Automatic merge of gitlab-org/gitlab master

f1965f56 · GitLab Bot · b56ec263 · 7857dc72 · f1965f56 · f1965f56
Commit f1965f56 authored Feb 25, 2022 by GitLab Bot
7 changed files
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -443,6 +443,7 @@ Example response:
      "builds_access_level":"enabled",
      "snippets_access_level":"enabled",
      "pages_access_level":"enabled",
+      "security_and_compliance_access_level":"enabled",
      "emails_disabled":null,
      "shared_runners_enabled":true,
      "lfs_enabled":true,

--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -151,6 +151,7 @@ When the user is authenticated and `simple` is not set this returns something li
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -245,6 +246,7 @@ When the user is authenticated and `simple` is not set this returns something li
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -440,6 +442,7 @@ GET /users/:user_id/projects
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -534,6 +537,7 @@ GET /users/:user_id/projects
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -688,6 +692,7 @@ Example response:
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -777,6 +782,7 @@ Example response:
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -910,6 +916,7 @@ GET /projects/:id
  "resolve_outdated_diff_discussions": false,
  "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
  "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
  "container_expiration_policy": {
    "cadence": "7d",
    "enabled": false,
@@ -1257,6 +1264,7 @@ POST /projects
 | `request_access_enabled`                                    | boolean | **{dotted-circle}** No | Allow users to request member access. |
 | `requirements_access_level`                                 | string  | **{dotted-circle}** No | One of `disabled`, `private` or `enabled` |
 | `resolve_outdated_diff_discussions`                         | boolean | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
+| `security_and_compliance_access_level`                      | string  | **{dotted-circle}** No | (GitLab 14.9 and later) Security and compliance access level. One of `disabled`, `private`, or `enabled`. |
 | `shared_runners_enabled`                                    | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
 | `snippets_access_level`                                     | string  | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
 | `snippets_enabled`                                          | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
@@ -1334,6 +1342,7 @@ POST /projects/user/:user_id
 | `request_access_enabled`                                    | boolean | **{dotted-circle}** No | Allow users to request member access. |
 | `requirements_access_level`                                 | string  | **{dotted-circle}** No | One of `disabled`, `private`, `enabled` or `public` |
 | `resolve_outdated_diff_discussions`                         | boolean | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
+| `security_and_compliance_access_level`                      | string  | **{dotted-circle}** No | (GitLab 14.9 and later) Security and compliance access level. One of `disabled`, `private`, or `enabled`. |
 | `shared_runners_enabled`                                    | boolean | **{dotted-circle}** No | Enable shared runners for this project. |
 | `snippets_access_level`                                     | string  | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
 | `snippets_enabled`                                          | boolean | **{dotted-circle}** No | _(Deprecated)_ Enable snippets for this project. Use `snippets_access_level` instead. |
@@ -1433,6 +1442,7 @@ Supported attributes:
 | `requirements_access_level`                                 | string         | **{dotted-circle}** No | One of `disabled`, `private`, `enabled` or `public` |
 | `resolve_outdated_diff_discussions`                         | boolean        | **{dotted-circle}** No | Automatically resolve merge request diffs discussions on lines changed with a push. |
 | `restrict_user_defined_variables`                           | boolean        | **{dotted-circle}** No | Allow only users with the Maintainer role to pass user-defined variables when triggering a pipeline. For example when the pipeline is triggered in the UI, with the API, or by a trigger token. |
+| `security_and_compliance_access_level`                      | string         | **{dotted-circle}** No | (GitLab 14.9 and later) Security and compliance access level. One of `disabled`, `private`, or `enabled`. |
 | `service_desk_enabled`                                      | boolean        | **{dotted-circle}** No | Enable or disable Service Desk feature. |
 | `shared_runners_enabled`                                    | boolean        | **{dotted-circle}** No | Enable shared runners for this project. |
 | `snippets_access_level`                                     | string         | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. |
@@ -1536,6 +1546,7 @@ Example responses:
    "resolve_outdated_diff_discussions": false,
    "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
    "container_registry_access_level": "disabled",
+    "security_and_compliance_access_level": "disabled",
    "created_at": "2013-09-30T13:46:02Z",
    "last_activity_at": "2013-09-30T13:46:02Z",
    "creator_id": 3,
@@ -1630,6 +1641,7 @@ Example response:
  "resolve_outdated_diff_discussions": false,
  "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
  "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
  "created_at": "2013-09-30T13:46:02Z",
  "last_activity_at": "2013-09-30T13:46:02Z",
  "creator_id": 3,
@@ -1730,6 +1742,7 @@ Example response:
  "resolve_outdated_diff_discussions": false,
  "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
  "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
  "created_at": "2013-09-30T13:46:02Z",
  "last_activity_at": "2013-09-30T13:46:02Z",
  "creator_id": 3,
@@ -1910,6 +1923,7 @@ Example response:
  "resolve_outdated_diff_discussions": false,
  "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
  "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
  "created_at": "2013-09-30T13:46:02Z",
  "last_activity_at": "2013-09-30T13:46:02Z",
  "creator_id": 3,
@@ -2031,6 +2045,7 @@ Example response:
  "resolve_outdated_diff_discussions": false,
  "container_registry_enabled": false, // deprecated, use container_registry_access_level instead
  "container_registry_access_level": "disabled",
+  "security_and_compliance_access_level": "disabled",
  "created_at": "2013-09-30T13:46:02Z",
  "last_activity_at": "2013-09-30T13:46:02Z",
  "creator_id": 3,
@@ -2691,6 +2706,7 @@ Example response:
  "builds_access_level": "enabled",
  "snippets_access_level": "enabled",
  "pages_access_level": "enabled",
+  "security_and_compliance_access_level": "enabled",
  "emails_disabled": null,
  "shared_runners_enabled": true,
  "lfs_enabled": true,

--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -74,6 +74,7 @@ module API
      expose(:operations_access_level) { |project, options| project.project_feature.string_access_level(:operations) }
      expose(:analytics_access_level) { |project, options| project.project_feature.string_access_level(:analytics) }
      expose(:container_registry_access_level) { |project, options| project.project_feature.string_access_level(:container_registry) }
+      expose(:security_and_compliance_access_level) { |project, options| project.project_feature.string_access_level(:security_and_compliance) }

      expose :emails_disabled
      expose :shared_runners_enabled

--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
@@ -36,6 +36,7 @@ module API
        optional :operations_access_level, type: String, values: %w(disabled private enabled), desc: 'Operations access level. One of `disabled`, `private` or `enabled`'
        optional :analytics_access_level, type: String, values: %w(disabled private enabled), desc: 'Analytics access level. One of `disabled`, `private` or `enabled`'
        optional :container_registry_access_level, type: String, values: %w(disabled private enabled), desc: 'Controls visibility of the container registry. One of `disabled`, `private` or `enabled`. `private` will make the container registry accessible only to project members (reporter role and above). `enabled` will make the container registry accessible to everyone who has access to the project. `disabled` will disable the container registry'
+        optional :security_and_compliance_access_level, type: String, values: %w(disabled private enabled), desc: 'Security and compliance access level. One of `disabled`, `private` or `enabled`'

        optional :emails_disabled, type: Boolean, desc: 'Disable email notifications'
        optional :show_default_award_emojis, type: Boolean, desc: 'Show default award emojis'
@@ -118,6 +119,7 @@ module API
      def self.update_params_at_least_one_of
        [
          :allow_merge_on_skipped_pipeline,
+          :analytics_access_level,
          :autoclose_referenced_issues,
          :auto_devops_enabled,
          :auto_devops_deploy_strategy,
@@ -145,6 +147,7 @@ module API
          :name,
          :only_allow_merge_if_all_discussions_are_resolved,
          :only_allow_merge_if_pipeline_succeeds,
+          :operations_access_level,
          :pages_access_level,
          :path,
          :printing_merge_request_link_enabled,
@@ -154,6 +157,7 @@ module API
          :request_access_enabled,
          :resolve_outdated_diff_discussions,
          :restrict_user_defined_variables,
+          :security_and_compliance_access_level,
          :squash_option,
          :shared_runners_enabled,
          :snippets_access_level,

--- a/spec/factories/projects.rb
+++ b/spec/factories/projects.rb
@@ -35,6 +35,7 @@ FactoryBot.define do
      metrics_dashboard_access_level { ProjectFeature::PRIVATE }
      operations_access_level { ProjectFeature::ENABLED }
      container_registry_access_level { ProjectFeature::ENABLED }
+      security_and_compliance_access_level { ProjectFeature::PRIVATE }

      # we can't assign the delegated `#ci_cd_settings` attributes directly, as the
      # `#ci_cd_settings` relation needs to be created first
@@ -70,7 +71,8 @@ FactoryBot.define do
        metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level,
        operations_access_level: evaluator.operations_access_level,
        analytics_access_level: evaluator.analytics_access_level,
-        container_registry_access_level: evaluator.container_registry_access_level
+        container_registry_access_level: evaluator.container_registry_access_level,
+        security_and_compliance_access_level: evaluator.security_and_compliance_access_level
      }

      project.build_project_feature(hash)
@@ -359,6 +361,9 @@ FactoryBot.define do
    trait(:container_registry_enabled)  { container_registry_access_level { ProjectFeature::ENABLED } }
    trait(:container_registry_disabled) { container_registry_access_level { ProjectFeature::DISABLED } }
    trait(:container_registry_private)  { container_registry_access_level { ProjectFeature::PRIVATE } }
+    trait(:security_and_compliance_enabled)  { security_and_compliance_access_level { ProjectFeature::ENABLED } }
+    trait(:security_and_compliance_disabled) { security_and_compliance_access_level { ProjectFeature::DISABLED } }
+    trait(:security_and_compliance_private)  { security_and_compliance_access_level { ProjectFeature::PRIVATE } }

    trait :auto_devops do
      association :auto_devops, factory: :project_auto_devops

--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -122,7 +122,6 @@ project_feature:
    - created_at
    - metrics_dashboard_access_level
    - project_id
-    - security_and_compliance_access_level
    - updated_at
  computed_attributes:
    - issues_enabled

--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1077,6 +1077,7 @@ RSpec.describe API::Projects do
        attrs[:operations_access_level] = 'disabled'
        attrs[:analytics_access_level] = 'disabled'
        attrs[:container_registry_access_level] = 'private'
+        attrs[:security_and_compliance_access_level] = 'private'
      end

      post api('/projects', user), params: project
@@ -1100,6 +1101,7 @@ RSpec.describe API::Projects do
      expect(project.operations_access_level).to eq(ProjectFeature::DISABLED)
      expect(project.project_feature.analytics_access_level).to eq(ProjectFeature::DISABLED)
      expect(project.project_feature.container_registry_access_level).to eq(ProjectFeature::PRIVATE)
+      expect(project.project_feature.security_and_compliance_access_level).to eq(ProjectFeature::PRIVATE)
    end

    it 'assigns container_registry_enabled to project', :aggregate_failures do
@@ -2227,6 +2229,7 @@ RSpec.describe API::Projects do
        expect(json_response['restrict_user_defined_variables']).to eq(project.restrict_user_defined_variables?)
        expect(json_response['only_allow_merge_if_all_discussions_are_resolved']).to eq(project.only_allow_merge_if_all_discussions_are_resolved)
        expect(json_response['operations_access_level']).to be_present
+        expect(json_response['security_and_compliance_access_level']).to be_present
      end

      it 'exposes all necessary attributes' do
@@ -2295,6 +2298,7 @@ RSpec.describe API::Projects do
        expect(json_response['wiki_access_level']).to be_present
        expect(json_response['builds_access_level']).to be_present
        expect(json_response['operations_access_level']).to be_present
+        expect(json_response['security_and_compliance_access_level']).to be_present
        expect(json_response).to have_key('emails_disabled')
        expect(json_response['resolve_outdated_diff_discussions']).to eq(project.resolve_outdated_diff_discussions)
        expect(json_response['remove_source_branch_after_merge']).to be_truthy
@@ -3220,6 +3224,30 @@ RSpec.describe API::Projects do
      expect(project.reload.container_registry_access_level).to eq(ProjectFeature::ENABLED)
    end

+    it 'sets security_and_compliance_access_level', :aggregate_failures do
+      put api("/projects/#{project.id}", user), params: { security_and_compliance_access_level: 'private' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['security_and_compliance_access_level']).to eq('private')
+      expect(Project.find_by(path: project[:path]).security_and_compliance_access_level).to eq(ProjectFeature::PRIVATE)
+    end
+
+    it 'sets operations_access_level', :aggregate_failures do
+      put api("/projects/#{project.id}", user), params: { operations_access_level: 'private' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['operations_access_level']).to eq('private')
+      expect(Project.find_by(path: project[:path]).operations_access_level).to eq(ProjectFeature::PRIVATE)
+    end
+
+    it 'sets analytics_access_level', :aggregate_failures do
+      put api("/projects/#{project.id}", user), params: { analytics_access_level: 'private' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['analytics_access_level']).to eq('private')
+      expect(Project.find_by(path: project[:path]).analytics_access_level).to eq(ProjectFeature::PRIVATE)
+    end
+
    it 'returns 400 when nothing sent' do
      project_param = {}