Merge branch '432513-policies-existing-policy-scope-yaml' into 'master'

Add new query and extend validation for security polices See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144685 Merged-by: Artur Fedorov <afedorov@gitlab.com> Approved-by: Olena Horal-Koretska <ohoralkoretska@gitlab.com> Approved-by: Ross Byrne <robyrne@gitlab.com>

Merge branch '432513-policies-existing-policy-scope-yaml' into 'master'
1542c786 · Artur Fedorov · GitLab · b5e06e36 · 938271e9 · 1542c786
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_execution/lib/from_yaml.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_execution/lib/from_yaml.js
@@ -77,13 +77,14 @@ export const fromYaml = ({ manifest, validateRuleMode = false }) => {
        actionsKeys.push('ci_configuration');
      }
+      const hasPolicyScope =
+        gon?.features?.securityPoliciesPolicyScope ||
+        gon?.features?.securityPoliciesPolicyScopeProject;
      /**
       * Can be removed after ff is enabled
       */
-      const primaryKeys = PRIMARY_POLICY_KEYS;
+      const primaryKeys = [...PRIMARY_POLICY_KEYS, ...(hasPolicyScope ? ['policy_scope'] : [])];
-      if (gon?.features?.securityPoliciesPolicyScope) {
-        primaryKeys.push('policy_scope');
-      }
      return isValidPolicy({ policy, primaryKeys, rulesKeys, actionsKeys }) &&
        !hasInvalidCron(policy) &&

--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/from_yaml.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result/lib/from_yaml.js
@@ -24,10 +24,11 @@ export const fromYaml = ({ manifest, validateRuleMode = false }) => {
       * the UI for new attributes may not be available.
       */
-      const primaryKeys = [
+      const hasPolicyScope =
-        ...PRIMARY_POLICY_KEYS,
+        gon?.features?.securityPoliciesPolicyScope ||
-        ...(gon?.features?.securityPoliciesPolicyScope ? ['policy_scope'] : []),
+        gon?.features?.securityPoliciesPolicyScopeProject;
-      ];
+      const primaryKeys = [...PRIMARY_POLICY_KEYS, ...(hasPolicyScope ? ['policy_scope'] : [])];
      const rulesKeys = [
        'type',
        'branches',

--- a/ee/app/assets/javascripts/security_orchestration/graphql/queries/get_spp_linked_projects_namespaces.graphql
+++ b/ee/app/assets/javascripts/security_orchestration/graphql/queries/get_spp_linked_projects_namespaces.graphql
+query getSppLinkedProjectsNamespaces($fullPath: ID!) {
+  project(fullPath: $fullPath) {
+    id
+    securityPolicyProjectLinkedProjects {
+      nodes {
+        id
+        name
+      }
+    }
+    securityPolicyProjectLinkedNamespaces {
+      nodes {
+        id
+        name
+      }
+    }
+  }
+}
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_execution/lib/from_yaml_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_execution/lib/from_yaml_spec.js
@@ -34,6 +34,8 @@ describe('fromYaml', () => {
    ${'returns the policy object for branch exceptions'}                                                 | ${{ manifest: mockBranchExceptionsExecutionManifest, validateRuleMode: true }}      | ${mockBranchExceptionsScanExecutionObject}  | ${{}}
    ${'returns the policy object for project scope with disabled ff'}                                    | ${{ manifest: mockPolicyScopeExecutionManifest, validateRuleMode: true }}           | ${{ error: true }}                          | ${{ securityPoliciesPolicyScope: false }}
    ${'returns the policy object for project scope with enabled ff'}                                     | ${{ manifest: mockPolicyScopeExecutionManifest, validateRuleMode: true }}           | ${mockPolicyScopeScanExecutionObject}       | ${{ securityPoliciesPolicyScope: true }}
+    ${'returns the policy object for project scope with disabled ff for project'}                        | ${{ manifest: mockPolicyScopeExecutionManifest, validateRuleMode: true }}           | ${{ error: true }}                          | ${{ securityPoliciesPolicyScopeProject: false }}
+    ${'returns the policy object for project scope with enabled ff for project'}                         | ${{ manifest: mockPolicyScopeExecutionManifest, validateRuleMode: true }}           | ${mockPolicyScopeScanExecutionObject}       | ${{ securityPoliciesPolicyScopeProject: true }}
    ${'returns the policy object for custom code block with file path with enabled ff'}                  | ${{ manifest: mockCodeBlockFilePathScanExecutionManifest, validateRuleMode: true }} | ${mockCodeBlockFilePathScanExecutionObject} | ${{ compliancePipelineInPolicies: true }}
    ${'returns the policy object for custom code block with file path with disabled ff'}                 | ${{ manifest: mockCodeBlockFilePathScanExecutionManifest, validateRuleMode: true }} | ${{ error: true }}                          | ${{ compliancePipelineInPolicies: false }}
  `('$title', ({ input, output, features }) => {

--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/from_yaml_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result/lib/from_yaml_spec.js
@@ -89,6 +89,7 @@ describe('createPolicyObject', () => {
      ${'returns the policy object for a manifest with `approval_settings` with the `scanResultPoliciesBlockUnprotectingBranches` feature flag on'}                                      | ${{ scanResultPoliciesBlockUnprotectingBranches: true }} | ${mockApprovalSettingsScanResultManifest}                 | ${{ policy: mockApprovalSettingsScanResultObject, hasParsingError: false }}
      ${'returns the policy object for a manifest with `approval_settings` containing permitted invalid settings and the `scanResultPoliciesBlockUnprotectingBranches` feature flag on'} | ${{ scanResultPoliciesBlockUnprotectingBranches: true }} | ${mockApprovalSettingsPermittedInvalidScanResultManifest} | ${{ policy: mockApprovalSettingsPermittedInvalidScanResultObject, hasParsingError: false }}
      ${'returns the policy object for a manifest with `policy_scope` feature flag on'}                                                                                                  | ${{ securityPoliciesPolicyScope: true }}                 | ${mockPolicyScopeScanResultManifest}                      | ${{ policy: mockPolicyScopeScanResultObject, hasParsingError: false }}
+      ${'returns the policy object for a manifest with `policy_scope` feature flag on for project'}                                                                                      | ${{ securityPoliciesPolicyScopeProject: true }}          | ${mockPolicyScopeScanResultManifest}                      | ${{ policy: mockPolicyScopeScanResultObject, hasParsingError: false }}
      ${'returns the error object for a manifest with `approval_settings` containing permitted invalid settings and the `scanResultPoliciesBlockUnprotectingBranches` feature flag off'} | ${{}}                                                    | ${mockApprovalSettingsPermittedInvalidScanResultManifest} | ${{ policy: mockApprovalSettingsPermittedInvalidScanResultObject, hasParsingError: false }}
      ${'returns the policy object for a manifest with `approval_settings` with all feature flags off'}                                                                                  | ${{}}                                                    | ${mockApprovalSettingsScanResultManifest}                 | ${{ policy: mockApprovalSettingsScanResultObject, hasParsingError: false }}
      ${'returns the error object for a manifest with `policy_scope` feature flag off'}                                                                                                  | ${{}}                                                    | ${mockPolicyScopeScanResultManifest}                      | ${{ policy: { error: true }, hasParsingError: true }}