Merge branch 'add_validation_for_threat_monitoring_alert_id' into 'master'

Add validation for alert id with respective specs See merge request gitlab-org/gitlab!59676

Merge branch 'add_validation_for_threat_monitoring_alert_id' into 'master'
Add validation for alert id with respective specs See merge request gitlab-org/gitlab!59676
f83afba5 · Jan Provaznik · 0327e789 · ee8a9ab6 · f83afba5 · f83afba5
Commit f83afba5 authored Apr 22, 2021 by Jan Provaznik
4 changed files
--- a/ee/app/controllers/projects/threat_monitoring_controller.rb
+++ b/ee/app/controllers/projects/threat_monitoring_controller.rb
@@ -10,11 +10,12 @@ module Projects
      push_frontend_feature_flag(:threat_monitoring_alerts, project, default_enabled: :yaml)
    end
+    before_action :threat_monitoring_ff_enabled, only: [:alert_details]
    feature_category :web_firewall
    def alert_details
-      render_404 unless Feature.enabled?(:threat_monitoring_alerts, project, default_enabled: :yaml)
+      @alert_id = project.alert_management_alerts.find(params[:id]).id
-      @alert_id = params[:id]
    end
    def edit
@@ -32,5 +33,11 @@ module Projects
        render_404
      end
    end
+    private
+    def threat_monitoring_ff_enabled
+      render_404 unless Feature.enabled?(:threat_monitoring_alerts, project, default_enabled: :yaml)
+    end
  end
 end
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -40,7 +40,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
        resources :subscriptions, only: [:create, :destroy]
        resource :threat_monitoring, only: [:show], controller: :threat_monitoring do
-          get '/alerts/:id', action: 'alert_details'
+          get '/alerts/:id', action: 'alert_details', constraints: { id: /\d+/ }
          resources :policies, only: [:new, :edit], controller: :threat_monitoring
        end

--- a/ee/spec/controllers/projects/threat_monitoring_controller_spec.rb
+++ b/ee/spec/controllers/projects/threat_monitoring_controller_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 RSpec.describe Projects::ThreatMonitoringController do
  let_it_be(:project) { create(:project, :repository, :private) }
+  let_it_be(:alert) { create(:alert_management_alert, :cilium, project: project) }
  let_it_be(:user) { create(:user) }
  describe 'GET show' do
@@ -238,7 +239,9 @@ RSpec.describe Projects::ThreatMonitoringController do
  end
  describe 'GET threat monitoring alerts' do
-    subject { get :alert_details, params: { namespace_id: project.namespace, project_id: project, id: '5' } }
+    let(:alert_id) { alert.id }
+    subject { get :alert_details, params: { namespace_id: project.namespace, project_id: project, id: alert_id } }
    context 'with authorized user' do
      before do
@@ -246,6 +249,29 @@ RSpec.describe Projects::ThreatMonitoringController do
        sign_in(user)
      end
+      context 'with threat_monitoring feature and threat_monitoring_alerts feature flag' do
+        using RSpec::Parameterized::TableSyntax
+        where(:feature_flag, :feature, :http_status) do
+          false | false | :not_found
+          false | true  | :not_found
+          true | false | :not_found
+          true | true | :ok
+        end
+        with_them do
+          before do
+            stub_licensed_features(threat_monitoring: feature)
+            stub_feature_flags(threat_monitoring_alerts: feature_flag)
+          end
+          specify do
+            subject
+            expect(response).to have_gitlab_http_status(http_status)
+          end
+        end
+      end
      context 'when feature is available' do
        before do
          stub_licensed_features(threat_monitoring: true)
@@ -254,21 +280,25 @@ RSpec.describe Projects::ThreatMonitoringController do
        it 'renders the show template' do
          subject
-          expect(response).to have_gitlab_http_status(:ok)
          expect(response).to render_template(:alert_details)
        end
-      end
-      context 'when feature is not available' do
+        context 'when id is invalid' do
-        before do
+          let(:alert_id) { nil }
-          stub_licensed_features(threat_monitoring: true)
-          stub_feature_flags(threat_monitoring_alerts: false)
+          it 'raises an error' do
+            expect { subject }.to raise_error(ActionController::UrlGenerationError)
+          end
        end
-        it 'returns 404' do
+        context 'when id is not found' do
-          subject
+          let(:alert_id) { non_existing_record_id }
-          expect(response).to have_gitlab_http_status(:not_found)
+          it 'renders not found' do
+            subject
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
        end
      end
    end

--- a/spec/factories/alert_management/alerts.rb
+++ b/spec/factories/alert_management/alerts.rb
@@ -109,6 +109,20 @@ FactoryBot.define do
      end
    end
+    trait :cilium do
+      monitoring_tool { Gitlab::AlertManagement::Payload::MONITORING_TOOLS[:cilium] }
+      payload do
+        {
+          annotations: {
+            title: 'This is a cilium alert',
+            summary: 'Summary of the alert',
+            description: 'Description of the alert'
+          },
+          startsAt: started_at
+        }.with_indifferent_access
+      end
+    end
    trait :all_fields do
      with_issue
      with_assignee