From a7135bffcfd90e1bd551d9f3f2b735405256f84b Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Thu, 16 Jan 2025 14:58:19 -0600 Subject: [PATCH 01/20] Use batch column name --- ...abled_to_secret_push_protection_enabled.rb | 18 ++++ ...led_to_secret_push_protection_available.rb | 16 ++++ db/schema_migrations/20250114030220 | 1 + db/schema_migrations/20250114030822 | 1 + db/structure.sql | 86 ++++++++++++++++++- 5 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb create mode 100644 db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb create mode 100644 db/schema_migrations/20250114030220 create mode 100644 db/schema_migrations/20250114030822 diff --git a/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb new file mode 100644 index 00000000000000..27942e60e0e61a --- /dev/null +++ b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +class RenamePreReceiveSecretDetectionEnabledToSecretPushProtectionEnabled < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + TABLE = :project_security_settings + + def up + rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, + :secret_push_protection_enabled, batch_column_name: :project_id + end + + def down + undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, + :secret_push_protection_enabled, batch_column_name: :project_id + end +end 
diff --git a/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb b/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb new file mode 100644 index 00000000000000..59285556da90de --- /dev/null +++ b/db/migrate/20250114030822_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_available.rb @@ -0,0 +1,16 @@ +# frozen_string_literal: true + +class RenamePreReceiveSecretDetectionEnabledToSecretPushProtectionAvailable < Gitlab::Database::Migration[2.2] + milestone '17.9' + disable_ddl_transaction! + + TABLE = :application_settings + + def up + rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, :secret_push_protection_available + end + + def down + undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, :secret_push_protection_available + end +end diff --git a/db/schema_migrations/20250114030220 b/db/schema_migrations/20250114030220 new file mode 100644 index 00000000000000..2244a495a22a33 --- /dev/null +++ b/db/schema_migrations/20250114030220 @@ -0,0 +1 @@ +555bf26fb6ee2d65df9aa7ebde9be19a8681563a053b74d3c9c2df1e2dc9dda9 \ No newline at end of file diff --git a/db/schema_migrations/20250114030822 b/db/schema_migrations/20250114030822 new file mode 100644 index 00000000000000..2a744efc277352 --- /dev/null +++ b/db/schema_migrations/20250114030822 @@ -0,0 +1 @@ +2d74e09c4f8df3a0e49762bc9bde7c802c33c0f1ac1498b83a3080dc35b93ba2 \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 54b4fd5cd898e8..6b506bd289b6cd 100644 --- a/db/structure.sql +++ b/db/structure.sql 
@@ -403,6 +403,74 @@ BEGIN END; $$; +CREATE FUNCTION function_for_trigger_1baf8c8e1f66() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."pre_receive_secret_detection_enabled" := NEW."secret_push_protection_available"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_7f41427eda69() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."secret_push_protection_available" := NEW."pre_receive_secret_detection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_7fbecfcdf89a() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."pre_receive_secret_detection_enabled" := NEW."secret_push_protection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_897f35481f9a() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + NEW."secret_push_protection_enabled" := NEW."pre_receive_secret_detection_enabled"; + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_b9839c6d713f() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NEW."pre_receive_secret_detection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."secret_push_protection_available" IS DISTINCT FROM 'false' THEN + NEW."pre_receive_secret_detection_enabled" = NEW."secret_push_protection_available"; + END IF; + + IF NEW."secret_push_protection_available" IS NOT DISTINCT FROM 'false' AND NEW."pre_receive_secret_detection_enabled" IS DISTINCT FROM 'false' THEN + NEW."secret_push_protection_available" = NEW."pre_receive_secret_detection_enabled"; + END IF; + + RETURN NEW; +END +$$; + +CREATE FUNCTION function_for_trigger_cbecfadbc3e8() RETURNS trigger + LANGUAGE plpgsql + AS $$ +BEGIN + IF NEW."pre_receive_secret_detection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."secret_push_protection_enabled" IS DISTINCT FROM 'false' THEN + NEW."pre_receive_secret_detection_enabled" = NEW."secret_push_protection_enabled"; + END IF; + + IF NEW."secret_push_protection_enabled" IS NOT DISTINCT FROM 'false' AND NEW."pre_receive_secret_detection_enabled" IS 
DISTINCT FROM 'false' THEN + NEW."secret_push_protection_enabled" = NEW."pre_receive_secret_detection_enabled"; + END IF; + + RETURN NEW; +END +$$; + CREATE FUNCTION gitlab_schema_prevent_write() RETURNS trigger LANGUAGE plpgsql AS $$ @@ -7952,6 +8020,7 @@ CREATE TABLE application_settings ( elasticsearch_max_code_indexing_concurrency integer DEFAULT 30 NOT NULL, observability_settings jsonb DEFAULT '{}'::jsonb NOT NULL, search jsonb DEFAULT '{}'::jsonb NOT NULL, + secret_push_protection_available boolean DEFAULT false, CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)), @@ -8018,6 +8087,7 @@ CREATE TABLE application_settings ( CONSTRAINT check_application_settings_transactional_emails_is_hash CHECK ((jsonb_typeof(transactional_emails) = 'object'::text)), CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)), CONSTRAINT check_babd774f3c CHECK ((char_length(secret_detection_service_url) <= 255)), + CONSTRAINT check_be6ab41dcc CHECK ((secret_push_protection_available IS NOT NULL)), CONSTRAINT check_bf5157a366 CHECK ((char_length(required_instance_ci_template) <= 1024)), CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)), CONSTRAINT check_d03919528d CHECK ((char_length(container_registry_vendor) <= 255)), 
@@ -19388,7 +19458,9 @@ CREATE TABLE project_security_settings ( auto_fix_sast boolean DEFAULT true NOT NULL, continuous_vulnerability_scans_enabled boolean DEFAULT false NOT NULL, container_scanning_for_registry_enabled boolean DEFAULT false NOT NULL, - pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL + pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL, + secret_push_protection_enabled boolean DEFAULT false, + CONSTRAINT check_20a23efdb6 CHECK ((secret_push_protection_enabled IS NOT NULL)) ); CREATE SEQUENCE project_security_settings_project_id_seq @@ -37436,6 +37508,8 @@ CREATE TRIGGER trigger_174b23fa3dfb BEFORE INSERT OR UPDATE ON approval_project_ CREATE TRIGGER trigger_18bc439a6741 BEFORE INSERT OR UPDATE ON packages_conan_metadata FOR EACH ROW EXECUTE FUNCTION trigger_18bc439a6741(); +CREATE TRIGGER trigger_1baf8c8e1f66 BEFORE UPDATE OF secret_push_protection_available ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_1baf8c8e1f66(); + CREATE TRIGGER trigger_1c0f1ca199a3 BEFORE INSERT OR UPDATE ON ci_resources FOR EACH ROW EXECUTE FUNCTION trigger_1c0f1ca199a3(); CREATE TRIGGER trigger_1ed40f4d5f4e BEFORE INSERT OR UPDATE ON packages_maven_metadata FOR EACH ROW EXECUTE FUNCTION trigger_1ed40f4d5f4e(); 
@@ -37554,6 +37628,10 @@ CREATE TRIGGER trigger_7de792ddbc05 BEFORE INSERT OR UPDATE ON dast_site_validat CREATE TRIGGER trigger_7e2eed79e46e BEFORE INSERT OR UPDATE ON abuse_reports FOR EACH ROW EXECUTE FUNCTION trigger_7e2eed79e46e(); +CREATE TRIGGER trigger_7f41427eda69 BEFORE UPDATE OF pre_receive_secret_detection_enabled ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_7f41427eda69(); + +CREATE TRIGGER trigger_7fbecfcdf89a BEFORE UPDATE OF secret_push_protection_enabled ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_7fbecfcdf89a(); + CREATE TRIGGER trigger_81b4c93e7133 BEFORE INSERT OR UPDATE ON pages_deployment_states FOR EACH ROW EXECUTE FUNCTION trigger_81b4c93e7133(); CREATE TRIGGER trigger_8204480b3a2e BEFORE INSERT OR UPDATE ON incident_management_escalation_rules FOR EACH ROW EXECUTE FUNCTION trigger_8204480b3a2e(); @@ -37562,6 +37640,8 @@ CREATE TRIGGER trigger_84d67ad63e93 BEFORE INSERT OR UPDATE ON wiki_page_slugs F CREATE TRIGGER trigger_85d89f0f11db BEFORE INSERT OR UPDATE ON issue_metrics FOR EACH ROW EXECUTE FUNCTION trigger_85d89f0f11db(); +CREATE TRIGGER trigger_897f35481f9a BEFORE UPDATE OF pre_receive_secret_detection_enabled ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_897f35481f9a(); + CREATE TRIGGER trigger_8a38ce2327de BEFORE INSERT OR UPDATE ON boards_epic_user_preferences FOR EACH ROW EXECUTE FUNCTION trigger_8a38ce2327de(); CREATE TRIGGER trigger_8ac78f164b2d BEFORE INSERT OR UPDATE ON design_management_repositories FOR EACH ROW EXECUTE FUNCTION trigger_8ac78f164b2d(); 
@@ -37624,6 +37704,8 @@ CREATE TRIGGER trigger_b7abb8fc4cf0 BEFORE INSERT OR UPDATE ON work_item_progres CREATE TRIGGER trigger_b8eecea7f351 BEFORE INSERT OR UPDATE ON dependency_proxy_manifest_states FOR EACH ROW EXECUTE FUNCTION trigger_b8eecea7f351(); +CREATE TRIGGER trigger_b9839c6d713f BEFORE INSERT ON application_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_b9839c6d713f(); + CREATE TRIGGER trigger_c17a166692a2 BEFORE INSERT OR UPDATE ON audit_events_streaming_headers FOR EACH ROW EXECUTE FUNCTION trigger_c17a166692a2(); CREATE TRIGGER trigger_c59fe6f31e71 BEFORE INSERT OR UPDATE ON security_orchestration_policy_rule_schedules FOR EACH ROW EXECUTE FUNCTION trigger_c59fe6f31e71(); @@ -37638,6 +37720,8 @@ CREATE TRIGGER trigger_cac7c0698291 BEFORE INSERT OR UPDATE ON evidences FOR EAC CREATE TRIGGER trigger_catalog_resource_sync_event_on_project_update AFTER UPDATE ON projects FOR EACH ROW WHEN ((((old.name)::text IS DISTINCT FROM (new.name)::text) OR (old.description IS DISTINCT FROM new.description) OR (old.visibility_level IS DISTINCT FROM new.visibility_level))) EXECUTE FUNCTION insert_catalog_resource_sync_event(); +CREATE TRIGGER trigger_cbecfadbc3e8 BEFORE INSERT ON project_security_settings FOR EACH ROW EXECUTE FUNCTION function_for_trigger_cbecfadbc3e8(); + CREATE TRIGGER trigger_cd50823537a3 BEFORE INSERT OR UPDATE ON issuable_slas FOR EACH ROW EXECUTE FUNCTION trigger_cd50823537a3(); CREATE TRIGGER trigger_cf646a118cbb BEFORE INSERT OR UPDATE ON milestone_releases FOR EACH ROW EXECUTE FUNCTION trigger_cf646a118cbb(); -- GitLab From aaaae655c337318c130959f144098f95cbbea1bf Mon Sep 17 00:00:00 2001 
From: Serena Fang Date: Thu, 16 Jan 2025 15:05:13 -0600 Subject: [PATCH 02/20] Add yml and ignore_column --- .../secret_push_protection_available.yml | 15 +++++++++++++++ ee/app/models/ee/application_setting.rb | 2 ++ ee/app/models/project_security_setting.rb | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 config/application_setting_columns/secret_push_protection_available.yml diff --git a/config/application_setting_columns/secret_push_protection_available.yml b/config/application_setting_columns/secret_push_protection_available.yml new file mode 100644 index 00000000000000..8c2f8351c9dc6b --- /dev/null +++ b/config/application_setting_columns/secret_push_protection_available.yml @@ -0,0 +1,15 @@ +--- +api_type: boolean +attr: secret_push_protection_available +clusterwide: true +column: secret_push_protection_available +db_type: boolean +default: 'false' +description: Allow projects to enable secret push protection. This does not enable + secret push protection. When you enable this feature, you accept the [GitLab Testing + Agreement](https://handbook.gitlab.com/handbook/legal/testing-agreement/). Ultimate + only. +encrypted: false +gitlab_com_different_than_default: true +jihu: false +not_null: true diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb index 50ddaf034aca98..c8c45f817d8473 100644 --- a/ee/app/models/ee/application_setting.rb +++ b/ee/app/models/ee/application_setting.rb @@ -278,6 +278,8 @@ module ApplicationSetting inclusion: { in: [true, false], message: N_('must be a boolean value') }, if: :gitlab_dedicated_instance + ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' + validates :instance_level_ai_beta_features_enabled, allow_nil: false, inclusion: { in: [true, false], message: N_('must be a boolean value') } 
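Review bot: `remove_with: '17.9'` on the new `ignore_column` line is the same milestone that both rename migrations in patch 01 declare, so the `cleanup_concurrent_column_rename` post-deployment migration that drops `pre_receive_secret_detection_enabled` and the deletion of this line both appear to be due in 17.9, yet no cleanup migration is in the five patches visible here. If it lands later in the series that is fine; otherwise the old column and its sync triggers outlive the rename, and the `remove_with` milestone should be checked against the concurrent-rename guide, which ties the removal release to the cleanup migration. The same line is added for `project_security_setting.rb` in the next hunk of this patch and moved to `app/models/application_setting.rb` in patch 04, so whatever is decided applies there too. The enclosing `ApplicationSetting` module body starts and ends outside the hunk.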
diff --git a/ee/app/models/project_security_setting.rb b/ee/app/models/project_security_setting.rb index 3ba279a4e4f2b8..a1a210bc5ac734 100644 --- a/ee/app/models/project_security_setting.rb +++ b/ee/app/models/project_security_setting.rb @@ -7,6 +7,8 @@ class ProjectSecuritySetting < ApplicationRecord scope :for_projects, ->(project_ids) { where(project_id: project_ids) } + ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' + def set_continuous_vulnerability_scans!(enabled:) enabled if update!(continuous_vulnerability_scans_enabled: enabled) end -- GitLab From 8d28d3f8d5f1caa0f29e9775c702b791e6cabf80 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Thu, 16 Jan 2025 16:02:49 -0600 Subject: [PATCH 03/20] Remove batch column from down step --- ...ecret_detection_enabled_to_secret_push_protection_enabled.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb index 27942e60e0e61a..a7966414a7f7a8 100644 --- a/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb +++ b/db/migrate/20250114030220_rename_pre_receive_secret_detection_enabled_to_secret_push_protection_enabled.rb @@ -13,6 +13,6 @@ def up def down undo_rename_column_concurrently TABLE, :pre_receive_secret_detection_enabled, - :secret_push_protection_enabled, batch_column_name: :project_id + :secret_push_protection_enabled end end -- GitLab From 1ec28a47142a51ecbd38ef2c1034bc4787888e77 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Thu, 16 Jan 2025 17:44:07 -0600 Subject: [PATCH 04/20] Move ignore_column to ce --- app/models/application_setting.rb | 2 ++ ee/app/models/ee/application_setting.rb | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index be80a38d8bfbb3..3bb5ed7d3c3a1d 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -19,6 +19,8 @@ class ApplicationSetting < ApplicationRecord encrypted_vertex_ai_access_token_iv ], remove_with: '17.10', remove_after: '2025-02-15' + ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' + ignore_columns %i[ elasticsearch_aws elasticsearch_search diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb index c8c45f817d8473..50ddaf034aca98 100644 --- a/ee/app/models/ee/application_setting.rb +++ b/ee/app/models/ee/application_setting.rb @@ -278,8 +278,6 @@ module ApplicationSetting inclusion: { in: [true, false], message: N_('must be a boolean value') }, if: :gitlab_dedicated_instance - ignore_column :pre_receive_secret_detection_enabled, remove_with: '17.9', remove_after: '2025-02-15' - validates :instance_level_ai_beta_features_enabled, allow_nil: false, inclusion: { in: [true, false], message: N_('must be a boolean value') } -- GitLab From ba1b3df49b8f95c4aa2681ec01d4670c33f788e9 Mon Sep 17 00:00:00 2001 
From: Serena Fang Date: Tue, 14 Jan 2025 19:00:27 -0600 Subject: [PATCH 05/20] Code changes to rename prsd to spp Changelog: changed --- .../security/configuration_presenter.rb | 6 +++--- .../admin/application_settings_controller.rb | 6 ++++-- ...cret_detection_configuration_controller.rb | 2 +- ee/app/graphql/ee/types/project_type.rb | 4 ++-- .../helpers/ee/application_settings_helper.rb | 2 +- ee/app/models/ee/application_setting.rb | 2 +- .../models/gitlab_subscriptions/features.rb | 2 +- ee/app/models/project_security_setting.rb | 4 ++-- ee/app/policies/ee/group_policy.rb | 8 ++++---- ee/app/policies/ee/project_policy.rb | 12 +++++------ .../security/configuration_presenter.rb | 6 +++--- ...set_secret_push_protection_base_service.rb | 6 +++--- .../_pre_receive_secret_detection.html.haml | 4 ++-- .../security_and_compliance.html.haml | 2 +- ee/lib/api/group_security_settings.rb | 6 +++--- ee/lib/api/project_security_settings.rb | 12 +++++------ ee/lib/ee/api/entities/application_setting.rb | 2 +- ee/lib/ee/api/entities/project.rb | 4 ++-- ee/lib/gitlab/checks/secrets_check.rb | 10 +++++----- ...h_secret_push_protection_enabled_metric.rb | 2 +- .../application_settings_controller_spec.rb | 8 ++++---- .../factories/project_security_settings.rb | 2 +- .../user_views_security_configuration_spec.rb | 10 +++++----- ee/spec/graphql/types/project_type_spec.rb | 12 +++++------ .../ee/application_settings_helper_spec.rb | 4 ++-- ee/spec/lib/ee/api/entities/project_spec.rb | 10 +++++----- .../lib/gitlab/checks/secrets_check_spec.rb | 10 +++++----- ...ret_push_protection_enabled_metric_spec.rb | 2 +- .../models/project_security_setting_spec.rb | 8 ++++---- ee/spec/policies/group_policy_spec.rb | 18 ++++++++--------- ee/spec/policies/project_policy_spec.rb | 19 ++++++++++++++++++ .../security/configuration_presenter_spec.rb | 4 ++-- .../set_group_secret_push_protection_spec.rb | 2 +- .../set_pre_receive_secret_detection_spec.rb | 18 ++++++++--------- 
.../api/project_security_settings_spec.rb | 10 +++++----- ee/spec/requests/api/settings_spec.rb | 6 +++--- ...detection_configuration_controller_spec.rb | 4 ++-- ...oup_secret_push_protection_service_spec.rb | 20 +++++++++---------- ...ect_secret_push_protection_service_spec.rb | 12 +++++------ ...ecret_push_protection_base_service_spec.rb | 4 ++-- ...set_secret_push_protection_service_spec.rb | 14 ++++++------- .../security_and_compliance.html.haml_spec.rb | 2 +- lib/gitlab/security/features.rb | 4 ++-- .../page/project/secure/configuration_form.rb | 4 ++-- .../cells/application-settings-analysis.rb | 2 +- .../security/scan_configuration_spec.rb | 4 ++-- .../security/configuration_presenter_spec.rb | 8 ++++---- 47 files changed, 172 insertions(+), 151 deletions(-) diff --git a/app/presenters/projects/security/configuration_presenter.rb b/app/presenters/projects/security/configuration_presenter.rb index 7df38dd7d6f654..b1a0dd63c02d42 100644 --- a/app/presenters/projects/security/configuration_presenter.rb +++ b/app/presenters/projects/security/configuration_presenter.rb @@ -21,9 +21,9 @@ def to_h gitlab_ci_history_path: gitlab_ci_history_path, security_training_enabled: project.security_training_available?, container_scanning_for_registry_enabled: container_scanning_for_registry_enabled, - pre_receive_secret_detection_available: - Gitlab::CurrentSettings.current_application_settings.pre_receive_secret_detection_enabled, - pre_receive_secret_detection_enabled: pre_receive_secret_detection_enabled, + secret_push_protection_available: + Gitlab::CurrentSettings.current_application_settings.secret_push_protection_available, + secret_push_protection_enabled: secret_push_protection_enabled, user_is_project_admin: user_is_project_admin?, secret_detection_configuration_path: secret_detection_configuration_path } 
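Review bot: The two renamed keys in `to_h` (`secret_push_protection_available`, `secret_push_protection_enabled`) are the names the consumer of this hash reads, and no JavaScript or Vue file is in this patch's diffstat, so unless the client already uses the new names or a later patch updates it, both flags will arrive as `undefined` and the page will most likely render secret push protection as unavailable rather than fail loudly. Please confirm the consumer side — a grep for the old camel-cased names under the assets directories would settle it — or add that change to the series. The `to_h` method starts and ends outside this hunk; the EE override of `secret_push_protection_enabled` in `ee/app/presenters/ee/projects/security/configuration_presenter.rb` is renamed consistently in this patch.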
diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb index a7912a6e312843..d15296d6c44472 100644 --- a/ee/app/controllers/ee/admin/application_settings_controller.rb +++ b/ee/app/controllers/ee/admin/application_settings_controller.rb @@ -154,9 +154,11 @@ def visible_application_setting_attributes end # Remove the inline rubocop disablement of Metrics/PerceivedComplexity when we can move - # pre_receive_secret_detection_enabled to the simple License feature => attribute name + # secret_push_protection_available to the simple License feature => attribute name # hash above. - attrs << :pre_receive_secret_detection_enabled if License.feature_available?(:pre_receive_secret_detection) + if License.feature_available?(:secret_push_protection) + attrs << :secret_push_protection_available + end if License.feature_available?(:admin_merge_request_approvers_rules) attrs += EE::ApplicationSettingsHelper.merge_request_appovers_rules_attributes diff --git a/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb b/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb index dadbe3bc7f0660..87034427741d60 100644 --- a/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb +++ b/ee/app/controllers/projects/security/secret_detection_configuration_controller.rb @@ -16,7 +16,7 @@ def show; end private def ensure_feature_is_available! - not_found unless project.licensed_feature_available?(:pre_receive_secret_detection) + not_found unless project.licensed_feature_available?(:secret_push_protection) end def authorize_read_project_security_exclusions! diff --git a/ee/app/graphql/ee/types/project_type.rb b/ee/app/graphql/ee/types/project_type.rb index 3bd3a6517c58ee..c69bda1c54ec06 100644 --- a/ee/app/graphql/ee/types/project_type.rb +++ b/ee/app/graphql/ee/types/project_type.rb 
@@ -577,8 +577,8 @@ def tracking_key object.project_setting.product_analytics_instrumentation_key end - def pre_receive_secret_detection_enabled - object.security_setting.pre_receive_secret_detection_enabled + def secret_push_protection_enabled + object.security_setting.secret_push_protection_enabled end def api_fuzzing_ci_configuration diff --git a/ee/app/helpers/ee/application_settings_helper.rb b/ee/app/helpers/ee/application_settings_helper.rb index 8db630d360465f..ae000149706a36 100644 --- a/ee/app/helpers/ee/application_settings_helper.rb +++ b/ee/app/helpers/ee/application_settings_helper.rb @@ -145,7 +145,7 @@ def self.possible_licensed_attributes updating_name_disabled_for_users maven_package_requests_forwarding npm_package_requests_forwarding - pre_receive_secret_detection_enabled + secret_push_protection_available pypi_package_requests_forwarding maintenance_mode maintenance_mode_message diff --git a/ee/app/models/ee/application_setting.rb b/ee/app/models/ee/application_setting.rb index 50ddaf034aca98..6bbe52b7b263b2 100644 --- a/ee/app/models/ee/application_setting.rb +++ b/ee/app/models/ee/application_setting.rb @@ -274,7 +274,7 @@ module ApplicationSetting numericality: { only_integer: true, greater_than: proc { Devise.allow_unconfirmed_access_for.in_days.to_i } }, if: :email_confirmation_setting_soft? - validates :pre_receive_secret_detection_enabled, + validates :secret_push_protection_available, inclusion: { in: [true, false], message: N_('must be a boolean value') }, if: :gitlab_dedicated_instance diff --git a/ee/app/models/gitlab_subscriptions/features.rb b/ee/app/models/gitlab_subscriptions/features.rb index 3d2bdd5559b440..2b063996a0e004 100644 --- a/ee/app/models/gitlab_subscriptions/features.rb +++ b/ee/app/models/gitlab_subscriptions/features.rb 
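Review bot: The diffstat for `ee/app/graphql/ee/types/project_type.rb` lists only the two lines changed in this hunk, so the `field` declaration this method backs is untouched; graphql-ruby resolves a field through a method of the same name unless `method:` is given, so if the field is still declared as `pre_receive_secret_detection_enabled` it silently loses this resolver. Either way a GraphQL field rename needs a deprecation step rather than a removal; if the field is being renamed, keep the old one resolvable alongside the new one, e.g. `field :pre_receive_secret_detection_enabled, ..., method: :secret_push_protection_enabled, deprecated: { reason: 'Use secretPushProtectionEnabled', milestone: '17.9' }`. The enclosing `ProjectType` module starts and ends outside this hunk.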
@@ -240,7 +240,7 @@ class Features license_scanning okrs personal_access_token_expiration_policy - pre_receive_secret_detection + secret_push_protection product_analytics project_quality_summary project_level_analytics_dashboard diff --git a/ee/app/models/project_security_setting.rb b/ee/app/models/project_security_setting.rb index a1a210bc5ac734..3afe2c610eade0 100644 --- a/ee/app/models/project_security_setting.rb +++ b/ee/app/models/project_security_setting.rb @@ -17,7 +17,7 @@ def set_container_scanning_for_registry!(enabled:) enabled if update!(container_scanning_for_registry_enabled: enabled) end - def set_pre_receive_secret_detection!(enabled:) - enabled if update!(pre_receive_secret_detection_enabled: enabled) + def set_secret_push_protection!(enabled:) + enabled if update!(secret_push_protection_enabled: enabled) end end diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index d88d7393feb2de..112b01dd02e6ca 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -878,12 +878,12 @@ module GroupPolicy rule { ~clickhouse_main_database_available }.prevent :read_runner_usage - condition(:pre_receive_secret_detection_available) do - @subject.licensed_feature_available?(:pre_receive_secret_detection) + condition(:secret_push_protection_available) do + @subject.licensed_feature_available?(:secret_push_protection) end - rule { pre_receive_secret_detection_available & can?(:maintainer_access) }.policy do - enable :enable_pre_receive_secret_detection + rule { secret_push_protection_available & can?(:maintainer_access) }.policy do + enable :enable_secret_push_protection end rule { can?(:admin_group) }.policy do diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb index aa37a94b3a353d..865fddb3d7af56 100644 --- a/ee/app/policies/ee/project_policy.rb +++ b/ee/app/policies/ee/project_policy.rb 
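Review bot: Renaming the licensed feature key from `pre_receive_secret_detection` to `secret_push_protection` means any `feature_available?(:pre_receive_secret_detection)` call site this patch misses fails closed — as far as I can tell an unknown key evaluates to false rather than raising — so a stale reference shows up as the feature looking unlicensed, not as an error in CI. The policy ability renames in the `ee/app/policies/ee/group_policy.rb` and `ee/app/policies/ee/project_policy.rb` hunks (`enable_secret_push_protection`, `read_secret_push_protection_info`) behave the same way: a leftover `can?(..., :enable_pre_receive_secret_detection, ...)` quietly denies. Worth a grep for the old symbols across `ee/`, `lib/` and `qa/` (the `qa/` page object in the diffstat suggests the QA suite references them too) before merging, and a spec asserting that `GitlabSubscriptions::Features` no longer lists the old key would catch a regression. The `Features` class body starts and ends outside this hunk.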
@@ -1061,12 +1061,12 @@ module ProjectPolicy enable :update_saved_replies end - condition(:pre_receive_secret_detection_available) do - @subject.licensed_feature_available?(:pre_receive_secret_detection) + condition(:secret_push_protection_available) do + @subject.licensed_feature_available?(:secret_push_protection) end - rule { pre_receive_secret_detection_available & can?(:maintainer_access) }.policy do - enable :enable_pre_receive_secret_detection + rule { secret_push_protection_available & can?(:maintainer_access) }.policy do + enable :enable_secret_push_protection end condition(:container_scanning_for_registry_available) do @@ -1076,8 +1076,8 @@ module ProjectPolicy enable :enable_container_scanning_for_registry end - rule { pre_receive_secret_detection_available & can?(:developer_access) }.policy do - enable :read_pre_receive_secret_detection_info + rule { secret_push_protection_available & can?(:developer_access) }.policy do + enable :read_secret_push_protection_info end condition(:duo_workflow_enabled) do diff --git a/ee/app/presenters/ee/projects/security/configuration_presenter.rb b/ee/app/presenters/ee/projects/security/configuration_presenter.rb index 217f93bad54daa..be9a0558de78c5 100644 --- a/ee/app/presenters/ee/projects/security/configuration_presenter.rb +++ b/ee/app/presenters/ee/projects/security/configuration_presenter.rb @@ -13,9 +13,9 @@ def container_scanning_for_registry_enabled project_settings&.container_scanning_for_registry_enabled end - override :pre_receive_secret_detection_enabled - def pre_receive_secret_detection_enabled - project_settings&.pre_receive_secret_detection_enabled + override :secret_push_protection_enabled + def secret_push_protection_enabled + project_settings&.secret_push_protection_enabled end override :features 
diff --git a/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb b/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb index 929dd21e7c444e..5ad1acbc95d4b6 100644 --- a/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb +++ b/ee/app/services/security/configuration/set_secret_push_protection_base_service.rb @@ -36,8 +36,8 @@ def valid_request? def update_security_setting(project_ids) # rubocop:disable CodeReuse/ActiveRecord -- Specific use-case for this service updated_records = ProjectSecuritySetting.for_projects(project_ids) - .where(pre_receive_secret_detection_enabled: !@enable) - .update_all(pre_receive_secret_detection_enabled: @enable, + .where(secret_push_protection_enabled: !@enable) + .update_all(secret_push_protection_enabled: @enable, updated_at: Time.current) # rubocop:enable CodeReuse/ActiveRecord @@ -49,7 +49,7 @@ def create_missing_security_setting(project_ids) security_setting_attributes = projects_without_security_setting.map do |project| { project_id: project.id, - pre_receive_secret_detection_enabled: @enable, + secret_push_protection_enabled: @enable, updated_at: Time.current } end diff --git a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml index 839e1522911367..956404ffbc5f79 100644 --- a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml +++ b/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml 
@@ -3,8 +3,8 @@ %fieldset .form-group.gl-mb-0 - = f.label :pre_receive_secret_detection_enabled, s_('AdminSettings|Secret Push Protection'), class: 'label-bold' + = f.label :secret_push_protection_available, s_('AdminSettings|Secret Push Protection'), class: 'label-bold' %span.form-text.gl-mt-0.gl-mb-3#pre_receive_secret_detection-help = _('Prevent secrets such as keys and API tokens from being committed to any repository in this GitLab instance.') - = f.gitlab_ui_checkbox_component :pre_receive_secret_detection_enabled, _('Allow secret push protection'), help_text: _('Allow projects to enable secret push protection. This does not enable secret push protection.'), checkbox_options: { data: { testid: 'secret-push-protection-checkbox' } } + = f.gitlab_ui_checkbox_component :secret_push_protection_available, _('Allow secret push protection'), help_text: _('Allow projects to enable secret push protection. This does not enable secret push protection.'), checkbox_options: { data: { testid: 'secret-push-protection-checkbox' } } = f.submit _('Save changes'), pajamas_button: true diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index aca12b443b1575..40dd1cd41a474c 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml @@ -13,7 +13,7 @@ - c.with_body do = render 'license_compliance' -- if License.feature_available?(:pre_receive_secret_detection) +- if License.feature_available?(:secret_push_protection) = render ::Layouts::SettingsBlockComponent.new(_('Secret Detection'), id: 'js-secret-detection-settings', testid: 'admin-secret-detection-settings', diff --git a/ee/lib/api/group_security_settings.rb b/ee/lib/api/group_security_settings.rb index 3ad01005ece0db..0627b72b096390 100644 --- a/ee/lib/api/group_security_settings.rb 
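Review bot: The help-text span keeps its `#pre_receive_secret_detection-help` id while the label and checkbox it describes move to `secret_push_protection_available`, and the partial itself is still `_pre_receive_secret_detection.html.haml`; as far as this hunk shows that is a naming inconsistency rather than a bug, but if the id is referenced elsewhere (for example via `aria-describedby` or a feature spec) it should follow the rename, e.g. `%span.form-text.gl-mt-0.gl-mb-3#secret_push_protection-help`. The `%fieldset` starts outside the hunk.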
+++ b/ee/lib/api/group_security_settings.rb @@ -11,7 +11,7 @@ class GroupSecuritySettings < ::API::Base helpers do def check_feature_availability - forbidden! unless ::License.feature_available?(:pre_receive_secret_detection) + forbidden! unless ::License.feature_available?(:secret_push_protection) end end @@ -22,7 +22,7 @@ def check_feature_availability resource :groups, requirements: ::API::API::NAMESPACE_OR_PROJECT_REQUIREMENTS do segment ':id/security_settings' do desc 'Update group security settings' do - detail 'Updates pre_receive_secret_detection_enabled for all projects to the new value' + detail 'Updates secret_push_protection_enabled for all projects to the new value' tags %w[groups] end params do @@ -30,7 +30,7 @@ def check_feature_availability optional :projects_to_exclude, type: Array[Integer], desc: 'IDs of projects to exclude from the feature' end put do - unauthorized! unless can?(current_user, :enable_pre_receive_secret_detection, user_group) + unauthorized! unless can?(current_user, :enable_secret_push_protection, user_group) enabled = params[:secret_push_protection_enabled] projects_to_exclude = params[:projects_to_exclude] diff --git a/ee/lib/api/project_security_settings.rb b/ee/lib/api/project_security_settings.rb index bb5c1bd041fd33..095834140aa52e 100644 --- a/ee/lib/api/project_security_settings.rb +++ b/ee/lib/api/project_security_settings.rb @@ -7,7 +7,7 @@ class ProjectSecuritySettings < ::API::Base helpers do def check_feature_availability - forbidden! unless ::License.feature_available?(:pre_receive_secret_detection) + forbidden! unless ::License.feature_available?(:secret_push_protection) end end 
@@ -30,26 +30,26 @@ def check_feature_availability end desc 'Update project security settings' do - detail 'Updates pre_receive_secret_detection_enabled to the new value & returns new project security setting' + detail 'Updates secret_push_protection_enabled to the new value & returns new project security setting' tags %w[projects] end params do - requires :pre_receive_secret_detection_enabled, type: Boolean, desc: 'Enable/disable secret push protection' + requires :secret_push_protection_enabled, type: Boolean, desc: 'Enable/disable secret push protection' end put do unauthorized! unless can?(current_user, :manage_security_settings, user_project) - enabled = params[:pre_receive_secret_detection_enabled] + enabled = params[:secret_push_protection_enabled] audit_context = { name: 'project_security_setting_updated', author: current_user, target: user_project, scope: user_project, - message: "User #{current_user.name} updated `pre_receive_secret_detection_enabled` to #{enabled}" + message: "User #{current_user.name} updated `secret_push_protection_enabled` to #{enabled}" } ::Gitlab::Audit::Auditor.audit(audit_context) security_setting = user_project&.security_setting - security_setting.set_pre_receive_secret_detection!(enabled: enabled) + security_setting.set_secret_push_protection!(enabled: enabled) present security_setting end end diff --git a/ee/lib/ee/api/entities/application_setting.rb b/ee/lib/ee/api/entities/application_setting.rb index 2ac46574a868d4..f04d8640261622 100644 --- a/ee/lib/ee/api/entities/application_setting.rb +++ b/ee/lib/ee/api/entities/application_setting.rb 
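Review bot: The audit event is written before the state change is attempted — `::Gitlab::Audit::Auditor.audit(audit_context)` runs, then `security_setting.set_secret_push_protection!(enabled: enabled)` — so a failed update still leaves an audit record saying the user "updated `secret_push_protection_enabled` to true"; this ordering is not introduced by the rename, but the hunk touches both lines, so it is a good moment to move the `audit` call below the `set_secret_push_protection!` call. The `user_project&.security_setting` guard is also undone on the next line, where `security_setting` is dereferenced unconditionally; the service specs further down show projects whose `security_setting` is nil, so this endpoint presumably raises for them. Lastly, `requires :secret_push_protection_enabled` replaces the old REST parameter with no alias, so existing automation sending `pre_receive_secret_detection_enabled` will get a 400 — if that is intended, the API docs/changelog should say so; otherwise keep an `optional :pre_receive_secret_detection_enabled` for a deprecation period.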
@@ -24,7 +24,7 @@ module ApplicationSetting expose :updating_name_disabled_for_users, if: ->(_instance, _opts) { ::License.feature_available?(:disable_name_update_for_users) } expose :maven_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) } expose :npm_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) } - expose :pre_receive_secret_detection_enabled, if: ->(_instance, _opts) { ::License.feature_available?(:pre_receive_secret_detection) } + expose :secret_push_protection_available, if: ->(_instance, _opts) { ::License.feature_available?(:secret_push_protection) } expose :pypi_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) } expose :group_owners_can_manage_default_branch_protection, if: ->(_instance, _opts) { ::License.feature_available?(:default_branch_protection_restriction_in_groups) } expose :maintenance_mode, if: ->(_instance, _opts) { RegistrationFeatures::MaintenanceMode.feature_available? } diff --git a/ee/lib/ee/api/entities/project.rb b/ee/lib/ee/api/entities/project.rb index 3578d54d536b11..dee7833fd31faf 100644 --- a/ee/lib/ee/api/entities/project.rb +++ b/ee/lib/ee/api/entities/project.rb 
@@ -38,8 +38,8 @@ def preload_relation(projects_relation, options = {}) expose :security_and_compliance_enabled do |project, options| project.feature_available?(:security_and_compliance, options[:current_user]) end - expose :pre_receive_secret_detection_enabled, documentation: { type: 'boolean' }, if: ->(project, options) { Ability.allowed?(options[:current_user], :read_pre_receive_secret_detection_info, project) } do |project| - project.security_setting&.pre_receive_secret_detection_enabled + expose :secret_push_protection_enabled, documentation: { type: 'boolean' }, if: ->(project, options) { Ability.allowed?(options[:current_user], :read_secret_push_protection_info, project) } do |project| + project.security_setting&.secret_push_protection_enabled end expose :compliance_frameworks do |project, _| project.compliance_management_frameworks_names diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb index 77a839b2ac89e2..456c11e492c838 100644 --- a/ee/lib/gitlab/checks/secrets_check.rb +++ b/ee/lib/gitlab/checks/secrets_check.rb @@ -69,9 +69,9 @@ def validate! # 4. if it is a delete branch/tag operation, as it would require scanning the entire revision history # 5. if options are passed for us to skip the check - return unless project.licensed_feature_available?(:pre_receive_secret_detection) + return unless project.licensed_feature_available?(:secret_push_protection) - return unless run_pre_receive_secret_detection? + return unless run_secret_push_protection? return if includes_full_revision_history? 
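Review bot: `return unless project.licensed_feature_available?(:secret_push_protection)` fails open: if the renamed key is not registered in the license feature list (that file is not in this chunk, and this is patch 01 of 20), the method returns silently and no push is scanned, with nothing in logs to notice. Because every spec below uses `stub_licensed_features(secret_push_protection: true)`, the stubs would not catch a missing registration, so it is worth one test that exercises the check with a real licence fixture, or at least confirming the key rename lands in the same series. A one-line comment such as `# NOTE: :secret_push_protection must match the key registered in the license feature list (renamed from :pre_receive_secret_detection)` would help the next reviewer. The body of `validate!` continues past this hunk.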
@@ -176,9 +176,9 @@ def ruleset ############################## # Project Eligibility Checks - def run_pre_receive_secret_detection? - ::Gitlab::CurrentSettings.current_application_settings.pre_receive_secret_detection_enabled && - project.security_setting&.pre_receive_secret_detection_enabled + def run_secret_push_protection? + ::Gitlab::CurrentSettings.current_application_settings.secret_push_protection_available && + project.security_setting&.secret_push_protection end def use_secret_detection_service? diff --git a/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb b/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb index b73308bd6f3aef..04f3601f603d5e 100644 --- a/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb +++ b/ee/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric.rb @@ -8,7 +8,7 @@ class CountProjectsWithSecretPushProtectionEnabledMetric < DatabaseMetric operation :count relation do - ProjectSecuritySetting.where(pre_receive_secret_detection_enabled: true) + ProjectSecuritySetting.where(secret_push_protection_enabled: true) end end end diff --git a/ee/spec/controllers/admin/application_settings_controller_spec.rb b/ee/spec/controllers/admin/application_settings_controller_spec.rb index 6ce9e17a3c3d44..85eb1ef35a10bc 100644 --- a/ee/spec/controllers/admin/application_settings_controller_spec.rb +++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb @@ -339,8 +339,8 @@ end context 'with secret detection settings' do - let(:settings) { { pre_receive_secret_detection_enabled: true } } - let(:license_feature) { :pre_receive_secret_detection } + let(:settings) { { secret_push_protection_available: true } } + let(:license_feature) { :secret_push_protection } before do stub_licensed_features(license_feature => true) 
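Review bot: `project.security_setting&.secret_push_protection` references an attribute that does not exist under the new name — elsewhere in this commit the project-level column is `secret_push_protection_enabled` (the entity reads `security_setting&.secret_push_protection_enabled` and the metric queries `where(secret_push_protection_enabled: true)`). As written, `run_secret_push_protection?` presumably raises `NoMethodError` on every push to a project that has a security-setting row, which either breaks pushes or, if an outer rescue swallows it, silently disables the pre-receive secret scan. The fix is `project.security_setting&.secret_push_protection_enabled`. The safe-navigation on `security_setting` also means a project with no row is treated as disabled, which is fine but worth a comment: `# no ProjectSecuritySetting row => protection not enabled for this project`.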
@@ -348,9 +348,9 @@ it_behaves_like 'settings for licensed features' - it 'updates pre_receive_secret_detection_enabled setting' do + it 'updates secret_push_protection_available setting' do expect { put :update, params: { application_setting: settings } } - .to change { ApplicationSetting.current.reload.attributes['pre_receive_secret_detection_enabled'] } + .to change { ApplicationSetting.current.reload.attributes['secret_push_protection_available'] } end end diff --git a/ee/spec/factories/project_security_settings.rb b/ee/spec/factories/project_security_settings.rb index e32d4a463c7b6c..9ed8787e6f11d5 100644 --- a/ee/spec/factories/project_security_settings.rb +++ b/ee/spec/factories/project_security_settings.rb @@ -5,6 +5,6 @@ project { association :project, security_setting: instance } continuous_vulnerability_scans_enabled { false } container_scanning_for_registry_enabled { false } - pre_receive_secret_detection_enabled { false } + secret_push_protection_enabled { false } end end diff --git a/ee/spec/features/projects/security/user_views_security_configuration_spec.rb b/ee/spec/features/projects/security/user_views_security_configuration_spec.rb index 6a63b1e9053a52..27970e5cd2ef77 100644 --- a/ee/spec/features/projects/security/user_views_security_configuration_spec.rb +++ b/ee/spec/features/projects/security/user_views_security_configuration_spec.rb @@ -24,7 +24,7 @@ coverage_fuzzing: true, api_fuzzing: true, security_configuration_in_ui: true, - pre_receive_secret_detection: true + secret_push_protection: true ) end @@ -158,7 +158,7 @@ it 'shows secret push protection disabled' do visit_configuration_page - within_pre_receive_secret_detection_card do + within_secret_push_protection_card do expect(page).to have_text('Secret push protection') expect(page).to have_text('Not enabled') 
@@ -171,13 +171,13 @@ context 'with Secret push protection' do before do - stub_application_setting(pre_receive_secret_detection_enabled: true) + stub_application_setting(secret_push_protection_available: true) end it 'shows secret push protection' do visit_configuration_page - within_pre_receive_secret_detection_card do + within_secret_push_protection_card do expect(page).to have_text('Secret push protection') expect(page).to have_text('Not enabled') @@ -271,7 +271,7 @@ def within_container_scanning_card end end - def within_pre_receive_secret_detection_card + def within_secret_push_protection_card within '[data-testid="security-testing-card"]:nth-of-type(7)' do yield end diff --git a/ee/spec/graphql/types/project_type_spec.rb b/ee/spec/graphql/types/project_type_spec.rb index 4aecd189bfc5c0..4b46996c0d29cd 100644 --- a/ee/spec/graphql/types/project_type_spec.rb +++ b/ee/spec/graphql/types/project_type_spec.rb @@ -87,10 +87,10 @@ end describe 'secret push protection' do - let_it_be(:security_setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: true) } + let_it_be(:security_setting) { create(:project_security_setting, secret_push_protection_enabled: true) } let_it_be(:project) { security_setting.project } - describe 'pre_receive_secret_detection_enabled' do + describe 'secret_push_protection_enabled' do where(:user_role, :licensed_feature, :expected) do :guest | true | nil :developer | true | true @@ -99,7 +99,7 @@ with_them do before do - stub_licensed_features(pre_receive_secret_detection: licensed_feature) + stub_licensed_features(secret_push_protection: licensed_feature) project.add_role(user, user_role) end 
@@ -115,9 +115,9 @@ subject(:response) { GitlabSchema.execute(query, context: { current_user: user }).as_json } - it 'returns the expected pre_receive_secret_detection_enabled value' do - pre_receive_secret_detection_enabled = response.dig('data', 'project', 'preReceiveSecretDetectionEnabled') - expect(pre_receive_secret_detection_enabled).to eq(expected) + it 'returns the expected secret_push_protection_enabled value' do + secret_push_protection_enabled = response.dig('data', 'project', 'preReceiveSecretDetectionEnabled') + expect(secret_push_protection_enabled).to eq(expected) end end end diff --git a/ee/spec/helpers/ee/application_settings_helper_spec.rb b/ee/spec/helpers/ee/application_settings_helper_spec.rb index d583559c99ed00..6c5a6b25a28169 100644 --- a/ee/spec/helpers/ee/application_settings_helper_spec.rb +++ b/ee/spec/helpers/ee/application_settings_helper_spec.rb @@ -69,9 +69,9 @@ end describe '.possible_licensed_attributes' do - it 'contains pre_receive_secret_detection_enabled' do + it 'contains secret_push_protection_enabled' do expect(described_class.possible_licensed_attributes).to include( - :pre_receive_secret_detection_enabled + :secret_push_protection_available ) end end diff --git a/ee/spec/lib/ee/api/entities/project_spec.rb b/ee/spec/lib/ee/api/entities/project_spec.rb index ea2a119af8b09c..13f6cc84c74e3e 100644 --- a/ee/spec/lib/ee/api/entities/project_spec.rb +++ b/ee/spec/lib/ee/api/entities/project_spec.rb 
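Review bot: The `describe 'secret_push_protection_enabled'` block still digs `'preReceiveSecretDetectionEnabled'` out of the GraphQL response, so either the GraphQL field was intentionally left under its old name for API compatibility or this spec now reads a field that no longer exists. If it is intentional, a comment on the `dig` line such as `# GraphQL field keeps its pre-rename name for backwards compatibility` would stop the next reader from "fixing" it; if not, the field and the spec should be renamed together. The mutation spec later in this diff shows the same pattern (`'preReceiveSecretDetectionEnabled' => value_after` alongside `mutation_name :set_secret_push_protection`), so the decision should be made once for both.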
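Review bot: The example description `it 'contains secret_push_protection_enabled'` no longer matches its assertion, which expects `:secret_push_protection_available`; the application-setting attribute is `secret_push_protection_available` everywhere else in this commit, so the description should read `it 'contains secret_push_protection_available'`. Mismatched descriptions make a failing spec report the wrong attribute name.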
@@ -83,17 +83,17 @@ def mock_available end end - describe 'pre_receive_secret_detection_enabled' do + describe 'secret_push_protection_enabled' do let_it_be(:project) { create(:project) } let(:options) { { current_user: current_user } } before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end shared_examples 'returning nil' do it 'returns nil' do - expect(subject[:pre_receive_secret_detection_enabled]).to be(nil) + expect(subject[:secret_push_protection_enabled]).to be(nil) end end @@ -102,7 +102,7 @@ def mock_available let(:current_user) { developer } before do - stub_licensed_features(pre_receive_secret_detection: false) + stub_licensed_features(secret_push_protection: false) end it_behaves_like 'returning nil' @@ -119,7 +119,7 @@ def mock_available let(:current_user) { developer } it 'returns a boolean' do - expect(subject[:pre_receive_secret_detection_enabled]).to be_in([true, false]) + expect(subject[:secret_push_protection_enabled]).to be_in([true, false]) end end end diff --git a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb index 3acc720dc0f6a5..8763188a3174c2 100644 --- a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb +++ b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb @@ -10,7 +10,7 @@ describe '#validate!' do context 'when application setting is disabled' do before do - Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: false) + Gitlab::CurrentSettings.update!(secret_push_protection_available: false) end it_behaves_like 'skips the push check' 
@@ -18,12 +18,12 @@ context 'when application setting is enabled' do before do - Gitlab::CurrentSettings.update!(pre_receive_secret_detection_enabled: true) + Gitlab::CurrentSettings.update!(secret_push_protection_available: true) end context 'when project setting is disabled' do before do - project.security_setting.update!(pre_receive_secret_detection_enabled: false) + project.security_setting.update!(secret_push_protection_available: false) end it_behaves_like 'skips the push check' @@ -31,7 +31,7 @@ context 'when project setting is enabled' do before do - project.security_setting.update!(pre_receive_secret_detection_enabled: true) + project.security_setting.update!(secret_push_protection_available: true) end context 'when license is not ultimate' do @@ -40,7 +40,7 @@ context 'when license is ultimate' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end context 'when SDS should be called (on SaaS)' do diff --git a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb index 1808574e1f4a7e..b2f90577092949 100644 --- a/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb +++ b/ee/spec/lib/gitlab/usage/metrics/instrumentations/count_projects_with_secret_push_protection_enabled_metric_spec.rb @@ -7,7 +7,7 @@ before do 3.times do - create(:project).security_setting.update!(pre_receive_secret_detection_enabled: true) + create(:project).security_setting.update!(secret_push_protection_enabled: true) end create(:project) end diff --git a/ee/spec/models/project_security_setting_spec.rb b/ee/spec/models/project_security_setting_spec.rb index d7dc0b0ba44942..23d48facb725ef 100644 --- a/ee/spec/models/project_security_setting_spec.rb 
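Review bot: `project.security_setting.update!(secret_push_protection_available: false)` (and the `true` variant in the next hunk) targets the wrong column — `secret_push_protection_available` is the application-setting attribute, while `ProjectSecuritySetting` uses `secret_push_protection_enabled` in the factory, the metric and the entity in this same commit. `update!` with an unknown attribute presumably raises `ActiveModel::UnknownAttributeError`, so these contexts will error before reaching the `skips the push check` / scan examples, and the spec as written cannot catch the matching attribute mismatch in `run_secret_push_protection?`. Both lines should be `project.security_setting.update!(secret_push_protection_enabled: ...)`.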
+++ b/ee/spec/models/project_security_setting_spec.rb @@ -47,7 +47,7 @@ end end - describe '#set_pre_receive_secret_detection' do + describe '#set_secret_push_protection' do where(:value_before, :enabled, :value_after) do true | false | false true | true | true @@ -56,11 +56,11 @@ end with_them do - let(:setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: value_before) } + let(:setting) { create(:project_security_setting, secret_push_protection_enabled: value_before) } it 'updates the attribute and returns the new value' do - expect(setting.set_pre_receive_secret_detection!(enabled: enabled)).to eq(value_after) - expect(setting.reload.pre_receive_secret_detection_enabled).to eq(value_after) + expect(setting.set_secret_push_protection!(enabled: enabled)).to eq(value_after) + expect(setting.reload.secret_push_protection_enabled).to eq(value_after) end end end diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index ce737440e5976d..594c97a5735059 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb 
@@ -4358,21 +4358,21 @@ def create_member_role(member, abilities = member_role_abilities) end end - describe 'enable_pre_receive_secret_detection' do + describe 'enable_secret_push_protection' do using RSpec::Parameterized::TableSyntax where(:current_user, :licensed, :match_expected_result) do - ref(:owner) | true | be_allowed(:enable_pre_receive_secret_detection) - ref(:maintainer) | true | be_allowed(:enable_pre_receive_secret_detection) - ref(:developer) | true | be_disallowed(:enable_pre_receive_secret_detection) - ref(:owner) | false | be_disallowed(:enable_pre_receive_secret_detection) - ref(:maintainer) | false | be_disallowed(:enable_pre_receive_secret_detection) - ref(:developer) | false | be_disallowed(:enable_pre_receive_secret_detection) + ref(:owner) | true | be_allowed(:enable_secret_push_protection) + ref(:maintainer) | true | be_allowed(:enable_secret_push_protection) + ref(:developer) | true | be_disallowed(:enable_secret_push_protection) + ref(:owner) | false | be_disallowed(:enable_secret_push_protection) + ref(:maintainer) | false | be_disallowed(:enable_secret_push_protection) + ref(:developer) | false | be_disallowed(:enable_secret_push_protection) end with_them do before do - stub_licensed_features(pre_receive_secret_detection: licensed) + stub_licensed_features(secret_push_protection: licensed) end it { is_expected.to match_expected_result } @@ -4381,7 +4381,7 @@ def create_member_role(member, abilities = member_role_abilities) describe 'when the group does not have the correct license' do let(:current_user) { owner } - it { is_expected.to be_disallowed(:enable_pre_receive_secret_detection) } + it { is_expected.to be_disallowed(:enable_secret_push_protection) } end end diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb index 3d34a18de58007..5d6008e0fca259 100644 --- a/ee/spec/policies/project_policy_spec.rb +++ b/ee/spec/policies/project_policy_spec.rb 
@@ -4664,4 +4664,23 @@ def create_member_role(member, abilities = member_role_abilities) end end end + + describe 'read_secret_push_protection_info' do + where(:current_user, :match_expected_result) do + ref(:owner) | be_allowed(:read_secret_push_protection_info) + ref(:maintainer) | be_allowed(:read_secret_push_protection_info) + ref(:developer) | be_allowed(:read_secret_push_protection_info) + ref(:planner) | be_disallowed(:read_secret_push_protection_info) + ref(:guest) | be_disallowed(:read_secret_push_protection_info) + ref(:non_member) | be_disallowed(:read_secret_push_protection_info) + end + + with_them do + before do + stub_licensed_features(secret_push_protection: true) + end + + it { is_expected.to match_expected_result } + end + end end diff --git a/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb b/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb index f5aa7d79d0b640..bec53708631052 100644 --- a/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb +++ b/ee/spec/presenters/ee/projects/security/configuration_presenter_spec.rb @@ -22,8 +22,8 @@ expect(result[:container_scanning_for_registry_enabled]).to eq(false) end - it 'includes a default value for pre_receive_secret_detection_enabled' do - expect(result[:pre_receive_secret_detection_enabled]).to eq(false) + it 'includes a default value for secret_push_protection_enabled' do + expect(result[:secret_push_protection_enabled]).to eq(false) end end diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb index 33ac8d05f55933..7ca37ea31bf542 100644 --- a/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/security/configuration/set_group_secret_push_protection_spec.rb 
@@ -27,7 +27,7 @@ context 'with group' do before do allow(::Security::Configuration::SetGroupSecretPushProtectionWorker).to receive(:perform_async) - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end # user is not a member of the group at all, so they're got an unauthorized error diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb index 21b294fe1ee35a..37054013c97e87 100644 --- a/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb @@ -7,8 +7,8 @@ include GraphqlHelpers let(:current_user) { create(:user) } - let(:security_setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: value_before) } - let(:mutation_name) { :set_pre_receive_secret_detection } + let(:security_setting) { create(:project_security_setting, secret_push_protection_enabled: value_before) } + let(:mutation_name) { :set_secret_push_protection } let(:value_before) { false } let(:enable) { true } @@ -25,7 +25,7 @@ before do stub_licensed_features( - pre_receive_secret_detection: true + secret_push_protection: true ) end @@ -34,7 +34,7 @@ it 'does not enable pre receive secret detection' do expect { post_graphql_mutation(mutation, current_user: current_user) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end 
@@ -57,21 +57,21 @@ response = graphql_mutation_response(mutation_name) expect(response).to include({ 'preReceiveSecretDetectionEnabled' => value_after, 'errors' => [] }) - expect(security_setting.reload.pre_receive_secret_detection_enabled).to eq(value_after) + expect(security_setting.reload.secret_push_protection_enabled).to eq(value_after) end end end context 'when Secret Push Protection is not available for the project' do before do - stub_licensed_features(pre_receive_secret_detection: false) + stub_licensed_features(secret_push_protection: false) end it_behaves_like 'a mutation that returns a top-level access error' it 'does not enable pre receive secret detection' do expect { post_graphql_mutation(mutation, current_user: current_user) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end end @@ -91,7 +91,7 @@ it 'does not enable pre receive secret detection' do expect { post_graphql_mutation(mutation, current_user: current_user) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end @@ -99,7 +99,7 @@ before do group.add_maintainer(current_user) stub_licensed_features( - pre_receive_secret_detection: true + secret_push_protection: true ) end diff --git a/ee/spec/requests/api/project_security_settings_spec.rb b/ee/spec/requests/api/project_security_settings_spec.rb index 739df49fd589b8..fdc09952ee75fd 100644 --- a/ee/spec/requests/api/project_security_settings_spec.rb +++ b/ee/spec/requests/api/project_security_settings_spec.rb @@ -20,7 +20,7 @@ context 'when user is authenticated' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end it 'returns project security settings when the user has at least the Developer role' do 
@@ -59,20 +59,20 @@ context 'when user is authenticated' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end it 'updates project security settings for users with Maintainer role' do project.add_maintainer(user) - put api(url, user), params: { pre_receive_secret_detection_enabled: true } + put api(url, user), params: { secret_push_protection_enabled: true } expect(response).to have_gitlab_http_status(:ok) - expect(json_response['pre_receive_secret_detection_enabled']).to be(true) + expect(json_response['secret_push_protection_enabled']).to be(true) end it 'returns 401 Unauthorized for users with Developer role' do project.add_developer(user) - put api(url, user), params: { pre_receive_secret_detection_enabled: true } + put api(url, user), params: { secret_push_protection: true } expect(response).to have_gitlab_http_status(:unauthorized) end diff --git a/ee/spec/requests/api/settings_spec.rb b/ee/spec/requests/api/settings_spec.rb index c0cb2cd5430ce8..70f5c83bb11c3d 100644 --- a/ee/spec/requests/api/settings_spec.rb +++ b/ee/spec/requests/api/settings_spec.rb @@ -356,9 +356,9 @@ it_behaves_like 'settings for licensed features' end - context 'pre_receive_secret_detection_enabled' do - let(:settings) { { pre_receive_secret_detection_enabled: true } } - let(:feature) { :pre_receive_secret_detection } + context 'secret_push_protection_enabled' do + let(:settings) { { secret_push_protection_enabled: true } } + let(:feature) { :secret_push_protection } it_behaves_like 'settings for licensed features' end diff --git a/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb b/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb index e6edc23f612c90..13dbcc4e3fcf39 100644 --- a/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb 
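Review bot: The Developer-role example now sends `params: { secret_push_protection: true }`, but the endpoint declares `requires :secret_push_protection_enabled`, so Grape presumably rejects the request with 400 before the `unauthorized!` check is reached; the example either fails or, if it somehow passes, no longer proves that a Developer is denied on a well-formed request. It should send the same parameter as the Maintainer example: `put api(url, user), params: { secret_push_protection_enabled: true }`. Separately, the expected status for an authenticated user lacking permission is conventionally 403, so `unauthorized!` / `:unauthorized` here is worth a second look, though that predates this commit.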
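Review bot: In the settings API spec the context `'secret_push_protection_enabled'` sets `let(:settings) { { secret_push_protection_enabled: true } }`, but the application-setting attribute renamed in this commit is `secret_push_protection_available` (see the admin controller spec and the API entity); the `settings for licensed features` shared example is therefore exercised with an attribute the settings API does not expose. It should be `let(:settings) { { secret_push_protection_available: true } }`, with the context name updated to match. The shared example's body is outside this chunk, so whether it fails loudly or passes vacuously cannot be confirmed here.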
+++ b/ee/spec/requests/projects/security/secret_detection_configuration_controller_spec.rb @@ -10,7 +10,7 @@ describe 'GET #show' do before do - stub_licensed_features(security_dashboard: true, pre_receive_secret_detection: true) + stub_licensed_features(security_dashboard: true, secret_push_protection: true) login_as(user) end @@ -43,7 +43,7 @@ context 'when feature is not available' do context "when license doesn't support the feature" do before do - stub_licensed_features(pre_receive_secret_detection: false) + stub_licensed_features(secret_push_protection: false) end before_all do diff --git a/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb b/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb index aa421aa84386b9..dc2715f589cf01 100644 --- a/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb +++ b/ee/spec/services/security/configuration/set_group_secret_push_protection_service_spec.rb @@ -30,12 +30,12 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro security_setting = project.security_setting boolean_values.each do |enable_value| - expect { execute_service(subject: top_level_group, enable: enable_value, excluded_projects_ids: nil) } - .to change { security_setting.reload.pre_receive_secret_detection_enabled } - .from(!enable_value).to(enable_value) + expect { execute_service(subject: top_level_group, enable: enable_value) }.to change { + security_setting.reload.secret_push_protection_enabled + }.from(!enable_value).to(enable_value) expect { execute_service(subject: top_level_group, enable: enable_value) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end end 
@@ -49,17 +49,17 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro it 'doesnt change the attribute for projects in excluded list' do security_setting = excluded_project.security_setting expect { execute_service(subject: top_level_group) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } expect { execute_service(subject: mid_level_group, enable: false) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } end it 'rolls back changes when an error occurs' do initial_values = projects_to_change.map do |project| - project.security_setting.pre_receive_secret_detection_enabled + project.security_setting.secret_push_protection_enabled end call_counter = 0 @@ -78,7 +78,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro projects_to_change.each_with_index do |project, index| project.reload - expect(project.security_setting.pre_receive_secret_detection_enabled).to eq(initial_values[index]) + expect(project.security_setting.secret_push_protection_enabled).to eq(initial_values[index]) end end @@ -141,7 +141,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro bottom_level_group_project.reload.security_setting }.from(nil).to(be_a(ProjectSecuritySetting)) - expect(bottom_level_group_project.reload.security_setting.pre_receive_secret_detection_enabled) + expect(bottom_level_group_project.reload.security_setting.secret_push_protection_enabled) .to be(true) expect(AuditEvent.last.details[:custom_message]).to eq( "Secret push protection has been enabled for group #{bottom_level_group.name} and all of its inherited \ 
@@ -153,7 +153,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro context 'when arguments are invalid' do it 'does not change the attribute' do expect { execute_service(subject: top_level_group, enable: nil) } - .not_to change { top_level_group_project.reload.security_setting.pre_receive_secret_detection_enabled } + .not_to change { top_level_group_project.reload.security_setting.secret_push_protection_enabled } end end end diff --git a/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb b/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb index 2047f9602bf631..30055e5e98d523 100644 --- a/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb +++ b/ee/spec/services/security/configuration/set_project_secret_push_protection_service_spec.rb @@ -19,19 +19,19 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro it 'changes the attribute' do security_setting = project_2.security_setting expect { execute_service(subject: project_2) }.to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled }.from(false).to(true) expect { execute_service(subject: project_2) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } expect { execute_service(subject: project_2, enable: false) }.to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled }.from(true).to(false) expect { execute_service(subject: project_2, enable: false) }.not_to change { - security_setting.reload.pre_receive_secret_detection_enabled + security_setting.reload.secret_push_protection_enabled } end 
@@ -81,7 +81,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro .to change { project_without_security_setting.reload.security_setting } .from(nil).to(be_a(ProjectSecuritySetting)) - expect(project_without_security_setting.reload.security_setting.pre_receive_secret_detection_enabled) + expect(project_without_security_setting.reload.security_setting.secret_push_protection_enabled) .to be(true) expect(AuditEvent.last.details[:custom_message]).to eq("Secret push protection has been enabled") @@ -92,7 +92,7 @@ def execute_service(subject:, enable: true, excluded_projects_ids: [excluded_pro context 'when arguments are invalid' do it 'does not change the attribute' do expect { execute_service(subject: project_2, enable: nil) } - .not_to change { project_2.reload.security_setting.pre_receive_secret_detection_enabled } + .not_to change { project_2.reload.security_setting.secret_push_protection_enabled } end end end diff --git a/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb b/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb index cba77e9541a000..735be582e10b60 100644 --- a/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb +++ b/ee/spec/services/security/configuration/set_secret_push_protection_base_service_spec.rb @@ -13,7 +13,7 @@ allow(service).to receive_messages(valid_request?: true, subject_project_ids: [project_1.id], audit: nil) expect { service.execute }.to change { - project_1.security_setting.reload.pre_receive_secret_detection_enabled + project_1.security_setting.reload.secret_push_protection_enabled }.from(false).to(true) expect(service.execute).to be(true) end 
@@ -24,7 +24,7 @@ allow(service).to receive_messages(valid_request?: false, subject_project_ids: [project_1.id], audit: nil) expect { service.execute }.not_to change { - project_1.security_setting.reload.pre_receive_secret_detection_enabled + project_1.security_setting.reload.secret_push_protection_enabled } expect(service.execute).to be_nil end diff --git a/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb b/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb index c79b71825d48bd..8466974ef5d516 100644 --- a/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb +++ b/ee/spec/services/security/configuration/set_secret_push_protection_service_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Security::Configuration::SetSecretPushProtectionService, feature_category: :secret_detection do describe '#execute' do - let_it_be(:security_setting) { create(:project_security_setting, pre_receive_secret_detection_enabled: false) } + let_it_be(:security_setting) { create(:project_security_setting, secret_push_protection_enabled: false) } let_it_be(:current_user) { create(:user, :admin) } let_it_be(:project) { security_setting.project } 
@@ -17,15 +17,15 @@ it 'changes the attribute' do expect { described_class.execute(current_user: current_user, project: project, enable: true) } - .to change { security_setting.reload.pre_receive_secret_detection_enabled } + .to change { security_setting.reload.secret_push_protection_enabled } .from(false).to(true) expect { described_class.execute(current_user: current_user, project: project, enable: true) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } expect { described_class.execute(current_user: current_user, project: project, enable: false) } - .to change { security_setting.reload.pre_receive_secret_detection_enabled } + .to change { security_setting.reload.secret_push_protection_enabled } .from(true).to(false) expect { described_class.execute(current_user: current_user, project: project, enable: false) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end context 'when security_setting record does not yet exist' do @@ -51,7 +51,7 @@ end context 'when attribute changes from true to false' do - let(:security_setting2) { create(:project_security_setting, pre_receive_secret_detection_enabled: true) } + let(:security_setting2) { create(:project_security_setting, secret_push_protection_enabled: true) } let(:project2) { security_setting2.project } it 'creates an audit event with the correct message' do @@ -70,7 +70,7 @@ it 'does not change the attribute' do expect { described_class.execute(current_user: current_user, project: project, enable: nil) } - .not_to change { security_setting.reload.pre_receive_secret_detection_enabled } + .not_to change { security_setting.reload.secret_push_protection_enabled } end end end 
diff --git a/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb b/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb index c0d327eb87359a..55862cb78fa336 100644 --- a/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb +++ b/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb @@ -14,7 +14,7 @@ assign(:application_setting, app_settings) allow(view).to receive(:current_user).and_return(user) - stub_licensed_features(pre_receive_secret_detection: feature_available) + stub_licensed_features(secret_push_protection: feature_available) end shared_examples 'renders pre receive secret detection setting' do diff --git a/lib/gitlab/security/features.rb b/lib/gitlab/security/features.rb index 32abe9acbc7b19..a623dcfba5cb40 100644 --- a/lib/gitlab/security/features.rb +++ b/lib/gitlab/security/features.rb @@ -87,14 +87,14 @@ def self.data 'user/application_security/container_scanning/index.md', anchor: 'container-scanning-for-registry'), type: 'container_scanning_for_registry' }, - pre_receive_secret_detection: { + secret_push_protection: { name: _('Secret push protection'), description: _('Block secrets such as keys and API tokens from being pushed to your repositories. ' \ 'Secret push protection is triggered when commits are pushed to a repository. ' \ 'If any secrets are detected, the push is blocked.'), help_path: Gitlab::Routing.url_helpers.help_page_path( 'user/application_security/secret_detection/secret_push_protection/index.md'), - type: 'pre_receive_secret_detection' + type: 'secret_push_protection' }, secret_detection: { name: _('Pipeline Secret Detection'), diff --git a/qa/qa/page/project/secure/configuration_form.rb b/qa/qa/page/project/secure/configuration_form.rb index 762b4566641503..6fa0f921df5ea7 100644 --- a/qa/qa/page/project/secure/configuration_form.rb +++ b/qa/qa/page/project/secure/configuration_form.rb 
@@ -59,11 +59,11 @@ def has_false_dependency_scanning_status? end def has_true_secret_detection_status? - has_element?('feature-status', feature: 'pre_receive_secret_detection_true_status') + has_element?('feature-status', feature: 'secret_push_protection_true_status') end def has_false_secret_detection_status? - has_element?('feature-status', feature: 'pre_receive_secret_detection_false_status') + has_element?('feature-status', feature: 'secret_push_protection_false_status') end def has_auto_devops_container? diff --git a/scripts/cells/application-settings-analysis.rb b/scripts/cells/application-settings-analysis.rb index 7b82bd7073cc87..5b1562af8b12cf 100755 --- a/scripts/cells/application-settings-analysis.rb +++ b/scripts/cells/application-settings-analysis.rb @@ -182,7 +182,7 @@ class ApplicationSetting < ApplicationSettingPrototype pipeline_limit_per_project_user_sha plantuml_enabled plantuml_url - pre_receive_secret_detection_enabled + secret_push_protection_available product_analytics_data_collector_host product_analytics_enabled productivity_analytics_start_date diff --git a/spec/lib/gitlab/security/scan_configuration_spec.rb b/spec/lib/gitlab/security/scan_configuration_spec.rb index 159096df4bca23..a844ae7899e01e 100644 --- a/spec/lib/gitlab/security/scan_configuration_spec.rb +++ b/spec/lib/gitlab/security/scan_configuration_spec.rb 
@@ -137,13 +137,13 @@ help_path: "/help/user/application_security/container_scanning/index.md", configuration_help_path: "/help/user/application_security/container_scanning/index.md#configuration", type: "container_scanning" } - :pre_receive_secret_detection | { name: _("Secret push protection"), + :secret_push_protection | { name: _("Secret push protection"), description: "Block secrets such as keys and API tokens from being pushed to your repositories. " \ "Secret push protection is triggered when commits are pushed to a repository. " \ "If any secrets are detected, the push is blocked.", help_path: Gitlab::Routing.url_helpers.help_page_path( "user/application_security/secret_detection/secret_push_protection/index.md"), - type: "pre_receive_secret_detection" } + type: "secret_push_protection" } :secret_detection | { name: "Pipeline Secret Detection", description: "Analyze your source code and Git history for secrets by using CI/CD pipelines.", help_path: "/help/user/application_security/secret_detection/pipeline/index.md", diff --git a/spec/presenters/projects/security/configuration_presenter_spec.rb b/spec/presenters/projects/security/configuration_presenter_spec.rb index 5767c9e5a4c42d..c527ea6b69687f 100644 --- a/spec/presenters/projects/security/configuration_presenter_spec.rb +++ b/spec/presenters/projects/security/configuration_presenter_spec.rb @@ -12,7 +12,7 @@ before do stub_licensed_features(licensed_scan_types.index_with { true }) - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) end describe '#to_html_data_attribute' do 
@@ -305,14 +305,14 @@ end end - describe 'pre_receive_secret_detection' do + describe 'secret_push_protection' do let_it_be(:project) { create(:project, :repository) } let(:features) { Gitlab::Json.parse(html_data[:features]) } - it 'feature includes pre_receive_secret_detection' do + it 'feature includes secret_push_protection' do skip unless Gitlab.ee? - feature = features.find { |scan| scan["type"] == 'pre_receive_secret_detection' } + feature = features.find { |scan| scan["type"] == 'secret_push_protection' } expect(feature).not_to be_nil end end -- GitLab From 0d9517e3b45352233562aea5467e44f89420a48a Mon Sep 17 00:00:00 2001 
From: Serena Fang Date: Wed, 15 Jan 2025 20:26:41 -0600 Subject: [PATCH 06/20] Rename more prsd to spp Rename more prsd to spp Rename more prsd to spp --- .../security_configuration/components/app.vue | 8 +++--- ...> secret_push_protection_feature_card.vue} | 28 +++++++++---------- .../security_configuration/constants.js | 6 ++-- .../set_pre_receive_secret_detection.graphql | 6 ---- .../set_secret_push_protection.graphql | 6 ++++ .../security_configuration/index.js | 4 +-- .../security/configuration_presenter.rb | 6 ++-- doc/api/graphql/reference/index.md | 18 ++++++------ ee/app/graphql/ee/types/mutation_type.rb | 2 +- ee/app/graphql/ee/types/project_type.rb | 7 ++++- .../set_group_secret_push_protection.rb | 2 +- ...ction.rb => set_secret_push_protection.rb} | 12 +++++--- ...haml => _secret_push_protection.html.haml} | 2 +- .../security_and_compliance.html.haml | 2 +- ee/spec/graphql/types/project_type_spec.rb | 4 +-- ....rb => set_secret_push_protection_spec.rb} | 2 +- .../admin/settings/securityandcompliance.rb | 2 +- .../components/app_spec.js | 15 ++++------ ...cret_push_protection_feature_card_spec.js} | 28 +++++++++---------- .../security_configuration/mock_data.js | 6 ++-- spec/requests/api/projects_spec.rb | 2 +- 21 files changed, 87 insertions(+), 81 deletions(-) rename app/assets/javascripts/security_configuration/components/{pre_receive_secret_detection_feature_card.vue => secret_push_protection_feature_card.vue} (85%) delete mode 100644 app/assets/javascripts/security_configuration/graphql/set_pre_receive_secret_detection.graphql create mode 100644 app/assets/javascripts/security_configuration/graphql/set_secret_push_protection.graphql rename ee/app/graphql/mutations/security/ci_configuration/{set_pre_receive_secret_detection.rb => set_secret_push_protection.rb} (74%) rename ee/app/views/admin/application_settings/{_pre_receive_secret_detection.html.haml => _secret_push_protection.html.haml} (92%) rename 
ee/spec/requests/api/graphql/mutations/security/configuration/{set_pre_receive_secret_detection_spec.rb => set_secret_push_protection_spec.rb} (96%) rename spec/frontend/security_configuration/components/{pre_receive_secret_detection_feature_card_spec.js => secret_push_protection_feature_card_spec.js} (84%) diff --git a/app/assets/javascripts/security_configuration/components/app.vue b/app/assets/javascripts/security_configuration/components/app.vue index 9a71cf5cd06d93..63afed2d4cd6d2 100644 --- a/app/assets/javascripts/security_configuration/components/app.vue +++ b/app/assets/javascripts/security_configuration/components/app.vue @@ -12,12 +12,12 @@ import { AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY, TAB_VULNERABILITY_MANAGEMENT_INDEX, i18n, - PRE_RECEIVE_SECRET_DETECTION, + SECRET_PUSH_PROTECTION, } from '../constants'; import AutoDevOpsAlert from './auto_dev_ops_alert.vue'; import AutoDevOpsEnabledAlert from './auto_dev_ops_enabled_alert.vue'; import FeatureCard from './feature_card.vue'; -import PreReceiveSecretDetectionFeatureCard from './pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from './secret_push_protection_feature_card.vue'; import TrainingProviderList from './training_provider_list.vue'; export default { @@ -26,7 +26,7 @@ export default { AutoDevOpsAlert, AutoDevOpsEnabledAlert, FeatureCard, - PreReceiveSecretDetectionFeatureCard, + SecretPushProtectionFeatureCard, GlAlert, GlLink, GlSprintf, @@ -106,7 +106,7 @@ export default { }, methods: { getComponentName(feature) { - if (feature.type === PRE_RECEIVE_SECRET_DETECTION) { + if (feature.type === SECRET_PUSH_PROTECTION) { return 'pre-receive-secret-detection-feature-card'; } if (feature.type === REPORT_TYPE_CONTAINER_SCANNING_FOR_REGISTRY) { 
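Review bot: `getComponentName` still returns `'pre-receive-secret-detection-feature-card'` when `feature.type === SECRET_PUSH_PROTECTION`, but the only card registered in this file's `components` is now `SecretPushProtectionFeatureCard`, so the dynamic component name no longer resolves and the card renders nothing (Vue logs an unknown-element warning rather than throwing). The return value needs to follow the rename: `return 'secret-push-protection-feature-card';`. The app_spec.js hunk later in this patch asserts that the card exists, so this should surface in the suite unless it is corrected in a later commit of the series. The body of `getComponentName` continues past the end of the hunk.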
diff --git a/app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue similarity index 85% rename from app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue rename to app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue index 6552c34a79726f..d05000cf672994 100644 --- a/app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue +++ b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue @@ -9,11 +9,11 @@ import { GlButton, GlTooltipDirective, } from '@gitlab/ui'; -import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; +import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_secret_push_protection.graphql'; import { __, s__ } from '~/locale'; export default { - name: 'PreReceiveSecretDetectionFeatureCard', + name: 'SecretPushProtectionFeatureCard', components: { GlCard, GlIcon, @@ -27,8 +27,8 @@ export default { GlTooltip: GlTooltipDirective, }, inject: [ - 'preReceiveSecretDetectionAvailable', - 'preReceiveSecretDetectionEnabled', + 'secretPushProtectionAvailable', + 'secretPushProtectionEnabled', 'userIsProjectAdmin', 'projectFullPath', 'secretDetectionConfigurationPath', @@ -41,7 +41,7 @@ export default { }, data() { return { - toggleValue: this.preReceiveSecretDetectionEnabled, + toggleValue: this.secretPushProtectionEnabled, errorMessage: '', isAlertDismissed: false, }; 
@@ -73,13 +73,13 @@ export default { }; }, isToggleDisabled() { - return !this.preReceiveSecretDetectionAvailable || !this.userIsProjectAdmin; + return !this.secretPushProtectionAvailable || !this.userIsProjectAdmin; }, showLock() { return this.isToggleDisabled && this.available; }, featureLockDescription() { - if (!this.preReceiveSecretDetectionAvailable) { + if (!this.secretPushProtectionAvailable) { return this.$options.i18n.tooltipDescription; } if (!this.userIsProjectAdmin) { @@ -96,10 +96,10 @@ export default { this.errorMessage = error; this.isAlertDismissed = false; }, - async togglePreReceiveSecretDetection(checked) { + async toggleSecretPushProtection(checked) { try { const { data } = await this.$apollo.mutate({ - mutation: ProjectSetPreReceiveSecretDetection, + mutation: ProjectSetSecretPushProtection, variables: { input: { namespacePath: this.projectFullPath, @@ -108,15 +108,15 @@ export default { }, }); - const { errors, preReceiveSecretDetectionEnabled } = data.setPreReceiveSecretDetection; + const { errors, secretPushProtectionEnabled } = data.setSecretPushProtection; if (errors.length > 0) { this.reportError(errors[0].message); } - if (preReceiveSecretDetectionEnabled !== null) { - this.toggleValue = preReceiveSecretDetectionEnabled; + if (secretPushProtectionEnabled !== null) { + this.toggleValue = secretPushProtectionEnabled; this.$toast.show( - preReceiveSecretDetectionEnabled + secretPushProtectionEnabled ? this.$options.i18n.toastMessageEnabled : this.$options.i18n.toastMessageDisabled, ); 
@@ -203,7 +203,7 @@ export default { :value="toggleValue" :label="s__('SecurityConfiguration|Toggle secret push protection')" label-position="hidden" - @change="togglePreReceiveSecretDetection" + @change="toggleSecretPushProtection" /> { containerScanningForRegistryEnabled, secretDetectionConfigurationPath, ...parseBooleanDataAttributes(el, [ - 'preReceiveSecretDetectionAvailable', - 'preReceiveSecretDetectionEnabled', + 'secretPushProtectionAvailable', + 'secretPushProtectionEnabled', 'userIsProjectAdmin', ]), }, diff --git a/app/presenters/projects/security/configuration_presenter.rb b/app/presenters/projects/security/configuration_presenter.rb index b1a0dd63c02d42..8d81c2f2ad7364 100644 --- a/app/presenters/projects/security/configuration_presenter.rb +++ b/app/presenters/projects/security/configuration_presenter.rb @@ -65,9 +65,9 @@ def features scans << scan(:dast_profiles, configured: true) # Add pre-receive before secret detection - if project.licensed_feature_available?(:pre_receive_secret_detection) + if project.licensed_feature_available?(:secret_push_protection) secret_detection_index = scans.index { |scan| scan[:type] == :secret_detection } || -1 - scans.insert(secret_detection_index, scan(:pre_receive_secret_detection, configured: true)) + scans.insert(secret_detection_index, scan(:secret_push_protection, configured: true)) end scans @@ -103,7 +103,7 @@ def project_settings end def container_scanning_for_registry_enabled; end - def pre_receive_secret_detection_enabled; end + def secret_push_protection_enabled; end def secret_detection_configuration_path; end end end diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 1453ff25e2a8a8..0edced19f1a389 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
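Review bot: `project.licensed_feature_available?(:secret_push_protection)` in configuration_presenter.rb depends on the licensed-feature catalog exposing the new key, and that catalog is not part of this diff; if its entry is still named `pre_receive_secret_detection`, the check silently returns false and the secret push protection card disappears from every project's configuration page with no error or log line. Please confirm the license feature list is renamed in the same change (the spec hunks in this series already stub `secret_push_protection: true`, so they would not catch a mismatch). The comment above the condition, `# Add pre-receive before secret detection`, is now stale and should read `# Add secret push protection before pipeline secret detection`. The enclosing `features` method starts before the hunk.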
@@ -10005,27 +10005,28 @@ Input type: `SetGroupSecretPushProtectionInput` | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | | `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | -### `Mutation.setPreReceiveSecretDetection` +### `Mutation.setSecretPushProtection` Enable/disable secret push protection for the given project. -Input type: `SetPreReceiveSecretDetectionInput` +Input type: `SetSecretPushProtectionInput` #### Arguments | Name | Type | Description | | ---- | ---- | ----------- | -| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | -| `enable` | [`Boolean!`](#boolean) | Desired status for secret push protection feature. | -| `namespacePath` | [`ID!`](#id) | Full path of the namespace (project). | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `enable` | [`Boolean!`](#boolean) | Desired status for secret push protection feature. | +| `namespacePath` | [`ID!`](#id) | Full path of the namespace (project). | #### Fields | Name | Type | Description | | ---- | ---- | ----------- | -| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | -| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | -| `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | +| `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | ### `Mutation.starProject` 
@@ -32596,6 +32597,7 @@ Project-level settings for product analytics provider. | `requirementStatesCount` | [`RequirementStatesCount`](#requirementstatescount) | Number of requirements for the project by their state. | | `sastCiConfiguration` | [`SastCiConfiguration`](#sastciconfiguration) | SAST CI configuration for the project. | | `savedReplies` | [`ProjectSavedReplyConnection`](#projectsavedreplyconnection) | Saved replies available to the project. (see [Connections](#connections)) | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Indicates whether Secret Push Protection is on or not for the project. | | `securityDashboardPath` | [`String`](#string) | Path to project's security dashboard. | | `securityPolicyProject` | [`Project`](#project) | Security policy project assigned to the project, absent if assigned to a parent group. | | `securityPolicyProjectLinkedNamespaces` **{warning-solid}** | [`NamespaceConnection`](#namespaceconnection) | **Deprecated** in GitLab 17.4. This was renamed. Use: `security_policy_project_linked_groups`. | diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb index b857ec8ea9aa9f..8fadaab9b2a8af 100644 --- a/ee/app/graphql/ee/types/mutation_type.rb +++ b/ee/app/graphql/ee/types/mutation_type.rb @@ -197,7 +197,7 @@ def self.authorization_scopes reason: 'CVS has been enabled permanently. See [this ' \ 'epic](https://gitlab.com/groups/gitlab-org/-/epics/11474) for more information' } - mount_mutation ::Mutations::Security::CiConfiguration::SetPreReceiveSecretDetection + mount_mutation ::Mutations::Security::CiConfiguration::SetSecretPushProtection mount_mutation ::Mutations::Security::CiConfiguration::SetGroupSecretPushProtection mount_mutation ::Mutations::Security::CiConfiguration::SetContainerScanningForRegistry mount_mutation ::Mutations::AuditEvents::Instance::GoogleCloudLoggingConfigurations::Destroy 
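Review bot: Swapping `mount_mutation ::Mutations::Security::CiConfiguration::SetPreReceiveSecretDetection` for `SetSecretPushProtection` in mutation_type.rb removes the `setPreReceiveSecretDetection` mutation from the schema outright, since the old class is renamed in a later hunk, so any API client or automation still calling the old name fails with a schema error instead of passing through a deprecation window. The mutation mounted just above this one in the hunk shows the pattern for the alternative: keep the old name mounted with a `deprecated: { reason: ..., milestone: '<MILESTONE>' }` declaration pointing at `setSecretPushProtection`, as the old `preReceiveSecretDetectionEnabled` field is kept alongside the new one in project_type.rb. If dropping the old mutation without a deprecation period is intentional, the commit message should say so.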
diff --git a/ee/app/graphql/ee/types/project_type.rb b/ee/app/graphql/ee/types/project_type.rb index c69bda1c54ec06..a8e40694e106c4 100644 --- a/ee/app/graphql/ee/types/project_type.rb +++ b/ee/app/graphql/ee/types/project_type.rb @@ -386,7 +386,12 @@ module ProjectType field :pre_receive_secret_detection_enabled, GraphQL::Types::Boolean, null: true, description: 'Indicates whether Secret Push Protection is on or not for the project.', - authorize: :read_pre_receive_secret_detection_info + authorize: :read_secret_push_protection_info + + field :secret_push_protection_enabled, GraphQL::Types::Boolean, # duplicating the field for now + null: true, + description: 'Indicates whether Secret Push Protection is on or not for the project.', + authorize: :read_secret_push_protection_info field :prevent_merge_without_jira_issue_enabled, GraphQL::Types::Boolean, null: false, diff --git a/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb b/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb index fb2191512661ec..72e56e9050ef25 100644 --- a/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb +++ b/ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb @@ -20,7 +20,7 @@ class SetGroupSecretPushProtection < BaseMutation argument :projects_to_exclude, [GraphQL::Types::Int], required: false, description: 'IDs of projects to exclude from the feature.' - authorize :enable_pre_receive_secret_detection + authorize :enable_secret_push_protection def resolve(namespace_path:, secret_push_protection_enabled:, projects_to_exclude: []) group = authorized_find!(group_path: namespace_path) 
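Review bot: The retained `field :pre_receive_secret_detection_enabled` in project_type.rb gets no `deprecated:` declaration, and the inline `# duplicating the field for now` on the new field is the only record of the intent, which schema consumers and the generated reference docs cannot see. Mark the old field with `deprecated: { reason: 'Use secretPushProtectionEnabled', milestone: '<MILESTONE>' }` and drop the inline comment. The switch to `authorize: :read_secret_push_protection_info` here, and to `authorize :enable_secret_push_protection` in set_group_secret_push_protection.rb and in set_secret_push_protection.rb on the next line, presumes the matching ProjectPolicy/GroupPolicy abilities are renamed as well; the policies are not in this diff, and an ability that no policy defines presumably fails closed, so the feature would become unreachable rather than over-exposed, but that should be verified before merge. If the old field resolved through a project-type method of the same name, the new field needs a `secret_push_protection_enabled` resolver too; that method is outside the hunk.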
diff --git a/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb b/ee/app/graphql/mutations/security/ci_configuration/set_secret_push_protection.rb similarity index 74% rename from ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb rename to ee/app/graphql/mutations/security/ci_configuration/set_secret_push_protection.rb index 0332a226cd6a31..2b9851850c5476 100644 --- a/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb +++ b/ee/app/graphql/mutations/security/ci_configuration/set_secret_push_protection.rb @@ -3,8 +3,8 @@ module Mutations module Security module CiConfiguration - class SetPreReceiveSecretDetection < BaseMutation - graphql_name 'SetPreReceiveSecretDetection' + class SetSecretPushProtection < BaseMutation + graphql_name 'SetSecretPushProtection' include ResolvesProject @@ -24,7 +24,11 @@ class SetPreReceiveSecretDetection < BaseMutation null: true, description: 'Whether the feature is enabled.' - authorize :enable_pre_receive_secret_detection + field :secret_push_protection_enabled, GraphQL::Types::Boolean, + null: true, + description: 'Whether the feature is enabled.' + + authorize :enable_secret_push_protection def resolve(namespace_path:, enable:) project = authorized_find!(project_path: namespace_path) @@ -32,7 +36,7 @@ def resolve(namespace_path:, enable:) response = ::Security::Configuration::SetSecretPushProtectionService .execute(current_user: current_user, project: project, enable: enable) - { pre_receive_secret_detection_enabled: response.payload[:enabled], errors: response.errors } + { secret_push_protection_enabled: response.payload[:enabled], errors: response.errors } end private 
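Review bot: `resolve` now returns only `secret_push_protection_enabled:` in its hash, but the mutation still declares the old `pre_receive_secret_detection_enabled` field (its `null: true, description: 'Whether the feature is enabled.'` tail is the context directly above the new field), so clients that still select `preReceiveSecretDetectionEnabled` silently receive `null` instead of the real state during the transition. Return the value under both keys until the old field is removed: `{ pre_receive_secret_detection_enabled: response.payload[:enabled], secret_push_protection_enabled: response.payload[:enabled], errors: response.errors }`. The old field should also carry a `deprecated:` declaration rather than coexisting undocumented with the new one. The class body continues outside both hunks.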
diff --git a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml b/ee/app/views/admin/application_settings/_secret_push_protection.html.haml similarity index 92% rename from ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml rename to ee/app/views/admin/application_settings/_secret_push_protection.html.haml index 956404ffbc5f79..250e4dd4ccc027 100644 --- a/ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml +++ b/ee/app/views/admin/application_settings/_secret_push_protection.html.haml @@ -4,7 +4,7 @@ %fieldset .form-group.gl-mb-0 = f.label :secret_push_protection_available, s_('AdminSettings|Secret Push Protection'), class: 'label-bold' - %span.form-text.gl-mt-0.gl-mb-3#pre_receive_secret_detection-help + %span.form-text.gl-mt-0.gl-mb-3#secret_push_protection-help = _('Prevent secrets such as keys and API tokens from being committed to any repository in this GitLab instance.') = f.gitlab_ui_checkbox_component :secret_push_protection_available, _('Allow secret push protection'), help_text: _('Allow projects to enable secret push protection. This does not enable secret push protection.'), checkbox_options: { data: { testid: 'secret-push-protection-checkbox' } } = f.submit _('Save changes'), pajamas_button: true diff --git a/ee/app/views/admin/application_settings/security_and_compliance.html.haml b/ee/app/views/admin/application_settings/security_and_compliance.html.haml index 40dd1cd41a474c..a5e4d22fc3e466 100644 --- a/ee/app/views/admin/application_settings/security_and_compliance.html.haml +++ b/ee/app/views/admin/application_settings/security_and_compliance.html.haml @@ -21,4 +21,4 @@ - c.with_description do = _('Manage secret detection behavior for all projects in your GitLab instance') - c.with_body do - = render 'pre_receive_secret_detection' + = render 'secret_push_protection' 
diff --git a/ee/spec/graphql/types/project_type_spec.rb b/ee/spec/graphql/types/project_type_spec.rb index 4b46996c0d29cd..1730444e1a6b2f 100644 --- a/ee/spec/graphql/types/project_type_spec.rb +++ b/ee/spec/graphql/types/project_type_spec.rb @@ -107,7 +107,7 @@ %( query { project(fullPath: "#{project.full_path}") { - preReceiveSecretDetectionEnabled + secretPushProtectionEnabled } } ) @@ -116,7 +116,7 @@ subject(:response) { GitlabSchema.execute(query, context: { current_user: user }).as_json } it 'returns the expected secret_push_protection_enabled value' do - secret_push_protection_enabled = response.dig('data', 'project', 'preReceiveSecretDetectionEnabled') + secret_push_protection_enabled = response.dig('data', 'project', 'secretPushProtectionEnabled') expect(secret_push_protection_enabled).to eq(expected) end end diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb similarity index 96% rename from ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb rename to ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb index 37054013c97e87..38729b7fb9b3fc 100644 --- a/ee/spec/requests/api/graphql/mutations/security/configuration/set_pre_receive_secret_detection_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb @@ -55,7 +55,7 @@ post_graphql_mutation(mutation, current_user: current_user) response = graphql_mutation_response(mutation_name) - expect(response).to include({ 'preReceiveSecretDetectionEnabled' => value_after, 'errors' => [] }) + expect(response).to include({ 'secretPushProtectionEnabled' => value_after, 'errors' => [] }) expect(security_setting.reload.secret_push_protection_enabled).to eq(value_after) end 
diff --git a/qa/qa/ee/page/admin/settings/securityandcompliance.rb b/qa/qa/ee/page/admin/settings/securityandcompliance.rb index 2756a4a8b7aa8a..e7bebd97136ca1 100644 --- a/qa/qa/ee/page/admin/settings/securityandcompliance.rb +++ b/qa/qa/ee/page/admin/settings/securityandcompliance.rb @@ -16,7 +16,7 @@ class Securityandcompliance < QA::Page::Base element 'save-package-registry-button' end - view 'ee/app/views/admin/application_settings/_pre_receive_secret_detection.html.haml' do + view 'ee/app/views/admin/application_settings/_secret_push_protection.html.haml' do element 'secret-push-protection-checkbox' end diff --git a/spec/frontend/security_configuration/components/app_spec.js b/spec/frontend/security_configuration/components/app_spec.js index 1df91e09c7bd9d..524c571ff4bc5e 100644 --- a/spec/frontend/security_configuration/components/app_spec.js +++ b/spec/frontend/security_configuration/components/app_spec.js @@ -11,9 +11,9 @@ import AutoDevopsAlert from '~/security_configuration/components/auto_dev_ops_al import AutoDevopsEnabledAlert from '~/security_configuration/components/auto_dev_ops_enabled_alert.vue'; import { AUTO_DEVOPS_ENABLED_ALERT_DISMISSED_STORAGE_KEY } from '~/security_configuration/constants'; import FeatureCard from '~/security_configuration/components/feature_card.vue'; -import PreReceiveSecretDetectionFeatureCard from '~/security_configuration/components/pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue'; import TrainingProviderList from '~/security_configuration/components/training_provider_list.vue'; -import { securityFeaturesMock, provideMock, preReceiveSecretDetectionMock } from '../mock_data'; +import { securityFeaturesMock, provideMock, secretPushProtectionMock } from '../mock_data'; const gitlabCiHistoryPath = 'test/historyPath'; const { vulnerabilityTrainingDocsPath, projectFullPath } = provideMock; 
@@ -58,8 +58,7 @@ describe('~/security_configuration/components/app', () => { const findGlTabs = () => wrapper.findComponent(GlTabs); const findByTestId = (id) => wrapper.findByTestId(id); const findFeatureCards = () => wrapper.findAllComponents(FeatureCard); - const findPreReceiveSecretDetection = () => - wrapper.findComponent(PreReceiveSecretDetectionFeatureCard); + const findSecretPushProtection = () => wrapper.findComponent(SecretPushProtectionFeatureCard); const findTrainingProviderList = () => wrapper.findComponent(TrainingProviderList); const findManageViaMRErrorAlert = () => wrapper.findByTestId('manage-via-mr-error-alert'); const findLink = ({ href, text, container = wrapper }) => { @@ -288,7 +287,7 @@ describe('~/security_configuration/components/app', () => { describe('With pre receive secret detection', () => { beforeEach(() => { createComponent({ - augmentedSecurityFeatures: [preReceiveSecretDetectionMock], + augmentedSecurityFeatures: [secretPushProtectionMock], }); }); @@ -296,10 +295,8 @@ describe('~/security_configuration/components/app', () => { expect(findFeatureCards().length).toBe(0); }); it('renders component with correct props', () => { - expect(findPreReceiveSecretDetection().exists()).toBe(true); - expect(findPreReceiveSecretDetection().props('feature')).toEqual( - preReceiveSecretDetectionMock, - ); + expect(findSecretPushProtection().exists()).toBe(true); + expect(findSecretPushProtection().props('feature')).toEqual(secretPushProtectionMock); }); }); diff --git a/spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js similarity index 84% rename from spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js rename to spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js index f6311a977a82ca..ce584db7f1b38e 100644 
--- a/spec/frontend/security_configuration/components/pre_receive_secret_detection_feature_card_spec.js +++ b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js @@ -3,33 +3,33 @@ import { shallowMount } from '@vue/test-utils'; import VueApollo from 'vue-apollo'; import Vue from 'vue'; import { extendedWrapper } from 'helpers/vue_test_utils_helper'; -import PreReceiveSecretDetectionFeatureCard from '~/security_configuration/components/pre_receive_secret_detection_feature_card.vue'; +import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue'; import createMockApollo from 'helpers/mock_apollo_helper'; -import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; +import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_secret_push_protection.graphql'; import waitForPromises from 'helpers/wait_for_promises'; -import { preReceiveSecretDetectionMock } from '../mock_data'; +import { secretPushProtectionMock } from '../mock_data'; Vue.use(VueApollo); const setMockResponse = { data: { - setPreReceiveSecretDetection: { - preReceiveSecretDetectionEnabled: true, + setSecretPushProtection: { + secretPushProtectionEnabled: true, errors: [], }, }, }; -const feature = preReceiveSecretDetectionMock; +const feature = secretPushProtectionMock; const defaultProvide = { - preReceiveSecretDetectionAvailable: true, - preReceiveSecretDetectionEnabled: false, + secretPushProtectionAvailable: true, + secretPushProtectionEnabled: false, userIsProjectAdmin: true, projectFullPath: 'flightjs/flight', secretDetectionConfigurationPath: 'flightjs/Flight/-/security/configuration/secret_detection', }; -describe('PreReceiveSecretDetectionFeatureCard component', () => { +describe('SecretPushProtectionFeatureCard component', () => { let wrapper; let apolloProvider; let requestHandlers; 
@@ -38,16 +38,14 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { requestHandlers = { setMutationHandler: jest.fn().mockResolvedValue(setMockResponse), }; - return createMockApollo([ - [ProjectSetPreReceiveSecretDetection, requestHandlers.setMutationHandler], - ]); + return createMockApollo([[ProjectSetSecretPushProtection, requestHandlers.setMutationHandler]]); }; const createComponent = ({ props = {}, provide = {} } = {}) => { apolloProvider = createMockApolloProvider(); wrapper = extendedWrapper( - shallowMount(PreReceiveSecretDetectionFeatureCard, { + shallowMount(SecretPushProtectionFeatureCard, { propsData: { feature, ...props, @@ -134,7 +132,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { beforeEach(() => { createComponent({ provide: { - preReceiveSecretDetectionAvailable: false, + secretPushProtectionAvailable: false, }, }); }); @@ -165,7 +163,7 @@ describe('PreReceiveSecretDetectionFeatureCard component', () => { createComponent({ props: { feature: { - ...preReceiveSecretDetectionMock, + ...secretPushProtectionMock, available: false, }, }, diff --git a/spec/frontend/security_configuration/mock_data.js b/spec/frontend/security_configuration/mock_data.js index 10435aecf7e0ed..3a02aedee52c0e 100644 --- a/spec/frontend/security_configuration/mock_data.js +++ b/spec/frontend/security_configuration/mock_data.js @@ -3,7 +3,7 @@ import { SAST_SHORT_NAME, SAST_IAC_NAME, SAST_IAC_SHORT_NAME, - PRE_RECEIVE_SECRET_DETECTION, + SECRET_PUSH_PROTECTION, } from '~/security_configuration/constants'; import { helpPagePath } from '~/helpers/help_page_helper'; @@ -149,7 +149,7 @@ export const securityFeaturesMock = [ }, ]; -export const preReceiveSecretDetectionMock = { +export const secretPushProtectionMock = { name: 'Secret push protection', description: `Block secrets such as keys and API tokens from being pushed to your repositories. 'Secret push protection is triggered when commits are pushed to a repository. ' \ 
@@ -158,7 +158,7 @@ export const preReceiveSecretDetectionMock = { configurationHelpPath: helpPagePath( 'user/application_security/secret_detection/secret_push_protection/index', ), - type: PRE_RECEIVE_SECRET_DETECTION, + type: SECRET_PUSH_PROTECTION, available: true, }; diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index c8ccfa20b69fd7..da0d520a53f4b0 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -2671,7 +2671,7 @@ def request security_and_compliance_enabled issues_template merge_requests_template - pre_receive_secret_detection_enabled + secret_push_protection_enabled ] end -- GitLab From 50b9b6af15e2c26653afce5487f05e857451f54d Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Wed, 15 Jan 2025 21:20:53 -0600 Subject: [PATCH 07/20] Change spec names prsd to spp --- .../configuration/set_secret_push_protection_spec.rb | 8 ++++---- .../security_and_compliance.html.haml_spec.rb | 8 ++++---- .../security_configuration/components/app_spec.js | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb index 38729b7fb9b3fc..709500a0ac9c1f 100644 --- a/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/security/configuration/set_secret_push_protection_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe 'Setting Project Pre Receive Secret Detection', feature_category: :secret_detection do +RSpec.describe 'Setting Project Secret Push Protection', feature_category: :secret_detection do using RSpec::Parameterized::TableSyntax include GraphqlHelpers 
@@ -32,7 +32,7 @@ context 'when the user does not have permission' do it_behaves_like 'a mutation that returns a top-level access error' - it 'does not enable pre receive secret detection' do + it 'does not enable secret push protection' do expect { post_graphql_mutation(mutation, current_user: current_user) } .not_to change { security_setting.reload.secret_push_protection_enabled } end @@ -69,7 +69,7 @@ it_behaves_like 'a mutation that returns a top-level access error' - it 'does not enable pre receive secret detection' do + it 'does not enable secret push protection' do expect { post_graphql_mutation(mutation, current_user: current_user) } .not_to change { security_setting.reload.secret_push_protection_enabled } end @@ -89,7 +89,7 @@ context 'when the user does not have permission' do it_behaves_like 'a mutation that returns a top-level access error' - it 'does not enable pre receive secret detection' do + it 'does not enable secret push protection' do expect { post_graphql_mutation(mutation, current_user: current_user) } .not_to change { security_setting.reload.secret_push_protection_enabled } end diff --git a/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb b/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb index 55862cb78fa336..76b2f79d8b3da9 100644 --- a/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb +++ b/ee/spec/views/admin/application_settings/security_and_compliance.html.haml_spec.rb @@ -17,7 +17,7 @@ stub_licensed_features(secret_push_protection: feature_available) end - shared_examples 'renders pre receive secret detection setting' do + shared_examples 'renders secret push protection setting' do it do render @@ -25,7 +25,7 @@ end end - shared_examples 'does not render pre receive secret detection setting' do + shared_examples 'does not render secret push protection setting' do it do render 
@@ -36,12 +36,12 @@ describe 'feature available' do let(:feature_available) { true } - it_behaves_like 'renders pre receive secret detection setting' + it_behaves_like 'renders secret push protection setting' end describe 'feature not available' do let(:feature_available) { false } - it_behaves_like 'does not render pre receive secret detection setting' + it_behaves_like 'does not render secret push protection setting' end end diff --git a/spec/frontend/security_configuration/components/app_spec.js b/spec/frontend/security_configuration/components/app_spec.js index 524c571ff4bc5e..7f8fef23127f99 100644 --- a/spec/frontend/security_configuration/components/app_spec.js +++ b/spec/frontend/security_configuration/components/app_spec.js @@ -284,7 +284,7 @@ describe('~/security_configuration/components/app', () => { }); }); - describe('With pre receive secret detection', () => { + describe('With secret push protection', () => { beforeEach(() => { createComponent({ augmentedSecurityFeatures: [secretPushProtectionMock], -- GitLab From f8c7a8a9b61fb336bcfbdf3283e4fac57843fb2a Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Thu, 16 Jan 2025 18:50:45 -0600 Subject: [PATCH 08/20] Fix a few specs --- ee/lib/gitlab/checks/secrets_check.rb | 2 +- ee/spec/lib/gitlab/checks/secrets_check_spec.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ee/lib/gitlab/checks/secrets_check.rb b/ee/lib/gitlab/checks/secrets_check.rb index 456c11e492c838..83801da22959ca 100644 --- a/ee/lib/gitlab/checks/secrets_check.rb +++ b/ee/lib/gitlab/checks/secrets_check.rb @@ -178,7 +178,7 @@ def ruleset def run_secret_push_protection? ::Gitlab::CurrentSettings.current_application_settings.secret_push_protection_available && - project.security_setting&.secret_push_protection + project.security_setting&.secret_push_protection_enabled end def use_secret_detection_service? 
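Review bot: `run_secret_push_protection?` in the secrets_check.rb hunk returns nil rather than false when `project.security_setting` is absent, because of the `&.` on the new line, so a predicate-named method now yields three distinct values. Since this method is the gate that decides whether the push check runs at all, a one-line comment makes the opt-out explicit: `# A project without a security_setting row is treated as disabled.`. If a strict boolean is wanted, `!!(… && project.security_setting&.secret_push_protection_enabled)` pins it; the method's callers are outside the hunk, so I cannot tell whether anything distinguishes nil from false.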
diff --git a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb index 8763188a3174c2..9fcf9930880395 100644 --- a/ee/spec/lib/gitlab/checks/secrets_check_spec.rb +++ b/ee/spec/lib/gitlab/checks/secrets_check_spec.rb @@ -23,7 +23,7 @@ context 'when project setting is disabled' do before do - project.security_setting.update!(secret_push_protection_available: false) + project.security_setting.update!(secret_push_protection_enabled: false) end it_behaves_like 'skips the push check' @@ -31,7 +31,7 @@ context 'when project setting is enabled' do before do - project.security_setting.update!(secret_push_protection_available: true) + project.security_setting.update!(secret_push_protection_enabled: true) end context 'when license is not ultimate' do -- GitLab From 0d562f25fafb1da06a64ccc0221a6dfa263c4975 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Thu, 16 Jan 2025 19:45:49 -0600 Subject: [PATCH 09/20] Fix prsd to spp feature card --- .../javascripts/security_configuration/components/app.vue | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/assets/javascripts/security_configuration/components/app.vue b/app/assets/javascripts/security_configuration/components/app.vue index 63afed2d4cd6d2..079be610f27810 100644 --- a/app/assets/javascripts/security_configuration/components/app.vue +++ b/app/assets/javascripts/security_configuration/components/app.vue @@ -107,7 +107,7 @@ export default { methods: { getComponentName(feature) { if (feature.type === SECRET_PUSH_PROTECTION) { - return 'pre-receive-secret-detection-feature-card'; + return 'secret-push-protection-feature-card'; } if (feature.type === REPORT_TYPE_CONTAINER_SCANNING_FOR_REGISTRY) { return 'container-scanning-for-registry-feature-card'; -- GitLab From 1732e34f2c9428655a668a02460e8b5c5c984970 Mon Sep 17 00:00:00 2001 
From: Serena Fang Date: Fri, 17 Jan 2025 10:11:10 -0600 Subject: [PATCH 10/20] Fix settings spec --- ee/spec/requests/api/settings_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/spec/requests/api/settings_spec.rb b/ee/spec/requests/api/settings_spec.rb index 70f5c83bb11c3d..24c73217e1acb2 100644 --- a/ee/spec/requests/api/settings_spec.rb +++ b/ee/spec/requests/api/settings_spec.rb @@ -357,7 +357,7 @@ end context 'secret_push_protection_enabled' do - let(:settings) { { secret_push_protection_enabled: true } } + let(:settings) { { secret_push_protection_available: true } } let(:feature) { :secret_push_protection } it_behaves_like 'settings for licensed features' -- GitLab From 7526a64e07a19af1478986ad29efae87e6a0c525 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Fri, 17 Jan 2025 11:37:26 -0600 Subject: [PATCH 11/20] Fix group and project security settings specs --- ee/spec/requests/api/group_security_settings_spec.rb | 2 +- ee/spec/requests/api/project_security_settings_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/spec/requests/api/group_security_settings_spec.rb b/ee/spec/requests/api/group_security_settings_spec.rb index bef9faa0816271..f1d7914fe3c2e8 100644 --- a/ee/spec/requests/api/group_security_settings_spec.rb +++ b/ee/spec/requests/api/group_security_settings_spec.rb @@ -20,7 +20,7 @@ context 'when user is authenticated' do before do - stub_licensed_features(pre_receive_secret_detection: true) + stub_licensed_features(secret_push_protection: true) allow(::Security::Configuration::SetGroupSecretPushProtectionWorker).to receive(:perform_async) end diff --git a/ee/spec/requests/api/project_security_settings_spec.rb b/ee/spec/requests/api/project_security_settings_spec.rb index fdc09952ee75fd..ffe83513f17ebb 100644 --- a/ee/spec/requests/api/project_security_settings_spec.rb +++ b/ee/spec/requests/api/project_security_settings_spec.rb 
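Review bot: The context label in the settings_spec.rb hunk still reads `context 'secret_push_protection_enabled' do` while the setting it now exercises is `secret_push_protection_available`, so a failure would be reported against the wrong attribute. Rename the context to match the key it sends: `context 'secret_push_protection_available' do`.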
@@ -72,7 +72,7 @@ it 'returns 401 Unauthorized for users with Developer role' do project.add_developer(user) - put api(url, user), params: { secret_push_protection: true } + put api(url, user), params: { secret_push_protection_enabled: true } expect(response).to have_gitlab_http_status(:unauthorized) end -- GitLab From 83fca524d07d86ef93e5e73f21dfacea586000ac Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Tue, 21 Jan 2025 17:36:48 -0600 Subject: [PATCH 12/20] Add prsd enabled back to api Graphql and rest api changes Graphql and rest api changes --- doc/api/graphql/reference/index.md | 23 +++++++++ ee/app/graphql/ee/types/mutation_type.rb | 1 + .../set_pre_receive_secret_detection.rb | 49 +++++++++++++++++++ ee/lib/api/group_security_settings.rb | 6 ++- ee/lib/api/project_security_settings.rb | 12 ++++- ee/lib/ee/api/entities/application_setting.rb | 3 ++ ee/lib/ee/api/entities/project.rb | 6 +++ 7 files changed, 97 insertions(+), 3 deletions(-) create mode 100644 ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 0edced19f1a389..106418fec35dbd 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
@@ -10005,6 +10005,29 @@ Input type: `SetGroupSecretPushProtectionInput` | `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | | `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | +### `Mutation.setPreReceiveSecretDetection` + +Enable/disable secret push protection for the given project. + +Input type: `SetPreReceiveSecretDetectionInput` + +#### Arguments + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `enable` | [`Boolean!`](#boolean) | Desired status for secret push protection feature. | +| `namespacePath` | [`ID!`](#id) | Full path of the namespace (project). | + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | +| `preReceiveSecretDetectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | +| `secretPushProtectionEnabled` | [`Boolean`](#boolean) | Whether the feature is enabled. | + ### `Mutation.setSecretPushProtection` Enable/disable secret push protection for the given project. diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb index 8fadaab9b2a8af..91310873022ebd 100644 --- a/ee/app/graphql/ee/types/mutation_type.rb +++ b/ee/app/graphql/ee/types/mutation_type.rb 
@@ -198,6 +198,7 @@ def self.authorization_scopes 'epic](https://gitlab.com/groups/gitlab-org/-/epics/11474) for more information' } mount_mutation ::Mutations::Security::CiConfiguration::SetSecretPushProtection + mount_mutation ::Mutations::Security::CiConfiguration::SetPreReceiveSecretDetection mount_mutation ::Mutations::Security::CiConfiguration::SetGroupSecretPushProtection mount_mutation ::Mutations::Security::CiConfiguration::SetContainerScanningForRegistry mount_mutation ::Mutations::AuditEvents::Instance::GoogleCloudLoggingConfigurations::Destroy diff --git a/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb b/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb new file mode 100644 index 00000000000000..2a4529fa1967ab --- /dev/null +++ b/ee/app/graphql/mutations/security/ci_configuration/set_pre_receive_secret_detection.rb 
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Mutations
+ module Security
+ module CiConfiguration
+ class SetPreReceiveSecretDetection < BaseMutation
+ graphql_name 'SetPreReceiveSecretDetection'
+
+ include ResolvesProject
+
+ description <<~DESC
+ Enable/disable secret push protection for the given project.
+ DESC
+
+ argument :namespace_path, GraphQL::Types::ID,
+ required: true,
+ description: 'Full path of the namespace (project).'
+
+ argument :enable, GraphQL::Types::Boolean,
+ required: true,
+ description: 'Desired status for secret push protection feature.'
+
+ field :pre_receive_secret_detection_enabled, GraphQL::Types::Boolean,
+ null: true,
+ description: 'Whether the feature is enabled.'
+
+ field :secret_push_protection_enabled, GraphQL::Types::Boolean,
+ null: true,
+ description: 'Whether the feature is enabled.'
+
+ authorize :enable_secret_push_protection
+
+ def resolve(namespace_path:, enable:)
+ project = authorized_find!(project_path: namespace_path)
+ response = ::Security::Configuration::SetSecretPushProtectionService
+ .execute(current_user: current_user, project: project, enable: enable)
+
+ { pre_receive_secret_detection_enabled: response.payload[:enabled], errors: response.errors }
+ end
+
+ private
+
+ def find_object(project_path:)
+ resolve_project(full_path: project_path)
+ end
+ end
+ end
+ end
+end
diff --git a/ee/lib/api/group_security_settings.rb b/ee/lib/api/group_security_settings.rb
index 0627b72b096390..6a5ad05327b953 100644
--- a/ee/lib/api/group_security_settings.rb
+++ b/ee/lib/api/group_security_settings.rb
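Review bot: `resolve` in the new SetPreReceiveSecretDetection mutation returns only `pre_receive_secret_detection_enabled`, so the `secret_push_protection_enabled` field declared a few lines above it will always be null in this mutation's payload. Either drop that field from the legacy mutation or populate it as well: `{ pre_receive_secret_detection_enabled: response.payload[:enabled], secret_push_protection_enabled: response.payload[:enabled], errors: response.errors }`. Since this class only keeps the old name alive next to SetSecretPushProtection (both are mounted in the mutation_type.rb hunk earlier on this line) and the two descriptions are identical, the description here should also tell API consumers which mutation to migrate to, e.g. `Deprecated alias of setSecretPushProtection; enable/disable secret push protection for the given project.`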
@@ -26,7 +26,11 @@ def check_feature_availability tags %w[groups] end params do - requires :secret_push_protection_enabled, type: Boolean, desc: 'Whether to enable the feature' + optional :secret_push_protection_enabled, type: Boolean, + desc: 'Whether to enable the feature secret_push_protection' + optional :pre_receive_secret_detection_enabled, type: Boolean, + desc: 'Whether to enable the feature secret_push_protection' + at_least_one_of :secret_push_protection_enabled, :pre_receive_secret_detection_enabled optional :projects_to_exclude, type: Array[Integer], desc: 'IDs of projects to exclude from the feature' end put do diff --git a/ee/lib/api/project_security_settings.rb b/ee/lib/api/project_security_settings.rb index 095834140aa52e..87d1b027108baa 100644 --- a/ee/lib/api/project_security_settings.rb +++ b/ee/lib/api/project_security_settings.rb @@ -34,11 +34,19 @@ def check_feature_availability tags %w[projects] end params do - requires :secret_push_protection_enabled, type: Boolean, desc: 'Enable/disable secret push protection' + optional :secret_push_protection_enabled, type: Boolean, desc: 'Enable/disable secret push protection' + optional :pre_receive_secret_detection_enabled, type: Boolean, desc: 'Enable/disable secret push protection' + at_least_one_of :secret_push_protection_enabled, :pre_receive_secret_detection_enabled end put do unauthorized! unless can?(current_user, :manage_security_settings, user_project) - enabled = params[:secret_push_protection_enabled] + + enabled = if params.key?(:secret_push_protection_enabled) + params[:secret_push_protection_enabled] + else + params[:pre_receive_secret_detection_enabled] + end + audit_context = { name: 'project_security_setting_updated', author: current_user, diff --git a/ee/lib/ee/api/entities/application_setting.rb b/ee/lib/ee/api/entities/application_setting.rb index f04d8640261622..ba4b10a28080ba 100644 --- a/ee/lib/ee/api/entities/application_setting.rb 
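Review bot: In the project_security_settings.rb hunk, `at_least_one_of` lets a caller send both `secret_push_protection_enabled` and `pre_receive_secret_detection_enabled`, and the new `if params.key?` block then silently prefers the first, so conflicting values resolve without any error to the client. Grape's `exactly_one_of :secret_push_protection_enabled, :pre_receive_secret_detection_enabled` rejects the ambiguous request instead and removes the precedence question; the same applies to the group_security_settings.rb hunk earlier on this line, whose `put` body resolving the value is outside the hunk. The description on the legacy param should also say what it is rather than repeating the other's text: `desc: 'Deprecated alias of secret_push_protection_enabled'`.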
+++ b/ee/lib/ee/api/entities/application_setting.rb @@ -25,6 +25,9 @@ module ApplicationSetting expose :maven_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) } expose :npm_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) } expose :secret_push_protection_available, if: ->(_instance, _opts) { ::License.feature_available?(:secret_push_protection) } + expose :secret_push_protection_available, + if: ->(_instance, _opts) { ::License.feature_available?(:secret_push_protection) }, + as: :pre_receive_secret_detection_enabled expose :pypi_package_requests_forwarding, if: ->(_instance, _opts) { ::License.feature_available?(:package_forwarding) } expose :group_owners_can_manage_default_branch_protection, if: ->(_instance, _opts) { ::License.feature_available?(:default_branch_protection_restriction_in_groups) } expose :maintenance_mode, if: ->(_instance, _opts) { RegistrationFeatures::MaintenanceMode.feature_available? } diff --git a/ee/lib/ee/api/entities/project.rb b/ee/lib/ee/api/entities/project.rb index dee7833fd31faf..3bc7a648fca2be 100644 --- a/ee/lib/ee/api/entities/project.rb +++ b/ee/lib/ee/api/entities/project.rb 
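Review bot: The second `expose :secret_push_protection_available` in the application_setting.rb hunk serialises the same attribute under the legacy name `pre_receive_secret_detection_enabled` with nothing in the code saying why, and the project.rb hunk on the next line does the same for `secret_push_protection_enabled`. A comment above each keeps the next maintainer from removing what reads as an accidental duplicate: `# Deprecated alias kept for API compatibility; prefer secret_push_protection_available.` (and the `_enabled` counterpart in project.rb).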
@@ -41,6 +41,12 @@ def preload_relation(projects_relation, options = {}) expose :secret_push_protection_enabled, documentation: { type: 'boolean' }, if: ->(project, options) { Ability.allowed?(options[:current_user], :read_secret_push_protection_info, project) } do |project| project.security_setting&.secret_push_protection_enabled end + expose :secret_push_protection_enabled, + as: :pre_receive_secret_detection_enabled, + documentation: { type: 'boolean' }, + if: ->(project, options) { Ability.allowed?(options[:current_user], :read_secret_push_protection_info, project) } do |project| + project.security_setting&.secret_push_protection_enabled + end expose :compliance_frameworks do |project, _| project.compliance_management_frameworks_names end -- GitLab From 640a1e9fe6bb891b056456a354b3b9d5d93f917f Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Tue, 21 Jan 2025 22:32:47 -0600 Subject: [PATCH 13/20] Add prsd mutation back Add prsd mutation back --- .../graphql/set_pre_receive_secret_detection.graphql | 6 ++++++ ee/app/graphql/ee/types/project_type.rb | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 app/assets/javascripts/security_configuration/graphql/set_pre_receive_secret_detection.graphql diff --git a/app/assets/javascripts/security_configuration/graphql/set_pre_receive_secret_detection.graphql b/app/assets/javascripts/security_configuration/graphql/set_pre_receive_secret_detection.graphql new file mode 100644 index 00000000000000..179e6602146a25 --- /dev/null +++ b/app/assets/javascripts/security_configuration/graphql/set_pre_receive_secret_detection.graphql @@ -0,0 +1,6 @@ +mutation SetPreReceiveSecretDetection($input: SetPreReceiveSecretDetectionInput!) { + setPreReceiveSecretDetection(input: $input) { + preReceiveSecretDetectionEnabled + errors + } +} diff --git a/ee/app/graphql/ee/types/project_type.rb b/ee/app/graphql/ee/types/project_type.rb index a8e40694e106c4..634c8de3eb285f 100644 --- a/ee/app/graphql/ee/types/project_type.rb 
+++ b/ee/app/graphql/ee/types/project_type.rb @@ -388,7 +388,7 @@ module ProjectType description: 'Indicates whether Secret Push Protection is on or not for the project.', authorize: :read_secret_push_protection_info - field :secret_push_protection_enabled, GraphQL::Types::Boolean, # duplicating the field for now + field :secret_push_protection_enabled, GraphQL::Types::Boolean, null: true, description: 'Indicates whether Secret Push Protection is on or not for the project.', authorize: :read_secret_push_protection_info -- GitLab From 23ee6f72c1ab7c85b9063a89e0a7b001c81d3a79 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Tue, 21 Jan 2025 23:57:43 -0600 Subject: [PATCH 14/20] Fix undercoverage spec --- .../api/project_security_settings_spec.rb | 23 +++++++++++++++---- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/ee/spec/requests/api/project_security_settings_spec.rb b/ee/spec/requests/api/project_security_settings_spec.rb index ffe83513f17ebb..80ccf1d8f6c384 100644 --- a/ee/spec/requests/api/project_security_settings_spec.rb +++ b/ee/spec/requests/api/project_security_settings_spec.rb 
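Review bot: Dropping `# duplicating the field for now` in the project_type.rb hunk removes the only explanation for two fields that carry the identical description 'Indicates whether Secret Push Protection is on or not for the project.', so the generated schema docs no longer distinguish the current name from its alias. The sibling field's name sits above the hunk, presumably the pre-receive one; whichever is the legacy alias should say so in its description, e.g. `description: 'Deprecated alias of secretPushProtectionEnabled.'`, rather than relying on a code comment that has now been removed.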
@@ -62,12 +62,25 @@ stub_licensed_features(secret_push_protection: true) end - it 'updates project security settings for users with Maintainer role' do - project.add_maintainer(user) - put api(url, user), params: { secret_push_protection_enabled: true } + context 'when the user is a Maintainer' do + before do + project.add_maintainer(user) + end - expect(response).to have_gitlab_http_status(:ok) - expect(json_response['secret_push_protection_enabled']).to be(true) + it 'updates project security settings using the secret_push_protection_enabled param' do + put api(url, user), params: { secret_push_protection_enabled: true } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['secret_push_protection_enabled']).to be(true) + end + + it 'updates project security settings using the pre_receive_secret_detection_enabled param' do + project.add_maintainer(user) + put api(url, user), params: { pre_receive_secret_detection_enabled: true } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['secret_push_protection_enabled']).to be(true) + end end it 'returns 401 Unauthorized for users with Developer role' do -- GitLab From e9df3fdbdd49ebd38032d30689ffd761de8c1506 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Wed, 22 Jan 2025 20:34:29 -0600 Subject: [PATCH 15/20] Move graphql change to next milestone --- .../graphql/set_secret_push_protection.graphql | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 app/assets/javascripts/security_configuration/graphql/set_secret_push_protection.graphql diff --git a/app/assets/javascripts/security_configuration/graphql/set_secret_push_protection.graphql b/app/assets/javascripts/security_configuration/graphql/set_secret_push_protection.graphql deleted file mode 100644 index bae41b9d3ace6d..00000000000000 --- a/app/assets/javascripts/security_configuration/graphql/set_secret_push_protection.graphql +++ /dev/null 
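Review bot: The second example in the project_security_settings_spec.rb hunk repeats `project.add_maintainer(user)` even though the new `before` block in the same context already does it; drop that line. The context also has no example for a request that sends both `secret_push_protection_enabled` and `pre_receive_secret_detection_enabled`, which is exactly where the endpoint's precedence between the two is decided, so an example with the two set to different values would pin that behaviour.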
@@ -1,6 +0,0 @@ -mutation SetSecretPushProtection($input: SetSecretPushProtectionInput!) { - setSecretPushProtection(input: $input) { - secretPushProtectionEnabled - errors - } -} -- GitLab From 7e0dfabd76e72ebaabd74739502e1f91ed2b7062 Mon Sep 17 00:00:00 2001 From: Serena Fang Date: Thu, 23 Jan 2025 17:48:15 -0600 Subject: [PATCH 16/20] Switch feature card to use prsd graphql --- .../secret_push_protection_feature_card.vue | 12 ++++++------ .../secret_push_protection_feature_card_spec.js | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue index d05000cf672994..925e533e992876 100644 --- a/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue +++ b/app/assets/javascripts/security_configuration/components/secret_push_protection_feature_card.vue @@ -9,7 +9,7 @@ import { GlButton, GlTooltipDirective, } from '@gitlab/ui'; -import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_secret_push_protection.graphql'; +import ProjectPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql'; import { __, s__ } from '~/locale'; export default { @@ -99,7 +99,7 @@ export default { async toggleSecretPushProtection(checked) { try { const { data } = await this.$apollo.mutate({ - mutation: ProjectSetSecretPushProtection, + mutation: ProjectPreReceiveSecretDetection, variables: { input: { namespacePath: this.projectFullPath, 
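Review bot: The import in the secret_push_protection_feature_card.vue hunk is named `ProjectPreReceiveSecretDetection`, dropping the `Set` that both the replaced `ProjectSetSecretPushProtection` and the operation name `SetPreReceiveSecretDetection` carry, so the identifier no longer reads as a mutation document. `import ProjectSetPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';` keeps the convention; the `mutation:` reference in the second hunk and the spec import on the next line would follow.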
@@ -108,15 +108,15 @@ export default {
 },
 });
- const { errors, secretPushProtectionEnabled } = data.setSecretPushProtection;
+ const { errors, preReceiveSecretDetectionEnabled } = data.setPreReceiveSecretDetection;
 if (errors.length > 0) {
 this.reportError(errors[0].message);
 }
- if (secretPushProtectionEnabled !== null) {
- this.toggleValue = secretPushProtectionEnabled;
+ if (preReceiveSecretDetectionEnabled !== null) {
+ this.toggleValue = preReceiveSecretDetectionEnabled;
 this.$toast.show(
- secretPushProtectionEnabled
+ preReceiveSecretDetectionEnabled
 ? this.$options.i18n.toastMessageEnabled
 : this.$options.i18n.toastMessageDisabled,
 );
diff --git a/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js
index ce584db7f1b38e..6817307cdf5b14 100644
--- a/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js
+++ b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js
@@ -5,7 +5,7 @@ import Vue from 'vue';
 import { extendedWrapper } from 'helpers/vue_test_utils_helper';
 import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue';
 import createMockApollo from 'helpers/mock_apollo_helper';
-import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_secret_push_protection.graphql';
+import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';
 import waitForPromises from 'helpers/wait_for_promises';
 import { secretPushProtectionMock } from '../mock_data';
-- 
GitLab
From 2d0c5678affa0c8bc2d9c6e7c91806dbe9195848 Mon Sep 17 00:00:00 2001
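Review bot: The new destructuring `const { errors, preReceiveSecretDetectionEnabled } = data.setPreReceiveSecretDetection;` hands `errors` to the unchanged `this.reportError(errors[0].message)`, and if this mutation's `errors` field is the usual GitLab `[String!]!` payload that call reports `undefined` instead of the server's message; `this.reportError(errors[0])` would surface it, but confirm the element type against the mutation document, which is not visible in this hunk. A null `setPreReceiveSecretDetection` payload (for example an unauthorized caller) makes the destructuring throw a `TypeError`, which presumably lands in the `catch` that follows this hunk rather than being handled here; a short comment above the new line, `// null payload (e.g. unauthorized) throws and is handled in catch`, would make that intentional rather than accidental. The enclosing `try` begins in the previous hunk and the method continues past the end of this one.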
From: Serena Fang
Date: Thu, 23 Jan 2025 18:12:06 -0600
Subject: [PATCH 17/20] Update feature card spec
---
 .../secret_push_protection_feature_card_spec.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js
index 6817307cdf5b14..3b0d30cc1aa2bd 100644
--- a/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js
+++ b/spec/frontend/security_configuration/components/secret_push_protection_feature_card_spec.js
@@ -5,7 +5,7 @@ import Vue from 'vue';
 import { extendedWrapper } from 'helpers/vue_test_utils_helper';
 import SecretPushProtectionFeatureCard from '~/security_configuration/components/secret_push_protection_feature_card.vue';
 import createMockApollo from 'helpers/mock_apollo_helper';
-import ProjectSetSecretPushProtection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';
+import ProjectPreReceiveSecretDetection from '~/security_configuration/graphql/set_pre_receive_secret_detection.graphql';
 import waitForPromises from 'helpers/wait_for_promises';
 import { secretPushProtectionMock } from '../mock_data';
@@ -13,8 +13,8 @@ Vue.use(VueApollo);
 const setMockResponse = {
 data: {
- setSecretPushProtection: {
- secretPushProtectionEnabled: true,
+ setPreReceiveSecretDetection: {
+ preReceiveSecretDetectionEnabled: true,
 errors: [],
 },
 },
@@ -38,7 +38,9 @@ describe('SecretPushProtectionFeatureCard component', () => {
 requestHandlers = {
 setMutationHandler: jest.fn().mockResolvedValue(setMockResponse),
 };
- return createMockApollo([[ProjectSetSecretPushProtection, requestHandlers.setMutationHandler]]);
+ return createMockApollo([
+ [ProjectPreReceiveSecretDetection, requestHandlers.setMutationHandler],
+ ]);
 };
 const createComponent = ({ props = {}, provide = {} } = {}) => {
-- 
GitLab
From bb2b248ab4b682c9bef1186977f013e5a108c8d4 Mon Sep 17 00:00:00 2001
From: Serena Fang
Date: Wed, 29 Jan 2025 18:28:48 +0000
Subject: [PATCH 18/20] Remove unnecessary optional param
---
 ee/lib/api/group_security_settings.rb | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/ee/lib/api/group_security_settings.rb b/ee/lib/api/group_security_settings.rb
index 6a5ad05327b953..30ff6974851dc2 100644
--- a/ee/lib/api/group_security_settings.rb
+++ b/ee/lib/api/group_security_settings.rb
@@ -26,11 +26,8 @@ def check_feature_availability
 tags %w[groups]
 end
 params do
- optional :secret_push_protection_enabled, type: Boolean,
- desc: 'Whether to enable the feature secret_push_protection'
- optional :pre_receive_secret_detection_enabled, type: Boolean,
- desc: 'Whether to enable the feature secret_push_protection'
- at_least_one_of :secret_push_protection_enabled, :pre_receive_secret_detection_enabled
+ requires :secret_push_protection_enabled, type: Boolean,
+ desc: 'Whether to enable the feature'
 optional :projects_to_exclude, type: Array[Integer], desc: 'IDs of projects to exclude from the feature'
 end
 put do
-- 
GitLab
From 65b69610d1546ef916064e19950c0a03bab75da0 Mon Sep 17 00:00:00 2001
From: Serena Fang
Date: Fri, 31 Jan 2025 12:36:00 -0600
Subject: [PATCH 19/20] Fix rubocop error
---
 .../controllers/ee/admin/application_settings_controller.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ee/app/controllers/ee/admin/application_settings_controller.rb b/ee/app/controllers/ee/admin/application_settings_controller.rb
index d15296d6c44472..57697f32912809 100644
--- a/ee/app/controllers/ee/admin/application_settings_controller.rb
+++ b/ee/app/controllers/ee/admin/application_settings_controller.rb
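Review bot: Turning `secret_push_protection_enabled` into a `requires` param also removes the `pre_receive_secret_detection_enabled` alias at the group level, so an existing client that still sends the old name now receives a 400 from Grape, while the project-level spec in patch 14 of this series still exercises that alias; if the group alias was only an unreleased transitional shim this is fine, but it deserves a sentence in the commit message or the API docs. The shortened `desc: 'Whether to enable the feature'` no longer says which feature it toggles — `desc: 'Whether to enable secret push protection for the group'` keeps the generated docs useful. The `put do` body lies outside this hunk, so I cannot see how `projects_to_exclude` is consumed; those IDs should be restricted to projects that actually belong to this group before they are persisted, since a caller with rights on one group should not be able to reference projects elsewhere.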
@@ -156,9 +156,7 @@ def visible_application_setting_attributes
 # Remove the inline rubocop disablement of Metrics/PerceivedComplexity when we can move
 # secret_push_protection_available to the simple License feature => attribute name
 # hash above.
- if License.feature_available?(:secret_push_protection)
- attrs << :secret_push_protection_available
- end
+ attrs << :secret_push_protection_available if License.feature_available?(:secret_push_protection)
 if License.feature_available?(:admin_merge_request_approvers_rules)
 attrs += EE::ApplicationSettingsHelper.merge_request_appovers_rules_attributes
-- 
GitLab
From 52c74e8bf6d3f906ace31814a7a2423b47976a00 Mon Sep 17 00:00:00 2001
From: Serena Fang
Date: Fri, 31 Jan 2025 14:23:23 -0600
Subject: [PATCH 20/20] Fix bad rebase
---
 ee/app/policies/ee/group_policy.rb | 4 +-
 ee/app/policies/ee/project_policy.rb | 6 +--
 ee/spec/policies/group_policy_spec.rb | 4 +-
 ee/spec/policies/project_policy_spec.rb | 40 +++++++++----------
 .../admin_security_testing/request_spec.rb | 2 +-
 5 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb
index 112b01dd02e6ca..4c8a77b2815537 100644
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -586,8 +586,8 @@ module GroupPolicy
 enable :read_security_resource
 end
- rule { pre_receive_secret_detection_available & can?(:admin_security_testing) }.policy do
- enable :enable_pre_receive_secret_detection
+ rule { secret_push_protection_available & can?(:admin_security_testing) }.policy do
+ enable :enable_secret_push_protection
 end
 rule { custom_role_enables_admin_group_member }.policy do
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 865fddb3d7af56..7c6221d16340d2 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -477,9 +477,9 @@ module ProjectPolicy
 enable :create_merge_request_from
 end
- rule { pre_receive_secret_detection_available & can?(:admin_security_testing) }.policy do
- enable :read_pre_receive_secret_detection_info
- enable :enable_pre_receive_secret_detection
+ rule { secret_push_protection_available & can?(:admin_security_testing) }.policy do
+ enable :read_secret_push_protection_info
+ enable :enable_secret_push_protection
 enable :read_project_security_exclusions
 end
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb
index 594c97a5735059..03e692f861a8ed 100644
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3960,7 +3960,7 @@ def create_member_role(member, abilities = member_role_abilities)
 let(:member_role_abilities) { { admin_security_testing: true } }
 let(:licensed_features) do
 { security_dashboard: true,
- pre_receive_secret_detection: true,
+ secret_push_protection: true,
 group_level_compliance_dashboard: true }
 end
@@ -3970,7 +3970,7 @@ def create_member_role(member, abilities = member_role_abilities)
 :read_security_configuration,
 :read_group_security_dashboard,
 :read_security_resource,
- :enable_pre_receive_secret_detection
+ :enable_secret_push_protection
 ]
 end
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 5d6008e0fca259..b03db9e6664a36 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -3120,7 +3120,7 @@ def create_member_role(member, abilities = member_role_abilities)
 security_scans_api: true,
 security_on_demand_scans: true,
 coverage_fuzzing: true,
- pre_receive_secret_detection: true,
+ secret_push_protection: true,
 container_scanning_for_registry: true,
 project_level_compliance_dashboard: true }
 end
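Review bot: The rewritten rule references `secret_push_protection_available`, a condition that is not defined anywhere in this hunk; if the condition itself was not renamed in the same rebase fix, DeclarativePolicy will, as far as I recall, raise on an unknown condition the first time the rule is evaluated, so it is worth grepping the policy for the old `pre_receive_secret_detection_available` definition. Any `authorize!` or `can?` call site still using `:enable_pre_receive_secret_detection` or `:read_pre_receive_secret_detection_info` will now evaluate to false because no rule enables those names — fail-closed, but silent — so the old ability names should be grepped outside the policy and spec files touched here as well. Separately, `read_project_security_exclusions` stays gated on the secret-push-protection condition; a one-line comment above it such as `# exclusions only apply when secret push protection is licensed` would explain why an unrelated-looking ability sits in this rule, assuming that is the reason. The same condition and ability rename appears in the group policy hunk earlier in this commit.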
@@ -3133,7 +3133,7 @@ def create_member_role(member, abilities = member_role_abilities)
 :read_on_demand_dast_scan,
 :create_on_demand_dast_scan,
 :edit_on_demand_dast_scan,
- :enable_pre_receive_secret_detection,
+ :enable_secret_push_protection,
 :read_project_security_dashboard,
 :read_project_security_exclusions,
 :read_coverage_fuzzing,
@@ -3146,7 +3146,7 @@ def create_member_role(member, abilities = member_role_abilities)
 :read_merge_request,
 :download_code,
 :read_project_runners,
- :read_pre_receive_secret_detection_info
+ :read_secret_push_protection_info
 ]
 end
@@ -4364,19 +4364,19 @@ def create_member_role(member, abilities = member_role_abilities)
 end
 end
- describe 'enable_pre_receive_secret_detection' do
+ describe 'enable_secret_push_protection' do
 where(:current_user, :licensed, :match_expected_result) do
- ref(:owner) | true | be_allowed(:enable_pre_receive_secret_detection)
- ref(:maintainer) | true | be_allowed(:enable_pre_receive_secret_detection)
- ref(:developer) | true | be_disallowed(:enable_pre_receive_secret_detection)
- ref(:owner) | false | be_disallowed(:enable_pre_receive_secret_detection)
- ref(:maintainer) | false | be_disallowed(:enable_pre_receive_secret_detection)
- ref(:developer) | false | be_disallowed(:enable_pre_receive_secret_detection)
+ ref(:owner) | true | be_allowed(:enable_secret_push_protection)
+ ref(:maintainer) | true | be_allowed(:enable_secret_push_protection)
+ ref(:developer) | true | be_disallowed(:enable_secret_push_protection)
+ ref(:owner) | false | be_disallowed(:enable_secret_push_protection)
+ ref(:maintainer) | false | be_disallowed(:enable_secret_push_protection)
+ ref(:developer) | false | be_disallowed(:enable_secret_push_protection)
 end
 with_them do
 before do
- stub_licensed_features(pre_receive_secret_detection: licensed)
+ stub_licensed_features(secret_push_protection: licensed)
 end
 it { is_expected.to match_expected_result }
@@ -4385,7 +4385,7 @@ def create_member_role(member, abilities = member_role_abilities)
 describe 'when the project does not have the correct license' do
 let(:current_user) { owner }
- it { is_expected.to be_disallowed(:enable_pre_receive_secret_detection) }
+ it { is_expected.to be_disallowed(:enable_secret_push_protection) }
 end
 end
@@ -4470,19 +4470,19 @@ def create_member_role(member, abilities = member_role_abilities)
 end
 end
- describe 'read_pre_receive_secret_detection_info' do
+ describe 'read_secret_push_protection_info' do
 where(:current_user, :match_expected_result) do
- ref(:owner) | be_allowed(:read_pre_receive_secret_detection_info)
- ref(:maintainer) | be_allowed(:read_pre_receive_secret_detection_info)
- ref(:developer) | be_allowed(:read_pre_receive_secret_detection_info)
- ref(:planner) | be_disallowed(:read_pre_receive_secret_detection_info)
- ref(:guest) | be_disallowed(:read_pre_receive_secret_detection_info)
- ref(:non_member) | be_disallowed(:read_pre_receive_secret_detection_info)
+ ref(:owner) | be_allowed(:read_secret_push_protection_info)
+ ref(:maintainer) | be_allowed(:read_secret_push_protection_info)
+ ref(:developer) | be_allowed(:read_secret_push_protection_info)
+ ref(:planner) | be_disallowed(:read_secret_push_protection_info)
+ ref(:guest) | be_disallowed(:read_secret_push_protection_info)
+ ref(:non_member) | be_disallowed(:read_secret_push_protection_info)
 end
 with_them do
 before do
- stub_licensed_features(pre_receive_secret_detection: true)
+ stub_licensed_features(secret_push_protection: true)
 end
 it { is_expected.to match_expected_result }
diff --git a/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb b/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb
index 9172925f6f8e1d..eb3cf68a5768be 100644
--- a/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb
+++ b/ee/spec/requests/custom_roles/admin_security_testing/request_spec.rb
@@ -16,7 +16,7 @@
 security_dashboard: true,
 security_on_demand_scans: true,
 security_scans_api: true,
- pre_receive_secret_detection: true,
+ secret_push_protection: true,
 container_scanning_for_registry: true,
 coverage_fuzzing: true)
 stub_feature_flags(custom_ability_admin_security_testing: true)
-- 
GitLab