Commit ed3074d8 authored by Jannik Lehmann's avatar Jannik Lehmann Committed by Kerri Miller

Remove security & compliance config page feature flag

This commit solves
https://gitlab.com/gitlab-org/gitlab/-/issues/294084
It removes the
secure_security_and_compliance_configuration_page_on_ce flag
parent 3a54e151
......@@ -84,11 +84,6 @@ export default {
required: false,
default: false,
},
securityAndComplianceAvailable: {
type: Boolean,
required: false,
default: false,
},
visibilityHelpPath: {
type: String,
required: false,
......@@ -595,7 +590,6 @@ export default {
/>
</project-setting-row>
<project-setting-row
v-if="securityAndComplianceAvailable"
:label="s__('ProjectSettings|Security & Compliance')"
:help-text="s__('ProjectSettings|Security & Compliance for this project')"
>
......
......@@ -8,16 +8,8 @@ module Projects
feature_category :static_application_security_testing
def show
return render_404 unless feature_enabled?
render_403 unless can?(current_user, :read_security_configuration, project)
end
private
def feature_enabled?
::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @project, default_enabled: :yaml)
end
end
end
end
......
......@@ -379,13 +379,8 @@ module ProjectsHelper
private
def can_read_security_configuration?(project, current_user)
show_security_and_compliance_config? &&
can?(current_user, :access_security_and_compliance, project) &&
can?(current_user, :read_security_configuration, project)
end
def show_security_and_compliance_config?
::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @subject, default_enabled: :yaml)
can?(current_user, :access_security_and_compliance, project) &&
can?(current_user, :read_security_configuration, project)
end
def get_project_security_nav_tabs(project, current_user)
......@@ -674,13 +669,10 @@ module ProjectsHelper
pagesAvailable: Gitlab.config.pages.enabled,
pagesAccessControlEnabled: Gitlab.config.pages.access_control,
pagesAccessControlForced: ::Gitlab::Pages.access_control_is_forced?,
pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control'),
securityAndComplianceAvailable: show_security_and_compliance_toggle?
pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control')
}
end
alias_method :show_security_and_compliance_toggle?, :show_security_and_compliance_config?
def project_permissions_panel_data_json(project)
project_permissions_panel_data(project).to_json.html_safe
end
......
---
title: Remove security & compliance config page feature flag
merge_request: 56219
author:
type: changed
---
name: secure_security_and_compliance_configuration_page_on_ce
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50282
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/294076
milestone: '13.9'
type: development
group: group::static analysis
default_enabled: false
......@@ -10,12 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)**
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9. **(FREE)**
> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
> - It's enabled on GitLab.com.
> - It's recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [enable it](#enable-or-disable-security-configuration). **(FREE SELF)**
> - It can be enabled or disabled for a single project.
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9.
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
......@@ -54,25 +49,3 @@ You can configure the following security controls:
- Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- DAST Profiles
- Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
### Enable or disable Security Configuration **(FREE SELF)**
Security Configuration is under development but ready for production use.
It is deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can opt to enable it.
NOTE:
This does not apply to GitLab Ultimate.
To enable it:
```ruby
Feature.enable(:secure_security_and_compliance_configuration_page_on_ce)
```
To disable it:
```ruby
Feature.disable(:secure_security_and_compliance_configuration_page_on_ce)
```
......@@ -82,11 +82,6 @@ module EE
panel_data
end
override :show_security_and_compliance_toggle?
def show_security_and_compliance_toggle?
super || show_audit_events?(@project)
end
override :default_url_to_repo
def default_url_to_repo(project = @project)
case default_clone_protocol
......
......@@ -21,21 +21,16 @@ RSpec.describe Projects::Security::ConfigurationController do
render_views
where(:user_role, :security_dashboard_enabled, :ce_flag_enabled, :status, :selector) do
:guest | false | false | :not_found | nil
:guest | false | true | :forbidden | nil
:guest | true | false | :not_found | nil
:guest | true | true | :forbidden | nil
:developer | false | false | :not_found | nil
:developer | false | true | :ok | '#js-security-configuration-static'
:developer | true | false | :ok | '#js-security-configuration'
:developer | true | true | :ok | '#js-security-configuration'
where(:user_role, :security_dashboard_enabled, :status, :selector) do
:guest | false | :forbidden | nil
:guest | true | :forbidden | nil
:developer | false | :ok | '#js-security-configuration-static'
:developer | true | :ok | '#js-security-configuration'
end
with_them do
before do
stub_licensed_features(security_dashboard: security_dashboard_enabled)
stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: ce_flag_enabled)
group.send("add_#{user_role}", user)
sign_in(user)
end
......@@ -57,73 +52,59 @@ RSpec.describe Projects::Security::ConfigurationController do
end
context 'with developer and security dashboard feature enabled' do
let(:flag) { :secure_security_and_compliance_configuration_page_on_ce }
# The tests in this context should be unaffected by this feature flag,
# and should behave identically whether this is enabled or disabled.
where(:flag_enabled) do
[
[true],
[false]
]
before do
stub_licensed_features(security_dashboard: true)
group.add_developer(user)
sign_in(user)
end
with_them do
before do
stub_feature_flags(flag => flag_enabled)
stub_licensed_features(security_dashboard: true)
it 'responds in json format when requested' do
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
group.add_developer(user)
sign_in(user)
end
types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
it 'responds in json format when requested' do
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
end
types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
it "renders data on the project's security configuration" do
request
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show)
expect(response.body).to have_css(
'div#js-security-configuration'\
"[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
"[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
"[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
)
end
context 'when the latest pipeline used Auto DevOps' do
let!(:pipeline) do
create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
end
it "renders data on the project's security configuration" do
it 'reports that Auto DevOps is enabled' do
request
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show)
expect(response.body).to have_css(
'div#js-security-configuration'\
'[data-auto-devops-enabled]'\
"[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
"[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
"[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
"[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
)
end
context 'when the latest pipeline used Auto DevOps' do
let!(:pipeline) do
create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
end
it 'reports that Auto DevOps is enabled' do
request
expect(response).to have_gitlab_http_status(:ok)
expect(response.body).to have_css(
'div#js-security-configuration'\
'[data-auto-devops-enabled]'\
"[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
"[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
"[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
)
end
end
end
end
end
......
......@@ -604,7 +604,7 @@ RSpec.describe ProjectsHelper do
using RSpec::Parameterized::TableSyntax
let(:user) { instance_double(User, admin?: false) }
let(:expected_data) { { requirementsAvailable: false, securityAndComplianceAvailable: true } }
let(:expected_data) { { requirementsAvailable: false } }
subject { helper.project_permissions_panel_data(project) }
......
......@@ -13,42 +13,28 @@ RSpec.describe Projects::Security::ConfigurationController do
end
describe 'GET show' do
context 'when feature flag is disabled' do
context 'when user has guest access' do
before do
stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: false)
project.add_guest(user)
end
it 'renders not found' do
it 'denies access' do
get :show, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:not_found)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
context 'when feature flag is enabled' do
context 'when user has guest access' do
before do
project.add_guest(user)
end
it 'denies access' do
get :show, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:forbidden)
end
context 'when user has developer access' do
before do
project.add_developer(user)
end
context 'when user has developer access' do
before do
project.add_developer(user)
end
it 'grants access' do
get :show, params: { namespace_id: project.namespace, project_id: project }
it 'grants access' do
get :show, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show)
end
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show)
end
end
end
......
......@@ -401,40 +401,20 @@ RSpec.describe ProjectsHelper do
context 'Security & Compliance tabs' do
before do
stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: feature_flag_enabled)
allow(helper).to receive(:can?).with(user, :read_security_configuration, project).and_return(can_read_security_configuration)
end
context 'when user cannot read security configuration' do
let(:can_read_security_configuration) { false }
context 'when feature flag is disabled' do
let(:feature_flag_enabled) { false }
it { is_expected.not_to include(:security_configuration) }
end
context 'when feature flag is enabled' do
let(:feature_flag_enabled) { true }
it { is_expected.not_to include(:security_configuration) }
end
it { is_expected.not_to include(:security_configuration) }
end
context 'when user can read security configuration' do
let(:can_read_security_configuration) { true }
let(:feature_flag_enabled) { true }
context 'when feature flag is disabled' do
let(:feature_flag_enabled) { false }
it { is_expected.not_to include(:security_configuration) }
end
context 'when feature flag is enabled' do
let(:feature_flag_enabled) { true }
it { is_expected.to include(:security_configuration) }
end
it { is_expected.to include(:security_configuration) }
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment