Merge branch 'remove-secure_security_and_compliance_configuration_page_on_ce-flag' into 'master'

Remove security & compliance config page feature flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!56219

app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue

@@ -84,11 +84,6 @@ export default {
       required: false,
       default: false,
     },
-    securityAndComplianceAvailable: {
-      type: Boolean,
-      required: false,
-      default: false,
-    },
     visibilityHelpPath: {
       type: String,
       required: false,
@@ -595,7 +590,6 @@ export default {
         />
       </project-setting-row>
       <project-setting-row
-        v-if="securityAndComplianceAvailable"
         :label="s__('ProjectSettings|Security & Compliance')"
         :help-text="s__('ProjectSettings|Security & Compliance for this project')"
       >

app/controllers/projects/security/configuration_controller.rb

@@ -8,16 +8,8 @@ module Projects
       feature_category :static_application_security_testing
 
       def show
-        return render_404 unless feature_enabled?
-
         render_403 unless can?(current_user, :read_security_configuration, project)
       end
-
-      private
-
-      def feature_enabled?
-        ::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @project, default_enabled: :yaml)
-      end
     end
   end
 end

app/helpers/projects_helper.rb

@@ -379,13 +379,8 @@ module ProjectsHelper
   private
 
   def can_read_security_configuration?(project, current_user)
-    show_security_and_compliance_config? &&
-      can?(current_user, :access_security_and_compliance, project) &&
-      can?(current_user, :read_security_configuration, project)
-  end
-
-  def show_security_and_compliance_config?
-    ::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @subject, default_enabled: :yaml)
+    can?(current_user, :access_security_and_compliance, project) &&
+    can?(current_user, :read_security_configuration, project)
   end
 
   def get_project_security_nav_tabs(project, current_user)
@@ -674,13 +669,10 @@ module ProjectsHelper
       pagesAvailable: Gitlab.config.pages.enabled,
       pagesAccessControlEnabled: Gitlab.config.pages.access_control,
       pagesAccessControlForced: ::Gitlab::Pages.access_control_is_forced?,
-      pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control'),
-      securityAndComplianceAvailable: show_security_and_compliance_toggle?
+      pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control')
     }
   end
 
-  alias_method :show_security_and_compliance_toggle?, :show_security_and_compliance_config?
-
   def project_permissions_panel_data_json(project)
     project_permissions_panel_data(project).to_json.html_safe
   end

changelogs/unreleased/remove-secure_security_and_compliance_configuration_page_on_ce-flag.yml

+---
+title: Remove security & compliance config page feature flag
+merge_request: 56219
+author:
+type: changed

config/feature_flags/development/secure_security_and_compliance_configuration_page_on_ce.yml

----
-name: secure_security_and_compliance_configuration_page_on_ce
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50282
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/294076
-milestone: '13.9'
-type: development
-group: group::static analysis
-default_enabled: false

doc/user/application_security/configuration/index.md

@@ -10,12 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)**
 > - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
 > - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
-> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9. **(FREE)**
-> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
-> - It's enabled on GitLab.com.
-> - It's recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [enable it](#enable-or-disable-security-configuration). **(FREE SELF)**
-> - It can be enabled or disabled for a single project.
+> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9.
 
 WARNING:
 This feature might not be available to you. Check the **version history** note above for details.
@@ -54,25 +49,3 @@ You can configure the following security controls:
   - Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
 - DAST Profiles
   - Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
-
-### Enable or disable Security Configuration **(FREE SELF)**
-
-Security Configuration is under development but ready for production use.
-It is deployed behind a feature flag that is **disabled by default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
-can opt to enable it.
-
-NOTE:
-This does not apply to GitLab Ultimate.
-
-To enable it:
-
-```ruby
-Feature.enable(:secure_security_and_compliance_configuration_page_on_ce)
-```
-
-To disable it:
-
-```ruby
-Feature.disable(:secure_security_and_compliance_configuration_page_on_ce)
-```

ee/app/helpers/ee/projects_helper.rb

@@ -82,11 +82,6 @@ module EE
       panel_data
     end
 
-    override :show_security_and_compliance_toggle?
-    def show_security_and_compliance_toggle?
-      super || show_audit_events?(@project)
-    end
-
     override :default_url_to_repo
     def default_url_to_repo(project = @project)
       case default_clone_protocol

ee/spec/controllers/projects/security/configuration_controller_spec.rb

@@ -21,21 +21,16 @@ RSpec.describe Projects::Security::ConfigurationController do
 
     render_views
 
-    where(:user_role, :security_dashboard_enabled, :ce_flag_enabled, :status, :selector) do
-      :guest     | false | false | :not_found | nil
-      :guest     | false | true  | :forbidden | nil
-      :guest     | true  | false | :not_found | nil
-      :guest     | true  | true  | :forbidden | nil
-      :developer | false | false | :not_found | nil
-      :developer | false | true  | :ok        | '#js-security-configuration-static'
-      :developer | true  | false | :ok        | '#js-security-configuration'
-      :developer | true  | true  | :ok        | '#js-security-configuration'
+    where(:user_role, :security_dashboard_enabled, :status, :selector) do
+      :guest     | false | :forbidden | nil
+      :guest     | true  | :forbidden | nil
+      :developer | false | :ok        | '#js-security-configuration-static'
+      :developer | true  | :ok        | '#js-security-configuration'
     end
 
     with_them do
       before do
         stub_licensed_features(security_dashboard: security_dashboard_enabled)
-        stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: ce_flag_enabled)
         group.send("add_#{user_role}", user)
         sign_in(user)
       end
@@ -57,73 +52,59 @@ RSpec.describe Projects::Security::ConfigurationController do
     end
 
     context 'with developer and security dashboard feature enabled' do
-      let(:flag) { :secure_security_and_compliance_configuration_page_on_ce }
-
-      # The tests in this context should be unaffected by this feature flag,
-      # and should behave identically whether this is enabled or disabled.
-      where(:flag_enabled) do
-        [
-          [true],
-          [false]
-        ]
+      before do
+        stub_licensed_features(security_dashboard: true)
+
+        group.add_developer(user)
+        sign_in(user)
       end
 
-      with_them do
-        before do
-          stub_feature_flags(flag => flag_enabled)
-          stub_licensed_features(security_dashboard: true)
+      it 'responds in json format when requested' do
+        get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
 
-          group.add_developer(user)
-          sign_in(user)
-        end
+        types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
 
-        it 'responds in json format when requested' do
-          get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
+        expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
+      end
 
-          types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
+      it "renders data on the project's security configuration" do
+        request
 
-          expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
-          expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to render_template(:show)
+        expect(response.body).to have_css(
+          'div#js-security-configuration'\
+            "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
+            "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
+            "[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
+        )
+      end
+
+      context 'when the latest pipeline used Auto DevOps' do
+        let!(:pipeline) do
+          create(
+            :ci_pipeline,
+            :auto_devops_source,
+            project: project,
+            ref: project.default_branch,
+            sha: project.commit.sha
+          )
         end
 
-        it "renders data on the project's security configuration" do
+        it 'reports that Auto DevOps is enabled' do
           request
 
           expect(response).to have_gitlab_http_status(:ok)
-          expect(response).to render_template(:show)
           expect(response.body).to have_css(
             'div#js-security-configuration'\
+              '[data-auto-devops-enabled]'\
               "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
               "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
-              "[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
+              "[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
           )
         end
-
-        context 'when the latest pipeline used Auto DevOps' do
-          let!(:pipeline) do
-            create(
-              :ci_pipeline,
-              :auto_devops_source,
-              project: project,
-              ref: project.default_branch,
-              sha: project.commit.sha
-            )
-          end
-
-          it 'reports that Auto DevOps is enabled' do
-            request
-
-            expect(response).to have_gitlab_http_status(:ok)
-            expect(response.body).to have_css(
-              'div#js-security-configuration'\
-                '[data-auto-devops-enabled]'\
-                "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
-                "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
-                "[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
-            )
-          end
-        end
       end
     end
   end

ee/spec/helpers/projects_helper_spec.rb

@@ -604,7 +604,7 @@ RSpec.describe ProjectsHelper do
     using RSpec::Parameterized::TableSyntax
 
     let(:user) { instance_double(User, admin?: false) }
-    let(:expected_data) { { requirementsAvailable: false, securityAndComplianceAvailable: true } }
+    let(:expected_data) { { requirementsAvailable: false } }
 
     subject { helper.project_permissions_panel_data(project) }
 

spec/controllers/projects/security/configuration_controller_spec.rb

@@ -13,42 +13,28 @@ RSpec.describe Projects::Security::ConfigurationController do
   end
 
   describe 'GET show' do
-    context 'when feature flag is disabled' do
+    context 'when user has guest access' do
       before do
-        stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: false)
+        project.add_guest(user)
       end
 
-      it 'renders not found' do
+      it 'denies access' do
         get :show, params: { namespace_id: project.namespace, project_id: project }
 
-        expect(response).to have_gitlab_http_status(:not_found)
+        expect(response).to have_gitlab_http_status(:forbidden)
       end
     end
 
-    context 'when feature flag is enabled' do
-      context 'when user has guest access' do
-        before do
-          project.add_guest(user)
-        end
-
-        it 'denies access' do
-          get :show, params: { namespace_id: project.namespace, project_id: project }
-
-          expect(response).to have_gitlab_http_status(:forbidden)
-        end
+    context 'when user has developer access' do
+      before do
+        project.add_developer(user)
       end
 
-      context 'when user has developer access' do
-        before do
-          project.add_developer(user)
-        end
-
-        it 'grants access' do
-          get :show, params: { namespace_id: project.namespace, project_id: project }
+      it 'grants access' do
+        get :show, params: { namespace_id: project.namespace, project_id: project }
 
-          expect(response).to have_gitlab_http_status(:ok)
-          expect(response).to render_template(:show)
-        end
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to render_template(:show)
       end
     end
   end

spec/helpers/projects_helper_spec.rb

@@ -401,40 +401,20 @@ RSpec.describe ProjectsHelper do
 
     context 'Security & Compliance tabs' do
       before do
-        stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: feature_flag_enabled)
         allow(helper).to receive(:can?).with(user, :read_security_configuration, project).and_return(can_read_security_configuration)
       end
 
       context 'when user cannot read security configuration' do
         let(:can_read_security_configuration) { false }
 
-        context 'when feature flag is disabled' do
-          let(:feature_flag_enabled) { false }
-
-          it { is_expected.not_to include(:security_configuration) }
-        end
-
-        context 'when feature flag is enabled' do
-          let(:feature_flag_enabled) { true }
-
-          it { is_expected.not_to include(:security_configuration) }
-        end
+        it { is_expected.not_to include(:security_configuration) }
       end
 
       context 'when user can read security configuration' do
         let(:can_read_security_configuration) { true }
+        let(:feature_flag_enabled) { true }
 
-        context 'when feature flag is disabled' do
-          let(:feature_flag_enabled) { false }
-
-          it { is_expected.not_to include(:security_configuration) }
-        end
-
-        context 'when feature flag is enabled' do
-          let(:feature_flag_enabled) { true }
-
-          it { is_expected.to include(:security_configuration) }
-        end
+        it { is_expected.to include(:security_configuration) }
       end
     end