Add VulnerabilityIssueLinks API w/ "get list" op

Add API endpoints to get the list of VulnerabilityIssueLink entities for a Vulnerability. Extract some common DB and auth related helpers into a reusable module to be used by VulnerabilityIssueLinks and Vulnerabilities API.

Add VulnerabilityIssueLinks API w/ "get list" op
Add API endpoints to get the list of VulnerabilityIssueLink entities for a Vulnerability. Extract some common DB and auth related helpers into a reusable module to be used by VulnerabilityIssueLinks and Vulnerabilities API.
7d7b1b07 · Victor Zagorodny · Dmitriy Zaporozhets · e25dfd65 · 7d7b1b07 · 7d7b1b07
Commit 7d7b1b07 authored Nov 25, 2019 by Victor Zagorodny Committed by Dmitriy Zaporozhets Nov 25, 2019
13 changed files
--- a/ee/app/models/vulnerability.rb
+++ b/ee/app/models/vulnerability.rb
@@ -24,7 +24,12 @@ class Vulnerability < ApplicationRecord
  has_many :findings, class_name: 'Vulnerabilities::Occurrence', inverse_of: :vulnerability
  has_many :issue_links, class_name: 'Vulnerabilities::IssueLink', inverse_of: :vulnerability
-  has_many :related_issues, through: :issue_links, source: :issue
+  has_many :related_issues, through: :issue_links, source: :issue do
+    def with_vulnerability_links
+      select('issues.*, vulnerability_issue_links.id AS vulnerability_link_id, '\
+             'vulnerability_issue_links.link_type AS vulnerability_link_type')
+    end
+  end
  enum state: { opened: 1, closed: 2, resolved: 3 }
  enum severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS, _prefix: :severity

--- a/ee/lib/api/helpers/vulnerabilities_helpers.rb
+++ b/ee/lib/api/helpers/vulnerabilities_helpers.rb
+# frozen_string_literal: true
+module API
+  module Helpers
+    module VulnerabilitiesHelpers
+      def find_and_authorize_vulnerability!(action)
+        find_vulnerability!.tap do |vulnerability|
+          authorize! action, vulnerability.project
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/api/helpers/vulnerabilities_hooks.rb
+++ b/ee/lib/api/helpers/vulnerabilities_hooks.rb
+# frozen_string_literal: true
+module API
+  module Helpers
+    module VulnerabilitiesHooks
+      extend ActiveSupport::Concern
+      included do
+        before do
+          not_found! unless Feature.enabled?(:first_class_vulnerabilities)
+          authenticate!
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
@@ -2,8 +2,11 @@
 module API
  class Vulnerabilities < Grape::API
+    include ::API::Helpers::VulnerabilitiesHooks
    include PaginationParams
+    helpers ::API::Helpers::VulnerabilitiesHelpers
    helpers do
      def vulnerabilities_by(project)
        Security::VulnerabilitiesFinder.new(project).execute
@@ -17,12 +20,6 @@ module API
        authorize! action, vulnerability.project
      end
-      def find_and_authorize_vulnerability!(action)
-        find_vulnerability!.tap do |vulnerability|
-          authorize_vulnerability!(vulnerability, action)
-        end
-      end
      def render_vulnerability(vulnerability)
        if vulnerability.valid?
          present vulnerability, with: EE::API::Entities::Vulnerability
@@ -32,12 +29,6 @@ module API
      end
    end
-    before do
-      not_found! unless Feature.enabled?(:first_class_vulnerabilities)
-      authenticate!
-    end
    params do
      requires :id, type: String, desc: 'The ID of a vulnerability'
    end

--- a/ee/lib/api/vulnerability_issue_links.rb
+++ b/ee/lib/api/vulnerability_issue_links.rb
+# frozen_string_literal: true
+module API
+  class VulnerabilityIssueLinks < Grape::API
+    include ::API::Helpers::VulnerabilitiesHooks
+    helpers ::API::Helpers::VulnerabilitiesHelpers
+    helpers do
+      def find_vulnerability!
+        Vulnerability.find(params[:id])
+      end
+    end
+    params do
+      requires :id, type: Integer, desc: 'The ID of a vulnerability'
+    end
+    resource :vulnerabilities do
+      desc 'Get related issues for a vulnerability' do
+        success EE::API::Entities::VulnerabilityRelatedIssue
+      end
+      get ':id/issue_links' do
+        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
+        present vulnerability
+                  .related_issues
+                  .with_api_entity_associations
+                  .with_vulnerability_links,
+                with: EE::API::Entities::VulnerabilityRelatedIssue
+      end
+    end
+  end
+end
--- a/ee/lib/ee/api/api.rb
+++ b/ee/lib/ee/api/api.rb
@@ -41,6 +41,7 @@ module EE
        mount ::API::ProjectApprovals
        mount ::API::Vulnerabilities
        mount ::API::VulnerabilityFindings
+        mount ::API::VulnerabilityIssueLinks
        mount ::API::MergeRequestApprovals
        mount ::API::MergeRequestApprovalRules
        mount ::API::ProjectAliases

--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -938,6 +938,14 @@ module EE
        expose :resolved_at
        expose :closed_at
      end
+      class VulnerabilityRelatedIssue < ::API::Entities::IssueBasic
+        # vulnerability_link_* attributes come from joined Vulnerabilities::IssueLink record
+        expose :vulnerability_link_id
+        expose :vulnerability_link_type do |related_issue|
+          ::Vulnerabilities::IssueLink.link_types.key(related_issue.vulnerability_link_type)
+        end
+      end
    end
  end
 end
--- a/ee/spec/factories/vulnerabilities.rb
+++ b/ee/spec/factories/vulnerabilities.rb
@@ -34,5 +34,13 @@ FactoryBot.define do
          project: vulnerability.project)
      end
    end
+    trait :with_issue_links do
+      after(:create) do |vulnerability|
+        create_list(:issue, 2).each do |issue|
+          create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue)
+        end
+      end
+    end
  end
 end
--- a/ee/spec/fixtures/api/schemas/public_api/v4/vulnerability_related_issue.json
+++ b/ee/spec/fixtures/api/schemas/public_api/v4/vulnerability_related_issue.json
+{
+  "type": "object",
+  "allOf": [
+    { "$ref": "../../../../../../../spec/fixtures/api/schemas/public_api/v4/issue.json" },
+    {
+      "required": ["vulnerability_link_id", "vulnerability_link_type"],
+      "properties": {
+        "vulnerability_link_id": { "type": "integer" },
+        "vulnerability_link_type": {
+          "type": "string",
+          "enum": ["created", "related"]
+        }
+      }
+    }
+  ]
+}
--- a/ee/spec/fixtures/api/schemas/public_api/v4/vulnerability_related_issues.json
+++ b/ee/spec/fixtures/api/schemas/public_api/v4/vulnerability_related_issues.json
+{
+  "type": "array",
+  "items": { "$ref": "vulnerability_related_issue.json" }
+}
--- a/ee/spec/requests/api/vulnerabilities_spec.rb
+++ b/ee/spec/requests/api/vulnerabilities_spec.rb
@@ -12,42 +12,6 @@ describe API::Vulnerabilities do
  let_it_be(:user) { create(:user) }
  let(:project_vulnerabilities_path) { "/projects/#{project.id}/vulnerabilities" }
-  shared_examples 'forbids actions on vulnerability in case of disabled features' do
-    context 'when "first-class vulnerabilities" feature is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-      it 'responds with "not found"' do
-        subject
-        expect(response).to have_gitlab_http_status(404)
-      end
-    end
-    context 'when security dashboard feature is not available' do
-      before do
-        stub_licensed_features(security_dashboard: false)
-      end
-      it 'responds with 403 Forbidden' do
-        subject
-        expect(response).to have_gitlab_http_status(403)
-      end
-    end
-  end
-  shared_examples 'responds with "not found" for an unknown vulnerability ID' do
-    let(:vulnerability_id) { 0 }
-    it do
-      subject
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
  describe 'GET /projects/:id/vulnerabilities' do
    let_it_be(:project) { create(:project, :with_vulnerabilities) }

--- a/ee/spec/requests/api/vulnerability_issue_links_spec.rb
+++ b/ee/spec/requests/api/vulnerability_issue_links_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe API::VulnerabilityIssueLinks do
+  include AccessMatchersForRequest
+  before do
+    stub_licensed_features(security_dashboard: true)
+  end
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+  describe 'GET /vulnerabilities/:id/issue_links' do
+    let_it_be(:vulnerability) { create(:vulnerability, :with_issue_links, project: project) }
+    let_it_be(:vulnerability_id) { vulnerability.id }
+    let(:vulnerability_issue_links_path) { "/vulnerabilities/#{vulnerability_id}/issue_links" }
+    subject(:get_issue_links) { get api(vulnerability_issue_links_path, user) }
+    context 'with an authorized user with proper permissions' do
+      before do
+        project.add_developer(user)
+      end
+      it 'gets the list of vulnerabilities' do
+        get_issue_links
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
+        expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
+        expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
+          match_array(vulnerability.issue_links.map(&:id)))
+        expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
+      end
+      it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
+      it_behaves_like 'forbids actions on vulnerability in case of disabled features'
+    end
+    describe 'permissions' do
+      it { expect { get_issue_links }.to be_allowed_for(:admin) }
+      it { expect { get_issue_links }.to be_allowed_for(:owner).of(project) }
+      it { expect { get_issue_links }.to be_allowed_for(:maintainer).of(project) }
+      it { expect { get_issue_links }.to be_allowed_for(:developer).of(project) }
+      it { expect { get_issue_links }.to be_allowed_for(:auditor) }
+      it { expect { get_issue_links }.to be_denied_for(:reporter).of(project) }
+      it { expect { get_issue_links }.to be_denied_for(:guest).of(project) }
+      it { expect { get_issue_links }.to be_denied_for(:anonymous) }
+    end
+  end
+end
--- a/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
+++ b/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
+# frozen_string_literal: true
+shared_examples 'forbids actions on vulnerability in case of disabled features' do
+  context 'when "first-class vulnerabilities" feature is disabled' do
+    before do
+      stub_feature_flags(first_class_vulnerabilities: false)
+    end
+    it 'responds with "not found"' do
+      subject
+      expect(response).to have_gitlab_http_status(404)
+    end
+  end
+  context 'when security dashboard feature is not available' do
+    before do
+      stub_licensed_features(security_dashboard: false)
+    end
+    it 'responds with 403 Forbidden' do
+      subject
+      expect(response).to have_gitlab_http_status(403)
+    end
+  end
+end
+shared_examples 'responds with "not found" for an unknown vulnerability ID' do
+  let(:vulnerability_id) { 0 }
+  it do
+    subject
+    expect(response).to have_gitlab_http_status(404)
+  end
+end