Commit c372f90e authored by Sashi's avatar Sashi

Create GraphQL mutation to assign security policy project

This commit introduces new graphql mutation to assign
security policy project for a given project
parent f5efd46f
......@@ -3612,6 +3612,25 @@ Input type: `ScanExecutionPolicyCommitInput`
| <a id="mutationscanexecutionpolicycommitclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
| <a id="mutationscanexecutionpolicycommiterrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
### `Mutation.securityPolicyProjectAssign`
Input type: `SecurityPolicyProjectAssignInput`
#### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="mutationsecuritypolicyprojectassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
| <a id="mutationsecuritypolicyprojectassignprojectpath"></a>`projectPath` | [`ID!`](#id) | Full path of the project. |
| <a id="mutationsecuritypolicyprojectassignsecuritypolicyprojectid"></a>`securityPolicyProjectId` | [`ProjectID!`](#projectid) | ID of the security policy project. |
#### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="mutationsecuritypolicyprojectassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
| <a id="mutationsecuritypolicyprojectassignerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
### `Mutation.terraformStateDelete`
Input type: `TerraformStateDeleteInput`
......
......@@ -81,6 +81,7 @@ module EE
mount_mutation ::Mutations::IncidentManagement::EscalationPolicy::Destroy
mount_mutation ::Mutations::AppSec::Fuzzing::API::CiConfiguration::Create
mount_mutation ::Mutations::SecurityPolicy::CommitScanExecutionPolicy
mount_mutation ::Mutations::SecurityPolicy::AssignSecurityPolicyProject
prepend(Types::DeprecatedMutations)
end
......
# frozen_string_literal: true
module Mutations
module SecurityPolicy
class AssignSecurityPolicyProject < BaseMutation
include FindsProject
graphql_name 'SecurityPolicyProjectAssign'
authorize :security_orchestration_policies
argument :project_path, GraphQL::ID_TYPE,
required: true,
description: 'Full path of the project.'
argument :security_policy_project_id, ::Types::GlobalIDType[::Project],
required: true,
description: 'ID of the security policy project.'
def resolve(args)
project = authorized_find!(args[:project_path])
raise Gitlab::Graphql::Errors::ResourceNotAvailable, 'Feature disabled' unless allowed?(project)
policy_project = find_policy_project(args[:security_policy_project_id])
raise_resource_not_available_error! unless policy_project.present?
result = assign_project(project, policy_project)
{
errors: result.success? ? [] : [result.message]
}
end
private
def find_policy_project(id)
# TODO: remove explicit coercion once compatibility layer has been removed
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
id = ::Types::GlobalIDType[::Project].coerce_isolated_input(id)
::Gitlab::Graphql::Lazy.force(GitlabSchema.object_from_id(id, expected_type: Project))
end
def allowed?(project)
Feature.enabled?(:security_orchestration_policies_configuration, project)
end
def assign_project(project, policy_project)
::Security::Orchestration::AssignService
.new(project, current_user, policy_project_id: policy_project.id)
.execute
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
describe '#resolve' do
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, namespace: user.namespace) }
let_it_be(:policy_project) { create(:project) }
let_it_be(:policy_project_id) { GitlabSchema.id_from_object(policy_project) }
subject { mutation.resolve(project_path: project.full_path, security_policy_project_id: policy_project_id) }
context 'when feature is enabled and permission is set for user' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: true)
end
it 'assigns the security policy project' do
result = subject
expect(result[:errors]).to be_empty
expect(project.security_orchestration_policy_configuration).not_to be_nil
expect(project.security_orchestration_policy_configuration.security_policy_management_project).to eq(policy_project)
end
end
context 'when policy_project_id is invalid' do
let_it_be(:policy_project_id) { 'invalid' }
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when feature is disabled' do
before do
stub_licensed_features(security_orchestration_policies: true)
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
context 'when permission is not enabled' do
before do
stub_licensed_features(security_orchestration_policies: false)
end
it 'raises exception' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment