_it_be(:policy_management_project) { create(:project) }
-
-      subject { helper.assigned_policy_project(project) }
-
-      it {
-        create(:security_orchestration_policy_configuration,
-          { security_policy_management_project: policy_management_project, project: project }
-        )
-
-        is_expected.to include({
-          id: policy_management_project.to_global_id.to_s,
-          name: policy_management_project.name,
-          full_path: policy_management_project.full_path,
-          branch: policy_management_project.default_branch_or_main
-        })
-      }
-    end
-
-    context 'when a project does not have a security policy project' do
-      subject { helper.assigned_policy_project(project) }
-
-      it {
-        is_expected.to be_nil
-      }
-    end
-  end
-
-  describe '#orchestration_policy_data' do
-    let(:approvers) { %w(approver1 approver2) }
-    let(:owner) { project.first_owner }
-    let(:base_data) do
-      {
-        assigned_policy_project: "null",
-        default_environment_id: -1,
-        disable_scan_policy_update: "false",
-        network_policies_endpoint: kind_of(String),
-        create_agent_help_path: kind_of(String),
-        environments_endpoint: kind_of(String),
-        network_documentation_path: kind_of(String),
-        policy_editor_empty_state_svg_path: kind_of(String),
-        project_path: project.full_path,
-        project_id: project.id,
-        policies_path: kind_of(String),
-        environment_id: environment&.id,
-        policy: policy&.to_json,
-        policy_type: policy_type,
-        scan_policy_documentation_path: kind_of(String),
-        scan_result_approvers: approvers&.to_json
-      }
-    end
-
-    before do
-      allow(helper).to receive(:current_user) { owner }
-      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
-    end
-
-    subject { helper.orchestration_policy_data(project, policy_type, policy, environment, approvers) }
-
-    context 'when a new policy is being created' do
-      let(:environment) { nil }
-      let(:policy) { nil }
-      let(:policy_type) { nil }
-      let(:approvers) { nil }
-
-      it { is_expected.to match(base_data) }
-    end
-
-    context 'when an existing policy is being edited' do
-      let_it_be(:environment) { create(:environment, project: project) }
-
-      let(:policy_type) { 'container_policy' }
-
-      let(:policy) do
-        Gitlab::Kubernetes::CiliumNetworkPolicy.new(
-          name: 'policy',
-          namespace: 'another',
-          selector: { matchLabels: { role: 'db' } },
-          ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
-        )
-      end
-
-      it { is_expected.to match(base_data.merge(default_environment_id: project.default_environment.id)) }
-    end
-  end
-end
--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
@@ -20,24 +20,6 @@ RSpec.describe ProjectsHelper do
    end
  end

-  describe '#can_update_security_orchestration_policy_project?' do
-    let(:owner) { project.first_owner }
-
-    before do
-      allow(helper).to receive(:current_user) { owner }
-    end
-
-    it 'returns false when user cannot update security orchestration policy project' do
-      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
-      expect(helper.can_update_security_orchestration_policy_project?(project)).to eq false
-    end
-
-    it 'returns true when user can update security orchestration policy project' do
-      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
-      expect(helper.can_update_security_orchestration_policy_project?(project)).to eq true
-    end
-  end
-
  describe '#can_admin_project_member?' do
    let_it_be(:user) { create(:user) }
    let_it_be(:group) { create(:group) }