Merge branch 'end-point-for-policy-assignment' into 'master'

Scaffolding for security policy view [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!54220

config/feature_flags/development/security_orchestration_policies_configuration.yml

+---
+name: security_orchestration_policies_configuration
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321258
+milestone: '13.9'
+type: development
+group: group::container security
+default_enabled: false

ee/app/controllers/projects/security/policies_controller.rb

+# frozen_string_literal: true
+
+module Projects
+  module Security
+    class PoliciesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+
+      before_action do
+        push_frontend_feature_flag(:security_orchestration_policies_configuration, project)
+      end
+
+      feature_category :security_orchestration
+
+      def show
+        render_404 unless Feature.enabled?(:security_orchestration_policies_configuration, project) && can?(current_user, :security_orchestration_policies, project)
+      end
+    end
+  end
+end

ee/app/models/license.rb

@@ -169,6 +169,7 @@ class License < ApplicationRecord
     secret_detection
     security_dashboard
     security_on_demand_scans
+    security_orchestration_policies
     status_page
     subepics
     threat_monitoring

ee/app/policies/ee/project_policy.rb

@@ -115,6 +115,11 @@ module EE
         @subject.feature_available?(:reject_unsigned_commits)
       end
 
+      with_scope :subject
+      condition(:security_orchestration_policies_enabled) do
+        @subject.feature_available?(:security_orchestration_policies)
+      end
+
       with_scope :subject
       condition(:security_dashboard_enabled) do
         @subject.feature_available?(:security_dashboard)
@@ -229,6 +234,10 @@ module EE
 
       rule { can?(:read_project) & iterations_available }.enable :read_iteration
 
+      rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
+        enable :security_orchestration_policies
+      end
+
       rule { security_dashboard_enabled & can?(:developer_access) }.policy do
         enable :read_vulnerability
         enable :read_vulnerability_scanner

ee/app/views/projects/security/policies/show.html.haml

+= s_('Security|Policies')

ee/config/routes/project.rb

@@ -64,6 +64,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           resources :dashboard, only: [:index], controller: :dashboard
           resources :vulnerability_report, only: [:index], controller: :vulnerability_report
 
+          resource :policy, only: [:show]
+
           resource :configuration, only: [], controller: :configuration do
             post :auto_fix, on: :collection
             resource :corpus_management, only: [:show], controller: :corpus_management

ee/spec/policies/project_policy_spec.rb

@@ -673,6 +673,22 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  describe 'security complience policy' do
+    before do
+      stub_licensed_features(security_orchestration_policies: true)
+    end
+
+    context 'with developer or higher role' do
+      where(role: %w[owner maintainer developer])
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        it { is_expected.to be_allowed(:security_orchestration_policies) }
+      end
+    end
+  end
+
   describe 'read_corpus_management' do
     context 'when corpus_management feature is available' do
       before do

ee/spec/requests/projects/security/policies_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::Security::PoliciesController, type: :request do
+  let_it_be(:project, reload: true) { create(:project) }
+  let_it_be(:user) { create(:user) }
+
+  before do
+    project.add_developer(user)
+    login_as(user)
+  end
+
+  context 'displaying page' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:feature_flag, :license, :status) do
+      true | true | :ok
+      false | false | :not_found
+      false | true | :not_found
+      true | false | :not_found
+    end
+
+    subject { get project_security_policy_url(project) }
+
+    with_them do
+      before do
+        stub_feature_flags(security_orchestration_policies_configuration: feature_flag)
+        stub_licensed_features(security_orchestration_policies: license)
+      end
+
+      specify do
+        get project_security_policy_url(project)
+
+        expect(response).to have_gitlab_http_status(status)
+      end
+    end
+  end
+end

ee/spec/routing/project_routing_spec.rb

@@ -64,4 +64,10 @@ RSpec.describe 'EE-specific project routing' do
       expect(get("/gitlab/gitlabhq/-/integrations/jira/issues")).to route_to('projects/integrations/jira/issues#index', namespace_id: 'gitlab', project_id: 'gitlabhq')
     end
   end
+
+  describe Projects::Security::PoliciesController, 'routing' do
+    it 'to #show' do
+      expect(get('/gitlab/gitlabhq/-/security/policy')).to route_to('projects/security/policies#show', namespace_id: 'gitlab', project_id: 'gitlabhq')
+    end
+  end
 end

locale/gitlab.pot

@@ -26437,6 +26437,9 @@ msgstr ""
 msgid "SecurityReports|[No reason]"
 msgstr ""
 
+msgid "Security|Policies"
+msgstr ""
+
 msgid "See GitLab's %{password_policy_guidelines}"
 msgstr ""