Use SecurityOrchestrationHelper for both projects and namespaces

21cf7aa6 · Alan (Maciej) Paruszewski · Stan Hu · 50765963 · 21cf7aa6 · 21cf7aa6
Commit 21cf7aa6 authored 2 years ago by Alan (Maciej) Paruszewski Committed by Stan Hu 2 years ago
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -218,10 +218,6 @@ module EE
      project.licensed_feature_available?(:sast_fp_reduction).to_s
    end
  
-    def can_update_security_orchestration_policy_project?(project)
-      can?(current_user, :update_security_orchestration_policy_project, project)
-    end
-
    def can_create_feedback?(project, feedback_type)
      feedback = Vulnerabilities::Feedback.new(project: project, feedback_type: feedback_type)
      can?(current_user, :create_vulnerability_feedback, feedback)

--- a/ee/app/helpers/ee/security_orchestration_helper.rb
+++ b/ee/app/helpers/ee/security_orchestration_helper.rb
 # frozen_string_literal: true
  
-module EE
-  module SecurityOrchestrationHelper
-    def security_orchestration_policy_data(
-      namespace,
-      policy_type = nil,
-      policy = nil,
-      approvers = nil
-    )
-      return unless namespace
-
-      {
-        assigned_policy_project: nil.to_json,
-        disable_scan_policy_update: false.to_s,
+module EE::SecurityOrchestrationHelper
+  def can_update_security_orchestration_policy_project?(container)
+    can?(current_user, :update_security_orchestration_policy_project, container)
+  end
+
+  def assigned_policy_project(container)
+    return unless container&.security_orchestration_policy_configuration
+
+    orchestration_policy_configuration = container.security_orchestration_policy_configuration
+    security_policy_management_project = orchestration_policy_configuration.security_policy_management_project
+
+    {
+      id: security_policy_management_project.to_global_id.to_s,
+      name: security_policy_management_project.name,
+      full_path: security_policy_management_project.full_path,
+      branch: security_policy_management_project.default_branch_or_main
+    }
+  end
+
+  def orchestration_policy_data(container, policy_type = nil, policy = nil, environment = nil, approvers = nil)
+    return unless container
+
+    disable_scan_policy_update = !can_update_security_orchestration_policy_project?(container)
+
+    policy_data = {
+      assigned_policy_project: assigned_policy_project(container).to_json,
+      disable_scan_policy_update: disable_scan_policy_update.to_s,
+      policy: policy&.to_json,
+      policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
+      policy_type: policy_type,
+      policies_path: security_policies_path(container),
+      scan_policy_documentation_path: help_page_path('user/application_security/policies/index')
+    }
+
+    if container.is_a?(::Project)
+      policy_data.merge(
+        project_path: container.full_path,
+        project_id: container.id,
+        default_environment_id: container.default_environment&.id || -1,
+        network_policies_endpoint: project_security_network_policies_path(container),
        create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
-        policy: policy&.to_json,
-        policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
-        policy_type: policy_type,
-        policies_path: nil,
-        scan_policy_documentation_path: help_page_path('user/application_security/policies/index'),
+        network_documentation_path: help_page_path('user/application_security/policies/index'),
+        environments_endpoint: project_environments_path(container),
+        environment_id: environment&.id,
        scan_result_approvers: approvers&.to_json
-      }
+      )
+    else
+      policy_data.merge(
+        namespace_path: container.full_path,
+        namespace_id: container.id
+      )
    end
  end
+
+  def security_policies_path(container)
+    container.is_a?(::Project) ? project_security_policies_path(container) : group_security_policies_path(container)
+  end
 end
--- a/ee/app/helpers/projects/security/policies_helper.rb
+++ b/ee/app/helpers/projects/security/policies_helper.rb
-# frozen_string_literal: true
-
-module Projects::Security::PoliciesHelper
-  def assigned_policy_project(project)
-    return unless project&.security_orchestration_policy_configuration
-
-    orchestration_policy_configuration = project.security_orchestration_policy_configuration
-    security_policy_management_project = orchestration_policy_configuration.security_policy_management_project
-
-    {
-      id: security_policy_management_project.to_global_id.to_s,
-      name: security_policy_management_project.name,
-      full_path: security_policy_management_project.full_path,
-      branch: security_policy_management_project.default_branch_or_main
-    }
-  end
-
-  def orchestration_policy_data(project, policy_type = nil, policy = nil, environment = nil, approvers = nil)
-    return unless project
-
-    disable_scan_policy_update = !can_update_security_orchestration_policy_project?(project)
-
-    {
-      assigned_policy_project: assigned_policy_project(project).to_json,
-      default_environment_id: project.default_environment&.id || -1,
-      disable_scan_policy_update: disable_scan_policy_update.to_s,
-      network_policies_endpoint: project_security_network_policies_path(project),
-      create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
-      environments_endpoint: project_environments_path(project),
-      environment_id: environment&.id,
-      network_documentation_path: help_page_path('user/application_security/policies/index', anchor: 'container-network-policy'),
-      policy: policy&.to_json,
-      policy_editor_empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
-      policy_type: policy_type,
-      project_path: project.full_path,
-      project_id: project.id,
-      policies_path: project_security_policies_path(project),
-      scan_policy_documentation_path: help_page_path('user/application_security/policies/index'),
-      scan_result_approvers: approvers&.to_json
-    }
-  end
-end
--- a/ee/app/views/groups/security/policies/new.html.haml
+++ b/ee/app/views/groups/security/policies/new.html.haml
@@ -2,4 +2,4 @@
 - breadcrumb_title s_("SecurityOrchestration|New policy")
 - page_title s_("SecurityOrchestration|Policy editor")
  
-#js-group-policy-builder-app{ data: security_orchestration_policy_data(@group) }
+#js-group-policy-builder-app{ data: orchestration_policy_data(@group) }
--- a/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
+++ b/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
@@ -3,47 +3,242 @@
 require 'spec_helper'
  
 RSpec.describe EE::SecurityOrchestrationHelper do
+  let_it_be_with_reload(:project) { create(:project) }
  let_it_be_with_reload(:namespace) { create(:group, :public) }
  
-  describe '#security_orchestration_policy_data' do
-    let(:approvers) { %w(approver1 approver2) }
-    let(:owner) { namespace.first_owner }
-    let(:base_data) do
-      {
-        assigned_policy_project: nil.to_json,
-        disable_scan_policy_update: false.to_s,
-        create_agent_help_path: kind_of(String),
-        policy: policy&.to_json,
-        policy_editor_empty_state_svg_path: kind_of(String),
-        policy_type: policy_type,
-        policies_path: nil,
-        scan_policy_documentation_path: kind_of(String),
-        scan_result_approvers: approvers&.to_json
-      }
-    end
+  describe '#can_update_security_orchestration_policy_project?' do
+    let(:owner) { project.first_owner }
  
    before do
      allow(helper).to receive(:current_user) { owner }
    end
  
-    subject { helper.security_orchestration_policy_data(namespace, policy_type, policy, approvers) }
+    it 'returns false when user cannot update security orchestration policy project' do
+      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
+      expect(helper.can_update_security_orchestration_policy_project?(project)).to eq false
+    end
+
+    it 'returns true when user can update security orchestration policy project' do
+      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
+      expect(helper.can_update_security_orchestration_policy_project?(project)).to eq true
+    end
+  end
+
+  describe '#assigned_policy_project' do
+    context 'for project' do
+      subject { helper.assigned_policy_project(project) }
+
+      context 'when a project does have a security policy project' do
+        let_it_be(:policy_management_project) { create(:project) }
+
+        let_it_be(:security_orchestration_policy_configuration) do
+          create(
+            :security_orchestration_policy_configuration,
+            security_policy_management_project: policy_management_project, project: project
+          )
+        end
+
+        it 'include information about policy management project' do
+          is_expected.to include(
+            id: policy_management_project.to_global_id.to_s,
+            name: policy_management_project.name,
+            full_path: policy_management_project.full_path,
+            branch: policy_management_project.default_branch_or_main
+          )
+        end
+      end
+
+      context 'when a project does not have a security policy project' do
+        subject { helper.assigned_policy_project(project) }
+
+        it { is_expected.to be_nil }
+      end
+    end
+
+    context 'for namespace' do
+      subject { helper.assigned_policy_project(project) }
  
-    context 'when a new policy is being created' do
+      context 'when a namespace does have a security policy project' do
+        let_it_be(:policy_management_project) { create(:project) }
+        let_it_be(:security_orchestration_policy_configuration) do
+          create(
+            :security_orchestration_policy_configuration, :namespace,
+            security_policy_management_project: policy_management_project, namespace: namespace
+          )
+        end
+
+        subject { helper.assigned_policy_project(namespace) }
+
+        it 'include information about policy management project' do
+          is_expected.to include({
+            id: policy_management_project.to_global_id.to_s,
+            name: policy_management_project.name,
+            full_path: policy_management_project.full_path,
+            branch: policy_management_project.default_branch_or_main
+          })
+        end
+      end
+
+      context 'when a namespace does not have a security policy project' do
+        it { is_expected.to be_nil }
+      end
+    end
+  end
+
+  describe '#orchestration_policy_data' do
+    context 'for project' do
+      let(:approvers) { %w(approver1 approver2) }
+      let(:owner) { project.first_owner }
      let(:policy) { nil }
-      let(:policy_type) { nil }
-      let(:approvers) { nil }
+      let(:policy_type) { 'scan_execution_policy' }
+      let(:environment) { nil }
+      let(:base_data) do
+        {
+          assigned_policy_project: nil.to_json,
+          default_environment_id: -1,
+          disable_scan_policy_update: 'false',
+          network_policies_endpoint: kind_of(String),
+          create_agent_help_path: kind_of(String),
+          environments_endpoint: kind_of(String),
+          network_documentation_path: kind_of(String),
+          policy_editor_empty_state_svg_path: kind_of(String),
+          project_path: project.full_path,
+          project_id: project.id,
+          policies_path: kind_of(String),
+          environment_id: environment&.id,
+          policy: policy&.to_json,
+          policy_type: policy_type,
+          scan_policy_documentation_path: kind_of(String),
+          scan_result_approvers: approvers&.to_json
+        }
+      end
+
+      before do
+        allow(helper).to receive(:current_user) { owner }
+        allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
+      end
+
+      subject { helper.orchestration_policy_data(project, policy_type, policy, environment, approvers) }
+
+      context 'when a new policy is being created' do
+        let(:policy) { nil }
+        let(:policy_type) { nil }
+        let(:approvers) { nil }
  
-      it { is_expected.to match(base_data) }
+        it { is_expected.to match(base_data) }
+      end
+
+      context 'when an existing policy is being edited' do
+        let_it_be(:environment) { create(:environment, project: project) }
+
+        let(:policy) { build(:scan_execution_policy, name: 'Run DAST in every pipeline') }
+
+        it { is_expected.to match(base_data.merge(default_environment_id: project.default_environment.id)) }
+      end
+
+      context 'when scan policy update is disabled' do
+        before do
+          allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
+        end
+
+        it { is_expected.to match(base_data.merge(disable_scan_policy_update: 'true')) }
+      end
+
+      context 'when a project does have a security policy project' do
+        let_it_be(:policy_management_project) { create(:project) }
+
+        let_it_be(:security_orchestration_policy_configuration) do
+          create(
+            :security_orchestration_policy_configuration,
+            security_policy_management_project: policy_management_project, project: project
+          )
+        end
+
+        it 'include information about policy management project' do
+          is_expected.to match(base_data.merge(assigned_policy_project: {
+            id: policy_management_project.to_global_id.to_s,
+            name: policy_management_project.name,
+            full_path: policy_management_project.full_path,
+            branch: policy_management_project.default_branch_or_main
+          }.to_json))
+        end
+      end
    end
  
-    context 'when an existing policy is being edited' do
+    context 'for namespace' do
+      let(:environment) { nil }
+      let(:approvers) { %w(approver1 approver2) }
+      let(:owner) { namespace.first_owner }
+      let(:policy) { nil }
      let(:policy_type) { 'scan_execution_policy' }
+      let(:base_data) do
+        {
+          assigned_policy_project: nil.to_json,
+          disable_scan_policy_update: 'false',
+          policy: policy&.to_json,
+          policy_editor_empty_state_svg_path: kind_of(String),
+          policy_type: policy_type,
+          policies_path: kind_of(String),
+          scan_policy_documentation_path: kind_of(String),
+          namespace_path: namespace.full_path,
+          namespace_id: namespace.id
+        }
+      end
  
-      let(:policy) do
-        build(:scan_execution_policy, name: 'Run DAST in every pipeline')
+      before do
+        allow(helper).to receive(:current_user) { owner }
+        allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, namespace) { true }
      end
  
-      it { is_expected.to match(base_data) }
+      subject { helper.orchestration_policy_data(namespace, policy_type, policy, environment, approvers) }
+
+      context 'when a new policy is being created' do
+        let(:policy) { nil }
+        let(:policy_type) { nil }
+        let(:approvers) { nil }
+
+        it { is_expected.to match(base_data) }
+      end
+
+      context 'when an existing policy is being edited' do
+        let(:policy_type) { 'scan_execution_policy' }
+
+        let(:policy) do
+          build(:scan_execution_policy, name: 'Run DAST in every pipeline')
+        end
+
+        it { is_expected.to match(base_data) }
+      end
+
+      context 'when scan policy update is disabled' do
+        before do
+          allow(helper).to receive(:can?)
+            .with(owner, :update_security_orchestration_policy_project, namespace)
+            .and_return(false)
+        end
+
+        it { is_expected.to match(base_data.merge(disable_scan_policy_update: 'true')) }
+      end
+
+      context 'when a namespace does have a security policy project' do
+        let_it_be(:policy_management_project) { create(:project) }
+
+        let_it_be(:security_orchestration_policy_configuration) do
+          create(
+            :security_orchestration_policy_configuration, :namespace,
+            security_policy_management_project: policy_management_project, namespace: namespace
+          )
+        end
+
+        it 'include information about policy management project' do
+          is_expected.to match(base_data.merge(assigned_policy_project: {
+            id: policy_management_project.to_global_id.to_s,
+            name: policy_management_project.name,
+            full_path: policy_management_project.full_path,
+            branch: policy_management_project.default_branch_or_main
+          }.to_json))
+        end
+      end
    end
  end
 end
--- a/ee/spec/helpers/projects/security/policies_helper_spec.rb
+++ b/ee/spec/helpers/projects/security/policies_helper_spec.rb
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Projects::Security::PoliciesHelper do
-  let_it_be_with_reload(:project) { create(:project, :repository, :public) }
-
-  describe '#assigned_policy_project' do
-    context 'when a project does have a security policy project' do
-      let_it_be(:policy_management_project) { create(:project) }
-
-      subject { helper.assigned_policy_project(project) }
-
-      it {
-        create(:security_orchestration_policy_configuration,
-          { security_policy_management_project: policy_management_project, project: project }
-        )
-
-        is_expected.to include({
-          id: policy_management_project.to_global_id.to_s,
-          name: policy_management_project.name,
-          full_path: policy_management_project.full_path,
-          branch: policy_management_project.default_branch_or_main
-        })
-      }
-    end
-
-    context 'when a project does not have a security policy project' do
-      subject { helper.assigned_policy_project(project) }
-
-      it {
-        is_expected.to be_nil
-      }
-    end
-  end
-
-  describe '#orchestration_policy_data' do
-    let(:approvers) { %w(approver1 approver2) }
-    let(:owner) { project.first_owner }
-    let(:base_data) do
-      {
-        assigned_policy_project: "null",
-        default_environment_id: -1,
-        disable_scan_policy_update: "false",
-        network_policies_endpoint: kind_of(String),
-        create_agent_help_path: kind_of(String),
-        environments_endpoint: kind_of(String),
-        network_documentation_path: kind_of(String),
-        policy_editor_empty_state_svg_path: kind_of(String),
-        project_path: project.full_path,
-        project_id: project.id,
-        policies_path: kind_of(String),
-        environment_id: environment&.id,
-        policy: policy&.to_json,
-        policy_type: policy_type,
-        scan_policy_documentation_path: kind_of(String),
-        scan_result_approvers: approvers&.to_json
-      }
-    end
-
-    before do
-      allow(helper).to receive(:current_user) { owner }
-      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
-    end
-
-    subject { helper.orchestration_policy_data(project, policy_type, policy, environment, approvers) }
-
-    context 'when a new policy is being created' do
-      let(:environment) { nil }
-      let(:policy) { nil }
-      let(:policy_type) { nil }
-      let(:approvers) { nil }
-
-      it { is_expected.to match(base_data) }
-    end
-
-    context 'when an existing policy is being edited' do
-      let_it_be(:environment) { create(:environment, project: project) }
-
-      let(:policy_type) { 'container_policy' }
-
-      let(:policy) do
-        Gitlab::Kubernetes::CiliumNetworkPolicy.new(
-          name: 'policy',
-          namespace: 'another',
-          selector: { matchLabels: { role: 'db' } },
-          ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
-        )
-      end
-
-      it { is_expected.to match(base_data.merge(default_environment_id: project.default_environment.id)) }
-    end
-  end
-end
--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
@@ -20,24 +20,6 @@ RSpec.describe ProjectsHelper do
    end
  end
  
-  describe '#can_update_security_orchestration_policy_project?' do
-    let(:owner) { project.first_owner }
-
-    before do
-      allow(helper).to receive(:current_user) { owner }
-    end
-
-    it 'returns false when user cannot update security orchestration policy project' do
-      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { false }
-      expect(helper.can_update_security_orchestration_policy_project?(project)).to eq false
-    end
-
-    it 'returns true when user can update security orchestration policy project' do
-      allow(helper).to receive(:can?).with(owner, :update_security_orchestration_policy_project, project) { true }
-      expect(helper.can_update_security_orchestration_policy_project?(project)).to eq true
-    end
-  end
-
  describe '#can_admin_project_member?' do
    let_it_be(:user) { create(:user) }
    let_it_be(:group) { create(:group) }