Merge branch 'andysoiron/move-security-policy-bot-policies-to-ee' into 'master'

Move security policy bot policies to EE

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134740



Merged-by: Kerri Miller <kerrizor@kerrizor.com>
Approved-by: Marcos Rocha <mrocha@gitlab.com>
Approved-by: Kerri Miller <kerrizor@kerrizor.com>
Co-authored-by: Andy Soiron <asoiron@gitlab.com>

app/policies/base_policy.rb

@@ -37,7 +37,7 @@ class BasePolicy < DeclarativePolicy::Base
 
   desc "User is security policy bot"
   with_options scope: :user, score: 0
-  condition(:security_policy_bot) { @user&.security_policy_bot? }
+  condition(:security_policy_bot) { false }
 
   desc "User is automation bot"
   with_options scope: :user, score: 0

app/policies/concerns/policy_actor.rb

@@ -53,10 +53,6 @@ def security_bot?
     false
   end
 
-  def security_policy_bot?
-    false
-  end
-
   def automation_bot?
     false
   end

app/policies/global_policy.rb

@@ -63,10 +63,6 @@ class GlobalPolicy < BasePolicy
     prevent :access_git
   end
 
-  rule { security_policy_bot }.policy do
-    enable :access_git
-  end
-
   rule { project_bot | service_account }.policy do
     prevent :log_in
     prevent :receive_notifications

app/policies/project_policy.rb

@@ -38,9 +38,6 @@ class ProjectPolicy < BasePolicy
   desc "User is a project bot"
   condition(:project_bot) { user.project_bot? && team_member? }
 
-  desc "User is a security policy bot on the project"
-  condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }
-
   desc "Project is public"
   condition(:public_project, scope: :subject, score: 0) { project.public? }
 

ee/app/policies/ee/base_policy.rb

@@ -18,6 +18,10 @@ module BasePolicy
       with_scope :global
       condition(:license_block) { License.block_changes? }
 
+      desc "User is security policy bot"
+      with_options scope: :user, score: 0
+      condition(:security_policy_bot) { @user&.security_policy_bot? }
+
       rule { auditor }.enable :read_all_resources
 
       with_scope :global

ee/app/policies/ee/global_policy.rb

@@ -132,6 +132,10 @@ module GlobalPolicy
       rule { code_suggestions_disabled_by_group }.prevent :access_code_suggestions
 
       rule { runner_upgrade_management_available | user_belongs_to_paid_namespace }.enable :read_runner_upgrade_status
+
+      rule { security_policy_bot }.policy do
+        enable :access_git
+      end
     end
   end
 end

ee/app/policies/ee/policy_actor.rb

@@ -17,5 +17,9 @@ def suggested_reviewers_bot?
     def group_sso?(_)
       false
     end
+
+    def security_policy_bot?
+      false
+    end
   end
 end

ee/app/policies/ee/project_policy.rb

@@ -8,6 +8,9 @@ module ProjectPolicy
     prepended do
       include ReadonlyAbilities
 
+      desc "User is a security policy bot on the project"
+      condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }
+
       with_scope :subject
       condition(:auto_fix_enabled) { @subject.security_setting&.auto_fix_enabled? }
 

ee/spec/policies/ee/policy_actor_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PolicyActor, feature_category: :shared do
+  let(:policy_actor_test_class) do
+    Class.new do
+      include PolicyActor
+    end
+  end
+
+  before do
+    stub_const('PolicyActorTestClass', policy_actor_test_class)
+  end
+
+  describe '#security_policy_bot?' do
+    subject { PolicyActorTestClass.new.security_policy_bot? }
+
+    it { is_expected.to eq(false) }
+  end
+end

ee/spec/policies/global_policy_spec.rb

@@ -9,6 +9,7 @@
   let_it_be(:admin) { create(:admin) }
   let_it_be(:current_user) { create(:user) }
   let_it_be(:user) { create(:user) }
+  let_it_be(:security_policy_bot) { create(:user, :security_policy_bot) }
 
   subject { described_class.new(current_user, [user]) }
 
@@ -546,4 +547,12 @@
       end
     end
   end
+
+  describe 'git access' do
+    context 'security policy bot' do
+      let(:current_user) { security_policy_bot }
+
+      it { is_expected.to be_allowed(:access_git) }
+    end
+  end
 end

spec/policies/concerns/policy_actor_spec.rb

@@ -20,10 +20,4 @@
     # initialized. So here we just use an instance
     expect(build(:user).methods).to include(*methods)
   end
-
-  describe '#security_policy_bot?' do
-    subject { PolicyActorTestClass.new.security_policy_bot? }
-
-    it { is_expected.to eq(false) }
-  end
 end

spec/policies/global_policy_spec.rb

@@ -10,7 +10,6 @@
   let_it_be(:service_account) { create(:user, :service_account) }
   let_it_be(:migration_bot) { create(:user, :migration_bot) }
   let_it_be(:security_bot) { create(:user, :security_bot) }
-  let_it_be(:security_policy_bot) { create(:user, :security_policy_bot) }
   let_it_be(:llm_bot) { create(:user, :llm_bot) }
   let_it_be_with_reload(:current_user) { create(:user) }
   let_it_be(:user) { create(:user) }
@@ -411,12 +410,6 @@
       it { is_expected.to be_allowed(:access_git) }
     end
 
-    context 'security policy bot' do
-      let(:current_user) { security_policy_bot }
-
-      it { is_expected.to be_allowed(:access_git) }
-    end
-
     describe 'deactivated user' do
       before do
         current_user.deactivate