Merge branch 'philipcunningham-rename-read-permission-301137' into 'master'

Rename DAST on-demand read policy for consistency See merge request gitlab-org/gitlab!69813

Merge branch 'philipcunningham-rename-read-permission-301137' into 'master'
Rename DAST on-demand read policy for consistency See merge request gitlab-org/gitlab!69813
342186c7 · Etienne Baqué · 8ff5f6af · d7413f28 · 342186c7 · 342186c7
Commit 342186c7 authored Sep 10, 2021 by Etienne Baqué
23 changed files
--- a/ee/app/controllers/projects/on_demand_scans_controller.rb
+++ b/ee/app/controllers/projects/on_demand_scans_controller.rb
@@ -5,7 +5,7 @@ module Projects
    include SecurityAndCompliancePermissions
    include API::Helpers::GraphqlHelpers

-    before_action :authorize_read_on_demand_scans!, only: :index
+    before_action :authorize_read_on_demand_dast_scan!, only: :index
    before_action :authorize_create_on_demand_dast_scan!, only: [:new, :edit]

    before_action do

--- a/ee/app/controllers/projects/security/dast_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_profiles_controller.rb
@@ -6,7 +6,7 @@ module Projects
      include SecurityAndCompliancePermissions

      before_action do
-        authorize_read_on_demand_scans!
+        authorize_read_on_demand_dast_scan!
        push_frontend_feature_flag(:dast_failed_site_validations, @project, default_enabled: :yaml)
      end


--- a/ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
@@ -5,7 +5,7 @@ module Projects
    class DastScannerProfilesController < Projects::ApplicationController
      include SecurityAndCompliancePermissions

-      before_action :authorize_read_on_demand_scans!
+      before_action :authorize_read_on_demand_dast_scan!

      feature_category :dynamic_application_security_testing


--- a/ee/app/controllers/projects/security/dast_site_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_site_profiles_controller.rb
@@ -7,7 +7,7 @@ module Projects
      include API::Helpers::GraphqlHelpers

      before_action do
-        authorize_read_on_demand_scans!
+        authorize_read_on_demand_dast_scan!
      end

      feature_category :dynamic_application_security_testing

--- a/ee/app/graphql/types/dast/profile_branch_type.rb
+++ b/ee/app/graphql/types/dast/profile_branch_type.rb
@@ -6,7 +6,7 @@ module Types
      graphql_name 'DastProfileBranch'
      description 'Represents a DAST Profile Branch'

-      authorize :read_on_demand_scans
+      authorize :read_on_demand_dast_scan

      field :name, GraphQL::Types::String, null: true,
            description: 'Name of the branch.',

--- a/ee/app/graphql/types/dast/profile_schedule_type.rb
+++ b/ee/app/graphql/types/dast/profile_schedule_type.rb
@@ -6,7 +6,7 @@ module Types
      graphql_name 'DastProfileSchedule'
      description 'Represents a DAST profile schedule.'

-      authorize :read_on_demand_scans
+      authorize :read_on_demand_dast_scan

      field :id, ::Types::GlobalIDType[::Dast::ProfileSchedule], null: false,
            description: 'ID of the DAST profile schedule.'

--- a/ee/app/graphql/types/dast/profile_type.rb
+++ b/ee/app/graphql/types/dast/profile_type.rb
@@ -6,7 +6,7 @@ module Types
      graphql_name 'DastProfile'
      description 'Represents a DAST Profile'

-      authorize :read_on_demand_scans
+      authorize :read_on_demand_dast_scan

      field :id, ::Types::GlobalIDType[::Dast::Profile], null: false,
            description: 'ID of the profile.'

--- a/ee/app/graphql/types/dast/site_profile_auth_type.rb
+++ b/ee/app/graphql/types/dast/site_profile_auth_type.rb
@@ -8,7 +8,7 @@ module Types

      present_using ::Dast::SiteProfilePresenter

-      authorize :read_on_demand_scans
+      authorize :read_on_demand_dast_scan

      field :enabled, GraphQL::Types::Boolean,
            null: true,

--- a/ee/app/graphql/types/dast_scanner_profile_type.rb
+++ b/ee/app/graphql/types/dast_scanner_profile_type.rb
@@ -5,7 +5,7 @@ module Types
    graphql_name 'DastScannerProfile'
    description 'Represents a DAST scanner profile'

-    authorize :read_on_demand_scans
+    authorize :read_on_demand_dast_scan

    field :id, ::Types::GlobalIDType[::DastScannerProfile], null: false,
          description: 'ID of the DAST scanner profile.'

--- a/ee/app/graphql/types/dast_site_profile_type.rb
+++ b/ee/app/graphql/types/dast_site_profile_type.rb
@@ -9,7 +9,7 @@ module Types

    present_using ::Dast::SiteProfilePresenter

-    authorize :read_on_demand_scans
+    authorize :read_on_demand_dast_scan

    expose_permissions Types::PermissionTypes::DastSiteProfile


--- a/ee/app/graphql/types/dast_site_validation_type.rb
+++ b/ee/app/graphql/types/dast_site_validation_type.rb
@@ -5,7 +5,7 @@ module Types
    graphql_name 'DastSiteValidation'
    description 'Represents a DAST Site Validation'

-    authorize :read_on_demand_scans
+    authorize :read_on_demand_dast_scan

    field :id, ::Types::GlobalIDType[::DastSiteValidation], null: false,
          description: 'Global ID of the site validation.'

--- a/ee/app/models/dast_site_profile.rb
+++ b/ee/app/models/dast_site_profile.rb
@@ -62,7 +62,7 @@ class DastSiteProfile < ApplicationRecord
  def secret_ci_variables(user)
    collection = ::Gitlab::Ci::Variables::Collection.new

-    return collection unless Ability.allowed?(user, :read_on_demand_scans, self)
+    return collection unless Ability.allowed?(user, :read_on_demand_dast_scan, self)

    collection.concat(secret_variables)
  end

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -209,7 +209,7 @@ module EE
      end

      rule { on_demand_scans_enabled & can?(:developer_access) }.policy do
-        enable :read_on_demand_scans
+        enable :read_on_demand_dast_scan
        enable :create_on_demand_dast_scan
      end


--- a/ee/app/services/app_sec/dast/profiles/build_config_service.rb
+++ b/ee/app/services/app_sec/dast/profiles/build_config_service.rb
@@ -41,7 +41,7 @@ module AppSec

          profile = yield(name).execute.first

-          unless can?(current_user, :read_on_demand_scans, profile)
+          unless can?(current_user, :read_on_demand_dast_scan, profile)
            errors.push("DAST profile not found: #{name}")
            return
          end

--- a/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
+++ b/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
@@ -87,7 +87,7 @@ module EE
          end

          def on_demand_scans_menu_item
-            unless can?(context.current_user, :read_on_demand_scans, context.project)
+            unless can?(context.current_user, :read_on_demand_dast_scan, context.project)
              return ::Sidebars::NilMenuItem.new(item_id: :on_demand_scans)
            end


--- a/ee/spec/graphql/types/dast/profile_branch_type_spec.rb
+++ b/ee/spec/graphql/types/dast/profile_branch_type_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe GitlabSchema.types['DastProfileBranch'] do
  include GraphqlHelpers

  specify { expect(described_class.graphql_name).to eq('DastProfileBranch') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_scans) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_dast_scan) }

  it { expect(described_class).to have_graphql_field(:name, calls_gitaly?: true) }
  it { expect(described_class).to have_graphql_field(:exists, calls_gitaly?: true) }

--- a/ee/spec/graphql/types/dast/profile_type_spec.rb
+++ b/ee/spec/graphql/types/dast/profile_type_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe GitlabSchema.types['DastProfile'] do
  let_it_be(:fields) { %i[id name description dastSiteProfile dastScannerProfile dastProfileSchedule branch editPath] }

  specify { expect(described_class.graphql_name).to eq('DastProfile') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_scans) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_dast_scan) }

  before do
    stub_licensed_features(security_on_demand_scans: true)

--- a/ee/spec/graphql/types/dast/site_profile_auth_type_spec.rb
+++ b/ee/spec/graphql/types/dast/site_profile_auth_type_spec.rb
@@ -15,7 +15,7 @@ RSpec.describe GitlabSchema.types['DastSiteProfileAuth'] do
  end

  specify { expect(described_class.graphql_name).to eq('DastSiteProfileAuth') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_scans) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_dast_scan) }

  it { expect(described_class).to have_graphql_fields(fields) }


--- a/ee/spec/graphql/types/dast_scanner_profile_type_spec.rb
+++ b/ee/spec/graphql/types/dast_scanner_profile_type_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
  end

  specify { expect(described_class.graphql_name).to eq('DastScannerProfile') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_scans) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_dast_scan) }

  it { expect(described_class).to have_graphql_fields(fields) }


--- a/ee/spec/graphql/types/dast_site_profile_type_spec.rb
+++ b/ee/spec/graphql/types/dast_site_profile_type_spec.rb
@@ -16,7 +16,7 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
  end

  specify { expect(described_class.graphql_name).to eq('DastSiteProfile') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_scans) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_dast_scan) }
  specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::DastSiteProfile) }

  it { expect(described_class).to have_graphql_fields(fields) }

--- a/ee/spec/graphql/types/dast_site_validation_type_spec.rb
+++ b/ee/spec/graphql/types/dast_site_validation_type_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe GitlabSchema.types['DastSiteValidation'] do
  end

  specify { expect(described_class.graphql_name).to eq('DastSiteValidation') }
-  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_scans) }
+  specify { expect(described_class).to require_graphql_authorizations(:read_on_demand_dast_scan) }

  it { expect(described_class).to have_graphql_fields(fields) }


--- a/ee/spec/models/dast_site_profile_spec.rb
+++ b/ee/spec/models/dast_site_profile_spec.rb
@@ -278,11 +278,11 @@ RSpec.describe DastSiteProfile, type: :model do
        end

        it 'works with policy' do
-          expect(Ability.allowed?(user, :read_on_demand_scans, subject)).to be_truthy
+          expect(Ability.allowed?(user, :read_on_demand_dast_scan, subject)).to be_truthy
        end

        it 'checks the policy' do
-          expect(Ability).to receive(:allowed?).with(user, :read_on_demand_scans, subject).and_call_original
+          expect(Ability).to receive(:allowed?).with(user, :read_on_demand_dast_scan, subject).and_call_original

          subject.secret_ci_variables(user)
        end

--- a/ee/spec/support/shared_examples/policies/dast_on_demand_scans_shared_examples.rb
+++ b/ee/spec/support/shared_examples/policies/dast_on_demand_scans_shared_examples.rb
@@ -12,7 +12,7 @@ RSpec.shared_examples 'a dast on-demand scan policy' do
  end

  describe 'dast on-demand policies' do
-    let(:policies) { [:create_on_demand_dast_scan, :read_on_demand_scans] }
+    let(:policies) { [:create_on_demand_dast_scan, :read_on_demand_dast_scan] }

    context 'when a user does not have access to the project' do
      it { is_expected.to be_disallowed(*policies) }