Merge branch 'sk/336523-add-developers' into 'master'

Add developers and maintainers to security policy project

See merge request gitlab-org/gitlab!67657

app/models/project_team.rb

@@ -78,6 +78,10 @@ class ProjectTeam
     members.where(id: member_user_ids)
   end
 
+  def members_with_access_levels(access_levels = [])
+    fetch_members(access_levels)
+  end
+
   def guests
     @guests ||= fetch_members(Gitlab::Access::GUEST)
   end

ee/app/services/security/security_orchestration_policies/project_create_service.rb

@@ -3,6 +3,8 @@
 module Security
   module SecurityOrchestrationPolicies
     class ProjectCreateService < ::BaseProjectService
+      ACCESS_LEVELS_TO_ADD = [Gitlab::Access::MAINTAINER, Gitlab::Access::DEVELOPER].freeze
+
       def execute
         return error('Security Policy project already exists.') if project.security_orchestration_policy_configuration.present?
 
@@ -21,7 +23,8 @@ module Security
       private
 
       def add_members(policy_project)
-        members_to_add = project.team.maintainers - policy_project.team.members
+        developers_and_maintainers = project.team.members_with_access_levels(ACCESS_LEVELS_TO_ADD)
+        members_to_add = developers_and_maintainers - policy_project.team.members
         policy_project.add_users(members_to_add, :developer)
       end
 

ee/spec/services/security/security_orchestration_policies/project_create_service_spec.rb

@@ -11,18 +11,20 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProjectCreateService do
 
     context 'when security_orchestration_policies_configuration does not exist for project' do
       let_it_be(:maintainer) { create(:user) }
+      let_it_be(:developer) { create(:user) }
 
       before do
         project.add_maintainer(maintainer)
+        project.add_developer(developer)
       end
 
-      it 'creates new project' do
+      it 'creates policy project with maintainers and developers from target project as developers' do
         response = service.execute
 
         policy_project = response[:policy_project]
         expect(project.reload.security_orchestration_policy_configuration.security_policy_management_project).to eq(policy_project)
         expect(policy_project.namespace).to eq(project.namespace)
-        expect(policy_project.team.developers).to contain_exactly(maintainer)
+        expect(policy_project.team.developers).to contain_exactly(maintainer, developer)
         expect(policy_project.container_registry_access_level).to eq(ProjectFeature::DISABLED)
       end
     end

spec/models/project_team_spec.rb

@@ -193,6 +193,36 @@ RSpec.describe ProjectTeam do
     end
   end
 
+  describe '#members_with_access_levels' do
+    let_it_be(:maintainer) { create(:user) }
+    let_it_be(:developer) { create(:user) }
+    let_it_be(:guest) { create(:user) }
+    let_it_be(:project) { create(:project, namespace: maintainer.namespace) }
+    let_it_be(:access_levels) { [Gitlab::Access::DEVELOPER, Gitlab::Access::MAINTAINER] }
+
+    subject(:members_with_access_levels) { project.team.members_with_access_levels(access_levels) }
+
+    before do
+      project.team.add_developer(developer)
+      project.team.add_maintainer(maintainer)
+      project.team.add_guest(guest)
+    end
+
+    context 'with access_levels' do
+      it 'filters members who have given access levels' do
+        expect(members_with_access_levels).to contain_exactly(developer, maintainer)
+      end
+    end
+
+    context 'without access_levels' do
+      let_it_be(:access_levels) { [] }
+
+      it 'returns empty array' do
+        expect(members_with_access_levels).to be_empty
+      end
+    end
+  end
+
   describe '#add_users' do
     let(:user1) { create(:user) }
     let(:user2) { create(:user) }