Merge branch 'issue#227542-rename-read_vulnerability-policy' into 'master'

Rename read_vulnerability to read_security_resource policy See merge request gitlab-org/gitlab!58704

Merge branch 'issue#227542-rename-read_vulnerability-policy' into 'master'
Rename read_vulnerability to read_security_resource policy See merge request gitlab-org/gitlab!58704
3b5cff44 · Vitali Tatarintev · 7f30efce · ee4fe811 · 3b5cff44 · 3b5cff44
Commit 3b5cff44 authored Jun 03, 2021 by Vitali Tatarintev
29 changed files
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -276,6 +276,10 @@ class Note < ApplicationRecord
    noteable_type == 'AlertManagement::Alert'
  end

+  def for_vulnerability?
+    noteable_type == "Vulnerability"
+  end
+
  def for_project_snippet?
    noteable.is_a?(ProjectSnippet)
  end
@@ -411,6 +415,8 @@ class Note < ApplicationRecord
      'snippet'
    elsif for_alert_mangement_alert?
      'alert_management_alert'
+    elsif for_vulnerability?
+      'security_resource'
    else
      noteable_type.demodulize.underscore
    end

--- a/ee/app/controllers/ee/projects/issues_controller.rb
+++ b/ee/app/controllers/ee/projects/issues_controller.rb
@@ -117,7 +117,7 @@ module EE
      end

      def populate_vulnerability_id
-        self.vulnerability_id = params[:vulnerability_id] if can?(current_user, :read_vulnerability, project)
+        self.vulnerability_id = params[:vulnerability_id] if can?(current_user, :read_security_resource, project)
      end

      def redirect_if_test_case

--- a/ee/app/controllers/projects/dependencies_controller.rb
+++ b/ee/app/controllers/projects/dependencies_controller.rb
@@ -26,7 +26,7 @@ module Projects
    def can_access_vulnerable?
      return true unless query_params[:filter] == 'vulnerable'

-      can?(current_user, :read_vulnerability, project)
+      can?(current_user, :read_security_resource, project)
    end

    def can_collect_dependencies?

--- a/ee/app/controllers/projects/security/scanned_resources_controller.rb
+++ b/ee/app/controllers/projects/security/scanned_resources_controller.rb
@@ -51,7 +51,7 @@ module Projects
      end

      def authorize_read_vulnerability!
-        return if can?(current_user, :read_vulnerability, project)
+        return if can?(current_user, :read_security_resource, project)

        render_404
      end

--- a/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
@@ -28,7 +28,7 @@ module Projects
        def vulnerability
          @vulnerability ||= @project.vulnerabilities.find(params[:vulnerability_id])

-          return render_404 unless can?(current_user, :read_vulnerability, @vulnerability)
+          return render_404 unless can?(current_user, :read_security_resource, @vulnerability)

          @vulnerability
        end

--- a/ee/app/graphql/ee/types/project_type.rb
+++ b/ee/app/graphql/ee/types/project_type.rb
@@ -172,7 +172,7 @@ module EE
      end

      def api_fuzzing_ci_configuration
-        return unless Ability.allowed?(current_user, :read_vulnerability, object)
+        return unless Ability.allowed?(current_user, :read_security_resource, object)

        configuration = ::AppSec::Fuzzing::Api::CiConfiguration.new(project: object)


--- a/ee/app/graphql/mutations/instance_security_dashboard/add_project.rb
+++ b/ee/app/graphql/mutations/instance_security_dashboard/add_project.rb
@@ -37,7 +37,7 @@ module Mutations

      def add_project(project)
        Dashboard::Projects::CreateService
-          .new(current_user, current_user.security_dashboard_projects, ability: :read_vulnerability)
+          .new(current_user, current_user.security_dashboard_projects, ability: :read_security_resource)
          .execute([project.id])
      end


--- a/ee/app/graphql/resolvers/vulnerability_severities_count_resolver.rb
+++ b/ee/app/graphql/resolvers/vulnerability_severities_count_resolver.rb
@@ -6,7 +6,7 @@ module Resolvers
    include Gitlab::Graphql::Authorize::AuthorizeResource

    type Types::VulnerabilitySeveritiesCountType, null: true
-    authorize :read_vulnerability
+    authorize :read_security_resource
    authorizes_object!

    argument :project_id, [GraphQL::ID_TYPE],

--- a/ee/app/graphql/types/vulnerability/external_issue_link_type.rb
+++ b/ee/app/graphql/types/vulnerability/external_issue_link_type.rb
@@ -6,7 +6,7 @@ module Types
      graphql_name 'VulnerabilityExternalIssueLink'
      description 'Represents an external issue link of a vulnerability'

-      authorize :read_vulnerability
+      authorize :read_security_resource

      field :id, GlobalIDType[::Vulnerabilities::ExternalIssueLink], null: false,
            description: 'GraphQL ID of the external issue link.'

--- a/ee/app/graphql/types/vulnerability_type.rb
+++ b/ee/app/graphql/types/vulnerability_type.rb
@@ -7,7 +7,7 @@ module Types

    implements(Types::Notes::NoteableType)

-    authorize :read_vulnerability
+    authorize :read_security_resource

    expose_permissions Types::PermissionTypes::Vulnerability


--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -282,7 +282,7 @@ module EE

      rule { can?(:read_group_security_dashboard) }.policy do
        enable :create_vulnerability_export
-        enable :read_vulnerability
+        enable :read_security_resource
      end

      rule { admin | owner }.policy do

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -196,7 +196,7 @@ module EE
      end

      rule { security_dashboard_enabled & can?(:developer_access) }.policy do
-        enable :read_vulnerability
+        enable :read_security_resource
        enable :read_vulnerability_scanner
      end

@@ -211,7 +211,7 @@ module EE

      rule { can?(:read_merge_request) & can?(:read_pipeline) }.enable :read_merge_train

-      rule { can?(:read_vulnerability) }.policy do
+      rule { can?(:read_security_resource) }.policy do
        enable :read_project_security_dashboard
        enable :create_vulnerability
        enable :create_vulnerability_export
@@ -271,7 +271,7 @@ module EE
      end

      rule { auditor & security_dashboard_enabled }.policy do
-        enable :read_vulnerability
+        enable :read_security_resource
        enable :read_vulnerability_scanner
      end


--- a/ee/app/policies/instance_security_dashboard_policy.rb
+++ b/ee/app/policies/instance_security_dashboard_policy.rb
@@ -8,7 +8,7 @@ class InstanceSecurityDashboardPolicy < BasePolicy

  rule { ~anonymous }.policy do
    enable :read_instance_security_dashboard
-    enable :read_vulnerability
+    enable :read_security_resource
  end

  rule { security_dashboard_enabled & can?(:read_instance_security_dashboard) }.enable :create_vulnerability_export

--- a/ee/app/policies/security/scan_policy.rb
+++ b/ee/app/policies/security/scan_policy.rb
@@ -4,7 +4,7 @@ module Security
  class ScanPolicy < BasePolicy
    delegate { @subject.project }

-    rule { can?(:read_vulnerability) }.policy do
+    rule { can?(:read_security_resource) }.policy do
      enable :read_scan
    end
  end

--- a/ee/app/presenters/ee/ci/pipeline_presenter.rb
+++ b/ee/app/presenters/ee/ci/pipeline_presenter.rb
@@ -6,7 +6,7 @@ module EE
      extend ActiveSupport::Concern

      def expose_security_dashboard?
-        return false unless can?(current_user, :read_vulnerability, pipeline.project)
+        return false unless can?(current_user, :read_security_resource, pipeline.project)

        Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES.any? { |file_type| batch_lookup_report_artifact_for_file_type(file_type.to_sym) }
      end

--- a/ee/app/serializers/dependency_entity.rb
+++ b/ee/app/serializers/dependency_entity.rb
@@ -28,7 +28,7 @@ class DependencyEntity < Grape::Entity
  private

  def can_read_vulnerabilities?
-    can?(request.user, :read_vulnerability, request.project)
+    can?(request.user, :read_security_resource, request.project)
  end

  def can_read_licenses?

--- a/ee/app/serializers/ee/merge_request_widget_entity.rb
+++ b/ee/app/serializers/ee/merge_request_widget_entity.rb
@@ -62,7 +62,7 @@ module EE
      end

      expose :can_read_vulnerabilities do |merge_request|
-        can?(current_user, :read_vulnerability, merge_request.project)
+        can?(current_user, :read_security_resource, merge_request.project)
      end

      expose :can_read_vulnerability_feedback do |merge_request|

--- a/ee/app/services/vulnerability_feedback/create_service.rb
+++ b/ee/app/services/vulnerability_feedback/create_service.rb
@@ -116,7 +116,7 @@ module VulnerabilityFeedback
    def create_vulnerability_issue_link(vulnerability_id, issue)
      return unless vulnerability_id

-      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :read_vulnerability, project)
+      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :read_security_resource, project)

      vulnerability = project.vulnerabilities.find_by_id(vulnerability_id)


--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
@@ -32,7 +32,7 @@ module API
    end
    resource :vulnerabilities do
      before do
-        @vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
+        @vulnerability = find_and_authorize_vulnerability!(:read_security_resource)
      end

      desc 'Get a vulnerability' do
@@ -94,7 +94,7 @@ module API
        use :pagination
      end
      get ':id/vulnerabilities' do
-        authorize! :read_vulnerability, user_project
+        authorize! :read_security_resource, user_project

        vulnerabilities = paginate(
          vulnerabilities_by(user_project)

--- a/ee/lib/api/vulnerability_findings.rb
+++ b/ee/lib/api/vulnerability_findings.rb
@@ -84,7 +84,7 @@ module API
        success ::Vulnerabilities::FindingEntity
      end
      get ':id/vulnerability_findings' do
-        authorize! :read_vulnerability, user_project
+        authorize! :read_security_resource, user_project

        Gitlab::Vulnerabilities::FindingsPreloader.preload_feedback!(vulnerability_findings)


--- a/ee/lib/api/vulnerability_issue_links.rb
+++ b/ee/lib/api/vulnerability_issue_links.rb
@@ -34,7 +34,7 @@ module API
        success EE::API::Entities::VulnerabilityRelatedIssue
      end
      get ':id/issue_links' do
-        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
+        vulnerability = find_and_authorize_vulnerability!(:read_security_resource)
        related_issues = vulnerability.related_issues.with_api_entity_associations.with_vulnerability_links
        present Ability.issues_readable_by_user(related_issues, current_user),
                with: EE::API::Entities::VulnerabilityRelatedIssue

--- a/ee/lib/ee/api/entities/dependency.rb
+++ b/ee/lib/ee/api/entities/dependency.rb
@@ -13,7 +13,7 @@ module EE
        private

        def can_read_vulnerabilities?(user, project)
-          Ability.allowed?(user, :read_vulnerability, project)
+          Ability.allowed?(user, :read_security_resource, project)
        end
      end
    end

--- a/ee/lib/ee/banzai/reference_parser/vulnerability_parser.rb
+++ b/ee/lib/ee/banzai/reference_parser/vulnerability_parser.rb
@@ -17,7 +17,7 @@ module EE
        end

        def can_read_reference?(user, vulnerability)
-          can?(user, :read_vulnerability, vulnerability)
+          can?(user, :read_security_resource, vulnerability)
        end
      end
    end

--- a/ee/spec/graphql/types/vulnerability_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_type_spec.rb
@@ -47,7 +47,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
  subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }

  it { expect(described_class).to have_graphql_fields(fields) }
-  it { expect(described_class).to require_graphql_authorizations(:read_vulnerability) }
+  it { expect(described_class).to require_graphql_authorizations(:read_security_resource) }

  describe 'vulnerability_path' do
    let(:query) do

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -848,7 +848,7 @@ RSpec.describe GroupPolicy do

  describe 'read_group_security_dashboard & create_vulnerability_export' do
    let(:abilities) do
-      %i[read_group_security_dashboard create_vulnerability_export read_vulnerability]
+      %i[read_group_security_dashboard create_vulnerability_export read_security_resource]
    end

    before do

--- a/ee/spec/policies/instance_security_dashboard_policy_spec.rb
+++ b/ee/spec/policies/instance_security_dashboard_policy_spec.rb
@@ -13,7 +13,7 @@ RSpec.describe InstanceSecurityDashboardPolicy do
  subject { described_class.new(current_user, [user]) }

  describe 'read_instance_security_dashboard' do
-    let(:abilities) { %i[read_instance_security_dashboard read_vulnerability] }
+    let(:abilities) { %i[read_instance_security_dashboard read_security_resource] }

    context 'when the user is not logged in' do
      let(:current_user) { nil }

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -23,7 +23,7 @@ RSpec.describe ProjectPolicy do
    let(:additional_developer_permissions) do
      %i[
        admin_vulnerability_feedback read_project_audit_events read_project_security_dashboard
-        read_vulnerability read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
+        read_security_resource read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
        admin_vulnerability_issue_link admin_vulnerability_external_issue_link read_merge_train
      ]
    end
@@ -41,7 +41,7 @@ RSpec.describe ProjectPolicy do
        read_pipeline read_build read_commit_status read_container_image
        read_environment read_deployment read_merge_request read_pages
        create_merge_request_in award_emoji
-        read_project_security_dashboard read_vulnerability read_vulnerability_scanner
+        read_project_security_dashboard read_security_resource read_vulnerability_scanner
        read_software_license_policy
        read_threat_monitoring read_merge_train
        read_release

--- a/ee/spec/policies/vulnerability_policy_spec.rb
+++ b/ee/spec/policies/vulnerability_policy_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'

 RSpec.describe VulnerabilityPolicy do
-  describe 'read_vulnerability' do
+  describe 'read_security_resource' do
    let(:project) { create(:project) }
    let(:user) { create(:user) }
    let(:vulnerability) { create(:vulnerability, project: project) }
@@ -20,11 +20,11 @@ RSpec.describe VulnerabilityPolicy do
          project.add_developer(user)
        end

-        it { is_expected.to be_allowed(:read_vulnerability) }
+        it { is_expected.to be_allowed(:read_security_resource) }
      end

      context "when the current user does not have developer access to the vulnerability's project" do
-        it { is_expected.to be_disallowed(:read_vulnerability) }
+        it { is_expected.to be_disallowed(:read_security_resource) }
      end
    end

@@ -35,7 +35,7 @@ RSpec.describe VulnerabilityPolicy do
        project.add_developer(user)
      end

-      it { is_expected.to be_disallowed(:read_vulnerability) }
+      it { is_expected.to be_disallowed(:read_security_resource) }
    end
  end
 end
--- a/ee/spec/services/dashboard/projects/create_service_spec.rb
+++ b/ee/spec/services/dashboard/projects/create_service_spec.rb
@@ -78,7 +78,7 @@ RSpec.describe Dashboard::Projects::CreateService do
        context 'with project for which user has no permission' do
          let(:input) { [project.id] }
          let(:feature) { nil }
-          let(:ability) { :read_vulnerability }
+          let(:ability) { :read_security_resource }
          let(:permission_available) { false }

          it 'does not check if feature is available' do