Remove security & compliance config page feature flag

This commit solves https://gitlab.com/gitlab-org/gitlab/-/issues/294084 It removes the secure_security_and_compliance_configuration_page_on_ce flag

Remove security & compliance config page feature flag
This commit solves https://gitlab.com/gitlab-org/gitlab/-/issues/294084 It removes the secure_security_and_compliance_configuration_page_on_ce flag
ed3074d8 · Jannik Lehmann · Kerri Miller · 3a54e151 · ed3074d8 · ed3074d8
Commit ed3074d8 authored Mar 12, 2021 by Jannik Lehmann Committed by Kerri Miller Mar 12, 2021
11 changed files
--- a/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
+++ b/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
@@ -84,11 +84,6 @@ export default {
      required: false,
      default: false,
    },
-    securityAndComplianceAvailable: {
-      type: Boolean,
-      required: false,
-      default: false,
-    },
    visibilityHelpPath: {
      type: String,
      required: false,
@@ -595,7 +590,6 @@ export default {
        />
      </project-setting-row>
      <project-setting-row
-        v-if="securityAndComplianceAvailable"
        :label="s__('ProjectSettings|Security & Compliance')"
        :help-text="s__('ProjectSettings|Security & Compliance for this project')"
      >

--- a/app/controllers/projects/security/configuration_controller.rb
+++ b/app/controllers/projects/security/configuration_controller.rb
@@ -8,16 +8,8 @@ module Projects
      feature_category :static_application_security_testing
      def show
-        return render_404 unless feature_enabled?
        render_403 unless can?(current_user, :read_security_configuration, project)
      end
-      private
-      def feature_enabled?
-        ::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @project, default_enabled: :yaml)
-      end
    end
  end
 end

--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -379,13 +379,8 @@ module ProjectsHelper
  private
  def can_read_security_configuration?(project, current_user)
-    show_security_and_compliance_config? &&
+    can?(current_user, :access_security_and_compliance, project) &&
-      can?(current_user, :access_security_and_compliance, project) &&
+    can?(current_user, :read_security_configuration, project)
-      can?(current_user, :read_security_configuration, project)
-  end
-  def show_security_and_compliance_config?
-    ::Feature.enabled?(:secure_security_and_compliance_configuration_page_on_ce, @subject, default_enabled: :yaml)
  end
  def get_project_security_nav_tabs(project, current_user)
@@ -674,13 +669,10 @@ module ProjectsHelper
      pagesAvailable: Gitlab.config.pages.enabled,
      pagesAccessControlEnabled: Gitlab.config.pages.access_control,
      pagesAccessControlForced: ::Gitlab::Pages.access_control_is_forced?,
-      pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control'),
+      pagesHelpPath: help_page_path('user/project/pages/introduction', anchor: 'gitlab-pages-access-control')
-      securityAndComplianceAvailable: show_security_and_compliance_toggle?
    }
  end
-  alias_method :show_security_and_compliance_toggle?, :show_security_and_compliance_config?
  def project_permissions_panel_data_json(project)
    project_permissions_panel_data(project).to_json.html_safe
  end

--- a/changelogs/unreleased/remove-secure_security_and_compliance_configuration_page_on_ce-flag.yml
+++ b/changelogs/unreleased/remove-secure_security_and_compliance_configuration_page_on_ce-flag.yml
+---
+title: Remove security & compliance config page feature flag
+merge_request: 56219
+author:
+type: changed
--- a/config/feature_flags/development/secure_security_and_compliance_configuration_page_on_ce.yml
+++ b/config/feature_flags/development/secure_security_and_compliance_configuration_page_on_ce.yml
---
-name: secure_security_and_compliance_configuration_page_on_ce
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50282
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/294076
-milestone: '13.9'
-type: development
-group: group::static analysis
-default_enabled: false
--- a/doc/user/application_security/configuration/index.md
+++ b/doc/user/application_security/configuration/index.md
@@ -10,12 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)**
 > - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
 > - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
-> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9. **(FREE)**
+> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9.
-> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
-> - It's enabled on GitLab.com.
-> - It's recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [enable it](#enable-or-disable-security-configuration). **(FREE SELF)**
-> - It can be enabled or disabled for a single project.
 WARNING:
 This feature might not be available to you. Check the **version history** note above for details.
@@ -54,25 +49,3 @@ You can configure the following security controls:
  - Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
 - DAST Profiles
  - Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
-### Enable or disable Security Configuration **(FREE SELF)**
-Security Configuration is under development but ready for production use.
-It is deployed behind a feature flag that is **disabled by default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
-can opt to enable it.
-NOTE:
-This does not apply to GitLab Ultimate.
-To enable it:
-```ruby
-Feature.enable(:secure_security_and_compliance_configuration_page_on_ce)
-```
-To disable it:
-```ruby
-Feature.disable(:secure_security_and_compliance_configuration_page_on_ce)
-```
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -82,11 +82,6 @@ module EE
      panel_data
    end
-    override :show_security_and_compliance_toggle?
-    def show_security_and_compliance_toggle?
-      super || show_audit_events?(@project)
-    end
    override :default_url_to_repo
    def default_url_to_repo(project = @project)
      case default_clone_protocol

--- a/ee/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -21,21 +21,16 @@ RSpec.describe Projects::Security::ConfigurationController do
    render_views
-    where(:user_role, :security_dashboard_enabled, :ce_flag_enabled, :status, :selector) do
+    where(:user_role, :security_dashboard_enabled, :status, :selector) do
-      :guest     | false | false | :not_found | nil
+      :guest     | false | :forbidden | nil
-      :guest     | false | true  | :forbidden | nil
+      :guest     | true  | :forbidden | nil
-      :guest     | true  | false | :not_found | nil
+      :developer | false | :ok        | '#js-security-configuration-static'
-      :guest     | true  | true  | :forbidden | nil
+      :developer | true  | :ok        | '#js-security-configuration'
-      :developer | false | false | :not_found | nil
-      :developer | false | true  | :ok        | '#js-security-configuration-static'
-      :developer | true  | false | :ok        | '#js-security-configuration'
-      :developer | true  | true  | :ok        | '#js-security-configuration'
    end
    with_them do
      before do
        stub_licensed_features(security_dashboard: security_dashboard_enabled)
-        stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: ce_flag_enabled)
        group.send("add_#{user_role}", user)
        sign_in(user)
      end
@@ -57,73 +52,59 @@ RSpec.describe Projects::Security::ConfigurationController do
    end
    context 'with developer and security dashboard feature enabled' do
-      let(:flag) { :secure_security_and_compliance_configuration_page_on_ce }
+      before do
+        stub_licensed_features(security_dashboard: true)
-      # The tests in this context should be unaffected by this feature flag,
-      # and should behave identically whether this is enabled or disabled.
+        group.add_developer(user)
-      where(:flag_enabled) do
+        sign_in(user)
-        [
-          [true],
-          [false]
-        ]
      end
-      with_them do
+      it 'responds in json format when requested' do
-        before do
+        get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
-          stub_feature_flags(flag => flag_enabled)
-          stub_licensed_features(security_dashboard: true)
-          group.add_developer(user)
+        types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
-          sign_in(user)
-        end
-        it 'responds in json format when requested' do
+        expect(response).to have_gitlab_http_status(:ok)
-          get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
+        expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
+        expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
+      end
-          types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
+      it "renders data on the project's security configuration" do
+        request
-          expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
+        expect(response).to render_template(:show)
-          expect(json_response['auto_fix_enabled']).to include({ 'dependency_scanning' => true, 'container_scanning' => true })
+        expect(response.body).to have_css(
+          'div#js-security-configuration'\
+            "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
+            "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
+            "[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
+        )
+      end
+      context 'when the latest pipeline used Auto DevOps' do
+        let!(:pipeline) do
+          create(
+            :ci_pipeline,
+            :auto_devops_source,
+            project: project,
+            ref: project.default_branch,
+            sha: project.commit.sha
+          )
        end
-        it "renders data on the project's security configuration" do
+        it 'reports that Auto DevOps is enabled' do
          request
          expect(response).to have_gitlab_http_status(:ok)
-          expect(response).to render_template(:show)
          expect(response.body).to have_css(
            'div#js-security-configuration'\
+              '[data-auto-devops-enabled]'\
              "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
              "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
-              "[data-latest-pipeline-path=\"#{help_page_path('ci/pipelines')}\"]"
+              "[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
          )
        end
-        context 'when the latest pipeline used Auto DevOps' do
-          let!(:pipeline) do
-            create(
-              :ci_pipeline,
-              :auto_devops_source,
-              project: project,
-              ref: project.default_branch,
-              sha: project.commit.sha
-            )
-          end
-          it 'reports that Auto DevOps is enabled' do
-            request
-            expect(response).to have_gitlab_http_status(:ok)
-            expect(response.body).to have_css(
-              'div#js-security-configuration'\
-                '[data-auto-devops-enabled]'\
-                "[data-auto-devops-help-page-path=\"#{help_page_path('topics/autodevops/index')}\"]"\
-                "[data-help-page-path=\"#{help_page_path('user/application_security/index')}\"]"\
-                "[data-latest-pipeline-path=\"#{project_pipeline_path(project, pipeline)}\"]"
-            )
-          end
-        end
      end
    end
  end

--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
@@ -604,7 +604,7 @@ RSpec.describe ProjectsHelper do
    using RSpec::Parameterized::TableSyntax
    let(:user) { instance_double(User, admin?: false) }
-    let(:expected_data) { { requirementsAvailable: false, securityAndComplianceAvailable: true } }
+    let(:expected_data) { { requirementsAvailable: false } }
    subject { helper.project_permissions_panel_data(project) }

--- a/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -13,42 +13,28 @@ RSpec.describe Projects::Security::ConfigurationController do
  end
  describe 'GET show' do
-    context 'when feature flag is disabled' do
+    context 'when user has guest access' do
      before do
-        stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: false)
+        project.add_guest(user)
      end
-      it 'renders not found' do
+      it 'denies access' do
        get :show, params: { namespace_id: project.namespace, project_id: project }
-        expect(response).to have_gitlab_http_status(:not_found)
+        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end
-    context 'when feature flag is enabled' do
+    context 'when user has developer access' do
-      context 'when user has guest access' do
+      before do
-        before do
+        project.add_developer(user)
-          project.add_guest(user)
-        end
-        it 'denies access' do
-          get :show, params: { namespace_id: project.namespace, project_id: project }
-          expect(response).to have_gitlab_http_status(:forbidden)
-        end
      end
-      context 'when user has developer access' do
+      it 'grants access' do
-        before do
+        get :show, params: { namespace_id: project.namespace, project_id: project }
-          project.add_developer(user)
-        end
-        it 'grants access' do
-          get :show, params: { namespace_id: project.namespace, project_id: project }
-          expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to have_gitlab_http_status(:ok)
-          expect(response).to render_template(:show)
+        expect(response).to render_template(:show)
-        end
      end
    end
  end

--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -401,40 +401,20 @@ RSpec.describe ProjectsHelper do
    context 'Security & Compliance tabs' do
      before do
-        stub_feature_flags(secure_security_and_compliance_configuration_page_on_ce: feature_flag_enabled)
        allow(helper).to receive(:can?).with(user, :read_security_configuration, project).and_return(can_read_security_configuration)
      end
      context 'when user cannot read security configuration' do
        let(:can_read_security_configuration) { false }
-        context 'when feature flag is disabled' do
+        it { is_expected.not_to include(:security_configuration) }
-          let(:feature_flag_enabled) { false }
-          it { is_expected.not_to include(:security_configuration) }
-        end
-        context 'when feature flag is enabled' do
-          let(:feature_flag_enabled) { true }
-          it { is_expected.not_to include(:security_configuration) }
-        end
      end
      context 'when user can read security configuration' do
        let(:can_read_security_configuration) { true }
+        let(:feature_flag_enabled) { true }
-        context 'when feature flag is disabled' do
+        it { is_expected.to include(:security_configuration) }
-          let(:feature_flag_enabled) { false }
-          it { is_expected.not_to include(:security_configuration) }
-        end
-        context 'when feature flag is enabled' do
-          let(:feature_flag_enabled) { true }
-          it { is_expected.to include(:security_configuration) }
-        end
      end
    end