Merge branch '415662-ff-removal' into 'master'

Remove custom_roles_vulnerability feature flag See merge request !124049 Merged-by: Jarka Košanová <jarka@gitlab.com> Approved-by: Aboobacker MK <akarakath@gitlab.com> Approved-by: Jessie Young <jessieyoung@gitlab.com>

Merge branch '415662-ff-removal' into 'master'
f470e51a · Jarka Košanová · 6324dca6 · 56b8f9c8 · f470e51a · f470e51a
Commit f470e51a authored 1 year ago by Jarka Košanová
--- a/ee/app/models/members/member_role.rb
+++ b/ee/app/models/members/member_role.rb
@@ -25,12 +25,8 @@ class MemberRole < ApplicationRecord # rubocop:disable Gitlab/NamespacedClass
  validate :max_count_per_group_hierarchy, on: :create
  validate :validate_namespace_locked, on: :update
  validate :attributes_locked_after_member_associated, on: :update
-  validate :validate_minimal_base_access_level, if: ->(member_role) do
-    Feature.enabled?(:custom_roles_vulnerability, member_role.namespace&.root_ancestor)
-  end
-  validate :validate_requirements, if: ->(member_role) do
-    Feature.enabled?(:custom_roles_vulnerability, member_role.namespace&.root_ancestor)
-  end
+  validate :validate_minimal_base_access_level
+  validate :validate_requirements

  validates_associated :members


--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -207,10 +207,6 @@ module ProjectPolicy
        @subject.custom_roles_enabled?
      end

-      condition(:custom_roles_vulnerabilities_allowed) do
-        ::Feature.enabled?(:custom_roles_vulnerability, @subject.root_ancestor)
-      end
-
      desc "Custom role on project that enables read code"
      condition(:role_enables_read_code) do
        next unless @user.is_a?(User)
@@ -579,12 +575,12 @@ module ProjectPolicy
      end

      rule { custom_roles_allowed & role_enables_read_code }.enable :read_code
-      rule { custom_roles_allowed & custom_roles_vulnerabilities_allowed & role_enables_read_vulnerability }.policy do
+      rule { custom_roles_allowed & role_enables_read_vulnerability }.policy do
        enable :read_vulnerability
        enable :read_security_resource
        enable :create_vulnerability_export
      end
-      rule { custom_roles_allowed & custom_roles_vulnerabilities_allowed & role_enables_admin_vulnerability }.policy do
+      rule { custom_roles_allowed & role_enables_admin_vulnerability }.policy do
        enable :admin_vulnerability
      end


--- a/ee/config/feature_flags/development/custom_roles_vulnerability.yml
+++ b/ee/config/feature_flags/development/custom_roles_vulnerability.yml
---
-name: custom_roles_vulnerability
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114734
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/409387
-milestone: '16.0'
-type: development
-group: group::authentication and authorization
-default_enabled: true
--- a/ee/spec/lib/ee/sidebars/projects/menus/security_compliance_menu_spec.rb
+++ b/ee/spec/lib/ee/sidebars/projects/menus/security_compliance_menu_spec.rb
@@ -77,29 +77,13 @@
          :license_compliance, :scan_policies, :audit_events]
      end

-      context 'when custom_roles_vulnerability FF is enabled' do
-        before do
-          stub_feature_flags(custom_roles_vulnerability: true)
-        end
-
-        it 'displays the vulnerability report menu item' do
-          expect(renderable_items.find { |i| i.item_id == :vulnerability_report }).not_to be_nil
-        end
-
-        it 'does not display other pages' do
-          disallowed_pages.each do |page_id|
-            expect(renderable_items.find { |i| i.item_id == page_id }).to be_nil
-          end
-        end
+      it 'displays the vulnerability report menu item' do
+        expect(renderable_items.find { |i| i.item_id == :vulnerability_report }).not_to be_nil
      end

-      context 'when custom_roles_vulnerability FF is disabled' do
-        before do
-          stub_feature_flags(custom_roles_vulnerability: false)
-        end
-
-        it 'does not display the vulnerability report menu item' do
-          expect(renderable_items.find { |i| i.item_id == :vulnerability_report }).to be_nil
+      it 'does not display other pages' do
+        disallowed_pages.each do |page_id|
+          expect(renderable_items.find { |i| i.item_id == page_id }).to be_nil
        end
      end
    end

--- a/ee/spec/models/members/member_role_spec.rb
+++ b/ee/spec/models/members/member_role_spec.rb
@@ -102,54 +102,24 @@
      end

      context 'when base_access_level is too low' do
-        context 'when custom_roles_vulnerability FF is enabled' do
-          it 'creates a validation error' do
-            member_role.base_access_level = Gitlab::Access::MINIMAL_ACCESS
-            member_role.read_vulnerability = true
-
-            expect(member_role).not_to be_valid
-            expect(member_role.errors[:base_access_level])
-              .to include(s_("MemberRole|minimal base access level must be Guest (10)."))
-          end
-        end
-
-        context 'when custom_roles_vulnerability FF is disabled' do
-          before do
-            stub_feature_flags(custom_roles_vulnerability: false)
-          end
-
-          it 'is valid' do
-            member_role.base_access_level = Gitlab::Access::MINIMAL_ACCESS
-            member_role.read_vulnerability = true
+        it 'creates a validation error' do
+          member_role.base_access_level = Gitlab::Access::MINIMAL_ACCESS
+          member_role.read_vulnerability = true

-            expect(member_role).to be_valid
-          end
+          expect(member_role).not_to be_valid
+          expect(member_role.errors[:base_access_level])
+            .to include(s_("MemberRole|minimal base access level must be Guest (10)."))
        end
      end

      context 'when requirement is not met' do
-        context 'when custom_roles_vulnerability FF is enabled' do
-          it 'creates a validation error' do
-            member_role.base_access_level = Gitlab::Access::GUEST
-            member_role.admin_vulnerability = true
-
-            expect(member_role).not_to be_valid
-            expect(member_role.errors[:admin_vulnerability])
-              .to include(s_("MemberRole|read_vulnerability has to be enabled in order to enable admin_vulnerability."))
-          end
-        end
-
-        context 'when custom_roles_vulnerability FF is disabled' do
-          before do
-            stub_feature_flags(custom_roles_vulnerability: false)
-          end
-
-          it 'is valid' do
-            member_role.base_access_level = Gitlab::Access::GUEST
-            member_role.admin_vulnerability = true
+        it 'creates a validation error' do
+          member_role.base_access_level = Gitlab::Access::GUEST
+          member_role.admin_vulnerability = true

-            expect(member_role).to be_valid
-          end
+          expect(member_role).not_to be_valid
+          expect(member_role.errors[:admin_vulnerability])
+            .to include(s_("MemberRole|read_vulnerability has to be enabled in order to enable admin_vulnerability."))
        end
      end
    end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2534,59 +2534,23 @@ def create_member_role(member, abilities = member_role_abilities)
    end

    context 'for a member role with read_vulnerability true' do
-      context 'with custom_roles_vulnerability FF enabled' do
-        before do
-          stub_feature_flags(custom_roles_vulnerability: [project.group])
-        end
-
-        let(:member_role_abilities) { { read_vulnerability: true } }
-        let(:allowed_abilities) do
-          [:read_vulnerability, :read_security_resource, :create_vulnerability_export]
-        end
-
-        it_behaves_like 'custom roles abilities'
-
-        it 'does not enable to admin_vulnerability' do
-          expect(subject).to be_disallowed(:admin_vulnerability)
-        end
+      let(:member_role_abilities) { { read_vulnerability: true } }
+      let(:allowed_abilities) do
+        [:read_vulnerability, :read_security_resource, :create_vulnerability_export]
      end

-      context 'with custom_roles_vulnerability FF disabled' do
-        before do
-          stub_feature_flags(custom_roles_vulnerability: false)
-          create_member_role(group_member_guest)
-        end
-
-        let(:disallowed_abilities) do
-          [:read_vulnerability, :read_security_resource, :create_vulnerability_export]
-        end
+      it_behaves_like 'custom roles abilities'

-        it { is_expected.to be_disallowed(*disallowed_abilities) }
+      it 'does not enable to admin_vulnerability' do
+        expect(subject).to be_disallowed(:admin_vulnerability)
      end
    end

    context 'for a member role with admin_vulnerability true' do
-      context 'with custom_roles_vulnerability FF enabled' do
-        before do
-          stub_feature_flags(custom_roles_vulnerability: [project.group])
-        end
-
-        let(:member_role_abilities) { { read_vulnerability: true, admin_vulnerability: true } }
-        let(:allowed_abilities) { [:read_vulnerability, :admin_vulnerability] }
-
-        it_behaves_like 'custom roles abilities'
-      end
-
-      context 'with custom_roles_vulnerability FF disabled' do
-        before do
-          stub_feature_flags(custom_roles_vulnerability: false)
-          create_member_role(group_member_guest)
-        end
+      let(:member_role_abilities) { { read_vulnerability: true, admin_vulnerability: true } }
+      let(:allowed_abilities) { [:read_vulnerability, :admin_vulnerability] }

-        let(:disallowed_abilities) { [:admin_vulnerability] }
-
-        it { is_expected.to be_disallowed(*disallowed_abilities) }
-      end
+      it_behaves_like 'custom roles abilities'
    end
  end