Upgrade Compliance pipeline configuration to Ultimate tier

Although compliance framework is available to Premium tier, the compliance pipeline configuration can be used only for Ultimate tier

Upgrade Compliance pipeline configuration to Ultimate tier
347ca5ff · Aishwarya · Bob Van Landuyt :neckbeard: · 41dfe9cb · 347ca5ff · 347ca5ff
Commit 347ca5ff authored 4 years ago by Aishwarya Committed by Bob Van Landuyt :neckbeard: 4 years ago
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -4054,7 +4054,8 @@ type ComplianceFramework {
  
  """
  Full path of the compliance pipeline configuration stored in a project
-  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.
+  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa`
+  **(ULTIMATE)**.
  """
  pipelineConfigurationFullPath: String
 }
@@ -4112,7 +4113,8 @@ input ComplianceFrameworkInput {
  
  """
  Full path of the compliance pipeline configuration stored in a project
-  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.
+  repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa`
+  **(ULTIMATE)**.
  """
  pipelineConfigurationFullPath: String
 }

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -11037,7 +11037,7 @@
            },
            {
              "name": "pipelineConfigurationFullPath",
-              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.",
+              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.",
              "args": [
  
              ],
@@ -11207,7 +11207,7 @@
            },
            {
              "name": "pipelineConfigurationFullPath",
-              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.",
+              "description": "Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.",
              "type": {
                "kind": "SCALAR",
                "name": "String",
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -787,7 +787,7 @@ Represents a ComplianceFramework associated with a Project.
 | `description` | String! | Description of the compliance framework. |
 | `id` | ID! | Compliance framework ID. |
 | `name` | String! | Name of the compliance framework. |
-| `pipelineConfigurationFullPath` | String | Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`. |
+| `pipelineConfigurationFullPath` | String | Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**. |
  
 ### ComposerMetadata
  

--- a/ee/app/graphql/types/compliance_management/compliance_framework_input_type.rb
+++ b/ee/app/graphql/types/compliance_management/compliance_framework_input_type.rb
@@ -24,7 +24,7 @@ class ComplianceFrameworkInputType < BaseInputObject
      argument :pipeline_configuration_full_path,
               GraphQL::STRING_TYPE,
               required: false,
-               description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.'
+               description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.'
    end
  end
 end
--- a/ee/app/graphql/types/compliance_management/compliance_framework_type.rb
+++ b/ee/app/graphql/types/compliance_management/compliance_framework_type.rb
@@ -25,7 +25,8 @@ class ComplianceFrameworkType < Types::BaseObject
  
      field :pipeline_configuration_full_path, GraphQL::STRING_TYPE,
            null: true,
-            description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hippa`.'
+            description: 'Full path of the compliance pipeline configuration stored in a project repository, such as `.gitlab/.compliance-gitlab-ci.yml@compliance/hipaa` **(ULTIMATE)**.',
+            authorize: :manage_group_level_compliance_pipeline_config
    end
  end
 end
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -149,6 +149,7 @@ class License < ApplicationRecord
    enforce_ssh_key_expiration
    enterprise_templates
    environment_alerts
+    evaluate_group_level_compliance_pipeline
    group_ci_cd_analytics
    group_level_compliance_dashboard
    incident_management

--- a/ee/app/policies/compliance_management/framework_policy.rb
+++ b/ee/app/policies/compliance_management/framework_policy.rb
@@ -8,8 +8,17 @@ class FrameworkPolicy < BasePolicy
      License.feature_available?(:custom_compliance_frameworks) && Feature.enabled?(:ff_custom_compliance_frameworks)
    end
  
+    condition(:group_level_compliance_pipeline_enabled) do
+      @subject.namespace.feature_available?(:evaluate_group_level_compliance_pipeline) &&
+        Feature.enabled?(:ff_custom_compliance_frameworks, @subject.namespace)
+    end
+
    rule { can?(:owner_access) & custom_compliance_frameworks_enabled }.policy do
      enable :manage_compliance_framework
    end
+
+    rule { can?(:owner_access) & group_level_compliance_pipeline_enabled }.policy do
+      enable :manage_group_level_compliance_pipeline_config
+    end
  end
 end
--- a/ee/app/services/compliance_management/frameworks/create_service.rb
+++ b/ee/app/services/compliance_management/frameworks/create_service.rb
@@ -3,6 +3,8 @@
 module ComplianceManagement
  module Frameworks
    class CreateService < BaseService
+      include ::ComplianceManagement::Frameworks
+
      attr_reader :namespace, :params, :current_user, :framework
  
      def initialize(namespace:, params:, current_user:)
@@ -22,6 +24,7 @@ def execute
        )
  
        return ServiceResponse.error(message: 'Not permitted to create framework') unless permitted?
+        return ServiceResponse.error(message: 'Pipeline configuration full path feature is not available') unless compliance_pipeline_configuration_available?
  
        framework.save ? success : error
      end

--- a/ee/app/services/compliance_management/frameworks/update_service.rb
+++ b/ee/app/services/compliance_management/frameworks/update_service.rb
@@ -3,6 +3,8 @@
 module ComplianceManagement
  module Frameworks
    class UpdateService < BaseService
+      include ::ComplianceManagement::Frameworks
+
      attr_reader :framework, :current_user, :params
  
      def initialize(framework:, current_user:, params:)
@@ -14,6 +16,11 @@ def initialize(framework:, current_user:, params:)
      def execute
        return error unless permitted?
  
+        unless compliance_pipeline_configuration_available?
+          framework.errors.add(:pipeline_configuration_full_path, 'feature is not available')
+          return error
+        end
+
        framework.update(params) ? success : error
      end
  

--- a/ee/app/services/concerns/compliance_management/frameworks.rb
+++ b/ee/app/services/concerns/compliance_management/frameworks.rb
+# frozen_string_literal: true
+
+module ComplianceManagement
+  module Frameworks
+    def compliance_pipeline_configuration_available?
+      return true unless params[:pipeline_configuration_full_path].present?
+
+      can? current_user, :manage_group_level_compliance_pipeline_config, framework
+    end
+  end
+end
--- a/ee/spec/graphql/mutations/compliance_management/frameworks/create_spec.rb
+++ b/ee/spec/graphql/mutations/compliance_management/frameworks/create_spec.rb
@@ -27,7 +27,7 @@
  
    context 'feature is licensed' do
      before do
-        stub_licensed_features(custom_compliance_frameworks: true)
+        stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
      end
  
      context 'feature flag is disabled' do
@@ -107,7 +107,7 @@ def valid_params
        name: 'GDPR',
        description: 'Example description',
        color: '#abc123',
-        pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+        pipeline_configuration_full_path: '.compliance-gitlab-ci.yml@compliance/hipaa'
      }
    }
  end

--- a/ee/spec/policies/compliance_management/framework_policy_spec.rb
+++ b/ee/spec/policies/compliance_management/framework_policy_spec.rb
@@ -3,18 +3,19 @@
 require 'spec_helper'
  
 RSpec.describe ComplianceManagement::FrameworkPolicy do
-  let_it_be(:framework) { create(:compliance_framework) }
+  let_it_be_with_refind(:framework) { create(:compliance_framework) }
  let(:user) { framework.namespace.owner }
  
  subject { described_class.new(user, framework) }
  
  context 'feature is licensed' do
    before do
-      stub_licensed_features(custom_compliance_frameworks: true)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
    end
  
    context 'user is namespace owner' do
      it { is_expected.to be_allowed(:manage_compliance_framework) }
+      it { is_expected.to be_allowed(:manage_group_level_compliance_pipeline_config) }
    end
  
    context 'user is group owner' do
@@ -27,27 +28,31 @@
      end
  
      it { is_expected.to be_allowed(:manage_compliance_framework) }
+      it { is_expected.to be_allowed(:manage_group_level_compliance_pipeline_config) }
    end
  
    context 'user is not namespace owner' do
      let(:user) { build(:user) }
  
      it { is_expected.to be_disallowed(:manage_compliance_framework) }
+      it { is_expected.to be_disallowed(:manage_group_level_compliance_pipeline_config) }
    end
  
    context 'user is an admin', :enable_admin_mode do
      let(:user) { build(:admin) }
  
      it { is_expected.to be_allowed(:manage_compliance_framework) }
+      it { is_expected.to be_allowed(:manage_group_level_compliance_pipeline_config) }
    end
  end
  
  context 'feature is unlicensed' do
    before do
-      stub_licensed_features(custom_compliance_frameworks: false)
+      stub_licensed_features(custom_compliance_frameworks: false, evaluate_group_level_compliance_pipeline: false)
    end
  
    it { is_expected.to be_disallowed(:manage_compliance_framework) }
+    it { is_expected.to be_disallowed(:manage_group_level_compliance_pipeline_config) }
  end
  
  context 'feature is disabled' do
@@ -56,5 +61,6 @@
    end
  
    it { is_expected.to be_disallowed(:manage_compliance_framework) }
+    it { is_expected.to be_disallowed(:manage_group_level_compliance_pipeline_config) }
  end
 end
--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/create_spec.rb
@@ -16,7 +16,7 @@
        name: 'GDPR',
        description: 'Example Description',
        color: '#ABC123',
-        pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+        pipeline_configuration_full_path: '.compliance-gitlab-ci.yml@compliance/hipaa'
      }
    )
  end
@@ -38,7 +38,7 @@ def mutation_response
      expect(mutation_response['framework']['color']).to eq '#ABC123'
      expect(mutation_response['framework']['name']).to eq 'GDPR'
      expect(mutation_response['framework']['description']).to eq 'Example Description'
-      expect(mutation_response['framework']['pipelineConfigurationFullPath']).to eq 'compliance/.gitlab-ci.yml'
+      expect(mutation_response['framework']['pipelineConfigurationFullPath']).to eq '.compliance-gitlab-ci.yml@compliance/hipaa'
    end
  end
  
@@ -53,7 +53,7 @@ def mutation_response
  
  context 'feature is licensed' do
    before do
-      stub_licensed_features(custom_compliance_frameworks: true)
+      stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
    end
  
    context 'feature is disabled' do

--- a/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/compliance_management/frameworks/update_spec.rb
@@ -13,8 +13,7 @@
      params: {
        name: 'New Name',
        description: 'New Description',
-        color: '#AAC112',
-        pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+        color: '#AAC112'
      }
    }
  end
@@ -62,7 +61,36 @@ def mutation_response
        expect(mutation_response['complianceFramework']['name']).to eq 'New Name'
        expect(mutation_response['complianceFramework']['description']).to eq 'New Description'
        expect(mutation_response['complianceFramework']['color']).to eq '#AAC112'
-        expect(mutation_response['complianceFramework']['pipelineConfigurationFullPath']).to eq 'compliance/.gitlab-ci.yml'
+      end
+
+      context 'pipeline configuration full path' do
+        before do
+          params[:params][:pipeline_configuration_full_path] = '.compliance-gitlab-ci.yml@compliance/hipaa'
+        end
+
+        context 'when compliance pipeline configuration feature is available' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+          end
+
+          it 'updates the pipeline configuration path attribute' do
+            subject
+
+            expect(mutation_response['complianceFramework']['pipelineConfigurationFullPath']).to eq '.compliance-gitlab-ci.yml@compliance/hipaa'
+          end
+        end
+
+        context 'when compliance pipeline configuration feature is not available' do
+          before do
+            stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+          end
+
+          it 'returns an error' do
+            subject
+
+            expect(mutation_response['errors']).to contain_exactly "Pipeline configuration full path feature is not available"
+          end
+        end
      end
  
      context 'current_user is not permitted to update framework' do

--- a/ee/spec/services/compliance_management/frameworks/create_service_spec.rb
+++ b/ee/spec/services/compliance_management/frameworks/create_service_spec.rb
@@ -3,13 +3,12 @@
 require 'spec_helper'
  
 RSpec.describe ComplianceManagement::Frameworks::CreateService do
-  let_it_be(:namespace) { create(:namespace) }
+  let_it_be_with_refind(:namespace) { create(:namespace) }
  let(:params) do
    {
      name: 'GDPR',
      description: 'The EUs data protection directive',
-      color: '#abc123',
-      pipeline_configuration_full_path: 'compliance/.gitlab-ci.yml'
+      color: '#abc123'
    }
  end
  
@@ -72,6 +71,22 @@
      end
    end
  
+    context 'when pipeline_configuration_full_path parameter is used and feature is not available' do
+      subject { described_class.new(namespace: namespace, params: params, current_user: namespace.owner) }
+
+      before do
+        params[:pipeline_configuration_full_path] = '.compliance-gitlab-ci.yml@compliance/hipaa'
+        stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: false)
+      end
+
+      let(:response) { subject.execute }
+
+      it 'returns an error', :aggregate_failures do
+        expect(response.success?).to be false
+        expect(response.message).to eq 'Pipeline configuration full path feature is not available'
+      end
+    end
+
    context 'when using parameters for a valid compliance framework' do
      subject { described_class.new(namespace: namespace, params: params, current_user: namespace.owner) }
  
@@ -89,7 +104,19 @@
        expect(framework.name).to eq('GDPR')
        expect(framework.description).to eq('The EUs data protection directive')
        expect(framework.color).to eq('#abc123')
-        expect(framework.pipeline_configuration_full_path).to eq('compliance/.gitlab-ci.yml')
+      end
+
+      context 'when compliance pipeline configuration is available' do
+        before do
+          params[:pipeline_configuration_full_path] = '.compliance-gitlab-ci.yml@compliance/hipaa'
+          stub_licensed_features(custom_compliance_frameworks: true, evaluate_group_level_compliance_pipeline: true)
+        end
+
+        it 'sets the pipeline configuration path attribute' do
+          framework = subject.execute.payload[:framework]
+
+          expect(framework.pipeline_configuration_full_path).to eq('.compliance-gitlab-ci.yml@compliance/hipaa')
+        end
      end
    end
  end