diff --git a/app/assets/javascripts/security_configuration/components/app.vue b/app/assets/javascripts/security_configuration/components/app.vue index 9a71cf5cd06d93e4fc4179229d4d1f656d64bacb..079be610f27810db6d25b08f49c4d56b35c32e80 100644 --- a/app/assets/javascripts/security_configuration/components/app.vue +++ b/app/assets/javascripts/security_configuration/components/app.vue @@ -12,12 +12,12 @@ import { AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY, TAB_VULNERABILITY_MANAGEMENT_INDEX, i18n, - PRE_RECEIVE_SECRET_DETECTION, + SECRET_PUSH_PROTECTION, } from '../constants'; import AutoDevOpsAlert from './auto_dev_ops_alert.vue'; import AutoDevOpsEnabledAlert from './auto_dev_ops_enabled_alert.vue'; import FeatureCard from './feature_card.vue'; -import PreReceiveSecretDetectionFeatureCard from './pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from './secret_push_protection_feature_card.vue'; import TrainingProviderList from './training_provider_list.vue'; export default { @@ -26,7 +26,7 @@ export default { AutoDevOpsAlert, AutoDevOpsEnabledAlert, FeatureCard, - PreReceiveSecretDetectionFeatureCard, + SecretPushProtectionFeatureCard, GlAlert, GlLink, GlSprintf, @@ -106,8 +106,8 @@ export default { }, methods: { getComponentName(feature) { - if (feature.type === PRE_RECEIVE_SECRET_DETECTION) { - return 'pre-receive-secret-detection-feature-card'; + if (feature.type === SECRET_PUSH_PROTECTION) { + return 'secret-push-protection-feature-card'; } if (feature.type === REPORT_TYPE_CONTAINER_SCANNING_FOR_REGISTRY) { return 'container-scanning-for-registry-feature-card'; 
diff --git a/app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue similarity index 90% rename from app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue rename to app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue index 6552c34a79726f2252187b4ea0ccb20a8aa31472..925e533e992876f85c92f937246d4289e3b74023 100644 --- a/app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue +++ b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue @@ -9,11 +9,11 @@ import { GlButton, GlTooltipDirective, } from '@gitlab/ui'; -import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; +import ProjectPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; import { __, s__ } from '~/locale'; export default { - name: 'PreReceiveSecretDetectionFeatureCard', + name: 'SecretPushProtectionFeatureCard', components: { GlCard, GlIcon, @@ -27,8 +27,8 @@ export default { GlTooltip: GlTooltipDirective, }, inject: [ - 'preReceiveSecretDetectionAvailable', - 'preReceiveSecretDetectionEnabled', + 'secretPushProtectionAvailable', + 'secretPushProtectionEnabled', 'userIsProjectAdmin', 'projectFullPath', 'secretDetectionConfigurationPath', @@ -41,7 +41,7 @@ export default { }, data() { return { - toggleValue: this.preReceiveSecretDetectionEnabled, + toggleValue: this.secretPushProtectionEnabled, errorMessage: '', isAlertDismissed: false, }; 
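Review bot: In the first hunk the import is renamed from `ProjectSetPreReceiveSecretDetection` to `ProjectPreReceiveSecretDetection` while it still loads `set_pre_receive_secret_detection.graphql`, so the rename only drops the `Set` prefix that described the document and the card keeps dispatching the legacy `SetPreReceiveSecretDetection` mutation even though this change adds `SetSecretPushProtection`. Either leave the identifier as it was, `import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';`, or point the card at a document for the new mutation, which this diff does not add and would need to. The place where the document is used is in a later hunk of this file.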
@@ -73,13 +73,13 @@ export default { }; }, isToggleDisabled() { - return !this.preReceiveSecretDetectionAvailable || !this.userIsProjectAdmin; + return !this.secretPushProtectionAvailable || !this.userIsProjectAdmin; }, showLock() { return this.isToggleDisabled && this.available; }, featureLockDescription() { - if (!this.preReceiveSecretDetectionAvailable) { + if (!this.secretPushProtectionAvailable) { return this.$options.i18n.tooltipDescription; } if (!this.userIsProjectAdmin) { @@ -96,10 +96,10 @@ export default { this.errorMessage = error; this.isAlertDismissed = false; }, - async togglePreReceiveSecretDetection(checked) { + async toggleSecretPushProtection(checked) { try { const { data } = await this.$apollo.mutate({ - mutation: ProjectSetPreReceiveSecretDetection, + mutation: ProjectPreReceiveSecretDetection, variables: { input: { namespacePath: this.projectFullPath, @@ -203,7 +203,7 @@ export default { :value="toggleValue" :label="s__('SecurityConfiguration|Toggle secret push protection')" label-position="hidden" - @change="togglePreReceiveSecretDetection" + @change="toggleSecretPushProtection" /> { containerScanningForRegistryEnabled, secretDetectionConfigurationPath, ...parseBooleanDataAttributes(el, [ - 'preReceiveSecretDetectionAvailable', - 'preReceiveSecretDetectionEnabled', + 'secretPushProtectionAvailable', + 'secretPushProtectionEnabled', 'userIsProjectAdmin', ]), }, diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index be80a38d8bfbb3bff0c72a5d3e0eb9fd80046147..3bb5ed7d3c3a1dfb351e04dbcf3449f2a54d5f0d 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -19,6 +19,8 @@ class ApplicationSetting < ApplicationRecord encrypted_vertex_ai_access_token_iv ], remove_with: '17.10', remove_after: '2025-02-15' + ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' + ignore_columns %i[ elasticsearch_aws elasticsearch_search 
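Review bot: In the `app/models/application_setting.rb` hunk, `ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15'` names the same milestone as the `rename_column_concurrently` migration in this change (`milestone '17.9'`), so the line is marked removable in the release that still carries the old column and its sync triggers. The old column can only be dropped by a later cleanup migration, so the ignore should outlive it, presumably `ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.10', remove_after: '2025-02-15'`, which also matches the `remove_with: '17.10'` on the adjacent entry in this hunk. Worth confirming that `remove_after` is not earlier than the date the cleanup migration is expected to ship.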
diff --git a/app/presenters/projects/security/configuration_presenter.rb b/app/presenters/projects/security/configuration_presenter.rb index 7df38dd7d6f6543a2edbe895fcf2b0be8645bd87..8d81c2f2ad73640b033f1e8864db69e97252765c 100644 --- a/app/presenters/projects/security/configuration_presenter.rb +++ b/app/presenters/projects/security/configuration_presenter.rb @@ -21,9 +21,9 @@ def to_h gitlab_ci_history_path: gitlab_ci_history_path, security_training_enabled: project.security_training_available?, container_scanning_for_registry_enabled: container_scanning_for_registry_enabled, - pre_receive_secret_detection_available: - Gitlab::CurrentSettings.current_application_settings.pre_receive_secret_detection_enabled, - pre_receive_secret_detection_enabled: pre_receive_secret_detection_enabled, + secret_push_protection_available: + Gitlab::CurrentSettings.current_application_settings.secret_push_protection_available, + secret_push_protection_enabled: secret_push_protection_enabled, user_is_project_admin: user_is_project_admin?, secret_detection_configuration_path: secret_detection_configuration_path } @@ -65,9 +65,9 @@ def features scans << scan(:dast_profiles, configured: true) # Add pre-receive before secret detection - if project.licensed_feature_available?(:pre_receive_secret_detection) + if project.licensed_feature_available?(:secret_push_protection) secret_detection_index = scans.index { |scan| scan[:type] == :secret_detection } || -1 - scans.insert(secret_detection_index, scan(:pre_receive_secret_detection, configured: true)) + scans.insert(secret_detection_index, scan(:secret_push_protection, configured: true)) end scans @@ -103,7 +103,7 @@ def project_settings end def container_scanning_for_registry_enabled; end - def pre_receive_secret_detection_enabled; end + def secret_push_protection_enabled; end def secret_detection_configuration_path; end end end 
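Review bot: The comment `# Add pre-receive before secret detection` in the `features` hunk still uses the old name after the check below it moved to `licensed_feature_available?(:secret_push_protection)` and the card type to `:secret_push_protection`, so the next reader has to map two names for one feature. Replace it with `# Insert the secret push protection card immediately before the pipeline secret detection card`. The `|| -1` fallback on the next line appends the card when no secret detection entry exists, which the comment could also state, e.g. `# (appended at the end when no secret detection scan is listed)`.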
diff --git a/config/application_setting_columns/secret_push_protection_available.yml b/config/application_setting_columns/secret_push_protection_available.yml new file mode 100644 index 0000000000000000000000000000000000000000..8c2f8351c9dc6b15a5ee50409d13ddeef2dc7702 --- /dev/null +++ b/config/application_setting_columns/secret_push_protection_available.yml @@ -0,0 +1,15 @@ +--- +api_type: boolean +attr: secret_push_protection_available +clusterwide: true +column: secret_push_protection_available +db_type: boolean +default: 'false' +description: Allow projects to enable secret push protection. This does not enable + secret push protection. When you enable this feature, you accept the [GitLab Testing + Agreement](https://handbook.gitlab.com/handbook/legal/testing-agreement/). Ultimate + only. +encrypted: false +gitlab_com_different_than_default: true +jihu: false +not_null: true diff --git a/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb new file mode 100644 index 0000000000000000000000000000000000000000..a7966414a7f7a8fdd5fc07a361f3dcfa976d5c84 --- /dev/null +++ b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +class RenamePreReceiveSecretDetectionEnabledToSecretPushProtectionEnabled < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + TABLE = :project_security_settings + + def up + rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, + :secret_push_protection_enabled, batch_column_name: :project_id + end + + def down + undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, + :secret_push_protection_enabled + end +end 
diff --git a/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb b/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb new file mode 100644 index 0000000000000000000000000000000000000000..59285556da90de7e2db23bae83ccf01f5f32afa6 --- /dev/null +++ b/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb @@ -0,0 +1,16 @@ +# frozen_string_literal: true + +class RenamePreReceiveSecretDetectionEnabledToSecretPushProtectionAvailable < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + TABLE = :application_settings + + def up + rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, :secret_push_protection_available + end + + def down + undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, :secret_push_protection_available + end +end diff --git a/db/schema_migrations/20250114030220 b/db/schema_migrations/20250114030220 new file mode 100644 index 0000000000000000000000000000000000000000..2244a495a22a333cf809232287223b91f574d1b5 --- /dev/null +++ b/db/schema_migrations/20250114030220 @@ -0,0 +1 @@ +555bf26fb6ee2d65df9aa7ebde9be19a8681563a053b74d3c9c2df1e2dc9dda9 \ No newline at end of file diff --git a/db/schema_migrations/20250114030822 b/db/schema_migrations/20250114030822 new file mode 100644 index 0000000000000000000000000000000000000000..2a744efc277352479ffe5a5fcb7a40222d2e7afe --- /dev/null +++ b/db/schema_migrations/20250114030822 @@ -0,0 +1 @@ +2d74e09c4f8df3a0e49762bc9bde7c802c33c0f1ac1498b83a3080dc35b93ba2 \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 54b4fd5cd898e802546261c11cb894fddf079641..6b506bd289b6cd66a18bda3d389273a92073d26a 100644 --- a/db/structure.sql +++ b/db/structure.sql 
@@ -403,6 +403,74 @@ BEGIN END; $$; +CREATE FUNCTION function_for_trigger_1baf8c8e1f66() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."pre_receive_secret_detection_enabled" := NEW."secret_push_protection_available"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_7f41427eda69() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."secret_push_protection_available" := NEW."pre_receive_secret_detection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_7fbecfcdf89a() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."pre_receive_secret_detection_enabled" := NEW."secret_push_protection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_897f35481f9a() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."secret_push_protection_enabled" := NEW."pre_receive_secret_detection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_b9839c6d713f() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NEW."pre_receive_secret_detection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."secret_push_protection_available" IS DISTINCT FROM 'false' THEN + NEW."pre_receive_secret_detection_enabled" = NEW."secret_push_protection_available"; + END IF; + + IF NEW."secret_push_protection_available" IS NOT DISTINCT FROM 'false' AND NEW."pre_receive_secret_detection_enabled" IS DISTINCT FROM 'false' THEN + NEW."secret_push_protection_available" = NEW."pre_receive_secret_detection_enabled"; + END IF; + + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_cbecfadbc3e8() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NEW."pre_receive_secret_detection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."secret_push_protection_enabled" IS DISTINCT FROM 'false' THEN + NEW."pre_receive_secret_detection_enabled" = NEW."secret_push_protection_enabled"; + END IF; + + IF NEW."secret_push_protection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."pre_receive_secret_detection_enabled" IS 
DISTINCT FROM 'false' THEN + NEW."secret_push_protection_enabled" = NEW."pre_receive_secret_detection_enabled"; + END IF; + + RETURN NEW; +END +$$; + CREATE FUNCTION gitlab_schema_prevent_write() RETURNS trigger LANGUAGE plpgsql AS $$ @@ -7952,6 +8020,7 @@ CREATE TABLE application_settings ( elasticsearch_max_code_indexing_concurrency integer DEFAULT 30 NOT NULL, observability_settings jsonb DEFAULT '{}'::jsonb NOT NULL, search jsonb DEFAULT '{}'::jsonb NOT NULL, + secret_push_protection_available boolean DEFAULT false, CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)), @@ -8018,6 +8087,7 @@ CREATE TABLE application_settings ( CONSTRAINT check_application_settings_transactional_emails_is_hash CHECK ((jsonb_typeof(transactional_emails) = 'object'::text)), CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)), CONSTRAINT check_babd774f3c CHECK ((char_length(secret_detection_service_url) <= 255)), + CONSTRAINT check_be6ab41dcc CHECK ((secret_push_protection_available IS NOT NULL)), CONSTRAINT check_bf5157a366 CHECK ((char_length(required_instance_ci_template) <= 1024)), CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)), CONSTRAINT check_d03919528d CHECK ((char_length(container_registry_vendor) <= 255)), 
@@ -19388,7 +19458,9 @@ CREATE TABLE project_security_settings ( auto_fix_sast boolean DEFAULT true NOT NULL, continuous_vulnerability_scans_enabled boolean DEFAULT false NOT NULL, container_scanning_for_registry_enabled boolean DEFAULT false NOT NULL, - pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL + pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL, + secret_push_protection_enabled boolean DEFAULT false, + CONSTRAINT check_20a23efdb6 CHECK ((secret_push_protection_enabled IS NOT NULL)) ); CREATE SEQUENCE project_security_settings_project_id_seq @@ -37436,6 +37508,8 @@ CREATE TRIGGER trigger_174b23fa3dfb BEFORE INSERT OR UPDATE ON approval_project_ CREATE TRIGGER trigger_18bc439a6741 BEFORE INSERT OR UPDATE ON packages_conan_metadata FOR EACH ROW EXECUTE FUNCTION trigger_18bc439a6741(); +CREATE TRIGGER trigger_1baf8c8e1f66 BEFORE UPDATE OF secret_push_protection_available ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_1baf8c8e1f66(); + CREATE TRIGGER trigger_1c0f1ca199a3 BEFORE INSERT OR UPDATE ON ci_resources FOR EACH ROW EXECUTE FUNCTION trigger_1c0f1ca199a3(); CREATE TRIGGER trigger_1ed40f4d5f4e BEFORE INSERT OR UPDATE ON packages_maven_metadata FOR EACH ROW EXECUTE FUNCTION trigger_1ed40f4d5f4e(); 
@@ -37554,6 +37628,10 @@ CREATE TRIGGER trigger_7de792ddbc05 BEFORE INSERT OR UPDATE ON dast_site_validat CREATE TRIGGER trigger_7e2eed79e46e BEFORE INSERT OR UPDATE ON abuse_reports FOR EACH ROW EXECUTE FUNCTION trigger_7e2eed79e46e(); +CREATE TRIGGER trigger_7f41427eda69 BEFORE UPDATE OF pre_receive_secret_detection_enabled ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_7f41427eda69(); + +CREATE TRIGGER trigger_7fbecfcdf89a BEFORE UPDATE OF secret_push_protection_enabled ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_7fbecfcdf89a(); + CREATE TRIGGER trigger_81b4c93e7133 BEFORE INSERT OR UPDATE ON pages_deployment_states FOR EACH ROW EXECUTE FUNCTION trigger_81b4c93e7133(); CREATE TRIGGER trigger_8204480b3a2e BEFORE INSERT OR UPDATE ON incident_management_escalation_rules FOR EACH ROW EXECUTE FUNCTION trigger_8204480b3a2e(); @@ -37562,6 +37640,8 @@ CREATE TRIGGER trigger_84d67ad63e93 BEFORE INSERT OR UPDATE ON wiki_page_slugs F CREATE TRIGGER trigger_85d89f0f11db BEFORE INSERT OR UPDATE ON issue_metrics FOR EACH ROW EXECUTE FUNCTION trigger_85d89f0f11db(); +CREATE TRIGGER trigger_897f35481f9a BEFORE UPDATE OF pre_receive_secret_detection_enabled ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_897f35481f9a(); + CREATE TRIGGER trigger_8a38ce2327de BEFORE INSERT OR UPDATE ON boards_epic_user_preferences FOR EACH ROW EXECUTE FUNCTION trigger_8a38ce2327de(); CREATE TRIGGER trigger_8ac78f164b2d BEFORE INSERT OR UPDATE ON design_management_repositories FOR EACH ROW EXECUTE FUNCTION trigger_8ac78f164b2d(); 
@@ -37624,6 +37704,8 @@ CREATE TRIGGER trigger_b7abb8fc4cf0 BEFORE INSERT OR UPDATE ON work_item_progres CREATE TRIGGER trigger_b8eecea7f351 BEFORE INSERT OR UPDATE ON dependency_proxy_manifest_states FOR EACH ROW EXECUTE FUNCTION trigger_b8eecea7f351(); +CREATE TRIGGER trigger_b9839c6d713f BEFORE INSERT ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_b9839c6d713f(); + CREATE TRIGGER trigger_c17a166692a2 BEFORE INSERT OR UPDATE ON audit_events_streaming_headers FOR EACH ROW EXECUTE FUNCTION trigger_c17a166692a2(); CREATE TRIGGER trigger_c59fe6f31e71 BEFORE INSERT OR UPDATE ON security_orchestration_policy_rule_schedules FOR EACH ROW EXECUTE FUNCTION trigger_c59fe6f31e71(); @@ -37638,6 +37720,8 @@ CREATE TRIGGER trigger_cac7c0698291 BEFORE INSERT OR UPDATE ON evidences FOR EAC CREATE TRIGGER trigger_catalog_resource_sync_event_on_project_update AFTER UPDATE ON projects FOR EACH ROW WHEN ((((old.name)::text IS DISTINCT FROM (new.name)::text) OR (old.description IS DISTINCT FROM new.description) OR (old.visibility_level IS DISTINCT FROM new.visibility_level))) EXECUTE FUNCTION insert_catalog_resource_sync_event(); +CREATE TRIGGER trigger_cbecfadbc3e8 BEFORE INSERT ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_cbecfadbc3e8(); + CREATE TRIGGER trigger_cd50823537a3 BEFORE INSERT OR UPDATE ON issuable_slas FOR EACH ROW EXECUTE FUNCTION trigger_cd50823537a3(); CREATE TRIGGER trigger_cf646a118cbb BEFORE INSERT OR UPDATE ON milestone_releases FOR EACH ROW EXECUTE FUNCTION trigger_cf646a118cbb(); diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 1453ff25e2a8a824b4884316a006d0fb1b1244e3..106418fec35dbd8e0006a74fa71e017331d2f7c9 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
@@ -10026,6 +10026,30 @@ Input type: `SetPreReceiveSecretDetectionInput` | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | | `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | | `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | + +### `Mutation.setSecretPushProtection` + +Enable/disable secret push protection for the given project. + +Input type: `SetSecretPushProtectionInput` + +#### Arguments + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `enable` | [`Boolean!`](#boolean) | Desired status for secret push protection feature. | +| `namespacePath` | [`ID!`](#id) | Full path of the namespace (project). | + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | +| `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | ### `Mutation.starProject` 
@@ -32596,6 +32620,7 @@ Project-level settings for product analytics provider. | `requirementStatesCount` | [`RequirementStatesCount`](#requirementstatescount) | Number of requirements for the project by their state. | | `sastCiConfiguration` | [`SastCiConfiguration`](#sastciconfiguration) | SAST CI configuration for the project. | | `savedReplies` | [`ProjectSavedReplyConnection`](#projectsavedreplyconnection) | Saved replies available to the project. (see [Connections](#connections)) | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Indicates whether Secret Push Protection is on or not for the project. | | `securityDashboardPath` | [`String`](#string) | Path to project's security dashboard. | | `securityPolicyProject` | [`Project`](#project) | Security policy project assigned to the project, absent if assigned to a parent group. | | `securityPolicyProjectLinkedNamespaces` **{warning-solid}** | [`NamespaceConnection`](#namespaceconnection) | **Deprecated** in GitLab 17.4. This was renamed. Use: `security_policy_project_linked_groups`. | diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb index a7912a6e31284380f703d6b6264507c8e645fb81..57697f32912809eb7c2a3d7529f512beddd55547 100644 --- a/ee/app/controllers/ee/admin/application_settings_controller.rb +++ b/ee/app/controllers/ee/admin/application_settings_controller.rb 
@@ -154,9 +154,9 @@ def visible_application_setting_attributes end # Remove the inline rubocop disablement of Metrics/PerceivedComplexity when we can move - # pre_receive_secret_detection_enabled to the simple License feature => attribute name + # secret_push_protection_available to the simple License feature => attribute name # hash above. - attrs << :pre_receive_secret_detection_enabled if License.feature_available?(:pre_receive_secret_detection) + attrs << :secret_push_protection_available if License.feature_available?(:secret_push_protection) if License.feature_available?(:admin_merge_request_approvers_rules) attrs += EE::ApplicationSettingsHelper.merge_request_appovers_rules_attributes diff --git a/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb b/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb index dadbe3bc7f0660307221d8e55717bb643d984453..87034427741d60b2757031e4b4a0b6e1468ed106 100644 --- a/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb +++ b/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb @@ -16,7 +16,7 @@ def show; end private def ensure_feature_is_available! - not_found unless project.licensed_feature_available?(:pre_receive_secret_detection) + not_found unless project.licensed_feature_available?(:secret_push_protection) end def authorize_read_project_security_exclusions! diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb index b857ec8ea9aa9f24aa1726a3f0660bc5c6e7cd9a..91310873022ebd422bbdc35ca26457e6f6d82197 100644 --- a/ee/app/graphql/ee/types/mutation_type.rb +++ b/ee/app/graphql/ee/types/mutation_type.rb 
@@ -197,6 +197,7 @@ def self.authorization_scopes reason: 'CVS has been enabled permanently. See [this ' \ 'epic](https://gitlab.com/groups/gitlab-org/-/epics/11474) for more information' } + mount_mutation ::Mutations::Security::CiConfiguration::SetSecretPushProtection mount_mutation ::Mutations::Security::CiConfiguration::SetPreReceiveSecretDetection mount_mutation ::Mutations::Security::CiConfiguration::SetGroupSecretPushProtection mount_mutation ::Mutations::Security::CiConfiguration::SetContainerScanningForRegistry diff --git a/ee/app/graphql/ee/types/project_type.rb b/ee/app/graphql/ee/types/project_type.rb index 3bd3a6517c58eed796b1d180a5aff988c0ec265c..634c8de3eb285f221687b400c75739c6159d0e37 100644 --- a/ee/app/graphql/ee/types/project_type.rb +++ b/ee/app/graphql/ee/types/project_type.rb @@ -386,7 +386,12 @@ module ProjectType field :pre_receive_secret_detection_enabled, GraphQL::Types::Boolean, null: true, description: 'Indicates whether Secret Push Protection is on or not for the project.', - authorize: :read_pre_receive_secret_detection_info + authorize: :read_secret_push_protection_info + + field :secret_push_protection_enabled, GraphQL::Types::Boolean, + null: true, + description: 'Indicates whether Secret Push Protection is on or not for the project.', + authorize: :read_secret_push_protection_info field :prevent_merge_without_jira_issue_enabled, GraphQL::Types::Boolean, null: false, @@ -577,8 +582,8 @@ def tracking_key object.project_setting.product_analytics_instrumentation_key end - def pre_receive_secret_detection_enabled - object.security_setting.pre_receive_secret_detection_enabled + def secret_push_protection_enabled + object.security_setting.secret_push_protection_enabled end def api_fuzzing_ci_configuration 
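Review bot: The legacy `SetPreReceiveSecretDetection` mutation remains mounted right after the new `SetSecretPushProtection` with no deprecation, while the `reason:` context lines above show the `deprecated:` hash this file uses for a superseded mutation, and the GraphQL reference in this change now documents both mutations with the same text. Without a deprecation the two names stay live indefinitely and clients are not steered to the new one. Following the renamed-field convention visible in the reference (`**Deprecated** ... This was renamed. Use: ...`), something like `mount_mutation ::Mutations::Security::CiConfiguration::SetPreReceiveSecretDetection, deprecated: { reason: :renamed, replacement: 'Mutation.setSecretPushProtection', milestone: '17.9' }` would schedule its removal; verify the exact hash keys against the other deprecations in this file.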
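Review bot: In the `ee/app/graphql/ee/types/project_type.rb` hunk at `def tracking_key`, the resolver method `pre_receive_secret_detection_enabled` is renamed to `secret_push_protection_enabled`, but the earlier hunk keeps the `pre_receive_secret_detection_enabled` field on the type, so that field no longer has a resolver on the type class. Unless `Project` itself responds to `pre_receive_secret_detection_enabled`, which this diff does not show, graphql-ruby will fail to resolve the legacy field at query time. Keep a thin alias next to the new method: `def pre_receive_secret_detection_enabled` / `  secret_push_protection_enabled` / `end`, and mark the legacy field deprecated rather than leaving two identically described fields.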
diff --git a/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb b/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb index fb2191512661ec96142c9ae7690da828a58788ec..72e56e9050ef257259c41117d31c85f967a34de9 100644 --- a/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb +++ b/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb @@ -20,7 +20,7 @@ class SetGroupSecretPushProtection < BaseMutation argument :projects_to_exclude, [GraphQL::Types::Int], required: false, description: 'IDs of projects to exclude from the feature.' - authorize :enable_pre_receive_secret_detection + authorize :enable_secret_push_protection def resolve(namespace_path:, secret_push_protection_enabled:, projects_to_exclude: []) group = authorized_find!(group_path: namespace_path) diff --git a/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb b/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb index 0332a226cd6a3193d39474fb6b8b7802f0d91d23..2a4529fa1967abb844f522da6b59223fc4152322 100644 --- a/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb +++ b/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb @@ -24,11 +24,14 @@ class SetPreReceiveSecretDetection < BaseMutation null: true, description: 'Whether the feature is enabled.' - authorize :enable_pre_receive_secret_detection + field :secret_push_protection_enabled, GraphQL::Types::Boolean, + null: true, + description: 'Whether the feature is enabled.' + + authorize :enable_secret_push_protection def resolve(namespace_path:, enable:) project = authorized_find!(project_path: namespace_path) - response = ::Security::Configuration::SetSecretPushProtectionService .execute(current_user: current_user, project: project, enable: enable) 
diff --git a/ee/app/graphql/mutations/security/ci_configuration/set_secret_push_protection.rb b/ee/app/graphql/mutations/security/ci_configuration/set_secret_push_protection.rb new file mode 100644 index 0000000000000000000000000000000000000000..2b9851850c54765712cf54967cd91c5cb1d11f14 --- /dev/null +++ b/ee/app/graphql/mutations/security/ci_configuration/set_secret_push_protection.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: true + +module Mutations + module Security + module CiConfiguration + class SetSecretPushProtection < BaseMutation + graphql_name 'SetSecretPushProtection' + + include ResolvesProject + + description <<~DESC + Enable/disable secret push protection for the given project. + DESC + + argument :namespace_path, GraphQL::Types::ID, + required: true, + description: 'Full path of the namespace (project).' + + argument :enable, GraphQL::Types::Boolean, + required: true, + description: 'Desired status for secret push protection feature.' + + field :pre_receive_secret_detection_enabled, GraphQL::Types::Boolean, + null: true, + description: 'Whether the feature is enabled.' + + field :secret_push_protection_enabled, GraphQL::Types::Boolean, + null: true, + description: 'Whether the feature is enabled.' + + authorize :enable_secret_push_protection + + def resolve(namespace_path:, enable:) + project = authorized_find!(project_path: namespace_path) + + response = ::Security::Configuration::SetSecretPushProtectionService + .execute(current_user: current_user, project: project, enable: enable) + + { secret_push_protection_enabled: response.payload[:enabled], errors: response.errors } + end + + private + + def find_object(project_path:) + resolve_project(full_path: project_path) + end + end + end + end +end diff --git a/ee/app/helpers/ee/application_settings_helper.rb b/ee/app/helpers/ee/application_settings_helper.rb index 8db630d360465f18bc1c66bf4ab482826255e926..ae000149706a360160a6f734d3d17dfbe729ceed 100644 
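Review bot: `resolve` returns only `secret_push_protection_enabled` and `errors`, so the `pre_receive_secret_detection_enabled` field declared on this new mutation is always null in responses despite being documented as 'Whether the feature is enabled.'. Either drop that field here, since callers of the new name have no reason to read the old one, or fill it from the same payload: `{ secret_push_protection_enabled: response.payload[:enabled], pre_receive_secret_detection_enabled: response.payload[:enabled], errors: response.errors }`. If the legacy field is kept, its description should say it mirrors `secretPushProtectionEnabled` for compatibility so the two identical descriptions stop reading as two distinct settings.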
--- a/ee/app/helpers/ee/application_settings_helper.rb +++ b/ee/app/helpers/ee/application_settings_helper.rb @@ -145,7 +145,7 @@ def self.possible_licensed_attributes updating_name_disabled_for_users maven_package_requests_forwarding npm_package_requests_forwarding - pre_receive_secret_detection_enabled + secret_push_protection_available pypi_package_requests_forwarding maintenance_mode maintenance_mode_message diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb index 50ddaf034aca98f8e3649fa09561028655b76a6d..6bbe52b7b263b23b1cc4939d27cf3f0691759b57 100644 --- a/ee/app/models/ee/application_setting.rb +++ b/ee/app/models/ee/application_setting.rb @@ -274,7 +274,7 @@ module ApplicationSetting numericality: { only_integer: true, greater_than: proc { Devise.allow_unconfirmed_access_for.in_days.to_i } }, if: :email_confirmation_setting_soft? - validates :pre_receive_secret_detection_enabled, + validates :secret_push_protection_available, inclusion: { in: [true, false], message: N_('must be a boolean value') }, if: :gitlab_dedicated_instance diff --git a/ee/app/models/gitlab_subscriptions/features.rb b/ee/app/models/gitlab_subscriptions/features.rb index 3d2bdd5559b440887f1b101e2325b652e72ca01f..2b063996a0e00435b23526f0f7d185a6e0ef9af1 100644 --- a/ee/app/models/gitlab_subscriptions/features.rb +++ b/ee/app/models/gitlab_subscriptions/features.rb @@ -240,7 +240,7 @@ class Features license_scanning okrs personal_access_token_expiration_policy - pre_receive_secret_detection + secret_push_protection product_analytics project_quality_summary project_level_analytics_dashboard diff --git a/ee/app/models/project_security_setting.rb b/ee/app/models/project_security_setting.rb index 3ba279a4e4f2b8f5439c3fa916a807e328dde686..3afe2c610eade0e0b891af1e4068e85fe2823c71 100644 --- a/ee/app/models/project_security_setting.rb +++ b/ee/app/models/project_security_setting.rb 
@@ -7,6 +7,8 @@ class ProjectSecuritySetting < ApplicationRecord scope :for_projects, ->(project_ids) { where(project_id: project_ids) } + ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' + def set_continuous_vulnerability_scans!(enabled:) enabled if update!(continuous_vulnerability_scans_enabled: enabled) end @@ -15,7 +17,7 @@ def set_container_scanning_for_registry!(enabled:) enabled if update!(container_scanning_for_registry_enabled: enabled) end - def set_pre_receive_secret_detection!(enabled:) - enabled if update!(pre_receive_secret_detection_enabled: enabled) + def set_secret_push_protection!(enabled:) + enabled if update!(secret_push_protection_enabled: enabled) end end diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index d88d7393feb2de68a8dda646f5465cc8df48d578..4c8a77b2815537a5885167f64f462779ff09a5f8 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -586,8 +586,8 @@ module GroupPolicy enable :read_security_resource end - rule { pre_receive_secret_detection_available & can?(:admin_security_testing) }.policy do - enable :enable_pre_receive_secret_detection + rule { secret_push_protection_available & can?(:admin_security_testing) }.policy do + enable :enable_secret_push_protection end rule { custom_role_enables_admin_group_member }.policy do 
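Review bot: `ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15'` in the `ProjectSecuritySetting` hunk uses the same milestone as the `rename_column_concurrently` migration on `project_security_settings` in this change, so the ignore is flagged removable while the old column and its sync triggers still exist in that release. It should target the release in which a later cleanup migration drops the column, presumably `remove_with: '17.10'`, consistent with the `remove_with: '17.10'` entries elsewhere in this change. The rest of the class, including any other column ignores, is outside the hunk.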
@@ -878,12 +878,12 @@ module GroupPolicy rule { ~clickhouse_main_database_available }.prevent :read_runner_usage - condition(:pre_receive_secret_detection_available) do - @subject.licensed_feature_available?(:pre_receive_secret_detection) + condition(:secret_push_protection_available) do + @subject.licensed_feature_available?(:secret_push_protection) end - rule { pre_receive_secret_detection_available & can?(:maintainer_access) }.policy do - enable :enable_pre_receive_secret_detection + rule { secret_push_protection_available & can?(:maintainer_access) }.policy do + enable :enable_secret_push_protection end rule { can?(:admin_group) }.policy do diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb index aa37a94b3a353dfdce7aefdfe43d9f7f30be5fb5..7c6221d16340d2e9f7b1f3bf5aed2ef130ceab63 100644 --- a/ee/app/policies/ee/project_policy.rb +++ b/ee/app/policies/ee/project_policy.rb @@ -477,9 +477,9 @@ module ProjectPolicy enable :create_merge_request_from end - rule { pre_receive_secret_detection_available & can?(:admin_security_testing) }.policy do - enable :read_pre_receive_secret_detection_info - enable :enable_pre_receive_secret_detection + rule { secret_push_protection_available & can?(:admin_security_testing) }.policy do + enable :read_secret_push_protection_info + enable :enable_secret_push_protection enable :read_project_security_exclusions end 
@@ -1061,12 +1061,12 @@ module ProjectPolicy enable :update_saved_replies end - condition(:pre_receive_secret_detection_available) do - @subject.licensed_feature_available?(:pre_receive_secret_detection) + condition(:secret_push_protection_available) do + @subject.licensed_feature_available?(:secret_push_protection) end - rule { pre_receive_secret_detection_available & can?(:maintainer_access) }.policy do - enable :enable_pre_receive_secret_detection + rule { secret_push_protection_available & can?(:maintainer_access) }.policy do + enable :enable_secret_push_protection end condition(:container_scanning_for_registry_available) do @@ -1076,8 +1076,8 @@ module ProjectPolicy enable :enable_container_scanning_for_registry end - rule { pre_receive_secret_detection_available & can?(:developer_access) }.policy do - enable :read_pre_receive_secret_detection_info + rule { secret_push_protection_available & can?(:developer_access) }.policy do + enable :read_secret_push_protection_info end condition(:duo_workflow_enabled) do diff --git a/ee/app/presenters/ee/projects/security/configuration_presenter.rb b/ee/app/presenters/ee/projects/security/configuration_presenter.rb index 217f93bad54daa1a7a98d5bef3f3db8beae0eace..be9a0558de78c5f8794a27a0e77d23f8699f5933 100644 --- a/ee/app/presenters/ee/projects/security/configuration_presenter.rb +++ b/ee/app/presenters/ee/projects/security/configuration_presenter.rb @@ -13,9 +13,9 @@ def container_scanning_for_registry_enabled project_settings&.container_scanning_for_registry_enabled end - override :pre_receive_secret_detection_enabled - def pre_receive_secret_detection_enabled - project_settings&.pre_receive_secret_detection_enabled + override :secret_push_protection_enabled + def secret_push_protection_enabled + project_settings&.secret_push_protection_enabled end override :features 
diff --git a/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb b/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb index 929dd21e7c444ec0de9bfbd2d02f634a43e83511..5ad1acbc95d4b6b405e493d1efdf172e5a2af0d3 100644 --- a/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb +++ b/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb @@ -36,8 +36,8 @@ def valid_request? def update_security_setting(project_ids) # rubocop:disable CodeReuse/ActiveRecord -- Specific use-case for this service updated_records = ProjectSecuritySetting.for_projects(project_ids) - .where(pre_receive_secret_detection_enabled: !@enable) - .update_all(pre_receive_secret_detection_enabled: @enable, + .where(secret_push_protection_enabled: !@enable) + .update_all(secret_push_protection_enabled: @enable, updated_at: Time.current) # rubocop:enable CodeReuse/ActiveRecord @@ -49,7 +49,7 @@ def create_missing_security_setting(project_ids) security_setting_attributes = projects_without_security_setting.map do |project| { project_id: project.id, - pre_receive_secret_detection_enabled: @enable, + secret_push_protection_enabled: @enable, updated_at: Time.current } end diff --git a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml deleted file mode 100644 index 839e1522911367db850b3b61cc82913ab356c1b9..0000000000000000000000000000000000000000 --- a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml +++ /dev/null 
@@ -1,10 +0,0 @@ -= gitlab_ui_form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-secret-detection-settings'), html: { class: 'fieldset-form', id: 'secret-detection-settings' } do |f| - = form_errors(@application_setting) - - %fieldset - .form-group.gl-mb-0 - = f.label :pre_receive_secret_detection_enabled, s_('AdminSettings|Secret Push Protection'), class: 'label-bold' - %span.form-text.gl-mt-0.gl-mb-3#pre_receive_secret_detection-help - = _('Prevent secrets such as keys and API tokens from being committed to any repository in this GitLab instance.') - = f.gitlab_ui_checkbox_component :pre_receive_secret_detection_enabled, _('Allow secret push protection'), help_text: _('Allow projects to enable secret push protection. This does not enable secret push protection.'), checkbox_options: { data: { testid: 'secret-push-protection-checkbox' } } - = f.submit _('Save changes'), pajamas_button: true diff --git a/ee/app/views/admin/application_settings/_secret_push_protection.html.haml b/ee/app/views/admin/application_settings/_secret_push_protection.html.haml new file mode 100644 index 0000000000000000000000000000000000000000..250e4dd4ccc027e8f123888d865bfa8bb13ec7fc --- /dev/null +++ b/ee/app/views/admin/application_settings/_secret_push_protection.html.haml 
@@ -0,0 +1,10 @@ += gitlab_ui_form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-secret-detection-settings'), html: { class: 'fieldset-form', id: 'secret-detection-settings' } do |f| + = form_errors(@application_setting) + + %fieldset + .form-group.gl-mb-0 + = f.label :secret_push_protection_available, s_('AdminSettings|Secret Push Protection'), class: 'label-bold' + %span.form-text.gl-mt-0.gl-mb-3#secret_push_protection-help + = _('Prevent secrets such as keys and API tokens from being committed to any repository in this GitLab instance.') + = f.gitlab_ui_checkbox_component :secret_push_protection_available, _('Allow secret push protection'), help_text: _('Allow projects to enable secret push protection. This does not enable secret push protection.'), checkbox_options: { data: { testid: 'secret-push-protection-checkbox' } } + = f.submit _('Save changes'), pajamas_button: true diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index aca12b443b1575330c115ad579da31b18867f6a1..a5e4d22fc3e466c116a6e4cce304bbd52e896243 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml @@ -13,7 +13,7 @@ - c.with_body do = render 'license_compliance' -- if License.feature_available?(:pre_receive_secret_detection) +- if License.feature_available?(:secret_push_protection) = render ::Layouts::SettingsBlockComponent.new(_('Secret Detection'), id: 'js-secret-detection-settings', testid: 'admin-secret-detection-settings', @@ -21,4 +21,4 @@ - c.with_description do = _('Manage secret detection behavior for all projects in your GitLab instance') - c.with_body do - = render 'pre_receive_secret_detection' + = render 'secret_push_protection' 
diff --git a/ee/lib/api/group_security_settings.rb b/ee/lib/api/group_security_settings.rb index 3ad01005ece0dbc891adc188038938da9ebe53fa..30ff6974851dc246c15f334584ce2772ecfe1c77 100644 --- a/ee/lib/api/group_security_settings.rb +++ b/ee/lib/api/group_security_settings.rb @@ -11,7 +11,7 @@ class GroupSecuritySettings < ::API::Base helpers do def check_feature_availability - forbidden! unless ::License.feature_available?(:pre_receive_secret_detection) + forbidden! unless ::License.feature_available?(:secret_push_protection) end end @@ -22,15 +22,16 @@ def check_feature_availability resource :groups, requirements: ::API::API::NAMESPACE_OR_PROJECT_REQUIREMENTS do segment ':id/security_settings' do desc 'Update group security settings' do - detail 'Updates pre_receive_secret_detection_enabled for all projects to the new value' + detail 'Updates secret_push_protection_enabled for all projects to the new value' tags %w[groups] end params do - requires :secret_push_protection_enabled, type: Boolean, desc: 'Whether to enable the feature' + requires :secret_push_protection_enabled, type: Boolean, + desc: 'Whether to enable the feature' optional :projects_to_exclude, type: Array[Integer], desc: 'IDs of projects to exclude from the feature' end put do - unauthorized! unless can?(current_user, :enable_pre_receive_secret_detection, user_group) + unauthorized! unless can?(current_user, :enable_secret_push_protection, user_group) enabled = params[:secret_push_protection_enabled] projects_to_exclude = params[:projects_to_exclude] diff --git a/ee/lib/api/project_security_settings.rb b/ee/lib/api/project_security_settings.rb index bb5c1bd041fd33b26a87236598f74829ce0a25e3..87d1b027108baa2401878cb10305ce0392c97024 100644 --- a/ee/lib/api/project_security_settings.rb +++ b/ee/lib/api/project_security_settings.rb 
@@ -7,7 +7,7 @@ class ProjectSecuritySettings < ::API::Base
helpers do
def check_feature_availability
- forbidden! unless ::License.feature_available?(:pre_receive_secret_detection)
+ forbidden! unless ::License.feature_available?(:secret_push_protection)
end
end
@@ -30,26 +30,34 @@ def check_feature_availability
end
desc 'Update project security settings' do
- detail 'Updates pre_receive_secret_detection_enabled to the new value & returns new project security setting'
+ detail 'Updates secret_push_protection_enabled to the new value & returns new project security setting'
tags %w[projects]
end
params do
- requires :pre_receive_secret_detection_enabled, type: Boolean, desc: 'Enable/disable secret push protection'
+ optional :secret_push_protection_enabled, type: Boolean, desc: 'Enable/disable secret push protection'
+ optional :pre_receive_secret_detection_enabled, type: Boolean, desc: 'Enable/disable secret push protection'
+ at_least_one_of :secret_push_protection_enabled, :pre_receive_secret_detection_enabled
end
put do
unauthorized! unless can?(current_user, :manage_security_settings, user_project)
- enabled = params[:pre_receive_secret_detection_enabled]
+
+ enabled = if params.key?(:secret_push_protection_enabled)
+ params[:secret_push_protection_enabled]
+ else
+ params[:pre_receive_secret_detection_enabled]
+ end
+
audit_context = {
name: 'project_security_setting_updated',
author: current_user,
target: user_project,
scope: user_project,
- message: "User #{current_user.name} updated `pre_receive_secret_detection_enabled` to #{enabled}"
+ message: "User #{current_user.name} updated `secret_push_protection_enabled` to #{enabled}"
}
::Gitlab::Audit::Auditor.audit(audit_context)
security_setting = user_project&.security_setting
- security_setting.set_pre_receive_secret_detection!(enabled: enabled)
+ security_setting.set_secret_push_protection!(enabled: enabled)
present security_setting
end
end
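Review bot: The deprecated `pre_receive_secret_detection_enabled` parameter in the `params` block is described identically to the new one, so the generated API documentation will not tell callers which name is current, and when a request carries both the legacy value is silently ignored by the `params.key?` branch in `put do`. I would mark it `optional :pre_receive_secret_detection_enabled, type: Boolean, desc: 'Deprecated, use secret_push_protection_enabled'` and replace the `at_least_one_of` line with `exactly_one_of :secret_push_protection_enabled, :pre_receive_secret_detection_enabled`, so a request with conflicting values is rejected rather than one of them being dropped. The audit message then keeps reflecting the value that was actually applied, as it already does through `enabled`.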
diff --git a/ee/lib/ee/api/entities/application_setting.rb b/ee/lib/ee/api/entities/application_setting.rb
index 2ac46574a868d45f5224d32b16a4de6b6fd02474..ba4b10a28080baf0459430a3b6304c118ce17657 100644
--- a/ee/lib/ee/api/entities/application_setting.rb
+++ b/ee/lib/ee/api/entities/application_setting.rb
@@ -24,7 +24,10 @@ module ApplicationSetting
expose :updating_name_disabled_for_users, if: ->(_instance, _opts) { ::License.feature_available?(:disable_name_update_for_users) }
expose :maven_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) }
expose :npm_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) }
- expose :pre_receive_secret_detection_enabled, if: ->(_instance, _opts) { ::License.feature_available?(:pre_receive_secret_detection) }
+ expose :secret_push_protection_available, if: ->(_instance, _opts) { ::License.feature_available?(:secret_push_protection) }
+ expose :secret_push_protection_available,
+ if: ->(_instance, _opts) { ::License.feature_available?(:secret_push_protection) },
+ as: :pre_receive_secret_detection_enabled
expose :pypi_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) }
expose :group_owners_can_manage_default_branch_protection, if: ->(_instance, _opts) { ::License.feature_available?(:default_branch_protection_restriction_in_groups) }
expose :maintenance_mode, if: ->(_instance, _opts) { RegistrationFeatures::MaintenanceMode.feature_available? }
diff --git a/ee/lib/ee/api/entities/project.rb b/ee/lib/ee/api/entities/project.rb
index 3578d54d536b1174da1872713f34aee03540fac7..3bc7a648fca2be97d74c54117ba34579c05c2d98 100644
--- a/ee/lib/ee/api/entities/project.rb
+++ b/ee/lib/ee/api/entities/project.rb
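Review bot: The second `expose :secret_push_protection_available, … as: :pre_receive_secret_detection_enabled` is a compatibility alias but carries no deprecation marker, and the same pattern is repeated for `secret_push_protection_enabled` in the `ee/lib/ee/api/entities/project.rb` hunk that follows. A comment on both such as `# Deprecated alias kept for API compatibility; remove together with the pre_receive_secret_detection_enabled parameter in [REMOVAL MILESTONE]` keeps the cleanup from being forgotten once the old name stops being accepted. The alias here also surfaces an instance-level availability flag under a key ending in `_enabled` (the admin form in this diff describes it as "Allow projects to enable secret push protection. This does not enable secret push protection."), so the API documentation for the old key should state that it reports availability, not enablement.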
@@ -38,8 +38,14 @@ def preload_relation(projects_relation, options = {}) expose :security_and_compliance_enabled do |project, options| project.feature_available?(:security_and_compliance, options[:current_user]) end - expose :pre_receive_secret_detection_enabled, documentation: { type: 'boolean' }, if: ->(project, options) { Ability.allowed?(options[:current_user], :read_pre_receive_secret_detection_info, project) } do |project| - project.security_setting&.pre_receive_secret_detection_enabled + expose :secret_push_protection_enabled, documentation: { type: 'boolean' }, if: ->(project, options) { Ability.allowed?(options[:current_user], :read_secret_push_protection_info, project) } do |project| + project.security_setting&.secret_push_protection_enabled + end + expose :secret_push_protection_enabled, + as: :pre_receive_secret_detection_enabled, + documentation: { type: 'boolean' }, + if: ->(project, options) { Ability.allowed?(options[:current_user], :read_secret_push_protection_info, project) } do |project| + project.security_setting&.secret_push_protection_enabled end expose :compliance_frameworks do |project, _| project.compliance_management_frameworks_names diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb index 77a839b2ac89e2add55305f4dbc621616bcb023b..83801da22959ca0f270d9342ead9a831cc2bced0 100644 --- a/ee/lib/gitlab/checks/secrets_check.rb +++ b/ee/lib/gitlab/checks/secrets_check.rb @@ -69,9 +69,9 @@ def validate! # 4. if it is a delete branch/tag operation, as it would require scanning the entire revision history # 5. if options are passed for us to skip the check - return unless project.licensed_feature_available?(:pre_receive_secret_detection) + return unless project.licensed_feature_available?(:secret_push_protection) - return unless run_pre_receive_secret_detection? + return unless run_secret_push_protection? return if includes_full_revision_history? 
@@ -176,9 +176,9 @@ def ruleset ############################## # Project Eligibility Checks - def run_pre_receive_secret_detection? - ::Gitlab::CurrentSettings.current_application_settings.pre_receive_secret_detection_enabled && - project.security_setting&.pre_receive_secret_detection_enabled + def run_secret_push_protection? + ::Gitlab::CurrentSettings.current_application_settings.secret_push_protection_available && + project.security_setting&.secret_push_protection_enabled end def use_secret_detection_service? diff --git a/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb b/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb index b73308bd6f3aefb32c2689720aa5020ba2d0a07a..04f3601f603d5ed16ca6ee614a013eee72db439c 100644 --- a/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb +++ b/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb @@ -8,7 +8,7 @@ class CountProjectsWithSecretPushProtectionEnabledMetric < DatabaseMetric operation :count relation do - ProjectSecuritySetting.where(pre_receive_secret_detection_enabled: true) + ProjectSecuritySetting.where(secret_push_protection_enabled: true) end end end diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb index 6ce9e17a3c3d44114de85a39e97c46f62c17e2b6..85eb1ef35a10bcd98b609d66550b67b630155854 100644 --- a/ee/spec/controllers/admin/application_settings_controller_spec.rb +++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb 
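Review bot: `run_secret_push_protection?` combines two different switches but has no comment saying so, and the new name no longer hints at the pre-receive context in which it runs. I would add above the `def`: `# Two-level gate: the instance admin must make the feature available (secret_push_protection_available) and the project must opt in (secret_push_protection_enabled); a push is only scanned when both hold.` The numbered skip conditions in `validate!` in the earlier hunk of this file already document the other early returns, so this keeps the eligibility checks readable in one place.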
@@ -339,8 +339,8 @@ end context 'with secret detection settings' do - let(:settings) { { pre_receive_secret_detection_enabled: true } } - let(:license_feature) { :pre_receive_secret_detection } + let(:settings) { { secret_push_protection_available: true } } + let(:license_feature) { :secret_push_protection } before do stub_licensed_features(license_feature => true) @@ -348,9 +348,9 @@ it_behaves_like 'settings for licensed features' - it 'updates pre_receive_secret_detection_enabled setting' do + it 'updates secret_push_protection_available setting' do expect { put :update, params: { application_setting: settings } } - .to change { ApplicationSetting.current.reload.attributes['pre_receive_secret_detection_enabled'] } + .to change { ApplicationSetting.current.reload.attributes['secret_push_protection_available'] } end end diff --git a/ee/spec/factories/project_security_settings.rb b/ee/spec/factories/project_security_settings.rb index e32d4a463c7b6cbcf326f90740ee4590b86181c4..9ed8787e6f11d501a4da6e6539a29b30a09be35b 100644 --- a/ee/spec/factories/project_security_settings.rb +++ b/ee/spec/factories/project_security_settings.rb @@ -5,6 +5,6 @@ project { association :project, security_setting: instance } continuous_vulnerability_scans_enabled { false } container_scanning_for_registry_enabled { false } - pre_receive_secret_detection_enabled { false } + secret_push_protection_enabled { false } end end diff --git a/ee/spec/features/projects/security/user_views_security_configuration_spec.rb b/ee/spec/features/projects/security/user_views_security_configuration_spec.rb index 6a63b1e9053a527243815fbf64da6474e6dd8ba5..27970e5cd2ef77eabeff37d8d6e003cb574d7dc5 100644 --- a/ee/spec/features/projects/security/user_views_security_configuration_spec.rb +++ b/ee/spec/features/projects/security/user_views_security_configuration_spec.rb 
@@ -24,7 +24,7 @@ coverage_fuzzing: true, api_fuzzing: true, security_configuration_in_ui: true, - pre_receive_secret_detection: true + secret_push_protection: true ) end @@ -158,7 +158,7 @@ it 'shows secret push protection disabled' do visit_configuration_page - within_pre_receive_secret_detection_card do + within_secret_push_protection_card do expect(page).to have_text('Secret push protection') expect(page).to have_text('Not enabled') @@ -171,13 +171,13 @@ context 'with Secret push protection' do before do - stub_application_setting(pre_receive_secret_detection_enabled: true) + stub_application_setting(secret_push_protection_available: true) end it 'shows secret push protection' do visit_configuration_page - within_pre_receive_secret_detection_card do + within_secret_push_protection_card do expect(page).to have_text('Secret push protection') expect(page).to have_text('Not enabled') @@ -271,7 +271,7 @@ def within_container_scanning_card end end - def within_pre_receive_secret_detection_card + def within_secret_push_protection_card within '[data-testid="security-testing-card"]:nth-of-type(7)' do yield end diff --git a/ee/spec/graphql/types/project_type_spec.rb b/ee/spec/graphql/types/project_type_spec.rb index 4aecd189bfc5c003757e9e071910cbed63b0c96a..1730444e1a6b2f66223d9c088049289253f15c63 100644 --- a/ee/spec/graphql/types/project_type_spec.rb +++ b/ee/spec/graphql/types/project_type_spec.rb @@ -87,10 +87,10 @@ end describe 'secret push protection' do - let_it_be(:security_setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: true) } + let_it_be(:security_setting) { create(:project_security_setting, secret_push_protection_enabled: true) } let_it_be(:project) { security_setting.project } - describe 'pre_receive_secret_detection_enabled' do + describe 'secret_push_protection_enabled' do where(:user_role, :licensed_feature, :expected) do :guest | true | nil :developer | true | true 
@@ -99,7 +99,7 @@
with_them do
before do
- stub_licensed_features(pre_receive_secret_detection: licensed_feature)
+ stub_licensed_features(secret_push_protection: licensed_feature)
project.add_role(user, user_role)
end
@@ -107,7 +107,7 @@
%(
query {
project(fullPath: "#{project.full_path}") {
- preReceiveSecretDetectionEnabled
+ secretPushProtectionEnabled
}
}
)
@@ -115,9 +115,9 @@
subject(:response) { GitlabSchema.execute(query, context: { current_user: user }).as_json }
- it 'returns the expected pre_receive_secret_detection_enabled value' do
- pre_receive_secret_detection_enabled = response.dig('data', 'project', 'preReceiveSecretDetectionEnabled')
- expect(pre_receive_secret_detection_enabled).to eq(expected)
+ it 'returns the expected secret_push_protection_enabled value' do
+ secret_push_protection_enabled = response.dig('data', 'project', 'secretPushProtectionEnabled')
+ expect(secret_push_protection_enabled).to eq(expected)
end
end
end
diff --git a/ee/spec/helpers/ee/application_settings_helper_spec.rb b/ee/spec/helpers/ee/application_settings_helper_spec.rb
index d583559c99ed0042205d87602d471ce2b6d4c084..6c5a6b25a28169110539adbf0b4a9d1ddd75bf5d 100644
--- a/ee/spec/helpers/ee/application_settings_helper_spec.rb
+++ b/ee/spec/helpers/ee/application_settings_helper_spec.rb
@@ -69,9 +69,9 @@
end
describe '.possible_licensed_attributes' do
- it 'contains pre_receive_secret_detection_enabled' do
+ it 'contains secret_push_protection_enabled' do
expect(described_class.possible_licensed_attributes).to include(
- :pre_receive_secret_detection_enabled
+ :secret_push_protection_available
)
end
end
diff --git a/ee/spec/lib/ee/api/entities/project_spec.rb b/ee/spec/lib/ee/api/entities/project_spec.rb
index ea2a119af8b09c01e818770d84d303f9808249fd..13f6cc84c74e3e61f8059b69dbebf0b5868d0313 100644
--- a/ee/spec/lib/ee/api/entities/project_spec.rb
+++ b/ee/spec/lib/ee/api/entities/project_spec.rb
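Review bot: The renamed example in `application_settings_helper_spec.rb` is titled `'contains secret_push_protection_enabled'` but asserts that `possible_licensed_attributes` includes `:secret_push_protection_available`, which is the attribute the helper hunk earlier in this diff actually adds. The title should read `it 'contains secret_push_protection_available' do` so a failure message points at the setting that is really being checked.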
@@ -83,17 +83,17 @@ def mock_available end end - describe 'pre_receive_secret_detection_enabled' do + describe 'secret_push_protection_enabled' do let_it_be(:project) { create(:project) } let(:options) { { current_user: current_user } } before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end shared_examples 'returning nil' do it 'returns nil' do - expect(subject[:pre_receive_secret_detection_enabled]).to be(nil) + expect(subject[:secret_push_protection_enabled]).to be(nil) end end @@ -102,7 +102,7 @@ def mock_available let(:current_user) { developer } before do - stub_licensed_features(pre_receive_secret_detection: false) + stub_licensed_features(secret_push_protection: false) end it_behaves_like 'returning nil' @@ -119,7 +119,7 @@ def mock_available let(:current_user) { developer } it 'returns a boolean' do - expect(subject[:pre_receive_secret_detection_enabled]).to be_in([true, false]) + expect(subject[:secret_push_protection_enabled]).to be_in([true, false]) end end end diff --git a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb index 3acc720dc0f6a5f3c0f4d1cfbc419e685635afaa..9fcf993088039522e0f855f66778d1c5018c0fa3 100644 --- a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb +++ b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb @@ -10,7 +10,7 @@ describe '#validate!' do context 'when application setting is disabled' do before do - Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: false) + Gitlab::CurrentSettings.update!(secret_push_protection_available: false) end it_behaves_like 'skips the push check' 
@@ -18,12 +18,12 @@ context 'when application setting is enabled' do before do - Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: true) + Gitlab::CurrentSettings.update!(secret_push_protection_available: true) end context 'when project setting is disabled' do before do - project.security_setting.update!(pre_receive_secret_detection_enabled: false) + project.security_setting.update!(secret_push_protection_enabled: false) end it_behaves_like 'skips the push check' @@ -31,7 +31,7 @@ context 'when project setting is enabled' do before do - project.security_setting.update!(pre_receive_secret_detection_enabled: true) + project.security_setting.update!(secret_push_protection_enabled: true) end context 'when license is not ultimate' do @@ -40,7 +40,7 @@ context 'when license is ultimate' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end context 'when SDS should be called (on SaaS)' do diff --git a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb index 1808574e1f4a7eceee592011a8ae69810032331c..b2f9057709294913d3e471120c64d939e5f708f0 100644 --- a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb +++ b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb @@ -7,7 +7,7 @@ before do 3.times do - create(:project).security_setting.update!(pre_receive_secret_detection_enabled: true) + create(:project).security_setting.update!(secret_push_protection_enabled: true) end create(:project) end 
diff --git a/ee/spec/models/project_security_setting_spec.rb b/ee/spec/models/project_security_setting_spec.rb index d7dc0b0ba449422d2e8d7ad7e858c96119d41ea5..23d48facb725ef9bb247b39ec5cc3fc6a16e7999 100644 --- a/ee/spec/models/project_security_setting_spec.rb +++ b/ee/spec/models/project_security_setting_spec.rb @@ -47,7 +47,7 @@ end end - describe '#set_pre_receive_secret_detection' do + describe '#set_secret_push_protection' do where(:value_before, :enabled, :value_after) do true | false | false true | true | true @@ -56,11 +56,11 @@ end with_them do - let(:setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: value_before) } + let(:setting) { create(:project_security_setting, secret_push_protection_enabled: value_before) } it 'updates the attribute and returns the new value' do - expect(setting.set_pre_receive_secret_detection!(enabled: enabled)).to eq(value_after) - expect(setting.reload.pre_receive_secret_detection_enabled).to eq(value_after) + expect(setting.set_secret_push_protection!(enabled: enabled)).to eq(value_after) + expect(setting.reload.secret_push_protection_enabled).to eq(value_after) end end end diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index ce737440e5976d3fc94ec07037e1c75e45dfc91c..03e692f861a8ed43e9bd6a850250d82771be86b0 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb @@ -3960,7 +3960,7 @@ def create_member_role(member, abilities = member_role_abilities) let(:member_role_abilities) { { admin_security_testing: true } } let(:licensed_features) do { security_dashboard: true, - pre_receive_secret_detection: true, + secret_push_protection: true, group_level_compliance_dashboard: true } end 
@@ -3970,7 +3970,7 @@ def create_member_role(member, abilities = member_role_abilities) :read_security_configuration, :read_group_security_dashboard, :read_security_resource, - :enable_pre_receive_secret_detection + :enable_secret_push_protection ] end @@ -4358,21 +4358,21 @@ def create_member_role(member, abilities = member_role_abilities) end end - describe 'enable_pre_receive_secret_detection' do + describe 'enable_secret_push_protection' do using RSpec::Parameterized::TableSyntax where(:current_user, :licensed, :match_expected_result) do - ref(:owner) | true | be_allowed(:enable_pre_receive_secret_detection) - ref(:maintainer) | true | be_allowed(:enable_pre_receive_secret_detection) - ref(:developer) | true | be_disallowed(:enable_pre_receive_secret_detection) - ref(:owner) | false | be_disallowed(:enable_pre_receive_secret_detection) - ref(:maintainer) | false | be_disallowed(:enable_pre_receive_secret_detection) - ref(:developer) | false | be_disallowed(:enable_pre_receive_secret_detection) + ref(:owner) | true | be_allowed(:enable_secret_push_protection) + ref(:maintainer) | true | be_allowed(:enable_secret_push_protection) + ref(:developer) | true | be_disallowed(:enable_secret_push_protection) + ref(:owner) | false | be_disallowed(:enable_secret_push_protection) + ref(:maintainer) | false | be_disallowed(:enable_secret_push_protection) + ref(:developer) | false | be_disallowed(:enable_secret_push_protection) end with_them do before do - stub_licensed_features(pre_receive_secret_detection: licensed) + stub_licensed_features(secret_push_protection: licensed) end it { is_expected.to match_expected_result } @@ -4381,7 +4381,7 @@ def create_member_role(member, abilities = member_role_abilities) describe 'when the group does not have the correct license' do let(:current_user) { owner } - it { is_expected.to be_disallowed(:enable_pre_receive_secret_detection) } + it { is_expected.to be_disallowed(:enable_secret_push_protection) } end end 
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb index 3d34a18de580073518068361a72068c489668730..b03db9e6664a36b21375eeb1266f8024c00c5de5 100644 --- a/ee/spec/policies/project_policy_spec.rb +++ b/ee/spec/policies/project_policy_spec.rb @@ -3120,7 +3120,7 @@ def create_member_role(member, abilities = member_role_abilities) security_scans_api: true, security_on_demand_scans: true, coverage_fuzzing: true, - pre_receive_secret_detection: true, + secret_push_protection: true, container_scanning_for_registry: true, project_level_compliance_dashboard: true } end @@ -3133,7 +3133,7 @@ def create_member_role(member, abilities = member_role_abilities) :read_on_demand_dast_scan, :create_on_demand_dast_scan, :edit_on_demand_dast_scan, - :enable_pre_receive_secret_detection, + :enable_secret_push_protection, :read_project_security_dashboard, :read_project_security_exclusions, :read_coverage_fuzzing, @@ -3146,7 +3146,7 @@ def create_member_role(member, abilities = member_role_abilities) :read_merge_request, :download_code, :read_project_runners, - :read_pre_receive_secret_detection_info + :read_secret_push_protection_info ] end 
@@ -4364,19 +4364,19 @@ def create_member_role(member, abilities = member_role_abilities) end end - describe 'enable_pre_receive_secret_detection' do + describe 'enable_secret_push_protection' do where(:current_user, :licensed, :match_expected_result) do - ref(:owner) | true | be_allowed(:enable_pre_receive_secret_detection) - ref(:maintainer) | true | be_allowed(:enable_pre_receive_secret_detection) - ref(:developer) | true | be_disallowed(:enable_pre_receive_secret_detection) - ref(:owner) | false | be_disallowed(:enable_pre_receive_secret_detection) - ref(:maintainer) | false | be_disallowed(:enable_pre_receive_secret_detection) - ref(:developer) | false | be_disallowed(:enable_pre_receive_secret_detection) + ref(:owner) | true | be_allowed(:enable_secret_push_protection) + ref(:maintainer) | true | be_allowed(:enable_secret_push_protection) + ref(:developer) | true | be_disallowed(:enable_secret_push_protection) + ref(:owner) | false | be_disallowed(:enable_secret_push_protection) + ref(:maintainer) | false | be_disallowed(:enable_secret_push_protection) + ref(:developer) | false | be_disallowed(:enable_secret_push_protection) end with_them do before do - stub_licensed_features(pre_receive_secret_detection: licensed) + stub_licensed_features(secret_push_protection: licensed) end it { is_expected.to match_expected_result } @@ -4385,7 +4385,7 @@ def create_member_role(member, abilities = member_role_abilities) describe 'when the project does not have the correct license' do let(:current_user) { owner } - it { is_expected.to be_disallowed(:enable_pre_receive_secret_detection) } + it { is_expected.to be_disallowed(:enable_secret_push_protection) } end end 
@@ -4470,19 +4470,19 @@ def create_member_role(member, abilities = member_role_abilities) end end - describe 'read_pre_receive_secret_detection_info' do + describe 'read_secret_push_protection_info' do where(:current_user, :match_expected_result) do - ref(:owner) | be_allowed(:read_pre_receive_secret_detection_info) - ref(:maintainer) | be_allowed(:read_pre_receive_secret_detection_info) - ref(:developer) | be_allowed(:read_pre_receive_secret_detection_info) - ref(:planner) | be_disallowed(:read_pre_receive_secret_detection_info) - ref(:guest) | be_disallowed(:read_pre_receive_secret_detection_info) - ref(:non_member) | be_disallowed(:read_pre_receive_secret_detection_info) + ref(:owner) | be_allowed(:read_secret_push_protection_info) + ref(:maintainer) | be_allowed(:read_secret_push_protection_info) + ref(:developer) | be_allowed(:read_secret_push_protection_info) + ref(:planner) | be_disallowed(:read_secret_push_protection_info) + ref(:guest) | be_disallowed(:read_secret_push_protection_info) + ref(:non_member) | be_disallowed(:read_secret_push_protection_info) end with_them do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end it { is_expected.to match_expected_result } 
@@ -4664,4 +4664,23 @@ def create_member_role(member, abilities = member_role_abilities) end end end + + describe 'read_secret_push_protection_info' do + where(:current_user, :match_expected_result) do + ref(:owner) | be_allowed(:read_secret_push_protection_info) + ref(:maintainer) | be_allowed(:read_secret_push_protection_info) + ref(:developer) | be_allowed(:read_secret_push_protection_info) + ref(:planner) | be_disallowed(:read_secret_push_protection_info) + ref(:guest) | be_disallowed(:read_secret_push_protection_info) + ref(:non_member) | be_disallowed(:read_secret_push_protection_info) + end + + with_them do + before do + stub_licensed_features(secret_push_protection: true) + end + + it { is_expected.to match_expected_result } + end + end end diff --git a/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb b/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb index f5aa7d79d0b640b7ab6b2c203a593b803ffda663..bec537086310521e939bb9a96a274c52ea81e5ea 100644 --- a/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb +++ b/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb @@ -22,8 +22,8 @@ expect(result[:container_scanning_for_registry_enabled]).to eq(false) end - it 'includes a default value for pre_receive_secret_detection_enabled' do - expect(result[:pre_receive_secret_detection_enabled]).to eq(false) + it 'includes a default value for secret_push_protection_enabled' do + expect(result[:secret_push_protection_enabled]).to eq(false) end end diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb index 33ac8d05f559334839d39e7b351d7ae0688e5bae..7ca37ea31bf5428d193690e4bfede9cf12d521b6 100644 --- a/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb 
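Review bot: The `describe 'read_secret_push_protection_info'` block appended at the end of the file in the @@ -4664 hunk is byte-for-byte the same as the block renamed in the @@ -4470 hunk just above it (same `where` table, same `stub_licensed_features(secret_push_protection: true)`, same `it { is_expected.to match_expected_result }`), so it adds six parameterized examples without adding any coverage. Unless the earlier block sits inside a narrower context that this copy is meant to escape, the added block should be dropped; if a different scope or license state was intended, its table needs to say so. Duplicate example groups with identical descriptions also make failure output ambiguous, since both report the same description.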
+++ b/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb @@ -27,7 +27,7 @@ context 'with group' do before do allow(::Security::Configuration::SetGroupSecretPushProtectionWorker).to receive(:perform_async) - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end # user is not a member of the group at all, so they're got an unauthorized error diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb similarity index 68% rename from ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb rename to ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb index 21b294fe1ee35a9ceaa808336fba75484a6bc45c..709500a0ac9c1f3d9397a1ee88e20b76643e9e21 100644 --- a/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb @@ -2,13 +2,13 @@ require 'spec_helper' -RSpec.describe 'Setting Project Pre Receive Secret Detection', feature_category: :secret_detection do +RSpec.describe 'Setting Project Secret Push Protection', feature_category: :secret_detection do using RSpec::Parameterized::TableSyntax include GraphqlHelpers let(:current_user) { create(:user) } - let(:security_setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: value_before) } - let(:mutation_name) { :set_pre_receive_secret_detection } + let(:security_setting) { create(:project_security_setting, secret_push_protection_enabled: value_before) } + let(:mutation_name) { :set_secret_push_protection } let(:value_before) { false } let(:enable) { true } 
@@ -25,16 +25,16 @@ before do stub_licensed_features( - pre_receive_secret_detection: true + secret_push_protection: true ) end context 'when the user does not have permission' do it_behaves_like 'a mutation that returns a top-level access error' - it 'does not enable pre receive secret detection' do + it 'does not enable secret push protection' do expect { post_graphql_mutation(mutation, current_user: current_user) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end @@ -55,23 +55,23 @@ post_graphql_mutation(mutation, current_user: current_user) response = graphql_mutation_response(mutation_name) - expect(response).to include({ 'preReceiveSecretDetectionEnabled' => value_after, 'errors' => [] }) + expect(response).to include({ 'secretPushProtectionEnabled' => value_after, 'errors' => [] }) - expect(security_setting.reload.pre_receive_secret_detection_enabled).to eq(value_after) + expect(security_setting.reload.secret_push_protection_enabled).to eq(value_after) end end end context 'when Secret Push Protection is not available for the project' do before do - stub_licensed_features(pre_receive_secret_detection: false) + stub_licensed_features(secret_push_protection: false) end it_behaves_like 'a mutation that returns a top-level access error' - it 'does not enable pre receive secret detection' do + it 'does not enable secret push protection' do expect { post_graphql_mutation(mutation, current_user: current_user) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end end 
@@ -89,9 +89,9 @@ context 'when the user does not have permission' do it_behaves_like 'a mutation that returns a top-level access error' - it 'does not enable pre receive secret detection' do + it 'does not enable secret push protection' do expect { post_graphql_mutation(mutation, current_user: current_user) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end @@ -99,7 +99,7 @@ before do group.add_maintainer(current_user) stub_licensed_features( - pre_receive_secret_detection: true + secret_push_protection: true ) end diff --git a/ee/spec/requests/api/group_security_settings_spec.rb b/ee/spec/requests/api/group_security_settings_spec.rb index bef9faa0816271e7ae55a12db79068a6ecfc18cc..f1d7914fe3c2e828035f0649a3b47ba398a4ae46 100644 --- a/ee/spec/requests/api/group_security_settings_spec.rb +++ b/ee/spec/requests/api/group_security_settings_spec.rb @@ -20,7 +20,7 @@ context 'when user is authenticated' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) allow(::Security::Configuration::SetGroupSecretPushProtectionWorker).to receive(:perform_async) end diff --git a/ee/spec/requests/api/project_security_settings_spec.rb b/ee/spec/requests/api/project_security_settings_spec.rb index 739df49fd589b8a12b65822b74276e85196d55d7..80ccf1d8f6c384fb0c4822a51b9ee7c4c85db015 100644 --- a/ee/spec/requests/api/project_security_settings_spec.rb +++ b/ee/spec/requests/api/project_security_settings_spec.rb @@ -20,7 +20,7 @@ context 'when user is authenticated' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end it 'returns project security settings when the user has at least the Developer role' do 
@@ -59,20 +59,33 @@ context 'when user is authenticated' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end - it 'updates project security settings for users with Maintainer role' do - project.add_maintainer(user) - put api(url, user), params: { pre_receive_secret_detection_enabled: true } + context 'when the user is a Maintainer' do + before do + project.add_maintainer(user) + end - expect(response).to have_gitlab_http_status(:ok) - expect(json_response['pre_receive_secret_detection_enabled']).to be(true) + it 'updates project security settings using the secret_push_protection_enabled param' do + put api(url, user), params: { secret_push_protection_enabled: true } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['secret_push_protection_enabled']).to be(true) + end + + it 'updates project security settings using the pre_receive_secret_detection_enabled param' do + project.add_maintainer(user) + put api(url, user), params: { pre_receive_secret_detection_enabled: true } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['secret_push_protection_enabled']).to be(true) + end end it 'returns 401 Unauthorized for users with Developer role' do project.add_developer(user) - put api(url, user), params: { pre_receive_secret_detection_enabled: true } + put api(url, user), params: { secret_push_protection_enabled: true } expect(response).to have_gitlab_http_status(:unauthorized) end diff --git a/ee/spec/requests/api/settings_spec.rb b/ee/spec/requests/api/settings_spec.rb index c0cb2cd5430ce8f990d49da4b02d8cc78e2170b3..24c73217e1acb27fdba59e52cdd1c14b84c25749 100644 --- a/ee/spec/requests/api/settings_spec.rb +++ b/ee/spec/requests/api/settings_spec.rb 
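Review bot: In the @@ -59 hunk the second example (`'updates project security settings using the pre_receive_secret_detection_enabled param'`) still calls `project.add_maintainer(user)` although the new `context 'when the user is a Maintainer'` moves that call into a `before` block; the inline call is now redundant and should be removed so both examples share one setup. Since this example is the only place documenting that the old parameter remains accepted, a one-line comment such as `# legacy param name, kept as an alias for secret_push_protection_enabled` would stop the next rename from treating it as dead coverage. The Developer-role example below only sends the new parameter; if the legacy alias is meant to stay writable, asserting that it is also rejected for a Developer would confirm the alias follows the same authorization path as the new name.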
@@ -356,9 +356,9 @@ it_behaves_like 'settings for licensed features' end - context 'pre_receive_secret_detection_enabled' do - let(:settings) { { pre_receive_secret_detection_enabled: true } } - let(:feature) { :pre_receive_secret_detection } + context 'secret_push_protection_enabled' do + let(:settings) { { secret_push_protection_available: true } } + let(:feature) { :secret_push_protection } it_behaves_like 'settings for licensed features' end diff --git a/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb b/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb index 9172925f6f8e1da477570912b5c17970d9c6ec88..eb3cf68a5768be073f59bd09202aefc888d28dc5 100644 --- a/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb +++ b/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb @@ -16,7 +16,7 @@ security_dashboard: true, security_on_demand_scans: true, security_scans_api: true, - pre_receive_secret_detection: true, + secret_push_protection: true, container_scanning_for_registry: true, coverage_fuzzing: true) stub_feature_flags(custom_ability_admin_security_testing: true) diff --git a/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb b/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb index e6edc23f612c904f80dac9f50c1915cb11437e28..13dbcc4e3fcf39c3bd2f8a67628236760d0fe646 100644 --- a/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb +++ b/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb @@ -10,7 +10,7 @@ describe 'GET #show' do before do - stub_licensed_features(security_dashboard: true, pre_receive_secret_detection: true) + stub_licensed_features(security_dashboard: true, secret_push_protection: true) login_as(user) end 
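Review bot: In the @@ -356 hunk the context is renamed to `'secret_push_protection_enabled'` but the setting it exercises becomes `secret_push_protection_available`, so the label no longer names the key under test; it should read `context 'secret_push_protection_available' do`. This hunk is not a pure rename like the rest of the commit — the application-setting key changes from `_enabled` to `_available` — so a sentence in the commit description explaining that semantic change would help reviewers of the other files that carry the same key.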
@@ -43,7 +43,7 @@ context 'when feature is not available' do context "when license doesn't support the feature" do before do - stub_licensed_features(pre_receive_secret_detection: false) + stub_licensed_features(secret_push_protection: false) end before_all do diff --git a/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb b/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb index aa421aa84386b9611d9714270b1e1fbca264905a..dc2715f589cf01a4ca2b4db87a8652f3eda326cb 100644 --- a/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb +++ b/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb @@ -30,12 +30,12 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro security_setting = project.security_setting boolean_values.each do |enable_value| - expect { execute_service(subject: top_level_group, enable: enable_value, excluded_projects_ids: nil) } - .to change { security_setting.reload.pre_receive_secret_detection_enabled } - .from(!enable_value).to(enable_value) + expect { execute_service(subject: top_level_group, enable: enable_value) }.to change { + security_setting.reload.secret_push_protection_enabled + }.from(!enable_value).to(enable_value) expect { execute_service(subject: top_level_group, enable: enable_value) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end end 
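Review bot: In the @@ -30 hunk of set_group_secret_push_protection_service_spec.rb the first `execute_service` call drops `excluded_projects_ids: nil` and therefore falls back to the helper's default (`[excluded_project.id]` per the hunk header), so the spec no longer exercises a nil exclusion list at all. If the service is expected to treat nil as "exclude nothing", keep one call as `execute_service(subject: top_level_group, enable: enable_value, excluded_projects_ids: nil)` so that path stays covered; if the argument was removed deliberately, a short comment saying why would avoid the question on the next read. The enclosing `it` block starts outside the hunk.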
@@ -49,17 +49,17 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro it 'doesnt change the attribute for projects in excluded list' do security_setting = excluded_project.security_setting expect { execute_service(subject: top_level_group) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } expect { execute_service(subject: mid_level_group, enable: false) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } end it 'rolls back changes when an error occurs' do initial_values = projects_to_change.map do |project| - project.security_setting.pre_receive_secret_detection_enabled + project.security_setting.secret_push_protection_enabled end call_counter = 0 @@ -78,7 +78,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro projects_to_change.each_with_index do |project, index| project.reload - expect(project.security_setting.pre_receive_secret_detection_enabled).to eq(initial_values[index]) + expect(project.security_setting.secret_push_protection_enabled).to eq(initial_values[index]) end end @@ -141,7 +141,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro bottom_level_group_project.reload.security_setting }.from(nil).to(be_a(ProjectSecuritySetting)) - expect(bottom_level_group_project.reload.security_setting.pre_receive_secret_detection_enabled) + expect(bottom_level_group_project.reload.security_setting.secret_push_protection_enabled) .to be(true) expect(AuditEvent.last.details[:custom_message]).to eq( "Secret push protection has been enabled for group #{bottom_level_group.name} and all of its inherited \ 
@@ -153,7 +153,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro context 'when arguments are invalid' do it 'does not change the attribute' do expect { execute_service(subject: top_level_group, enable: nil) } - .not_to change { top_level_group_project.reload.security_setting.pre_receive_secret_detection_enabled } + .not_to change { top_level_group_project.reload.security_setting.secret_push_protection_enabled } end end end diff --git a/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb b/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb index 2047f9602bf6319253e06b8e57a22856dedb8d35..30055e5e98d52372b8d0ff9e0dda33a567269b11 100644 --- a/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb +++ b/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb @@ -19,19 +19,19 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro it 'changes the attribute' do security_setting = project_2.security_setting expect { execute_service(subject: project_2) }.to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled }.from(false).to(true) expect { execute_service(subject: project_2) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } expect { execute_service(subject: project_2, enable: false) }.to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled }.from(true).to(false) expect { execute_service(subject: project_2, enable: false) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } end 
@@ -81,7 +81,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro .to change { project_without_security_setting.reload.security_setting } .from(nil).to(be_a(ProjectSecuritySetting)) - expect(project_without_security_setting.reload.security_setting.pre_receive_secret_detection_enabled) + expect(project_without_security_setting.reload.security_setting.secret_push_protection_enabled) .to be(true) expect(AuditEvent.last.details[:custom_message]).to eq("Secret push protection has been enabled") @@ -92,7 +92,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro context 'when arguments are invalid' do it 'does not change the attribute' do expect { execute_service(subject: project_2, enable: nil) } - .not_to change { project_2.reload.security_setting.pre_receive_secret_detection_enabled } + .not_to change { project_2.reload.security_setting.secret_push_protection_enabled } end end end diff --git a/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb b/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb index cba77e9541a000d5f68cd55f13beabc3c74daa13..735be582e10b602a2ecbd83d06e97a4a4f584011 100644 --- a/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb +++ b/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb @@ -13,7 +13,7 @@ allow(service).to receive_messages(valid_request?: true, subject_project_ids: [project_1.id], audit: nil) expect { service.execute }.to change { - project_1.security_setting.reload.pre_receive_secret_detection_enabled + project_1.security_setting.reload.secret_push_protection_enabled }.from(false).to(true) expect(service.execute).to be(true) end 
@@ -24,7 +24,7 @@ allow(service).to receive_messages(valid_request?: false, subject_project_ids: [project_1.id], audit: nil) expect { service.execute }.not_to change { - project_1.security_setting.reload.pre_receive_secret_detection_enabled + project_1.security_setting.reload.secret_push_protection_enabled } expect(service.execute).to be_nil end diff --git a/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb b/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb index c79b71825d48bd63a0eeffc7d5821980c5d85255..8466974ef5d516e111cdcbda2d1cc158452229d4 100644 --- a/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb +++ b/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Security::Configuration::SetSecretPushProtectionService, feature_category: :secret_detection do describe '#execute' do - let_it_be(:security_setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: false) } + let_it_be(:security_setting) { create(:project_security_setting, secret_push_protection_enabled: false) } let_it_be(:current_user) { create(:user, :admin) } let_it_be(:project) { security_setting.project } 
@@ -17,15 +17,15 @@ it 'changes the attribute' do expect { described_class.execute(current_user: current_user, project: project, enable: true) } - .to change { security_setting.reload.pre_receive_secret_detection_enabled } + .to change { security_setting.reload.secret_push_protection_enabled } .from(false).to(true) expect { described_class.execute(current_user: current_user, project: project, enable: true) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } expect { described_class.execute(current_user: current_user, project: project, enable: false) } - .to change { security_setting.reload.pre_receive_secret_detection_enabled } + .to change { security_setting.reload.secret_push_protection_enabled } .from(true).to(false) expect { described_class.execute(current_user: current_user, project: project, enable: false) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end context 'when security_setting record does not yet exist' do @@ -51,7 +51,7 @@ end context 'when attribute changes from true to false' do - let(:security_setting2) { create(:project_security_setting, pre_receive_secret_detection_enabled: true) } + let(:security_setting2) { create(:project_security_setting, secret_push_protection_enabled: true) } let(:project2) { security_setting2.project } it 'creates an audit event with the correct message' do @@ -70,7 +70,7 @@ it 'does not change the attribute' do expect { described_class.execute(current_user: current_user, project: project, enable: nil) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end end 
diff --git a/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb b/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb index c0d327eb87359aad653eb94f11ef31f0d8925f5f..76b2f79d8b3da9d845f52550efc6cca2a3888894 100644 --- a/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb +++ b/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb @@ -14,10 +14,10 @@ assign(:application_setting, app_settings) allow(view).to receive(:current_user).and_return(user) - stub_licensed_features(pre_receive_secret_detection: feature_available) + stub_licensed_features(secret_push_protection: feature_available) end - shared_examples 'renders pre receive secret detection setting' do + shared_examples 'renders secret push protection setting' do it do render @@ -25,7 +25,7 @@ end end - shared_examples 'does not render pre receive secret detection setting' do + shared_examples 'does not render secret push protection setting' do it do render @@ -36,12 +36,12 @@ describe 'feature available' do let(:feature_available) { true } - it_behaves_like 'renders pre receive secret detection setting' + it_behaves_like 'renders secret push protection setting' end describe 'feature not available' do let(:feature_available) { false } - it_behaves_like 'does not render pre receive secret detection setting' + it_behaves_like 'does not render secret push protection setting' end end diff --git a/lib/gitlab/security/features.rb b/lib/gitlab/security/features.rb index 32abe9acbc7b19b4bd65bbf776a685e4add90f2f..a623dcfba5cb40cf3b0a2e7da621be56e1535c9c 100644 --- a/lib/gitlab/security/features.rb +++ b/lib/gitlab/security/features.rb 
@@ -87,14 +87,14 @@ def self.data 'user/application_security/container_scanning/index.md', anchor: 'container-scanning-for-registry'), type: 'container_scanning_for_registry' }, - pre_receive_secret_detection: { + secret_push_protection: { name: _('Secret push protection'), description: _('Block secrets such as keys and API tokens from being pushed to your repositories. ' \ 'Secret push protection is triggered when commits are pushed to a repository. ' \ 'If any secrets are detected, the push is blocked.'), help_path: Gitlab::Routing.url_helpers.help_page_path( 'user/application_security/secret_detection/secret_push_protection/index.md'), - type: 'pre_receive_secret_detection' + type: 'secret_push_protection' }, secret_detection: { name: _('Pipeline Secret Detection'), diff --git a/qa/qa/ee/page/admin/settings/securityandcompliance.rb b/qa/qa/ee/page/admin/settings/securityandcompliance.rb index 2756a4a8b7aa8ae350f65a34efe90f170a15d896..e7bebd97136ca16627798317db749cadffeba3d2 100644 --- a/qa/qa/ee/page/admin/settings/securityandcompliance.rb +++ b/qa/qa/ee/page/admin/settings/securityandcompliance.rb @@ -16,7 +16,7 @@ class Securityandcompliance < QA::Page::Base element 'save-package-registry-button' end - view 'ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml' do + view 'ee/app/views/admin/application_settings/_secret_push_protection.html.haml' do element 'secret-push-protection-checkbox' end diff --git a/qa/qa/page/project/secure/configuration_form.rb b/qa/qa/page/project/secure/configuration_form.rb index 762b4566641503c92c8344000a0567a6075f5e1d..6fa0f921df5ea7878a2a382d886a900b6b258a81 100644 --- a/qa/qa/page/project/secure/configuration_form.rb +++ b/qa/qa/page/project/secure/configuration_form.rb 
@@ -59,11 +59,11 @@ def has_false_dependency_scanning_status? end def has_true_secret_detection_status? - has_element?('feature-status', feature: 'pre_receive_secret_detection_true_status') + has_element?('feature-status', feature: 'secret_push_protection_true_status') end def has_false_secret_detection_status? - has_element?('feature-status', feature: 'pre_receive_secret_detection_false_status') + has_element?('feature-status', feature: 'secret_push_protection_false_status') end def has_auto_devops_container? diff --git a/scripts/cells/application-settings-analysis.rb b/scripts/cells/application-settings-analysis.rb index 7b82bd7073cc8760117dee368b0209c10fb1714a..5b1562af8b12cfcc8897a5bb4c1ff72fef0576e5 100755 --- a/scripts/cells/application-settings-analysis.rb +++ b/scripts/cells/application-settings-analysis.rb @@ -182,7 +182,7 @@ class ApplicationSetting < ApplicationSettingPrototype pipeline_limit_per_project_user_sha plantuml_enabled plantuml_url - pre_receive_secret_detection_enabled + secret_push_protection_available product_analytics_data_collector_host product_analytics_enabled productivity_analytics_start_date diff --git a/spec/frontend/security_configuration/components/app_spec.js b/spec/frontend/security_configuration/components/app_spec.js index 1df91e09c7bd9df34025256af831c24f8f6516cc..7f8fef23127f99fd7ed06b17066a5cff457c31e7 100644 --- a/spec/frontend/security_configuration/components/app_spec.js +++ b/spec/frontend/security_configuration/components/app_spec.js 
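Review bot: In the @@ -182 hunk of scripts/cells/application-settings-analysis.rb the renamed entry `secret_push_protection_available` is left in the slot of `pre_receive_secret_detection_enabled`, between `plantuml_url` and `product_analytics_data_collector_host`; the neighbouring entries appear to be alphabetical, so the new name should move to its sorted position among the other `s…` settings. I cannot tell from the hunk whether the script compares this list against the schema or another sorted source, but if it does, an out-of-order entry is the kind of mismatch that is easy to miss later.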
@@ -11,9 +11,9 @@ import AutoDevopsAlert from '~/security_configuration/components/auto_dev_ops_al import AutoDevopsEnabledAlert from '~/security_configuration/components/auto_dev_ops_enabled_alert.vue'; import { AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY } from '~/security_configuration/constants'; import FeatureCard from '~/security_configuration/components/feature_card.vue'; -import PreReceiveSecretDetectionFeatureCard from '~/security_configuration/components/pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue'; import TrainingProviderList from '~/security_configuration/components/training_provider_list.vue'; -import { securityFeaturesMock, provideMock, preReceiveSecretDetectionMock } from '../mock_data'; +import { securityFeaturesMock, provideMock, secretPushProtectionMock } from '../mock_data'; const gitlabCiHistoryPath = 'test/historyPath'; const { vulnerabilityTrainingDocsPath, projectFullPath } = provideMock; @@ -58,8 +58,7 @@ describe('~/security_configuration/components/app', () => { const findGlTabs = () => wrapper.findComponent(GlTabs); const findByTestId = (id) => wrapper.findByTestId(id); const findFeatureCards = () => wrapper.findAllComponents(FeatureCard); - const findPreReceiveSecretDetection = () => - wrapper.findComponent(PreReceiveSecretDetectionFeatureCard); + const findSecretPushProtection = () => wrapper.findComponent(SecretPushProtectionFeatureCard); const findTrainingProviderList = () => wrapper.findComponent(TrainingProviderList); const findManageViaMRErrorAlert = () => wrapper.findByTestId('manage-via-mr-error-alert'); const findLink = ({ href, text, container = wrapper }) => { 
@@ -285,10 +284,10 @@ describe('~/security_configuration/components/app', () => { }); }); - describe('With pre receive secret detection', () => { + describe('With secret push protection', () => { beforeEach(() => { createComponent({ - augmentedSecurityFeatures: [preReceiveSecretDetectionMock], + augmentedSecurityFeatures: [secretPushProtectionMock], }); }); @@ -296,10 +295,8 @@ describe('~/security_configuration/components/app', () => { expect(findFeatureCards().length).toBe(0); }); it('renders component with correct props', () => { - expect(findPreReceiveSecretDetection().exists()).toBe(true); - expect(findPreReceiveSecretDetection().props('feature')).toEqual( - preReceiveSecretDetectionMock, - ); + expect(findSecretPushProtection().exists()).toBe(true); + expect(findSecretPushProtection().props('feature')).toEqual(secretPushProtectionMock); }); }); diff --git a/spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js similarity index 86% rename from spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js rename to spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js index f6311a977a82ca12105fcbfcdafce2036af66230..3b0d30cc1aa2bd26bc27ee637ce2a9cdf22c1079 100644 --- a/spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js +++ b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js 
@@ -3,11 +3,11 @@ import { shallowMount } from '@vue/test-utils'; import VueApollo from 'vue-apollo'; import Vue from 'vue'; import { extendedWrapper } from 'helpers/vue_test_utils_helper'; -import PreReceiveSecretDetectionFeatureCard from '~/security_configuration/components/pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue'; import createMockApollo from 'helpers/mock_apollo_helper'; -import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; +import ProjectPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; import waitForPromises from 'helpers/wait_for_promises'; -import { preReceiveSecretDetectionMock } from '../mock_data'; +import { secretPushProtectionMock } from '../mock_data'; Vue.use(VueApollo); @@ -19,17 +19,17 @@ const setMockResponse = { }, }, }; -const feature = preReceiveSecretDetectionMock; +const feature = secretPushProtectionMock; const defaultProvide = { - preReceiveSecretDetectionAvailable: true, - preReceiveSecretDetectionEnabled: false, + secretPushProtectionAvailable: true, + secretPushProtectionEnabled: false, userIsProjectAdmin: true, projectFullPath: 'flightjs/flight', secretDetectionConfigurationPath: 'flightjs/Flight/-/security/configuration/secret_detection', }; -describe('PreReceiveSecretDetectionFeatureCard component', () => { +describe('SecretPushProtectionFeatureCard component', () => { let wrapper; let apolloProvider; let requestHandlers; @@ -39,7 +39,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { setMutationHandler: jest.fn().mockResolvedValue(setMockResponse), }; return createMockApollo([ - [ProjectSetPreReceiveSecretDetection, requestHandlers.setMutationHandler], + [ProjectPreReceiveSecretDetection, requestHandlers.setMutationHandler], ]); }; 
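Review bot: In the @@ -3 hunk the GraphQL document import is renamed from `ProjectSetPreReceiveSecretDetection` to `ProjectPreReceiveSecretDetection`, dropping the `Set` that both the file `set_pre_receive_secret_detection.graphql` and the `setMutationHandler` it is bound to in the @@ -39 hunk keep, while everything else in the commit moves to the secret-push-protection wording; the half-renamed identifier is likely to confuse the next reader. Either keep the original name or finish the rename, e.g. `import SetSecretPushProtectionMutation from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';`, and consider renaming the .graphql document in the same series so the mutation file is not the one artifact left on the old term.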
@@ -47,7 +47,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => {
 apolloProvider = createMockApolloProvider();
 
 wrapper = extendedWrapper(
- shallowMount(PreReceiveSecretDetectionFeatureCard, {
+ shallowMount(SecretPushProtectionFeatureCard, {
 propsData: {
 feature,
 ...props,
@@ -134,7 +134,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => {
 beforeEach(() => {
 createComponent({
 provide: {
- preReceiveSecretDetectionAvailable: false,
+ secretPushProtectionAvailable: false,
 },
 });
 });
@@ -165,7 +165,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => {
 createComponent({
 props: {
 feature: {
- ...preReceiveSecretDetectionMock,
+ ...secretPushProtectionMock,
 available: false,
 },
 },
diff --git a/spec/frontend/security_configuration/mock_data.js b/spec/frontend/security_configuration/mock_data.js
index 10435aecf7e0ed8495caad91ed6c329b59b6b498..3a02aedee52c0e2c1cc96e7466ea4a5fb27fca60 100644
--- a/spec/frontend/security_configuration/mock_data.js
+++ b/spec/frontend/security_configuration/mock_data.js
@@ -3,7 +3,7 @@ import {
 SAST_SHORT_NAME,
 SAST_IAC_NAME,
 SAST_IAC_SHORT_NAME,
- PRE_RECEIVE_SECRET_DETECTION,
+ SECRET_PUSH_PROTECTION,
 } from '~/security_configuration/constants';
 import { helpPagePath } from '~/helpers/help_page_helper';
 
@@ -149,7 +149,7 @@ export const securityFeaturesMock = [
 },
 ];
 
-export const preReceiveSecretDetectionMock = {
+export const secretPushProtectionMock = {
 name: 'Secret push protection',
 description: `Block secrets such as keys and API tokens from being pushed to your repositories.
 'Secret push protection is triggered when commits are pushed to a repository. ' \
@@ -158,7 +158,7 @@ export const preReceiveSecretDetectionMock = {
 configurationHelpPath: helpPagePath(
 'user/application_security/secret_detection/secret_push_protection/index',
 ),
- type: PRE_RECEIVE_SECRET_DETECTION,
+ type: SECRET_PUSH_PROTECTION,
 available: true,
 };
 
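Review bot: The `description` of the renamed `secretPushProtectionMock` (the `@@ -149` hunk of mock_data.js) looks like a Ruby string continuation pasted into a JavaScript template literal: the line `'Secret push protection is triggered when commits are pushed to a repository. ' \` keeps its single quotes as literal characters in the resulting string, and the trailing backslash escapes the newline, so the fixture text is not the sentence the Ruby spec in scan_configuration_spec.rb defines. That only matters for tests that compare the description verbatim, so it is cosmetic today, but since the commit is already touching this object it is the cheap moment to make the fixture read the same as the server-side definition. The template literal continues past the end of the hunk, so the remaining lines should be checked for the same artifact before rewriting it as a single plain string.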
diff --git a/spec/lib/gitlab/security/scan_configuration_spec.rb b/spec/lib/gitlab/security/scan_configuration_spec.rb
index 159096df4bca23e5921d4b2506f9291cff99a560..a844ae7899e01e4679be62b33e2d7ee73cee081f 100644
--- a/spec/lib/gitlab/security/scan_configuration_spec.rb
+++ b/spec/lib/gitlab/security/scan_configuration_spec.rb
@@ -137,13 +137,13 @@
 help_path: "/help/user/application_security/container_scanning/index.md",
 configuration_help_path: "/help/user/application_security/container_scanning/index.md#configuration",
 type: "container_scanning" }
- :pre_receive_secret_detection | { name: _("Secret push protection"),
+ :secret_push_protection | { name: _("Secret push protection"),
 description: "Block secrets such as keys and API tokens from being pushed to your repositories. " \
 "Secret push protection is triggered when commits are pushed to a repository. " \
 "If any secrets are detected, the push is blocked.",
 help_path: Gitlab::Routing.url_helpers.help_page_path(
 "user/application_security/secret_detection/secret_push_protection/index.md"),
- type: "pre_receive_secret_detection" }
+ type: "secret_push_protection" }
 :secret_detection | { name: "Pipeline Secret Detection",
 description: "Analyze your source code and Git history for secrets by using CI/CD pipelines.",
 help_path: "/help/user/application_security/secret_detection/pipeline/index.md",
diff --git a/spec/presenters/projects/security/configuration_presenter_spec.rb b/spec/presenters/projects/security/configuration_presenter_spec.rb
index 5767c9e5a4c42def015fa177e3c7cb5c57875356..c527ea6b69687f2a625e6960e06c884d0cbc70d0 100644
--- a/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/spec/presenters/projects/security/configuration_presenter_spec.rb
@@ -12,7 +12,7 @@
 
 before do
 stub_licensed_features(licensed_scan_types.index_with { true })
- stub_licensed_features(pre_receive_secret_detection: true)
+ stub_licensed_features(secret_push_protection: true)
 end
 
 describe '#to_html_data_attribute' do
@@ -305,14 +305,14 @@
 end
 end
 
- describe 'pre_receive_secret_detection' do
+ describe 'secret_push_protection' do
 let_it_be(:project) { create(:project, :repository) }
 let(:features) { Gitlab::Json.parse(html_data[:features]) }
 
- it 'feature includes pre_receive_secret_detection' do
+ it 'feature includes secret_push_protection' do
 skip unless Gitlab.ee?
 
- feature = features.find { |scan| scan["type"] == 'pre_receive_secret_detection' }
+ feature = features.find { |scan| scan["type"] == 'secret_push_protection' }
 expect(feature).not_to be_nil
 end
 end
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index c8ccfa20b69fd7ae9148da4c112085571aa09e59..da0d520a53f4b0cc0cb386b7c7d61c72ab389874 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -2671,7 +2671,7 @@ def request
 security_and_compliance_enabled
 issues_template
 merge_requests_template
- pre_receive_secret_detection_enabled
+ secret_push_protection_enabled
 ]
 end