Merge branch 'master' into 'master'

Add security_and_compliance_access_level to Projects API

See merge request gitlab-org/gitlab!81086

doc/api/groups.md

@@ -443,6 +443,7 @@ Example response:
       "builds_access_level":"enabled",
       "snippets_access_level":"enabled",
       "pages_access_level":"enabled",
+      "security_and_compliance_access_level":"enabled",
       "emails_disabled":null,
       "shared_runners_enabled":true,
       "lfs_enabled":true,

doc/api/projects.md

@@ -151,6 +151,7 @@ When the user is authenticated and `simple` is not set this returns something li
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -245,6 +246,7 @@ When the user is authenticated and `simple` is not set this returns something li
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -440,6 +442,7 @@ GET /users/:user_id/projects
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -534,6 +537,7 @@ GET /users/:user_id/projects
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -688,6 +692,7 @@ Example response:
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -777,6 +782,7 @@ Example response:
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -910,6 +916,7 @@ GET /projects/:id
   "resolve_outdated_diff_discussions": false,
   "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
   "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
   "container_expiration_policy": {
     "cadence": "7d",
     "enabled": false,
@@ -1257,6 +1264,7 @@ POST /projects
 | `request_access_enabled`                                    | boolean | **{dotted-circle}** No | Allow users to request member access. |
 | `requirements_access_level`                                 | string  | **{dotted-circle}** No | One of `disabled`, `private` or `enabled` |
 | `resolve_outdated_diff_discussions`                         | boolean | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
+| `security_and_compliance_access_level`                      | string  | **{dotted-circle}** No | (GitLab 14.9 and later) Security and compliance access level. One of `disabled`, `private`, or `enabled`. |
 | `shared_runners_enabled`                                    | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
 | `snippets_access_level`                                     | string  | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
 | `snippets_enabled`                                          | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
@@ -1334,6 +1342,7 @@ POST /projects/user/:user_id
 | `request_access_enabled`                                    | boolean | **{dotted-circle}** No | Allow users to request member access. |
 | `requirements_access_level`                                 | string  | **{dotted-circle}** No | One of `disabled`, `private`, `enabled` or `public` |
 | `resolve_outdated_diff_discussions`                         | boolean | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
+| `security_and_compliance_access_level`                      | string  | **{dotted-circle}** No | (GitLab 14.9 and later) Security and compliance access level. One of `disabled`, `private`, or `enabled`. |
 | `shared_runners_enabled`                                    | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
 | `snippets_access_level`                                     | string  | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
 | `snippets_enabled`                                          | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
@@ -1433,6 +1442,7 @@ Supported attributes:
 | `requirements_access_level`                                 | string         | **{dotted-circle}** No | One of `disabled`, `private`, `enabled` or `public` |
 | `resolve_outdated_diff_discussions`                         | boolean        | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
 | `restrict_user_defined_variables`                           | boolean        | **{dotted-circle}** No | Allow only users with the Maintainer role to pass user-defined variables when triggering a pipeline. For example when the pipeline is triggered in the UI, with the API, or by a trigger token. |
+| `security_and_compliance_access_level`                      | string         | **{dotted-circle}** No | (GitLab 14.9 and later) Security and compliance access level. One of `disabled`, `private`, or `enabled`. |
 | `service_desk_enabled`                                      | boolean        | **{dotted-circle}** No | Enable or disable Service Desk feature. |
 | `shared_runners_enabled`                                    | boolean        | **{dotted-circle}** No | Enable shared runners for this project. |
 | `snippets_access_level`                                     | string         | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
@@ -1536,6 +1546,7 @@ Example responses:
     "resolve_outdated_diff_discussions": false,
     "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
     "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
     "created_at": "2013-09-30T13:46:02Z",
     "last_activity_at": "2013-09-30T13:46:02Z",
     "creator_id": 3,
@@ -1630,6 +1641,7 @@ Example response:
   "resolve_outdated_diff_discussions": false,
   "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
   "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
   "created_at": "2013-09-30T13:46:02Z",
   "last_activity_at": "2013-09-30T13:46:02Z",
   "creator_id": 3,
@@ -1730,6 +1742,7 @@ Example response:
   "resolve_outdated_diff_discussions": false,
   "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
   "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
   "created_at": "2013-09-30T13:46:02Z",
   "last_activity_at": "2013-09-30T13:46:02Z",
   "creator_id": 3,
@@ -1910,6 +1923,7 @@ Example response:
   "resolve_outdated_diff_discussions": false,
   "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
   "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
   "created_at": "2013-09-30T13:46:02Z",
   "last_activity_at": "2013-09-30T13:46:02Z",
   "creator_id": 3,
@@ -2031,6 +2045,7 @@ Example response:
   "resolve_outdated_diff_discussions": false,
   "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
   "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
   "created_at": "2013-09-30T13:46:02Z",
   "last_activity_at": "2013-09-30T13:46:02Z",
   "creator_id": 3,
@@ -2691,6 +2706,7 @@ Example response:
   "builds_access_level": "enabled",
   "snippets_access_level": "enabled",
   "pages_access_level": "enabled",
+  "security_and_compliance_access_level": "enabled",
   "emails_disabled": null,
   "shared_runners_enabled": true,
   "lfs_enabled": true,

lib/api/entities/project.rb

@@ -74,6 +74,7 @@ module API
       expose(:operations_access_level) { |project, options| project.project_feature.string_access_level(:operations) }
       expose(:analytics_access_level) { |project, options| project.project_feature.string_access_level(:analytics) }
       expose(:container_registry_access_level) { |project, options| project.project_feature.string_access_level(:container_registry) }
+      expose(:security_and_compliance_access_level) { |project, options| project.project_feature.string_access_level(:security_and_compliance) }
 
       expose :emails_disabled
       expose :shared_runners_enabled

lib/api/helpers/projects_helpers.rb

@@ -36,6 +36,7 @@ module API
         optional :operations_access_level, type: String, values: %w(disabled private enabled), desc: 'Operations access level. One of `disabled`, `private` or `enabled`'
         optional :analytics_access_level, type: String, values: %w(disabled private enabled), desc: 'Analytics access level. One of `disabled`, `private` or `enabled`'
         optional :container_registry_access_level, type: String, values: %w(disabled private enabled), desc: 'Controls visibility of the container registry. One of `disabled`, `private` or `enabled`. `private` will make the container registry accessible only to project members (reporter role and above). `enabled` will make the container registry accessible to everyone who has access to the project. `disabled` will disable the container registry'
+        optional :security_and_compliance_access_level, type: String, values: %w(disabled private enabled), desc: 'Security and compliance access level. One of `disabled`, `private` or `enabled`'
 
         optional :emails_disabled, type: Boolean, desc: 'Disable email notifications'
         optional :show_default_award_emojis, type: Boolean, desc: 'Show default award emojis'
@@ -118,6 +119,7 @@ module API
       def self.update_params_at_least_one_of
         [
           :allow_merge_on_skipped_pipeline,
+          :analytics_access_level,
           :autoclose_referenced_issues,
           :auto_devops_enabled,
           :auto_devops_deploy_strategy,
@@ -145,6 +147,7 @@ module API
           :name,
           :only_allow_merge_if_all_discussions_are_resolved,
           :only_allow_merge_if_pipeline_succeeds,
+          :operations_access_level,
           :pages_access_level,
           :path,
           :printing_merge_request_link_enabled,
@@ -154,6 +157,7 @@ module API
           :request_access_enabled,
           :resolve_outdated_diff_discussions,
           :restrict_user_defined_variables,
+          :security_and_compliance_access_level,
           :squash_option,
           :shared_runners_enabled,
           :snippets_access_level,

spec/factories/projects.rb

@@ -35,6 +35,7 @@ FactoryBot.define do
       metrics_dashboard_access_level { ProjectFeature::PRIVATE }
       operations_access_level { ProjectFeature::ENABLED }
       container_registry_access_level { ProjectFeature::ENABLED }
+      security_and_compliance_access_level { ProjectFeature::PRIVATE }
 
       # we can't assign the delegated `#ci_cd_settings` attributes directly, as the
       # `#ci_cd_settings` relation needs to be created first
@@ -70,7 +71,8 @@ FactoryBot.define do
         metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level,
         operations_access_level: evaluator.operations_access_level,
         analytics_access_level: evaluator.analytics_access_level,
-        container_registry_access_level: evaluator.container_registry_access_level
+        container_registry_access_level: evaluator.container_registry_access_level,
+        security_and_compliance_access_level: evaluator.security_and_compliance_access_level
       }
 
       project.build_project_feature(hash)
@@ -359,6 +361,9 @@ FactoryBot.define do
     trait(:container_registry_enabled)  { container_registry_access_level { ProjectFeature::ENABLED } }
     trait(:container_registry_disabled) { container_registry_access_level { ProjectFeature::DISABLED } }
     trait(:container_registry_private)  { container_registry_access_level { ProjectFeature::PRIVATE } }
+    trait(:security_and_compliance_enabled)  { security_and_compliance_access_level { ProjectFeature::ENABLED } }
+    trait(:security_and_compliance_disabled) { security_and_compliance_access_level { ProjectFeature::DISABLED } }
+    trait(:security_and_compliance_private)  { security_and_compliance_access_level { ProjectFeature::PRIVATE } }
 
     trait :auto_devops do
       association :auto_devops, factory: :project_auto_devops

spec/requests/api/project_attributes.yml

@@ -122,7 +122,6 @@ project_feature:
     - created_at
     - metrics_dashboard_access_level
     - project_id
-    - security_and_compliance_access_level
     - updated_at
   computed_attributes:
     - issues_enabled

spec/requests/api/projects_spec.rb

@@ -1077,6 +1077,7 @@ RSpec.describe API::Projects do
         attrs[:operations_access_level] = 'disabled'
         attrs[:analytics_access_level] = 'disabled'
         attrs[:container_registry_access_level] = 'private'
+        attrs[:security_and_compliance_access_level] = 'private'
       end
 
       post api('/projects', user), params: project
@@ -1100,6 +1101,7 @@ RSpec.describe API::Projects do
       expect(project.operations_access_level).to eq(ProjectFeature::DISABLED)
       expect(project.project_feature.analytics_access_level).to eq(ProjectFeature::DISABLED)
       expect(project.project_feature.container_registry_access_level).to eq(ProjectFeature::PRIVATE)
+      expect(project.project_feature.security_and_compliance_access_level).to eq(ProjectFeature::PRIVATE)
     end
 
     it 'assigns container_registry_enabled to project', :aggregate_failures do
@@ -2227,6 +2229,7 @@ RSpec.describe API::Projects do
         expect(json_response['restrict_user_defined_variables']).to eq(project.restrict_user_defined_variables?)
         expect(json_response['only_allow_merge_if_all_discussions_are_resolved']).to eq(project.only_allow_merge_if_all_discussions_are_resolved)
         expect(json_response['operations_access_level']).to be_present
+        expect(json_response['security_and_compliance_access_level']).to be_present
       end
 
       it 'exposes all necessary attributes' do
@@ -2295,6 +2298,7 @@ RSpec.describe API::Projects do
         expect(json_response['wiki_access_level']).to be_present
         expect(json_response['builds_access_level']).to be_present
         expect(json_response['operations_access_level']).to be_present
+        expect(json_response['security_and_compliance_access_level']).to be_present
         expect(json_response).to have_key('emails_disabled')
         expect(json_response['resolve_outdated_diff_discussions']).to eq(project.resolve_outdated_diff_discussions)
         expect(json_response['remove_source_branch_after_merge']).to be_truthy
@@ -3220,6 +3224,30 @@ RSpec.describe API::Projects do
       expect(project.reload.container_registry_access_level).to eq(ProjectFeature::ENABLED)
     end
 
+    it 'sets security_and_compliance_access_level', :aggregate_failures do
+      put api("/projects/#{project.id}", user), params: { security_and_compliance_access_level: 'private' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['security_and_compliance_access_level']).to eq('private')
+      expect(Project.find_by(path: project[:path]).security_and_compliance_access_level).to eq(ProjectFeature::PRIVATE)
+    end
+
+    it 'sets operations_access_level', :aggregate_failures do
+      put api("/projects/#{project.id}", user), params: { operations_access_level: 'private' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['operations_access_level']).to eq('private')
+      expect(Project.find_by(path: project[:path]).operations_access_level).to eq(ProjectFeature::PRIVATE)
+    end
+
+    it 'sets analytics_access_level', :aggregate_failures do
+      put api("/projects/#{project.id}", user), params: { analytics_access_level: 'private' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['analytics_access_level']).to eq('private')
+      expect(Project.find_by(path: project[:path]).analytics_access_level).to eq(ProjectFeature::PRIVATE)
+    end
+
     it 'returns 400 when nothing sent' do
       project_param = {}