Merge branch '343268-add-mutation-to-unlink-policy-project' into 'master'

Add mutation to unlink policy project

See merge request gitlab-org/gitlab!72831

doc/api/graphql/reference/index.md

@@ -4097,6 +4097,26 @@ Input type: `SecurityPolicyProjectCreateInput`
 | <a id="mutationsecuritypolicyprojectcreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
 | <a id="mutationsecuritypolicyprojectcreateproject"></a>`project` | [`Project`](#project) | Security Policy Project that was created. |
 
+### `Mutation.securityPolicyProjectUnassign`
+
+Unassigns the security policy project for the given project(`project_path`).
+
+Input type: `SecurityPolicyProjectUnassignInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationsecuritypolicyprojectunassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationsecuritypolicyprojectunassignprojectpath"></a>`projectPath` | [`ID!`](#id) | Full path of the project. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationsecuritypolicyprojectunassignclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationsecuritypolicyprojectunassignerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+
 ### `Mutation.terraformStateDelete`
 
 Input type: `TerraformStateDeleteInput`

ee/app/graphql/ee/types/mutation_type.rb

@@ -81,6 +81,7 @@ module MutationType
         mount_mutation ::Mutations::Projects::SetComplianceFramework
         mount_mutation ::Mutations::SecurityPolicy::CommitScanExecutionPolicy
         mount_mutation ::Mutations::SecurityPolicy::AssignSecurityPolicyProject
+        mount_mutation ::Mutations::SecurityPolicy::UnassignSecurityPolicyProject
         mount_mutation ::Mutations::SecurityPolicy::CreateSecurityPolicyProject
         mount_mutation ::Mutations::Security::CiConfiguration::ConfigureDependencyScanning
         mount_mutation ::Mutations::AuditEvents::ExternalAuditEventDestinations::Create

ee/app/graphql/mutations/security_policy/unassign_security_policy_project.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Mutations
+  module SecurityPolicy
+    class UnassignSecurityPolicyProject < BaseMutation
+      include FindsProject
+
+      graphql_name 'SecurityPolicyProjectUnassign'
+
+      description 'Unassigns the security policy project for the given project(`project_path`).'
+
+      authorize :update_security_orchestration_policy_project
+
+      argument :project_path, GraphQL::Types::ID,
+               required: true,
+               description: 'Full path of the project.'
+
+      def resolve(args)
+        project = authorized_find!(args[:project_path])
+
+        result = unassign_project(project)
+        {
+          errors: result.success? ? [] : [result.message]
+        }
+      end
+
+      private
+
+      def unassign_project(project)
+        ::Security::Orchestration::UnassignService
+          .new(project, current_user)
+          .execute
+      end
+    end
+  end
+end

ee/app/services/security/orchestration/unassign_service.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Security
+  module Orchestration
+    class UnassignService < ::BaseService
+      def execute
+        return error(_('Policy project doesn\'t exist')) unless security_orchestration_policy_configuration
+
+        result = security_orchestration_policy_configuration.delete
+        return success if result
+
+        error(project.security_orchestration_policy_configuration.errors.full_messages.to_sentence)
+      end
+
+      private
+
+      delegate :security_orchestration_policy_configuration, to: :project
+
+      def success
+        ServiceResponse.success
+      end
+
+      def error(message)
+        ServiceResponse.error(message: message)
+      end
+    end
+  end
+end

ee/spec/factories/projects.rb

@@ -62,5 +62,9 @@
         project.project_setting.save!
       end
     end
+
+    trait :with_security_orchestration_policy_configuration do
+      association :security_orchestration_policy_configuration, factory: :security_orchestration_policy_configuration
+    end
   end
 end

ee/spec/graphql/mutations/security_policy/unassign_security_policy_project_spec.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Mutations::SecurityPolicy::UnassignSecurityPolicyProject do
+  let(:mutation) { described_class.new(object: nil, context: { current_user: current_user }, field: nil) }
+
+  describe '#resolve' do
+    let_it_be(:owner) { create(:user) }
+    let_it_be(:user) { create(:user) }
+    let_it_be(:project) { create(:project, :with_security_orchestration_policy_configuration, namespace: owner.namespace) }
+    let_it_be(:project_without_policy_project) { create(:project, namespace: owner.namespace) }
+
+    let(:project_full_path) { project.full_path }
+    let(:current_user) { owner }
+
+    subject { mutation.resolve(project_path: project_full_path) }
+
+    context 'when permission is set for user' do
+      before do
+        stub_licensed_features(security_orchestration_policies: true)
+      end
+
+      context 'when user is an owner of the project' do
+        context 'when policy project is assigned to a project' do
+          it 'assigns the security policy project' do
+            result = subject
+
+            expect(result[:errors]).to be_empty
+            expect(project.reload.security_orchestration_policy_configuration).to be_blank
+          end
+        end
+
+        context 'when policy project is not assigned to a project' do
+          let(:project_full_path) { project_without_policy_project.full_path }
+
+          it 'respond with an error' do
+            result = subject
+
+            expect(result[:errors]).to match_array(["Policy project doesn't exist"])
+          end
+        end
+      end
+
+      context 'when user is not an owner' do
+        let(:current_user) { user }
+
+        before do
+          project.add_maintainer(user)
+        end
+
+        it 'raises exception' do
+          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+        end
+      end
+    end
+
+    context 'when feature is not licensed' do
+      before do
+        stub_licensed_features(security_orchestration_policies: false)
+      end
+
+      it 'raises exception' do
+        expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+  end
+end

ee/spec/services/security/orchestration/unassign_service_spec.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::Orchestration::UnassignService do
+  let_it_be(:project, reload: true) { create(:project, :with_security_orchestration_policy_configuration) }
+  let_it_be(:project_without_policy_project, reload: true) { create(:project) }
+
+  let(:service) { described_class.new(project, nil) }
+
+  describe '#execute' do
+    subject(:result) { service.execute }
+
+    context 'when policy project is assigned to a project' do
+      let(:service) { described_class.new(project, nil) }
+
+      it 'unassigns policy project from the project', :aggregate_failures do
+        expect(result).to be_success
+        expect(project.security_orchestration_policy_configuration).to be_destroyed
+      end
+    end
+
+    context 'when policy project is not assigned to a project' do
+      let(:service) { described_class.new(project_without_policy_project, nil) }
+
+      it 'respond with an error', :aggregate_failures do
+        expect(result).not_to be_success
+        expect(result.message).to eq("Policy project doesn't exist")
+      end
+    end
+  end
+end