diff --git a/doc/user/application_security/policies/merge_request_approval_policies.md b/doc/user/application_security/policies/merge_request_approval_policies.md
index ed34978545552f82c66f434b90adfe75ef7e576f..1b602144effe4a348309730b098a0d18cbbe0bcd 100644
--- a/doc/user/application_security/policies/merge_request_approval_policies.md
+++ b/doc/user/application_security/policies/merge_request_approval_policies.md
@@ -241,7 +241,9 @@ the bot message is sent as long as at least one of those policies has the `send_
## `approval_settings`
-> - The `block_group_branch_modification` field was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/420724) in GitLab 16.8 [with flag](../../../administration/feature_flags.md) named `scan_result_policy_block_group_branch_modification`. Disabled by default.
+> - The `block_group_branch_modification` field was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/420724) in GitLab 16.8 [with flag](../../../administration/feature_flags.md) named `scan_result_policy_block_group_branch_modification`.
+> - The above field was [enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/437306) in GitLab 16.7.
+> - The above field was [enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/437306) in GitLab 16.7.
> - The `block_unprotecting_branches` field was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/423101) in GitLab 16.4 [with flag](../../../administration/feature_flags.md) named `scan_result_policy_settings`. Disabled by default.
> - The `scan_result_policy_settings` feature flag was replaced by the `scan_result_policies_block_unprotecting_branches` feature flag in 16.4.
> - The `block_unprotecting_branches` field was [replaced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137153) by `block_branch_modification` field in GitLab 16.7.
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/editor_component.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/editor_component.vue
index 3d898166f052854367b5ebcd8bab04dd1e8ffe3f..888a008dae23572a7f33dea03117ab63f20c7fd6 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/editor_component.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/editor_component.vue
@@ -133,10 +133,7 @@ export default {
}
},
skip() {
- return (
- isGroup(this.namespaceType) ||
- !this.glFeatures.scanResultPolicyBlockGroupBranchModification
- );
+ return isGroup(this.namespaceType);
},
},
},
@@ -179,7 +176,6 @@ export default {
},
data() {
const newPolicyYaml = getPolicyYaml({
- withGroupSettings: this.glFeatures.scanResultPolicyBlockGroupBranchModification,
isGroup: isGroup(this.namespaceType),
newYamlFormat: this.glFeatures.securityPoliciesNewYamlFormat,
});
@@ -249,8 +245,6 @@ export default {
options: {
hasLinkedGroups: Boolean(this.linkedSppGroups.length),
namespaceType: this.namespaceType,
- scanResultPolicyBlockGroupBranchModification:
- this.glFeatures.scanResultPolicyBlockGroupBranchModification,
},
});
},
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/index.js b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/index.js
index 23bcf5b6d03784eca24b93cae459fd21e97fc1fb..2f9ba46e704041bfe88f8ab270b0d6c77d5166cc 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/index.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/index.js
@@ -76,49 +76,6 @@ export const DEFAULT_SCAN_RESULT_POLICY_NEW_FORMAT = `approval_policy:
fail: closed
`;
-export const DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE = `type: approval_policy
-name: ''
-description: ''
-enabled: true
-policy_scope:
- projects:
- excluding: []
-rules:
- - type: ''
-actions:
- - type: require_approval
- approvals_required: 1
- - type: send_bot_message
- enabled: true
-`
- .concat(DEFAULT_PROJECT_SETTINGS)
- .concat(FALLBACK);
-
-export const DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_NEW_FORMAT = `approval_policy:
-- name: ''
- description: ''
- enabled: true
- policy_scope:
- projects:
- excluding: []
- rules:
- - type: ''
- actions:
- - type: require_approval
- approvals_required: 1
- - type: send_bot_message
- enabled: true
- approval_settings:
- ${BLOCK_BRANCH_MODIFICATION}: true
- ${PREVENT_PUSHING_AND_FORCE_PUSHING}: true
- ${PREVENT_APPROVAL_BY_AUTHOR}: true
- ${PREVENT_APPROVAL_BY_COMMIT_AUTHOR}: true
- ${REMOVE_APPROVALS_WITH_NEW_COMMIT}: true
- ${REQUIRE_PASSWORD_TO_APPROVE}: false
- fallback_behavior:
- fail: closed
-`;
-
export const DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS = `type: approval_policy
name: ''
description: ''
@@ -163,19 +120,16 @@ export const DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS_NEW_FORMA
fail: closed
`;
-export const getPolicyYaml = ({ withGroupSettings, isGroup, newYamlFormat = false }) => {
+export const getPolicyYaml = ({ isGroup, newYamlFormat = false }) => {
const defaultPolicy = newYamlFormat
? DEFAULT_SCAN_RESULT_POLICY_NEW_FORMAT
: DEFAULT_SCAN_RESULT_POLICY;
- const defaultPolicyWithScope = newYamlFormat
- ? DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_NEW_FORMAT
- : DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE;
const defaultPolicyWithScopeAndSettings = newYamlFormat
? DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS_NEW_FORMAT
: DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS;
if (isGroup) {
- return withGroupSettings ? defaultPolicyWithScopeAndSettings : defaultPolicyWithScope;
+ return defaultPolicyWithScopeAndSettings;
}
return defaultPolicy;
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/settings.js b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/settings.js
index a1b6ee551e48011499925c7a583db5b50f4535b2..962811330299e0250b83980fa2e123e2c3648cb0 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/settings.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/settings.js
@@ -2,6 +2,7 @@ import { s__ } from '~/locale';
import { helpPagePath } from '~/helpers/help_page_helper';
import { NAMESPACE_TYPES } from 'ee/security_orchestration/constants';
import { getIdFromGraphQLId } from '~/graphql_shared/utils';
+import { isGroup } from 'ee/security_orchestration/components/utils';
export const BLOCK_BRANCH_MODIFICATION = 'block_branch_modification';
export const BLOCK_GROUP_BRANCH_MODIFICATION = 'block_group_branch_modification';
@@ -123,19 +124,13 @@ export const PERMITTED_INVALID_SETTINGS = {
*/
const buildConfig = (
settings,
- {
- hasLinkedGroups = false,
- namespaceType = NAMESPACE_TYPES.PROJECT,
- scanResultPolicyBlockGroupBranchModification = false,
- },
+ { hasLinkedGroups = false, namespaceType = NAMESPACE_TYPES.PROJECT },
) => {
const baseConfigurations = {
...protectedBranchesConfiguration,
};
- const isGroupOrHasLinkedGroups = namespaceType === NAMESPACE_TYPES.GROUP || hasLinkedGroups;
- const shouldIncludeGroupConfiguration =
- isGroupOrHasLinkedGroups && scanResultPolicyBlockGroupBranchModification;
+ const shouldIncludeGroupConfiguration = isGroup(namespaceType) || hasLinkedGroups;
if (shouldIncludeGroupConfiguration) {
Object.assign(
diff --git a/ee/app/controllers/ee/groups/settings/repository_controller.rb b/ee/app/controllers/ee/groups/settings/repository_controller.rb
index 0262fead6ed71737737857191c31c8c3fff703aa..e18ff4d1dafb41c6c62210914087aa2094df101c 100644
--- a/ee/app/controllers/ee/groups/settings/repository_controller.rb
+++ b/ee/app/controllers/ee/groups/settings/repository_controller.rb
@@ -33,8 +33,6 @@ def define_protected_branches
@protected_branch = group.protected_branches.new
gon.push(helpers.protected_access_levels_for_dropdowns)
- return unless ::Feature.enabled?(:scan_result_policy_block_group_branch_modification, group)
-
protected_from_deletion =
::Security::SecurityOrchestrationPolicies::GroupProtectedBranchesDeletionCheckService
.new(group: group)
diff --git a/ee/app/controllers/groups/security/policies_controller.rb b/ee/app/controllers/groups/security/policies_controller.rb
index f1f6fa10bac1ed96b2aa5ed8c770065019b796fa..94b34de37df1856a24a9e20b2a4d9d29e79b0fec 100644
--- a/ee/app/controllers/groups/security/policies_controller.rb
+++ b/ee/app/controllers/groups/security/policies_controller.rb
@@ -11,7 +11,6 @@ class PoliciesController < Groups::ApplicationController
before_action do
push_frontend_feature_flag(:vulnerability_management_policy_type_group, group)
- push_frontend_feature_flag(:scan_result_policy_block_group_branch_modification, group)
push_frontend_feature_flag(:scan_execution_policy_action_limit_group, group)
push_frontend_feature_flag(:security_policies_new_yaml_format, group)
push_frontend_feature_flag(:exclude_license_packages, group)
diff --git a/ee/app/controllers/projects/security/policies_controller.rb b/ee/app/controllers/projects/security/policies_controller.rb
index 47941b26b4a954595cabe178921d8c3a60791ec0..7796decf3297c4319b92b261cae15b927d7136bb 100644
--- a/ee/app/controllers/projects/security/policies_controller.rb
+++ b/ee/app/controllers/projects/security/policies_controller.rb
@@ -12,7 +12,6 @@ class PoliciesController < Projects::ApplicationController
before_action do
push_frontend_feature_flag(:vulnerability_management_policy_type, project)
- push_frontend_feature_flag(:scan_result_policy_block_group_branch_modification, project)
push_frontend_feature_flag(:scan_execution_policy_action_limit, project)
push_frontend_feature_flag(:security_policies_new_yaml_format, project.group)
push_frontend_feature_flag(:exclude_license_packages, project.group)
diff --git a/ee/app/services/ee/protected_branches/renaming_blocked_by_policy.rb b/ee/app/services/ee/protected_branches/renaming_blocked_by_policy.rb
index b1c2baabd395ce88bf929c8efffc8466baa95132..98afe4d41266cdabaa28873e382d078d867214ea 100644
--- a/ee/app/services/ee/protected_branches/renaming_blocked_by_policy.rb
+++ b/ee/app/services/ee/protected_branches/renaming_blocked_by_policy.rb
@@ -30,7 +30,6 @@ def blocking_branch_modification?(project)
def blocking_group_branch_modification?(group)
return false unless group&.licensed_feature_available?(:security_orchestration_policies)
- return false unless ::Feature.enabled?(:scan_result_policy_block_group_branch_modification, group)
::Security::SecurityOrchestrationPolicies::GroupProtectedBranchesDeletionCheckService
.new(group: group)
diff --git a/ee/app/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service.rb b/ee/app/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service.rb
index 791f1840da37ce0b14308e47f7532bab9efcebf0..a4024578539917c27eea47e2ab3e5e195b5df034 100644
--- a/ee/app/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service.rb
@@ -4,8 +4,6 @@ module Security
module SecurityOrchestrationPolicies
class GroupProtectedBranchesDeletionCheckService < BaseGroupService
def execute
- return false unless ::Feature.enabled?(:scan_result_policy_block_group_branch_modification, group)
-
group.all_security_orchestration_policy_configurations.any? do |config|
config.active_scan_result_policies.any? { |policy| applies?(policy) }
end
diff --git a/ee/config/feature_flags/development/scan_result_policy_block_group_branch_modification.yml b/ee/config/feature_flags/development/scan_result_policy_block_group_branch_modification.yml
deleted file mode 100644
index 1acf2e9b4a0f7e50fe5b818bf089584d35eda80d..0000000000000000000000000000000000000000
--- a/ee/config/feature_flags/development/scan_result_policy_block_group_branch_modification.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: scan_result_policy_block_group_branch_modification
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141125
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/437306
-milestone: '16.8'
-type: development
-group: group::security policies
-default_enabled: true
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/editor_component_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/editor_component_spec.js
index a1ed6ba8636227e1cef7439f394c722a038ad670..45a3fa430d0fbc11956bcd570a3742c6e4feb924 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/editor_component_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/editor_component_spec.js
@@ -23,11 +23,11 @@ import {
buildBotMessageAction,
DISABLED_BOT_MESSAGE_ACTION,
SCAN_FINDING,
- DEFAULT_SCAN_RESULT_POLICY,
- DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE,
getInvalidBranches,
REQUIRE_APPROVAL_TYPE,
+ DEFAULT_SCAN_RESULT_POLICY,
DEFAULT_SCAN_RESULT_POLICY_NEW_FORMAT,
+ DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS,
} from 'ee/security_orchestration/components/policy_editor/scan_result/lib';
import EditorComponent from 'ee/security_orchestration/components/policy_editor/scan_result/editor_component.vue';
import {
@@ -45,7 +45,7 @@ import {
import {
unsupportedManifest,
APPROVAL_POLICY_DEFAULT_POLICY,
- APPROVAL_POLICY_DEFAULT_POLICY_WITH_SCOPE,
+ APPROVAL_POLICY_DEFAULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS,
ASSIGNED_POLICY_PROJECT,
} from 'ee_jest/security_orchestration/mocks/mock_data';
import {
@@ -176,7 +176,7 @@ describe('EditorComponent', () => {
describe('rendering', () => {
it.each`
namespaceType | policy
- ${NAMESPACE_TYPES.GROUP} | ${APPROVAL_POLICY_DEFAULT_POLICY_WITH_SCOPE}
+ ${NAMESPACE_TYPES.GROUP} | ${APPROVAL_POLICY_DEFAULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS}
${NAMESPACE_TYPES.PROJECT} | ${APPROVAL_POLICY_DEFAULT_POLICY}
`('should render default policy for a $namespaceType', ({ namespaceType, policy }) => {
factory({ provide: { namespaceType } });
@@ -186,7 +186,7 @@ describe('EditorComponent', () => {
it.each`
namespaceType | manifest
- ${NAMESPACE_TYPES.GROUP} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE}
+ ${NAMESPACE_TYPES.GROUP} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS}
${NAMESPACE_TYPES.PROJECT} | ${DEFAULT_SCAN_RESULT_POLICY}
`(
'should use the correct default policy yaml for a $namespaceType',
@@ -319,7 +319,7 @@ describe('EditorComponent', () => {
describe('rendering', () => {
describe.each`
namespaceType | manifest
- ${NAMESPACE_TYPES.GROUP} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE}
+ ${NAMESPACE_TYPES.GROUP} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS}
${NAMESPACE_TYPES.PROJECT} | ${DEFAULT_SCAN_RESULT_POLICY}
`('$namespaceType', ({ namespaceType, manifest }) => {
it('should use the correct default policy yaml for a $namespaceType', () => {
@@ -793,7 +793,7 @@ describe('EditorComponent', () => {
const groupBranchModificationSettingsPolicy = {
actions: [{ type: BOT_MESSAGE_TYPE, enabled: false }],
approval_settings: {
- [BLOCK_GROUP_BRANCH_MODIFICATION]: { enabled: true, exceptions: ['top-level-group'] },
+ [BLOCK_GROUP_BRANCH_MODIFICATION]: { enabled: true, exceptions: [{ id: 1 }] },
},
};
const disabledBotPolicy = { actions: [{ type: BOT_MESSAGE_TYPE, enabled: false }] };
@@ -829,32 +829,15 @@ describe('EditorComponent', () => {
describe('graphql request', () => {
it('fetches when namespace type is project', async () => {
const mockRequestHandler = mockLinkedSppItemsResponse();
- factory({
- provide: { glFeatures: { scanResultPolicyBlockGroupBranchModification: true } },
- handler: mockRequestHandler,
- });
+ factory({ handler: mockRequestHandler });
await waitForPromises();
- expect(mockRequestHandler).toHaveBeenCalledWith({
- fullPath: defaultProjectPath,
- });
+ expect(mockRequestHandler).toHaveBeenCalledWith({ fullPath: defaultProjectPath });
});
it('does not fetch when namespace type is group', async () => {
const mockRequestHandler = mockLinkedSppItemsResponse();
factory({
- provide: {
- namespaceType: NAMESPACE_TYPES.GROUP,
- glFeatures: { scanResultPolicyBlockGroupBranchModification: true },
- },
- handler: mockRequestHandler,
- });
- await waitForPromises();
- expect(mockRequestHandler).not.toHaveBeenCalled();
- });
-
- it('does not fetch when namespace type is a project and the ff is false', async () => {
- const mockRequestHandler = mockLinkedSppItemsResponse();
- factory({
+ provide: { namespaceType: NAMESPACE_TYPES.GROUP },
handler: mockRequestHandler,
});
await waitForPromises();
@@ -863,10 +846,7 @@ describe('EditorComponent', () => {
});
it('updates the settings if groups are linked', async () => {
- factory({
- provide: { glFeatures: { scanResultPolicyBlockGroupBranchModification: true } },
- handler: mockLinkedSppItemsResponse({ groups: defaultGroups }),
- });
+ factory({ handler: mockLinkedSppItemsResponse({ groups: defaultGroups }) });
await waitForPromises();
expect(findSettingsSection().props('settings')).toEqual({
...defaultProjectApprovalConfiguration,
@@ -878,10 +858,7 @@ describe('EditorComponent', () => {
});
it('does not update the settings if groups are not linked', async () => {
- factory({
- provide: { glFeatures: { scanResultPolicyBlockGroupBranchModification: true } },
- handler: mockLinkedSppItemsResponse(),
- });
+ factory({ handler: mockLinkedSppItemsResponse() });
await waitForPromises();
expect(findSettingsSection().props('settings')).toEqual(
defaultProjectApprovalConfiguration,
@@ -895,14 +872,13 @@ describe('EditorComponent', () => {
const blockGroupBranchModificationSetting = {
[BLOCK_GROUP_BRANCH_MODIFICATION]: {
enabled: true,
- exceptions: ['top-level-group'],
+ exceptions: [{ id: 1 }],
},
};
factoryWithExistingPolicy({
policy: {
approval_settings: blockGroupBranchModificationSetting,
},
- provide: { glFeatures: { scanResultPolicyBlockGroupBranchModification: true } },
handler: mockLinkedSppItemsResponse({ groups: defaultGroups }),
});
await waitForPromises();
@@ -913,7 +889,6 @@ describe('EditorComponent', () => {
it('adds settings for an existing policy without settings', async () => {
factoryWithExistingPolicy({
- provide: { glFeatures: { scanResultPolicyBlockGroupBranchModification: true } },
handler: mockLinkedSppItemsResponse({ groups: defaultGroups }),
});
await waitForPromises();
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/index_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/index_spec.js
index 51641f67f773dfcb766cb8c498823a75ade7ca8a..11f2df959c26350d4d8137e42e3a037d73d797b5 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/index_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/index_spec.js
@@ -1,6 +1,5 @@
import {
DEFAULT_SCAN_RESULT_POLICY,
- DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE,
DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS,
getPolicyYaml,
} from 'ee/security_orchestration/components/policy_editor/scan_result/lib';
@@ -9,16 +8,10 @@ import { NAMESPACE_TYPES } from 'ee/security_orchestration/constants';
describe('getPolicyYaml', () => {
it.each`
- namespaceType | withGroupSettings | expected
- ${NAMESPACE_TYPES.GROUP} | ${false} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE}
- ${NAMESPACE_TYPES.PROJECT} | ${false} | ${DEFAULT_SCAN_RESULT_POLICY}
- ${NAMESPACE_TYPES.GROUP} | ${true} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS}
- `(
- 'returns the yaml for the $namespaceType namespace',
- ({ namespaceType, expected, withGroupSettings }) => {
- expect(getPolicyYaml({ isGroup: isGroup(namespaceType), withGroupSettings })).toEqual(
- expected,
- );
- },
- );
+ namespaceType | expected
+ ${NAMESPACE_TYPES.PROJECT} | ${DEFAULT_SCAN_RESULT_POLICY}
+ ${NAMESPACE_TYPES.GROUP} | ${DEFAULT_SCAN_RESULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS}
+ `('returns the yaml for the $namespaceType namespace', ({ namespaceType, expected }) => {
+ expect(getPolicyYaml({ isGroup: isGroup(namespaceType) })).toEqual(expected);
+ });
});
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/settings_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/settings_spec.js
index 6ff9e7c3397bb250fdbfce7d7ac2fe652a2a6d02..9ae804bde8d3b79c6e0bf000b22c5ec31f9832e4 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/settings_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/settings_spec.js
@@ -12,17 +12,24 @@ import {
} from 'ee/security_orchestration/components/policy_editor/scan_result/lib/settings';
import { createMockGroup } from 'ee_jest/security_orchestration/mocks/mock_data';
-const defaultSettings = buildSettingsList();
-
describe('buildSettingsList', () => {
- it('returns the default settings with no arguments', () => {
- expect(buildSettingsList()).toEqual(defaultSettings);
+ it('returns the default project settings with no arguments', () => {
+ expect(buildSettingsList()).toEqual({
+ ...protectedBranchesConfiguration,
+ ...pushingBranchesConfiguration,
+ ...mergeRequestConfiguration,
+ });
});
- it('returns the default settings when there are no settings', () => {
+ it('returns the default group settings when there are no settings', () => {
expect(
buildSettingsList({ settings: undefined, options: { namespaceType: NAMESPACE_TYPES.GROUP } }),
- ).toEqual(defaultSettings);
+ ).toEqual({
+ ...protectedBranchesConfiguration,
+ ...groupProtectedBranchesConfiguration(false),
+ ...pushingBranchesConfiguration,
+ ...mergeRequestConfiguration,
+ });
});
it('can update merge request settings for projects', () => {
@@ -37,7 +44,7 @@ describe('buildSettingsList', () => {
});
});
- it('can update merge request settings for group w/ scanResultPolicyBlockGroupBranchModification ff', () => {
+ it('can update merge request settings for group', () => {
const settings = {
...pushingBranchesConfiguration,
...mergeRequestConfiguration,
@@ -46,10 +53,7 @@ describe('buildSettingsList', () => {
expect(
buildSettingsList({
settings,
- options: {
- namespaceType: NAMESPACE_TYPES.GROUP,
- scanResultPolicyBlockGroupBranchModification: true,
- },
+ options: { namespaceType: NAMESPACE_TYPES.GROUP },
}),
).toEqual({
...protectedBranchesConfiguration,
@@ -58,7 +62,7 @@ describe('buildSettingsList', () => {
});
});
- it('can update merge request settings for a group w/ an enabled block_branch_modification setting and w/ scanResultPolicyBlockGroupBranchModification ff', () => {
+ it('can update merge request settings for a group with an enabled block_branch_modification setting', () => {
const enabledSetting = { [BLOCK_BRANCH_MODIFICATION]: true };
const settings = {
...pushingBranchesConfiguration,
@@ -68,10 +72,7 @@ describe('buildSettingsList', () => {
expect(
buildSettingsList({
settings: enabledSetting,
- options: {
- namespaceType: NAMESPACE_TYPES.GROUP,
- scanResultPolicyBlockGroupBranchModification: true,
- },
+ options: { namespaceType: NAMESPACE_TYPES.GROUP },
}),
).toEqual({
...enabledSetting,
@@ -80,7 +81,7 @@ describe('buildSettingsList', () => {
});
});
- it('can update merge request settings for SPP w/ linked groups && w/ scanResultPolicyBlockGroupBranchModification ff', () => {
+ it('can update merge request settings for SPP with linked groups', () => {
const settings = {
...pushingBranchesConfiguration,
...mergeRequestConfiguration,
@@ -92,7 +93,6 @@ describe('buildSettingsList', () => {
options: {
hasLinkedGroups: true,
namespaceType: NAMESPACE_TYPES.PROJECT,
- scanResultPolicyBlockGroupBranchModification: true,
},
}),
).toEqual({
@@ -102,33 +102,15 @@ describe('buildSettingsList', () => {
});
});
- it('can update merge request settings for group w/o scanResultPolicyBlockGroupBranchModification ff', () => {
- const settings = {
- ...pushingBranchesConfiguration,
- ...mergeRequestConfiguration,
- [PREVENT_APPROVAL_BY_AUTHOR]: false,
- };
- expect(
- buildSettingsList({
- settings,
- options: {
- namespaceType: NAMESPACE_TYPES.GROUP,
- scanResultPolicyBlockGroupBranchModification: false,
- },
- }),
- ).toEqual({
- ...protectedBranchesConfiguration,
- ...settings,
- });
- });
-
- it('has fall back values for settings', () => {
+ it('has fallback values for settings', () => {
const settings = {
[PREVENT_APPROVAL_BY_AUTHOR]: true,
};
expect(buildSettingsList({ settings, hasAnyMergeRequestRule: true })).toEqual({
- ...defaultSettings,
+ ...protectedBranchesConfiguration,
+ ...pushingBranchesConfiguration,
+ ...mergeRequestConfiguration,
...settings,
});
});
diff --git a/ee/spec/frontend/security_orchestration/mocks/mock_data.js b/ee/spec/frontend/security_orchestration/mocks/mock_data.js
index 5fc1da016cbf2ee521167af76a7776adb5fb6a7f..bcaf9a771c25557d3e8f412ddc14baf255ff0f95 100644
--- a/ee/spec/frontend/security_orchestration/mocks/mock_data.js
+++ b/ee/spec/frontend/security_orchestration/mocks/mock_data.js
@@ -56,9 +56,13 @@ export const APPROVAL_POLICY_DEFAULT_POLICY = {
fallback_behavior: { fail: 'closed' },
};
-export const APPROVAL_POLICY_DEFAULT_POLICY_WITH_SCOPE = {
+export const APPROVAL_POLICY_DEFAULT_POLICY_WITH_SCOPE_WITH_GROUP_SETTINGS = {
...APPROVAL_POLICY_DEFAULT_POLICY,
policy_scope: { projects: { excluding: [] } },
+ approval_settings: {
+ ...APPROVAL_POLICY_DEFAULT_POLICY.approval_settings,
+ block_group_branch_modification: true,
+ },
};
export const SCAN_EXECUTION_DEFAULT_POLICY = {
diff --git a/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/compliance_frameworks_spec.js b/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/compliance_frameworks_spec.js
index 3693ba73554f8f05d4bbdffbb3b0ced71a514220..6f2d2f725caa61b925d4125ff28a0cd4ded8903c 100644
--- a/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/compliance_frameworks_spec.js
+++ b/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/compliance_frameworks_spec.js
@@ -22,7 +22,7 @@ import { verify } from '../utils';
import {
mockScanExecutionActionManifest,
mockPipelineExecutionActionManifest,
- mockApprovalActionManifest,
+ mockApprovalActionGroupManifest,
mockApprovalActionProjectManifest,
mockScanExecutionActionProjectManifest,
} from './mocks';
@@ -78,7 +78,7 @@ describe('ComplianceFrameworks', () => {
policyType | manifest
${SCAN_EXECUTION_POLICY} | ${mockScanExecutionActionManifest}
${PIPELINE_EXECUTION_POLICY} | ${mockPipelineExecutionActionManifest}
- ${APPROVAL_POLICY} | ${mockApprovalActionManifest}
+ ${APPROVAL_POLICY} | ${mockApprovalActionGroupManifest}
`('$policyType', ({ policyType, manifest }) => {
beforeEach(() => {
jest.spyOn(urlUtils, 'getParameterByName').mockReturnValue(policyType);
diff --git a/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/mocks.js b/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/mocks.js
index d9e7324f9e7a3148c0cf221e1f0e155c878e59c3..8e1ff9c03276a0ec99da6278f501f521e86b939b 100644
--- a/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/mocks.js
+++ b/ee/spec/frontend_integration/security_orchestration/policy_editor/policy_scope/mocks.js
@@ -1,3 +1,5 @@
+import { removeGroupSetting } from '../utils';
+
const putPolicyScopeComplianceFrameworksToEndOfYaml = (yaml) =>
yaml
.replace('\npolicy_scope:\n compliance_frameworks:\n - id: 1\n - id: 2', '')
@@ -8,8 +10,9 @@ const putPolicyScopeProjectsToEndOfYaml = (yaml) =>
.replace('\npolicy_scope:\n projects:\n excluding:\n - id: 1\n - id: 2', '')
.concat('policy_scope:\n projects:\n excluding:\n - id: 1\n - id: 2\n');
-const SETTINGS = `approval_settings:
+const GROUP_SETTINGS = `approval_settings:
block_branch_modification: true
+ block_group_branch_modification: true
prevent_pushing_and_force_pushing: true
prevent_approval_by_author: true
prevent_approval_by_commit_author: true
@@ -55,7 +58,7 @@ policy_scope:
- id: 2
`);
-export const mockApprovalActionManifest = BASE_POLICY('approval_policy')
+export const mockApprovalActionGroupManifest = BASE_POLICY('approval_policy')
.concat(
`policy_scope:
compliance_frameworks:
@@ -70,11 +73,11 @@ actions:
enabled: true
`,
)
- .concat(SETTINGS)
+ .concat(GROUP_SETTINGS)
.concat(FALLBACK);
-export const mockApprovalActionProjectManifest = putPolicyScopeComplianceFrameworksToEndOfYaml(
- mockApprovalActionManifest,
+export const mockApprovalActionProjectManifest = removeGroupSetting(
+ putPolicyScopeComplianceFrameworksToEndOfYaml(mockApprovalActionGroupManifest),
);
export const EXCLUDING_PROJECTS_MOCKS = {
@@ -117,7 +120,7 @@ actions:
enabled: true
`,
)
- .concat(SETTINGS)
+ .concat(GROUP_SETTINGS)
.concat(FALLBACK),
};
@@ -126,7 +129,9 @@ export const EXCLUDING_PROJECTS_PROJECTS_LEVEL_MOCKS = {
PIPELINE_EXECUTION: putPolicyScopeProjectsToEndOfYaml(
EXCLUDING_PROJECTS_MOCKS.PIPELINE_EXECUTION,
),
- APPROVAL_POLICY: putPolicyScopeProjectsToEndOfYaml(EXCLUDING_PROJECTS_MOCKS.APPROVAL_POLICY),
+ APPROVAL_POLICY: removeGroupSetting(
+ putPolicyScopeProjectsToEndOfYaml(EXCLUDING_PROJECTS_MOCKS.APPROVAL_POLICY),
+ ),
};
const replaceProjectKey = (value) => value.replace('excluding', 'including');
@@ -201,7 +206,7 @@ actions:
enabled: true
`,
)
- .concat(SETTINGS)
+ .concat(GROUP_SETTINGS)
.concat(FALLBACK),
};
diff --git a/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/mocks.js b/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/mocks.js
index 7a5d443a27f3649b42a21a250d482017719eed57..9cb152cdf46b096bdc79c76e74dc03dcb2792b18 100644
--- a/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/mocks.js
+++ b/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/mocks.js
@@ -1,11 +1,13 @@
import { GROUP_TYPE, USER_TYPE } from 'ee/security_orchestration/constants';
+import { removeGroupSetting } from '../utils';
const BOT_ACTION = ` - type: send_bot_message
enabled: true
`;
-const SETTINGS = `approval_settings:
+const GROUP_SETTINGS = `approval_settings:
block_branch_modification: true
+ block_group_branch_modification: true
prevent_pushing_and_force_pushing: true
prevent_approval_by_author: true
prevent_approval_by_commit_author: true
@@ -13,6 +15,8 @@ const SETTINGS = `approval_settings:
require_password_to_approve: false
`;
+const PROJECT_SETTINGS = removeGroupSetting(GROUP_SETTINGS);
+
const FALLBACK = `fallback_behavior:
fail: closed
`;
@@ -47,7 +51,7 @@ actions:
- developer
`
.concat(BOT_ACTION)
- .concat(SETTINGS)
+ .concat(PROJECT_SETTINGS)
.concat(FALLBACK);
export const mockUserApproversApprovalManifest = `type: approval_policy
@@ -63,7 +67,7 @@ actions:
- ${USER.id}
`
.concat(BOT_ACTION)
- .concat(SETTINGS)
+ .concat(PROJECT_SETTINGS)
.concat(FALLBACK);
export const mockGroupApproversApprovalManifest = `type: approval_policy
@@ -82,7 +86,7 @@ actions:
- ${GROUP.id}
`
.concat(BOT_ACTION)
- .concat(SETTINGS)
+ .concat(GROUP_SETTINGS)
.concat(FALLBACK);
export const mockLicenseApprovalManifest = `type: approval_policy
@@ -100,7 +104,7 @@ actions:
approvals_required: 1
`
.concat(BOT_ACTION)
- .concat(SETTINGS)
+ .concat(PROJECT_SETTINGS)
.concat(FALLBACK);
export const mockSecurityApprovalManifest = `type: approval_policy
@@ -119,7 +123,7 @@ actions:
approvals_required: 1
`
.concat(BOT_ACTION)
- .concat(SETTINGS)
+ .concat(PROJECT_SETTINGS)
.concat(FALLBACK);
export const mockAnyMergeRequestApprovalManifest = `type: approval_policy
@@ -135,5 +139,5 @@ actions:
approvals_required: 1
`
.concat(BOT_ACTION)
- .concat(SETTINGS)
+ .concat(PROJECT_SETTINGS)
.concat(FALLBACK);
diff --git a/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/rules_spec.js b/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/rules_spec.js
index 1e5f394e357193407b96958c49b912421fa135e2..f380d5f7cc7f25b77d75ffe9c58627e6b08720c0 100644
--- a/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/rules_spec.js
+++ b/ee/spec/frontend_integration/security_orchestration/policy_editor/scan_result/rules_spec.js
@@ -97,15 +97,6 @@ describe('Scan result policy rules', () => {
await findScanTypeSelect().vm.$emit('select', LICENSE_FINDING);
await verify({ manifest: mockLicenseApprovalManifest, verifyRuleMode, wrapper });
});
-
- it('should select license rule after breaking changes for match on inclusion license', async () => {
- await findScanTypeSelect().vm.$emit('select', LICENSE_FINDING);
- await verify({
- manifest: mockLicenseApprovalManifest,
- verifyRuleMode,
- wrapper,
- });
- });
});
describe('any merge request rule', () => {
diff --git a/ee/spec/frontend_integration/security_orchestration/policy_editor/utils.js b/ee/spec/frontend_integration/security_orchestration/policy_editor/utils.js
index 04e7d4d429257ef985b42914d9417093541e9059..4f1cfc6df9ab6c3f1358d73bf025b811b8887a1c 100644
--- a/ee/spec/frontend_integration/security_orchestration/policy_editor/utils.js
+++ b/ee/spec/frontend_integration/security_orchestration/policy_editor/utils.js
@@ -47,3 +47,6 @@ export const createSppSubscriptionHandler = () =>
},
},
});
+
+export const removeGroupSetting = (yaml) =>
+ yaml.replace(' block_group_branch_modification: true\n', '');
diff --git a/ee/spec/requests/groups/protected_branches_controller_spec.rb b/ee/spec/requests/groups/protected_branches_controller_spec.rb
index 2d1eb875fe469576ac87bf3e78f7e3df6b9e0d52..3ee6f9826bb80eca8a88eaf8470e3f4a6a502432 100644
--- a/ee/spec/requests/groups/protected_branches_controller_spec.rb
+++ b/ee/spec/requests/groups/protected_branches_controller_spec.rb
@@ -153,24 +153,6 @@
expect(response).to have_gitlab_http_status(:forbidden)
end
-
- context 'with feature disabled' do
- before do
- stub_feature_flags(scan_result_policy_block_group_branch_modification: false)
- end
-
- it 'renames' do
- expect { patch member_path, params: update_params }.to change {
- protected_branch.reload.name
- }.to(update_params.dig(:protected_branch, :name))
- end
-
- it 'responds with 200' do
- patch member_path, params: update_params
-
- expect(response).to have_gitlab_http_status(:success)
- end
- end
end
include_context 'with scan result policy blocking protected branches' do
diff --git a/ee/spec/services/ee/protected_branches/destroy_service_spec.rb b/ee/spec/services/ee/protected_branches/destroy_service_spec.rb
index ae934be25e1d3df8475acef238d4a873806d92e2..d133b5c8ac439af6bbe715aa2e6c80766626631b 100644
--- a/ee/spec/services/ee/protected_branches/destroy_service_spec.rb
+++ b/ee/spec/services/ee/protected_branches/destroy_service_spec.rb
@@ -116,16 +116,6 @@
it 'blocks unprotecting branches' do
expect { service.execute(protected_branch) }.to raise_error(Gitlab::Access::AccessDeniedError)
end
-
- context 'with feature disabled' do
- before do
- stub_feature_flags(scan_result_policy_block_group_branch_modification: false)
- end
-
- it 'does not block unprotecting branches' do
- expect { service.execute(protected_branch) }.not_to raise_error
- end
- end
end
end
end
diff --git a/ee/spec/services/ee/protected_branches/update_service_spec.rb b/ee/spec/services/ee/protected_branches/update_service_spec.rb
index c60cd5b7f94d8cbaa9b66b5ce8903180b6a173e5..6166f2ab42d499c2ae7d2326c2bf3c071074cf90 100644
--- a/ee/spec/services/ee/protected_branches/update_service_spec.rb
+++ b/ee/spec/services/ee/protected_branches/update_service_spec.rb
@@ -79,18 +79,6 @@
it 'raises' do
expect { service.execute(protected_branch) }.to raise_error(::Gitlab::Access::AccessDeniedError)
end
-
- context 'with feature disabled' do
- before do
- stub_feature_flags(scan_result_policy_block_group_branch_modification: false)
- end
-
- it 'renames' do
- expect { service.execute(protected_branch) }.to change {
- protected_branch.reload.name
- }.to(branch_name.reverse)
- end
- end
end
include_context 'with scan result policy blocking protected branches' do
diff --git a/ee/spec/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service_spec.rb b/ee/spec/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service_spec.rb
index aaf96341ed6d5039e02381708dba62a17b3ec366..f1025879b37d0597075e04ab8b9f3434007e5270 100644
--- a/ee/spec/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/group_protected_branches_deletion_check_service_spec.rb
@@ -63,17 +63,6 @@
it { is_expected.to be(expectation) }
end
- context 'with feature disabled' do
- before do
- stub_feature_flags(scan_result_policy_block_group_branch_modification: false)
- end
-
- let(:block_branch_modification) { true }
- let(:block_group_branch_modification) { true }
-
- it { is_expected.to be(false) }
- end
-
context 'without approval_settings' do
let(:approval_settings) { nil }