Merge branch 'sk/329422-assign-security-policy-project' into 'master'

Create GraphQL mutation to assign security policy project

See merge request gitlab-org/gitlab!64800

doc/api/graphql/reference/index.md

@@ -3612,6 +3612,25 @@ Input type: `ScanExecutionPolicyCommitInput`
 | <a id="mutationscanexecutionpolicycommitclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationscanexecutionpolicycommiterrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
 
+### `Mutation.securityPolicyProjectAssign`
+
+Input type: `SecurityPolicyProjectAssignInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationsecuritypolicyprojectassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationsecuritypolicyprojectassignprojectpath"></a>`projectPath` | [`ID!`](#id) | Full path of the project. |
+| <a id="mutationsecuritypolicyprojectassignsecuritypolicyprojectid"></a>`securityPolicyProjectId` | [`ProjectID!`](#projectid) | ID of the security policy project. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationsecuritypolicyprojectassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationsecuritypolicyprojectassignerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+
 ### `Mutation.terraformStateDelete`
 
 Input type: `TerraformStateDeleteInput`

ee/app/graphql/ee/types/mutation_type.rb

@@ -81,6 +81,7 @@ module EE
         mount_mutation ::Mutations::IncidentManagement::EscalationPolicy::Destroy
         mount_mutation ::Mutations::AppSec::Fuzzing::API::CiConfiguration::Create
         mount_mutation ::Mutations::SecurityPolicy::CommitScanExecutionPolicy
+        mount_mutation ::Mutations::SecurityPolicy::AssignSecurityPolicyProject
 
         prepend(Types::DeprecatedMutations)
       end

ee/app/graphql/mutations/security_policy/assign_security_policy_project.rb

+# frozen_string_literal: true
+
+module Mutations
+  module SecurityPolicy
+    class AssignSecurityPolicyProject < BaseMutation
+      include FindsProject
+
+      graphql_name 'SecurityPolicyProjectAssign'
+
+      authorize :security_orchestration_policies
+
+      argument :project_path, GraphQL::ID_TYPE,
+               required: true,
+               description: 'Full path of the project.'
+
+      argument :security_policy_project_id, ::Types::GlobalIDType[::Project],
+               required: true,
+               description: 'ID of the security policy project.'
+
+      def resolve(args)
+        project = authorized_find!(args[:project_path])
+        raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
+
+        policy_project = find_policy_project(args[:security_policy_project_id])
+        raise_resource_not_available_error! unless policy_project.present?
+
+        result = assign_project(project, policy_project)
+        {
+          errors: result.success? ? [] : [result.message]
+        }
+      end
+
+      private
+
+      def find_policy_project(id)
+        # TODO: remove explicit coercion once compatibility layer has been removed
+        # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
+        id = ::Types::GlobalIDType[::Project].coerce_isolated_input(id)
+        ::Gitlab::Graphql::Lazy.force(GitlabSchema.object_from_id(id, expected_type: Project))
+      end
+
+      def allowed?(project)
+        Feature.enabled?(:security_orchestration_policies_configuration, project)
+      end
+
+      def assign_project(project, policy_project)
+        ::Security::Orchestration::AssignService
+          .new(project, current_user, policy_project_id: policy_project.id)
+          .execute
+      end
+    end
+  end
+end

ee/spec/graphql/mutations/security_policy/assign_security_policy_project_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
+  let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
+
+  describe '#resolve' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:project) { create(:project, namespace: user.namespace) }
+    let_it_be(:policy_project) { create(:project) }
+    let_it_be(:policy_project_id) { GitlabSchema.id_from_object(policy_project) }
+
+    subject { mutation.resolve(project_path: project.full_path, security_policy_project_id: policy_project_id) }
+
+    context 'when feature is enabled and permission is set for user' do
+      before do
+        stub_licensed_features(security_orchestration_policies: true)
+        stub_feature_flags(security_orchestration_policies_configuration: true)
+      end
+
+      it 'assigns the security policy project' do
+        result = subject
+
+        expect(result[:errors]).to be_empty
+        expect(project.security_orchestration_policy_configuration).not_to be_nil
+        expect(project.security_orchestration_policy_configuration.security_policy_management_project).to eq(policy_project)
+      end
+    end
+
+    context 'when policy_project_id is invalid' do
+      let_it_be(:policy_project_id) { 'invalid' }
+
+      it 'raises exception' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+
+    context 'when feature is disabled' do
+      before do
+        stub_licensed_features(security_orchestration_policies: true)
+        stub_feature_flags(security_orchestration_policies_configuration: false)
+      end
+
+      it 'raises exception' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+
+    context 'when permission is not enabled' do
+      before do
+        stub_licensed_features(security_orchestration_policies: false)
+      end
+
+      it 'raises exception' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+  end
+end