Merge branch 'create-service-for-sec-orchestration' into 'master'

Create security orchestration scan policy page

See merge request gitlab-org/gitlab!54712

config/feature_flags/development/security_orchestration_policies_configuration.yml

 ---
 name: security_orchestration_policies_configuration
-introduced_by_url:
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54220
 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321258
 milestone: '13.9'
 type: development

ee/app/controllers/projects/security/policies_controller.rb

@@ -7,13 +7,38 @@ module Projects
 
       before_action do
         push_frontend_feature_flag(:security_orchestration_policies_configuration, project)
+        check_permissions!
       end
 
       feature_category :security_orchestration
 
       def show
+        @assigned_policy_id = project&.security_orchestration_policy_configuration&.security_policy_management_project_id
+
+        render :show
+      end
+
+      def assign
+        result = ::Security::Orchestration::AssignService.new(project, nil, policy_project_id: policy_project_params[:policy_project_id]).execute
+
+        if result.success?
+          flash[:notice] = _('Successfull')
+        else
+          flash[:alert] = result.message
+        end
+
+        redirect_to project_security_policy_url(project)
+      end
+
+      private
+
+      def check_permissions!
         render_404 unless Feature.enabled?(:security_orchestration_policies_configuration, project) && can?(current_user, :security_orchestration_policies, project)
       end
+
+      def policy_project_params
+        params.require(:orchestration).permit(:policy_project_id)
+      end
     end
   end
 end

ee/app/helpers/ee/projects_helper.rb

@@ -184,6 +184,7 @@ module EE
         projects/threat_monitoring#new
         projects/threat_monitoring#edit
         projects/threat_monitoring#alert_details
+        projects/security/policies#show
         projects/audit_events#index
       ]
     end
@@ -361,6 +362,10 @@ module EE
         nav_tabs << :threat_monitoring
       end
 
+      if can?(current_user, :security_orchestration_policies, project)
+        nav_tabs << :security_orchestration_policies
+      end
+
       if show_audit_events?(project)
         nav_tabs << :audit_events
       end

ee/app/services/security/orchestration/assign_service.rb

@@ -9,9 +9,9 @@ module Security
         return success if res
 
       rescue ActiveRecord::RecordNotFound => _
-        error('Policy project doesn\'t exists')
+        error(_('Policy project doesn\'t exists'))
       rescue ActiveRecord::RecordInvalid => _
-        error('Couldn\'t assign policy to project')
+        error(_('Couldn\'t assign policy to project'))
       end
 
       private

ee/app/views/layouts/nav/sidebar/_project_security_link.html.haml

@@ -44,6 +44,11 @@
           = link_to project_threat_monitoring_path(@project), title: _('Threat Monitoring') do
             %span= _('Threat Monitoring')
 
+      - if project_nav_tab?(:security_orchestration_policies)
+        = nav_link(controller: ['projects/security/policies']) do
+          = link_to project_security_policy_path(@project), title: _('Scan Policies') do
+            %span= _('Scan Policies')
+
       - if project_nav_tab?(:security_configuration)
         = nav_link(path: sidebar_security_configuration_paths) do
           = link_to project_security_configuration_path(@project), title: _('Configuration'), data: { qa_selector: 'security_configuration_link'} do

ee/app/views/projects/security/policies/show.html.haml

-= s_('Security|Policies')
+- breadcrumb_title _("Scan Policies")
+
+%h2.gl-mb-8
+  = s_("SecurityOrchestration|Create a policy")
+= form_with url:assign_project_security_policy_url(@project), as: :policy_project, html: { class: 'gl-w-half' } do |field|
+  %h4
+    = s_('SecurityOrchestration|Security policy project')
+  %p
+    = project_select_tag('orchestration[policy_project_id]', class: 'hidden-filter-value', toggle_class: 'js-project-search js-project-filter js-filter-submit', dropdown_class: 'dropdown-menu-selectable dropdown-menu-project js-filter-submit',
+        placeholder: _('Select project'), idAttribute: 'id', data: { order_by: 'last_activity_at', idattribute: 'id', simple_filter: true, allow_clear: true, include_groups: false, include_projects_in_subgroups: true, user_id: current_user.id }, value: @assigned_policy_id)
+    .text-muted
+      = html_escape(s_('SecurityOrchestration|A security policy project can be used enforce policies for a given project, group, or instance. It allows you to speficy security policies that are important to you  and enforce them with every commit.')) % { code_open: '<code>'.html_safe, code_close: '</code>'.html_safe }
+      = link_to _('More information'), help_page_path('user/project/clusters/protect/container_network_security/quick_start_guide'), target: '_blank'
+  = field.submit _('Save changes'), class: 'btn gl-button btn-success'

ee/config/routes/project.rb

@@ -64,7 +64,9 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           resources :dashboard, only: [:index], controller: :dashboard
           resources :vulnerability_report, only: [:index], controller: :vulnerability_report
 
-          resource :policy, only: [:show]
+          resource :policy, only: [:show] do
+            post :assign
+          end
 
           resource :configuration, only: [], controller: :configuration do
             post :auto_fix, on: :collection

ee/spec/helpers/projects_helper_spec.rb

@@ -229,6 +229,7 @@ RSpec.describe ProjectsHelper do
         projects/threat_monitoring#new
         projects/threat_monitoring#edit
         projects/threat_monitoring#alert_details
+        projects/security/policies#show
         projects/audit_events#index
       ]
     end

ee/spec/requests/projects/security/policies_controller_spec.rb

@@ -36,4 +36,26 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
       end
     end
   end
+
+  context 'assign action' do
+    let_it_be(:policy_project, reload: true) { create(:project) }
+
+    before do
+      stub_feature_flags(security_orchestration_policies_configuration: true)
+      stub_licensed_features(security_orchestration_policies: true)
+    end
+
+    it 'assigns policy project to project' do
+      post assign_project_security_policy_url(project), params: { orchestration: { policy_project_id: policy_project.id } }
+
+      expect(response).to redirect_to(project_security_policy_url(project))
+      expect(project.security_orchestration_policy_configuration.security_policy_management_project_id).to eq(policy_project.id)
+    end
+
+    it 'returns error message for invalid input' do
+      post assign_project_security_policy_url(project), params: { orchestration: { policy_project_id: nil } }
+
+      expect(flash[:alert]).to eq 'Policy project doesn\'t exists'
+    end
+  end
 end

ee/spec/services/security/orchestration/assign_service_spec.rb

@@ -29,7 +29,6 @@ RSpec.describe Security::Orchestration::AssignService do
       service
 
       repeated_service = described_class.new(another_project, nil, policy_project_id: policy_project.id).execute
-
       expect(repeated_service).to be_error
     end
 

ee/spec/views/projects/security/policies/show.html.haml_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe "projects/security/policies/show", type: :view do
+  let(:user) { project.owner }
+  let(:project) { create(:project) }
+
+  before do
+    assign(:project, project)
+    stub_feature_flags(security_orchestration_policies_configuration: true)
+    stub_licensed_features(security_orchestration_policies: true)
+    sign_in(user)
+    render
+  end
+
+  it 'renders the default state' do
+    expect(rendered).to have_selector('h2')
+    expect(rendered).to have_selector('h4')
+    expect(response).to have_css('input[id=orchestration_policy_project_id]', visible: false)
+    expect(rendered).to have_button('Save changes')
+  end
+end

locale/gitlab.pot

@@ -8530,6 +8530,9 @@ msgstr ""
 msgid "Could not upload your designs as one or more files uploaded are not supported."
 msgstr ""
 
+msgid "Couldn't assign policy to project"
+msgstr ""
+
 msgid "Country"
 msgstr ""
 
@@ -22661,6 +22664,9 @@ msgstr ""
 msgid "Point to any links you like: documentation, built binaries, or other related materials. These can be internal or external links from your GitLab instance. Duplicate URLs are not allowed."
 msgstr ""
 
+msgid "Policy project doesn't exists"
+msgstr ""
+
 msgid "Pre-defined push rules."
 msgstr ""
 
@@ -26170,6 +26176,9 @@ msgstr ""
 msgid "Saving project."
 msgstr ""
 
+msgid "Scan Policies"
+msgstr ""
+
 msgid "Scanner"
 msgstr ""
 
@@ -26588,6 +26597,15 @@ msgstr ""
 msgid "SecurityConfiguration|You can quickly enable all security scanning tools by enabling %{linkStart}Auto DevOps%{linkEnd}."
 msgstr ""
 
+msgid "SecurityOrchestration|A security policy project can be used enforce policies for a given project, group, or instance. It allows you to speficy security policies that are important to you  and enforce them with every commit."
+msgstr ""
+
+msgid "SecurityOrchestration|Create a policy"
+msgstr ""
+
+msgid "SecurityOrchestration|Security policy project"
+msgstr ""
+
 msgid "SecurityReports|%{firstProject} and %{secondProject}"
 msgstr ""
 
@@ -26825,9 +26843,6 @@ msgstr ""
 msgid "SecurityReports|You must sign in as an authorized user to see this report"
 msgstr ""
 
-msgid "Security|Policies"
-msgstr ""
-
 msgid "See GitLab's %{password_policy_guidelines}"
 msgstr ""
 
@@ -28839,6 +28854,9 @@ msgstr ""
 msgid "Successful purchase image"
 msgstr ""
 
+msgid "Successfull"
+msgstr ""
+
 msgid "Successfully activated"
 msgstr ""