Add scan result policies into the policy

drawer.

EE: true
Changelog: added

ee/app/assets/javascripts/threat_monitoring/components/policies/policies_list.vue

@@ -133,7 +133,7 @@ export default {
         [POLICY_TYPE_OPTIONS.POLICY_TYPE_NETWORK.value]: this.networkPolicies,
         [POLICY_TYPE_OPTIONS.POLICY_TYPE_SCAN_EXECUTION.value]: this.scanExecutionPolicies,
       };
-      if (this.isFeatureEnabled) {
+      if (this.isScanResultPolicyEnabled) {
         allTypes[POLICY_TYPE_OPTIONS.POLICY_TYPE_SCAN_RESULT.value] = this.scanResultPolicies;
       }
       return allTypes;
@@ -228,7 +228,7 @@ export default {
 
       return fields;
     },
-    isFeatureEnabled() {
+    isScanResultPolicyEnabled() {
       return this.glFeatures.scanResultPolicy;
     },
   },

ee/app/assets/javascripts/threat_monitoring/components/policy_drawer/policy_drawer.vue

@@ -5,10 +5,12 @@ import { getContentWrapperHeight, removeUnnecessaryDashes } from '../../utils';
 import { POLICIES_LIST_CONTAINER_CLASS, POLICY_TYPE_COMPONENT_OPTIONS } from '../constants';
 import CiliumNetworkPolicy from './cilium_network_policy.vue';
 import ScanExecutionPolicy from './scan_execution_policy.vue';
+import ScanResultPolicy from './scan_result_policy.vue';
 
 const policyComponent = {
   [POLICY_TYPE_COMPONENT_OPTIONS.container.value]: CiliumNetworkPolicy,
   [POLICY_TYPE_COMPONENT_OPTIONS.scanExecution.value]: ScanExecutionPolicy,
+  [POLICY_TYPE_COMPONENT_OPTIONS.scanResult.value]: ScanResultPolicy,
 };
 
 export default {
@@ -19,6 +21,7 @@ export default {
       import(/* webpackChunkName: 'policy_yaml_editor' */ '../policy_yaml_editor.vue'),
     CiliumNetworkPolicy,
     ScanExecutionPolicy,
+    ScanResultPolicy,
   },
   props: {
     containerClass: {

ee/app/assets/javascripts/threat_monitoring/components/policy_drawer/scan_result_policy.vue

+<script>
+import { s__ } from '~/locale';
+import { fromYaml, humanizeRules, humanizeAction } from '../policy_editor/scan_result_policy/lib';
+import BasePolicy from './base_policy.vue';
+import PolicyInfoRow from './policy_info_row.vue';
+
+export default {
+  i18n: {
+    action: s__('SecurityOrchestration|Action'),
+    description: s__('SecurityOrchestration|Description'),
+    rule: s__('SecurityOrchestration|Rule'),
+    scanResult: s__('SecurityOrchestration|Scan result'),
+    status: s__('SecurityOrchestration|Status'),
+  },
+  components: {
+    BasePolicy,
+    PolicyInfoRow,
+  },
+  props: {
+    policy: {
+      type: Object,
+      required: true,
+    },
+  },
+  computed: {
+    humanizedRules() {
+      return humanizeRules(this.parsedYaml.rules);
+    },
+    humanizedAction() {
+      return humanizeAction(this.requireApproval(this.parsedYaml.actions));
+    },
+    parsedYaml() {
+      try {
+        return fromYaml(this.policy.yaml);
+      } catch (e) {
+        return null;
+      }
+    },
+  },
+  methods: {
+    requireApproval(actions) {
+      return actions.find((action) => action.type === 'require_approval');
+    },
+  },
+};
+</script>
+
+<template>
+  <base-policy :policy="policy">
+    <template #type>{{ $options.i18n.scanResult }}</template>
+
+    <template #default="{ statusLabel }">
+      <div v-if="parsedYaml">
+        <policy-info-row
+          v-if="parsedYaml.description"
+          data-testid="policy-description"
+          :label="$options.i18n.description"
+        >
+          {{ parsedYaml.description }}
+        </policy-info-row>
+
+        <policy-info-row data-testid="policy-rules" :label="$options.i18n.rule">
+          <p>{{ humanizedAction }}</p>
+          <ul>
+            <li v-for="(rule, idx) in humanizedRules" :key="idx">
+              {{ rule }}
+            </li>
+          </ul>
+        </policy-info-row>
+
+        <policy-info-row :label="$options.i18n.status">
+          {{ statusLabel }}
+        </policy-info-row>
+      </div>
+    </template>
+  </base-policy>
+</template>

ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/constants.js

+import { s__ } from '~/locale';
+
+export const NO_RULE_MESSAGE = s__('SecurityOrchestration|No rules defined - policy will not run.');

ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/from_yaml.js

+import { safeLoad } from 'js-yaml';
+
+/*
+  Construct a policy object expected by the policy editor from a yaml manifest.
+*/
+export const fromYaml = (manifest) => {
+  return safeLoad(manifest, { json: true });
+};

ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/humanize.js

+import { sprintf, s__, n__ } from '~/locale';
+import { NO_RULE_MESSAGE } from './constants';
+
+/**
+ * Simple logic for indefinite articles which does not include the exceptions
+ * @param {String} word string representing the word to be considered
+ * @returns {String}
+ */
+const articleForWord = (word) => {
+  const vowels = ['a', 'e', 'i', 'o', 'u'];
+
+  return vowels.includes(word[0].toLowerCase())
+    ? s__('SecurityOrchestration|an')
+    : s__('SecurityOrchestration|a');
+};
+
+/**
+ * Create a human-readable list of strings, adding the necessary punctuation and conjunctions
+ * @param {Array} items strings representing items to compose the final sentence
+ * @param {String} singular string to be used for single items
+ * @param {String} plural string to be used for multiple items
+ * @returns {String}
+ */
+const humanizeItems = ({
+  items,
+  singular,
+  plural,
+  hasArticle = false,
+  hasTextBeforeItems = false,
+}) => {
+  if (!items) {
+    return '';
+  }
+
+  let noun = '';
+
+  if (singular && plural) {
+    noun = items.length > 1 ? plural : singular;
+  }
+
+  const finalSentence = [];
+
+  if (hasArticle && items.length === 1) {
+    finalSentence.push(`${articleForWord(items[0])} `);
+  }
+
+  if (hasTextBeforeItems && noun) {
+    finalSentence.push(`${noun} `);
+  }
+
+  if (items.length === 1) {
+    finalSentence.push(items.join(','));
+  } else {
+    const lastItem = items.pop();
+    finalSentence.push(items.join(', '));
+    finalSentence.push(s__('SecurityOrchestration| or '));
+    finalSentence.push(lastItem);
+  }
+
+  if (!hasTextBeforeItems && noun) {
+    finalSentence.push(` ${noun}`);
+  }
+
+  return finalSentence.join('');
+};
+
+/**
+ * Create a human-readable string, adding the necessary punctuation and conjunctions
+ * @param {Object} action containing or not arrays of string and integers representing approvers
+ * @returns {String}
+ */
+const humanizeApprovers = (action) => {
+  const userApprovers = humanizeItems({ items: action.user_approvers, singular: '', plural: '' });
+  const userApproversIds = humanizeItems({
+    items: action.user_approvers_ids,
+    singular: s__('SecurityOrchestration|user with id'),
+    plural: s__('SecurityOrchestration|users with ids'),
+    hasArticle: false,
+    hasTextBeforeItems: true,
+  });
+  const groupApprovers = humanizeItems({
+    items: action.group_approvers,
+    singular: s__('SecurityOrchestration|members of the group'),
+    plural: s__('SecurityOrchestration|members of groups'),
+    hasArticle: false,
+    hasTextBeforeItems: true,
+  });
+  const groupApproversIds = humanizeItems({
+    items: action.group_approvers_ids,
+    singular: s__('SecurityOrchestration|members of the group with id'),
+    plural: s__('SecurityOrchestration|members of groups with ids'),
+    hasArticle: false,
+    hasTextBeforeItems: true,
+  });
+
+  const conjunctionOr = s__('SecurityOrchestration| or ');
+
+  let finalSentence = userApprovers;
+
+  if (finalSentence && userApproversIds) {
+    finalSentence += conjunctionOr;
+  }
+
+  finalSentence += userApproversIds;
+
+  if (finalSentence && groupApprovers) {
+    finalSentence += conjunctionOr;
+  }
+
+  finalSentence += groupApprovers;
+
+  if (finalSentence && groupApproversIds) {
+    finalSentence += conjunctionOr;
+  }
+
+  finalSentence += groupApproversIds;
+
+  return finalSentence;
+};
+
+/**
+ * Create a human-readable version of the action
+ * @param {Object} action {type: 'require_approval', approvals_required: 1, approvers: Array(1)}
+ * @returns {String}
+ */
+export const humanizeAction = (action) => {
+  const plural = n__('approval', 'approvals', action.approvals_required);
+
+  return sprintf(
+    s__(
+      'SecurityOrchestration|Require %{approvals} %{plural} from %{approvers} if any of the following occur:',
+    ),
+    {
+      approvals: action.approvals_required,
+      plural,
+      approvers: humanizeApprovers(action),
+    },
+  );
+};
+
+/**
+ * Create a human-readable version of the rule
+ * @param {Object} rule {type: 'scan_finding', branches: ['master'], scanners: ['container_scanning'], vulnerabilities_allowed: 1, severity_levels: ['critical']}
+ * @returns {String}
+ */
+const humanizeRule = (rule) => {
+  return sprintf(
+    s__(
+      'SecurityOrchestration|The %{scanners} %{severities} in an open merge request targeting the %{branches}.',
+    ),
+    {
+      scanners: humanizeItems({
+        items: rule.scanners,
+        singular: s__('SecurityOrchestration|scanner finds'),
+        plural: s__('SecurityOrchestration|scanners find'),
+      }),
+      severities: humanizeItems({
+        items: rule.severity_levels,
+        singular: s__('SecurityOrchestration|vulnerability'),
+        plural: s__('SecurityOrchestration|vulnerabilities'),
+        hasArticle: true,
+      }),
+      branches: humanizeItems({
+        items: rule.branches,
+        singular: s__('SecurityOrchestration|branch'),
+        plural: s__('SecurityOrchestration|branches'),
+      }),
+    },
+  );
+};
+
+/**
+ * Create a human-readable version of the rules
+ * @param {Array} rules [{type: 'scan_finding', branches: ['master'], scanners: ['container_scanning'], vulnerabilities_allowed: 1, severity_levels: ['critical']}]
+ * @returns {Array}
+ */
+export const humanizeRules = (rules) => {
+  const humanizedRules = rules.reduce((acc, curr) => {
+    return [...acc, humanizeRule(curr)];
+  }, []);
+  return humanizedRules.length ? humanizedRules : [NO_RULE_MESSAGE];
+};

ee/app/assets/javascripts/threat_monitoring/components/policy_editor/scan_result_policy/lib/index.js

+export { fromYaml } from './from_yaml';
+export * from './humanize';
+export * from './constants';

ee/app/assets/javascripts/threat_monitoring/components/policy_type_filter.vue

@@ -26,12 +26,12 @@ export default {
     selectedValueText() {
       return Object.values(POLICY_TYPE_OPTIONS).find(({ value }) => value === this.value).text;
     },
-    isFeatureEnabled() {
+    isScanResultPolicyEnabled() {
       return this.glFeatures.scanResultPolicy;
     },
     policyTypeOptions() {
       const policyType = POLICY_TYPE_OPTIONS;
-      if (!this.isFeatureEnabled) {
+      if (!this.isScanResultPolicyEnabled) {
         delete policyType.POLICY_TYPE_SCAN_RESULT;
       }
       return policyType;

ee/app/assets/javascripts/threat_monitoring/utils.js

@@ -19,16 +19,9 @@ export const getContentWrapperHeight = (contentWrapperClass) => {
  * @returns {String|null} policy type if available
  */
 export const getPolicyType = (typeName = '') => {
-  if (typeName === POLICY_TYPE_COMPONENT_OPTIONS.container.typeName) {
-    return POLICY_TYPE_COMPONENT_OPTIONS.container.value;
-  }
-  if (typeName === POLICY_TYPE_COMPONENT_OPTIONS.scanExecution.typeName) {
-    return POLICY_TYPE_COMPONENT_OPTIONS.scanExecution.value;
-  }
-  if (typeName === POLICY_TYPE_COMPONENT_OPTIONS.scanResult.typeName) {
-    return POLICY_TYPE_COMPONENT_OPTIONS.scanResult.value;
-  }
-  return null;
+  return Object.values(POLICY_TYPE_COMPONENT_OPTIONS).find(
+    (component) => component.typeName === typeName,
+  )?.value;
 };
 
 /**

ee/spec/frontend/threat_monitoring/components/policy_drawer/scan_result_policy_spec.js

+import BasePolicy from 'ee/threat_monitoring/components/policy_drawer/base_policy.vue';
+import ScanResultPolicy from 'ee/threat_monitoring/components/policy_drawer/scan_result_policy.vue';
+import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import { mockScanResultPolicy } from '../../mocks/mock_data';
+
+describe('ScanResultPolicy component', () => {
+  let wrapper;
+
+  const findDescription = () => wrapper.findByTestId('policy-description');
+  const findRules = () => wrapper.findByTestId('policy-rules');
+
+  const factory = ({ propsData } = {}) => {
+    wrapper = shallowMountExtended(ScanResultPolicy, {
+      propsData,
+      stubs: {
+        BasePolicy,
+      },
+    });
+  };
+
+  afterEach(() => {
+    wrapper.destroy();
+  });
+
+  describe('default policy', () => {
+    beforeEach(() => {
+      factory({ propsData: { policy: mockScanResultPolicy } });
+    });
+
+    it.each`
+      component        | finder             | text
+      ${'rules'}       | ${findRules}       | ${''}
+      ${'description'} | ${findDescription} | ${'This policy enforces critical vulnerability CS approvals'}
+    `('does render the policy $component', ({ finder, text }) => {
+      const component = finder();
+      expect(component.exists()).toBe(true);
+      if (text) {
+        expect(component.text()).toBe(text);
+      }
+    });
+  });
+});

ee/spec/frontend/threat_monitoring/components/policy_editor/scan_result_policy/lib/humanize_spec.js

+import {
+  humanizeRules,
+  humanizeAction,
+  NO_RULE_MESSAGE,
+} from 'ee/threat_monitoring/components/policy_editor/scan_result_policy/lib';
+
+jest.mock('~/locale', () => ({
+  getPreferredLocales: jest.fn().mockReturnValue(['en']),
+  sprintf: jest.requireActual('~/locale').sprintf,
+  s__: jest.requireActual('~/locale').s__, // eslint-disable-line no-underscore-dangle
+  n__: jest.requireActual('~/locale').n__, // eslint-disable-line no-underscore-dangle
+}));
+
+const mockActions = [
+  { type: 'require_approval', approvals_required: 2, user_approvers: ['o.leticia.conner'] },
+  {
+    type: 'require_approval',
+    approvals_required: 2,
+    group_approvers: ['security_group/all_members'],
+  },
+  {
+    type: 'require_approval',
+    approvals_required: 2,
+    group_approvers_ids: [10],
+  },
+  {
+    type: 'require_approval',
+    approvals_required: 2,
+    user_approvers_ids: [5],
+  },
+  {
+    type: 'require_approval',
+    approvals_required: 2,
+    user_approvers: ['o.leticia.conner'],
+    group_approvers: ['security_group/all_members'],
+    group_approvers_ids: [10],
+    user_approvers_ids: [5],
+  },
+];
+
+const mockRules = [
+  {
+    type: 'scan_finding',
+    branches: ['main'],
+    scanners: ['sast'],
+    vulnerabilities_allowed: 1,
+    severity_levels: ['critical'],
+    vulnerability_states: ['newly_detected'],
+  },
+  {
+    type: 'scan_finding',
+    branches: ['master', 'main'],
+    scanners: ['dast', 'sast'],
+    vulnerabilities_allowed: 2,
+    severity_levels: ['info', 'critical'],
+    vulnerability_states: ['resolved'],
+  },
+];
+
+describe('humanizeRules', () => {
+  it('returns the empty rules message in an Array if no rules are specified', () => {
+    expect(humanizeRules([])).toStrictEqual([NO_RULE_MESSAGE]);
+  });
+
+  it('returns a single rule as a human-readable string for user approvers only', () => {
+    expect(humanizeRules([mockRules[0]])).toStrictEqual([
+      'The sast scanner finds a critical vulnerability in an open merge request targeting the main branch.',
+    ]);
+  });
+
+  it('returns multiple rules with different number of branches as human-readable strings', () => {
+    expect(humanizeRules(mockRules)).toStrictEqual([
+      'The sast scanner finds a critical vulnerability in an open merge request targeting the main branch.',
+      'The dast or sast scanners find info or critical vulnerabilities in an open merge request targeting the master or main branches.',
+    ]);
+  });
+});
+
+describe('humanizeAction', () => {
+  it('returns a single action as a human-readable string for user approvers only', () => {
+    expect(humanizeAction(mockActions[0])).toEqual(
+      'Require 2 approvals from o.leticia.conner if any of the following occur:',
+    );
+  });
+
+  it('returns a single action as a human-readable string for group approvers only', () => {
+    expect(humanizeAction(mockActions[1])).toEqual(
+      'Require 2 approvals from members of the group security_group/all_members if any of the following occur:',
+    );
+  });
+
+  it('returns a single action as a human-readable string for group approvers ids only', () => {
+    expect(humanizeAction(mockActions[2])).toEqual(
+      'Require 2 approvals from members of the group with id 10 if any of the following occur:',
+    );
+  });
+
+  it('returns a single action as a human-readable string for user approvers ids only', () => {
+    expect(humanizeAction(mockActions[3])).toEqual(
+      'Require 2 approvals from user with id 5 if any of the following occur:',
+    );
+  });
+
+  it('returns a single action as a human-readable string with all approvers types', () => {
+    expect(humanizeAction(mockActions[4])).toEqual(
+      'Require 2 approvals from o.leticia.conner or user with id 5 or members of the group security_group/all_members or members of the group with id 10 if any of the following occur:',
+    );
+  });
+});

ee/spec/frontend/threat_monitoring/utils_spec.js

@@ -35,8 +35,8 @@ describe('Threat Monitoring Utils', () => {
   describe('getPolicyType', () => {
     it.each`
       input                                        | output
-      ${''}                                        | ${null}
-      ${'UnknownPolicyType'}                       | ${null}
+      ${''}                                        | ${undefined}
+      ${'UnknownPolicyType'}                       | ${undefined}
       ${mockNetworkPoliciesResponse[0].__typename} | ${POLICY_TYPE_COMPONENT_OPTIONS.container.value}
       ${mockNetworkPoliciesResponse[1].__typename} | ${POLICY_TYPE_COMPONENT_OPTIONS.container.value}
       ${mockScanExecutionPolicy.__typename}        | ${POLICY_TYPE_COMPONENT_OPTIONS.scanExecution.value}

locale/gitlab.pot

@@ -31573,6 +31573,9 @@ msgstr ""
 msgid "SecurityConfiguration|Vulnerability details and statistics in the merge request"
 msgstr ""
 
+msgid "SecurityOrchestration| or "
+msgstr ""
+
 msgid "SecurityOrchestration|%{branches} %{plural}"
 msgstr ""
 
@@ -31660,6 +31663,9 @@ msgstr ""
 msgid "SecurityOrchestration|Policy type"
 msgstr ""
 
+msgid "SecurityOrchestration|Require %{approvals} %{plural} from %{approvers} if any of the following occur:"
+msgstr ""
+
 msgid "SecurityOrchestration|Rule"
 msgstr ""
 
@@ -31708,6 +31714,9 @@ msgstr ""
 msgid "SecurityOrchestration|Status"
 msgstr ""
 
+msgid "SecurityOrchestration|The %{scanners} %{severities} in an open merge request targeting the %{branches}."
+msgstr ""
+
 msgid "SecurityOrchestration|There was a problem creating the new security policy"
 msgstr ""
 
@@ -31726,9 +31735,51 @@ msgstr ""
 msgid "SecurityOrchestration|Update scan execution policies"
 msgstr ""
 
+msgid "SecurityOrchestration|a"
+msgstr ""
+
+msgid "SecurityOrchestration|an"
+msgstr ""
+
+msgid "SecurityOrchestration|branch"
+msgstr ""
+
+msgid "SecurityOrchestration|branches"
+msgstr ""
+
+msgid "SecurityOrchestration|members of groups"
+msgstr ""
+
+msgid "SecurityOrchestration|members of groups with ids"
+msgstr ""
+
+msgid "SecurityOrchestration|members of the group"
+msgstr ""
+
+msgid "SecurityOrchestration|members of the group with id"
+msgstr ""
+
+msgid "SecurityOrchestration|scanner finds"
+msgstr ""
+
+msgid "SecurityOrchestration|scanners find"
+msgstr ""
+
+msgid "SecurityOrchestration|user with id"
+msgstr ""
+
+msgid "SecurityOrchestration|users with ids"
+msgstr ""
+
 msgid "SecurityOrchestration|view results"
 msgstr ""
 
+msgid "SecurityOrchestration|vulnerabilities"
+msgstr ""
+
+msgid "SecurityOrchestration|vulnerability"
+msgstr ""
+
 msgid "SecurityPolicies|+%{count} more"
 msgstr ""
 
@@ -41506,6 +41557,11 @@ msgstr ""
 msgid "any-approver for the project already exists"
 msgstr ""
 
+msgid "approval"
+msgid_plural "approvals"
+msgstr[0] ""
+msgstr[1] ""
+
 msgid "approved by: "
 msgstr ""