Commit 4c89b987 authored by Kerri Miller's avatar Kerri Miller

Merge branch '345316-group-level-policies' into 'master'

Add group-level security policies page

See merge request gitlab-org/gitlab!83262
parents 09289e92 b5e4c22e
# frozen_string_literal: true
module Groups
module Security
class PoliciesController < Groups::ApplicationController
before_action :authorize_group_security_policies!
before_action do
push_frontend_feature_flag(:group_level_security_policies, group, default_enabled: :yaml)
end
feature_category :security_orchestration
def index
render :index, locals: { group: group }
end
private
def authorize_group_security_policies!
render_404 unless Feature.enabled?(:group_level_security_policies, group, default_enabled: :yaml)
end
end
end
end
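Review bot: `authorize_group_security_policies!` (wired in by the first `before_action`) gates the page on the feature flag alone, while the sidebar entry added in this same commit additionally requires `can?(context.current_user, :security_orchestration_policies, context.group)`, so a user who never sees the menu item (no developer access, or the licensed feature off) can still reach the policies page and get it rendered. Whatever `Groups::ApplicationController` already enforces for the group is outside this file, and the data the page loads presumably comes from separately guarded endpoints, but the controller should agree with the policy it introduces: `render_404 unless Feature.enabled?(:group_level_security_policies, group, default_enabled: :yaml) && can?(current_user, :security_orchestration_policies, group)`. The request spec added in this commit only varies the flag, so a row for a user lacking that permission would pin the intended behaviour.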
...@@ -306,6 +306,10 @@ module EE ...@@ -306,6 +306,10 @@ module EE
enable :read_group_audit_events enable :read_group_audit_events
end end
rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
enable :security_orchestration_policies
end
rule { security_dashboard_enabled & developer }.policy do rule { security_dashboard_enabled & developer }.policy do
enable :read_group_security_dashboard enable :read_group_security_dashboard
enable :admin_vulnerability enable :admin_vulnerability
...@@ -402,10 +406,6 @@ module EE ...@@ -402,10 +406,6 @@ module EE
enable :admin_external_audit_events enable :admin_external_audit_events
end end
rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
enable :security_orchestration_policies
end
rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
enable :update_security_orchestration_policy_project enable :update_security_orchestration_policy_project
end end
......
- breadcrumb_title _("Policies")
- @content_wrapper_class = 'js-security-policies-container-wrapper'
#js-group-security-policies-list{ data: { group_path: group.full_path,
documentation_path: help_page_path('user/application_security/policies/index.md') } }
--- ---
name: group_level_security_policies name: group_level_security_policies
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82754 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83188
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356258 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356258
milestone: '14.10' milestone: '14.10'
type: development type: development
......
...@@ -170,6 +170,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do ...@@ -170,6 +170,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
put :revoke put :revoke
end end
end end
resources :policies, only: [:index]
resources :merge_commit_reports, only: [:index], constraints: { format: :csv } resources :merge_commit_reports, only: [:index], constraints: { format: :csv }
end end
......
...@@ -10,6 +10,7 @@ module Sidebars ...@@ -10,6 +10,7 @@ module Sidebars
add_item(vulnerability_report_menu_item) add_item(vulnerability_report_menu_item)
add_item(compliance_menu_item) add_item(compliance_menu_item)
add_item(credentials_menu_item) add_item(credentials_menu_item)
add_item(scan_policies_menu_item)
add_item(audit_events_menu_item) add_item(audit_events_menu_item)
true true
...@@ -109,6 +110,24 @@ module Sidebars ...@@ -109,6 +110,24 @@ module Sidebars
context.group.enforced_group_managed_accounts? context.group.enforced_group_managed_accounts?
end end
def scan_policies_menu_item
unless group_level_security_policies_available?
return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
end
::Sidebars::MenuItem.new(
title: _('Policies'),
link: group_security_policies_path(context.group),
active_routes: { controller: ['groups/security/policies'] },
item_id: :scan_policies
)
end
def group_level_security_policies_available?
Feature.enabled?(:group_level_security_policies, context.group, default_enabled: :yaml) &&
can?(context.current_user, :security_orchestration_policies, context.group)
end
def audit_events_menu_item def audit_events_menu_item
unless group_level_audit_events_available? unless group_level_audit_events_available?
return ::Sidebars::NilMenuItem.new(item_id: :audit_events) return ::Sidebars::NilMenuItem.new(item_id: :audit_events)
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Groups::Security::PoliciesController, type: :request do
let_it_be(:user) { create(:user) }
let_it_be(:group) { create(:group) }
let_it_be(:index) { group_security_policies_url(group) }
before do
sign_in(user)
end
describe 'GET #index' do
using RSpec::Parameterized::TableSyntax
where(:feature_flag, :status) do
true | :ok
false | :not_found
end
subject(:request) { get index, params: { group_id: group.to_param } }
with_them do
before do
stub_feature_flags(group_level_security_policies: feature_flag)
end
specify do
subject
expect(response).to have_gitlab_http_status(status)
end
end
end
end
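Review bot: `subject(:request) { get index, params: { group_id: group.to_param } }` passes a `group_id` query parameter to a URL that `group_security_policies_url(group)` has already scoped to the group, so the parameter is redundant and obscures what the route actually receives; `subject(:request) { get index }` is enough. The `where` table also varies only the feature flag, with a user who is never added to the group, so the spec says nothing about role or licence; a context that calls `stub_licensed_features(security_orchestration_policies: false)` or signs in a non-developer member would document what the page is meant to require.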
...@@ -158,6 +158,54 @@ RSpec.describe Sidebars::Groups::Menus::SecurityComplianceMenu do ...@@ -158,6 +158,54 @@ RSpec.describe Sidebars::Groups::Menus::SecurityComplianceMenu do
end end
end end
describe 'Security Policies' do
let(:item_id) { :scan_policies }
context 'when scan_policies feature is enabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
end
context 'when group security policies feature is disabled' do
before do
stub_feature_flags(group_level_security_policies: true)
end
it_behaves_like 'menu access rights'
end
context 'when group security policies feature is enabled' do
before do
stub_feature_flags(group_level_security_policies: false)
end
specify { is_expected.to be_nil }
end
end
context 'when scan_policies feature is not enabled' do
before do
stub_licensed_features(security_orchestration_policies: false)
end
context 'when group security policies feature is disabled' do
before do
stub_feature_flags(group_level_security_policies: true)
end
specify { is_expected.to be_nil }
end
context 'when group security policies feature is enabled' do
before do
stub_feature_flags(group_level_security_policies: false)
end
specify { is_expected.to be_nil }
end
end
end
describe 'Audit Events' do describe 'Audit Events' do
let(:item_id) { :audit_events } let(:item_id) { :audit_events }
......
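Review bot: The context descriptions `context 'when group security policies feature is disabled'` and `context 'when group security policies feature is enabled'` are inverted relative to their `before` blocks in both licensed branches: the 'disabled' contexts stub `group_level_security_policies: true` and the 'enabled' contexts stub `false`. The expectations themselves are consistent with the stubs (item present only when licensed and the flag is on), so only the strings need swapping, e.g. `context 'when group security policies feature is enabled'` above `stub_feature_flags(group_level_security_policies: true)`. As written, a failure report would point the reader at the opposite condition.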
...@@ -911,6 +911,32 @@ RSpec.describe GroupPolicy do ...@@ -911,6 +911,32 @@ RSpec.describe GroupPolicy do
end end
end end
describe 'security orchestration policies' do
before do
stub_licensed_features(security_orchestration_policies: true)
end
context 'with developer or maintainer role' do
where(role: %w[maintainer developer])
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:security_orchestration_policies) }
end
end
context 'with owner role' do
where(role: %w[owner])
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:security_orchestration_policies) }
end
end
end
describe 'admin_vulnerability' do describe 'admin_vulnerability' do
before do before do
stub_licensed_features(security_dashboard: true) stub_licensed_features(security_dashboard: true)
......
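Review bot: The new `describe 'security orchestration policies'` block asserts only the allowed side, although the rule it covers requires `can?(:developer_access)` plus the licensed feature; no example checks that a guest or reporter is disallowed, nor that the ability is disallowed after `stub_licensed_features(security_orchestration_policies: false)`. Without a negative example, a regression that loosens the rule to any member would pass this spec. A third context for `%w[reporter guest]` with `it { is_expected.to be_disallowed(:security_orchestration_policies) }` would close that gap, and the two existing contexts differ only in role, so `where(role: %w[maintainer developer owner])` could replace both.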
...@@ -768,7 +768,7 @@ RSpec.describe ProjectPolicy do ...@@ -768,7 +768,7 @@ RSpec.describe ProjectPolicy do
end end
end end
describe 'security complience policy' do describe 'security orchestration policies' do
before do before do
stub_licensed_features(security_orchestration_policies: true) stub_licensed_features(security_orchestration_policies: true)
end end
......