Commit d5f5b361 authored by Sashi's avatar Sashi Committed by Nikola Milojevic

Extend ProtectDefaultBranchService to support security policy project

This change extends Projects::ProtectDefaultBranchService in EE
to support security policy projects, which override the
default branch protection defined in the group/namespace
of the project.
Changelog: added
EE: true
parent 7a4e3eef
...@@ -69,3 +69,5 @@ module Projects ...@@ -69,3 +69,5 @@ module Projects
end end
end end
end end
Projects::ProtectDefaultBranchService.prepend_mod
...@@ -36,6 +36,10 @@ module Security ...@@ -36,6 +36,10 @@ module Security
.where(arel_table[:configured_at].lt(Project.arel_table[:last_repository_updated_at]).or(arel_table[:configured_at].eq(nil))) .where(arel_table[:configured_at].lt(Project.arel_table[:last_repository_updated_at]).or(arel_table[:configured_at].eq(nil)))
end end
def self.policy_management_project?(project_id)
self.exists?(security_policy_management_project_id: project_id)
end
def enabled? def enabled?
::Feature.enabled?(:security_orchestration_policies_configuration, project) ::Feature.enabled?(:security_orchestration_policies_configuration, project)
end end
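Review bot: `self.exists?` in the new `policy_management_project?` is redundant inside a `def self.` method; `exists?(security_policy_management_project_id: project_id)` is enough. If `project_id` can ever be nil the lookup becomes `security_policy_management_project_id IS NULL`, which, should that column be nullable, would answer true for every configuration without a policy project and, through the EE service override in this commit, remove push access on that project's default branch; a `return false if project_id.nil?` guard at the top would rule that out. The enclosing class begins and ends outside the hunk.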
# frozen_string_literal: true
module EE
module Projects
module ProtectDefaultBranchService
extend ::Gitlab::Utils::Override
override :protect_branch?
def protect_branch?
return true if security_policy_management_project?
super
end
override :push_access_level
def push_access_level
return ::Gitlab::Access::NO_ACCESS if security_policy_management_project?
super
end
override :merge_access_level
def merge_access_level
return ::Gitlab::Access::MAINTAINER if security_policy_management_project?
super
end
private
def security_policy_management_project?
::Security::OrchestrationPolicyConfiguration.policy_management_project?(project.id)
end
end
end
end
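Review bot: `security_policy_management_project?` runs an `exists?` query on every call, and the base service presumably calls `protect_branch?`, `push_access_level` and `merge_access_level` within one run, so the same lookup can hit the database three times per project; cache the answer in an instance variable, e.g. `return @security_policy_management_project if defined?(@security_policy_management_project)` followed by the assignment, rather than `||=`, which would re-query whenever the answer is `false`. The module also lacks a comment saying why a policy project is locked down; a header such as `# A security policy project's default branch is always protected regardless of the group's default branch protection: direct pushes are rejected and only maintainers may merge.` would record the intent. `project` is taken from the CE service this module prepends; confirm it is exposed there.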
...@@ -51,6 +51,20 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -51,6 +51,20 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end end
end end
describe '.policy_management_project?' do
before do
create(:security_orchestration_policy_configuration, security_policy_management_project: security_policy_management_project)
end
it 'returns true when security_policy_management_project with id exists' do
expect(described_class.policy_management_project?(security_policy_management_project.id)).to be_truthy
end
it 'returns false when security_policy_management_project with id does not exist' do
expect(described_class.policy_management_project?(non_existing_record_id)).to be_falsey
end
end
describe '#enabled?' do describe '#enabled?' do
subject { security_orchestration_policy_configuration.enabled? } subject { security_orchestration_policy_configuration.enabled? }
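Review bot: The new `.policy_management_project?` examples assert `be_truthy`/`be_falsey`, but `exists?` returns a strict boolean, so `be(true)` and `be(false)` would pin the contract the EE service override relies on. `security_policy_management_project` and `non_existing_record_id` are defined outside the hunk, and the enclosing describe block also starts outside it.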
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Projects::ProtectDefaultBranchService do
let(:service) { described_class.new(project) }
let(:project) { create(:project) }
shared_context 'has security_policy_project' do
before do
allow(Security::OrchestrationPolicyConfiguration)
.to receive(:exists?)
.and_return(true)
end
end
describe '#protect_branch?' do
context 'when project has security_policy_project' do
include_context 'has security_policy_project'
it 'returns true' do
expect(service.protect_branch?).to eq(true)
end
end
it { expect(service.protect_branch?).to eq(false) }
end
describe '#push_access_level' do
context 'when project has security_policy_project' do
include_context 'has security_policy_project'
it 'returns NO_ACCESS access level' do
expect(service.push_access_level).to eq(Gitlab::Access::NO_ACCESS)
end
end
context 'when project does not have security_policy_project' do
before do
allow(project.namespace)
.to receive(:default_branch_protection)
.and_return(Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
end
it 'returns DEVELOPER access level' do
expect(service.push_access_level).to eq(Gitlab::Access::DEVELOPER)
end
end
end
describe '#merge_access_level' do
context 'when project has security_policy_project' do
include_context 'has security_policy_project'
it 'returns Maintainer access level' do
expect(service.merge_access_level).to eq(Gitlab::Access::MAINTAINER)
end
end
context 'when project does not have security_policy_project' do
before do
allow(project.namespace)
.to receive(:default_branch_protection)
.and_return(Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
end
it 'returns DEVELOPER access level' do
expect(service.merge_access_level).to eq(Gitlab::Access::DEVELOPER)
end
end
end
end
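Review bot: The shared context stubs `Security::OrchestrationPolicyConfiguration.exists?` for any arguments, which bypasses `policy_management_project?` entirely and would keep passing even if the service stopped passing `project.id`; stubbing the collaborator the service actually calls, `allow(Security::OrchestrationPolicyConfiguration).to receive(:policy_management_project?).with(project.id).and_return(true)`, keeps the spec tied to the real contract. The unstubbed `it { expect(service.protect_branch?).to eq(false) }` under `#protect_branch?` presumably depends on the factory project's namespace default branch protection, which this spec never sets; giving that example a context with an explicit `default_branch_protection` stub, as the other describes do, would make it deterministic. `eq(true)`/`eq(false)` could also be `be(true)`/`be(false)` since the method returns a strict boolean.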