Add Duo permission ability to vulnerability report

Add permission ability for the Group and Security Control (Instance).
This check will allow the frontend to display the VR filter only for
allowed groups and instance level.

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/496332

Changelog: added
EE: true

ee/app/controllers/groups/security/vulnerabilities_controller.rb

@@ -14,6 +14,8 @@ class VulnerabilitiesController < Groups::ApplicationController
       before_action do
         push_frontend_feature_flag(:vulnerability_report_owasp_2021, @group)
         push_frontend_feature_flag(:owasp_top_10_null_filtering, @group)
+
+        push_frontend_ability(ability: :resolve_vulnerability_with_ai, resource: @group, user: current_user)
       end
 
       def index

ee/app/policies/ee/group_policy.rb

@@ -535,6 +535,14 @@ module GroupPolicy
         enable :admin_vulnerability
       end
 
+      condition(:resolve_vulnerability_authorized) do
+        ::Gitlab::Llm::Utils::UserAuthorizer.new(@user, subject, :resolve_vulnerability).allowed?
+      end
+
+      rule { can?(:read_security_resource) & resolve_vulnerability_authorized }.policy do
+        enable :resolve_vulnerability_with_ai
+      end
+
       rule { custom_role_enables_admin_group_member }.policy do
         enable :admin_group_member
         enable :update_group_member

ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb

@@ -11,7 +11,7 @@
   end
 
   describe 'GET index' do
-    subject { get :index, params: { group_id: group.to_param } }
+    subject(:show_security_dashboard) { get :index, params: { group_id: group.to_param } }
 
     context 'when security dashboard feature is enabled' do
       before do
@@ -26,7 +26,7 @@
         it { is_expected.to have_gitlab_http_status(:ok) }
 
         it_behaves_like 'tracks govern usage event', 'users_visiting_security_vulnerabilities' do
-          let(:request) { subject }
+          let(:request) { show_security_dashboard }
         end
       end
 
@@ -35,7 +35,7 @@
         it { is_expected.to render_template(:unavailable) }
 
         it_behaves_like "doesn't track govern usage event", 'users_visiting_security_vulnerabilities' do
-          let(:request) { subject }
+          let(:request) { show_security_dashboard }
         end
       end
     end
@@ -45,7 +45,37 @@
       it { is_expected.to render_template(:unavailable) }
 
       it_behaves_like "doesn't track govern usage event", 'users_visiting_security_vulnerabilities' do
-        let(:request) { subject }
+        let(:request) { show_security_dashboard }
+      end
+    end
+
+    context "when resolveVulnerabilityWithAi ability is allowed" do
+      before do
+        allow(Ability).to receive(:allowed?).and_call_original
+        allow(Ability).to receive(:allowed?).with(user, :resolve_vulnerability_with_ai, group).and_return(true)
+
+        show_security_dashboard
+      end
+
+      render_views
+
+      it 'sets the frontend ability to true when allowed' do
+        expect(response.body).to have_pushed_frontend_ability(resolveVulnerabilityWithAi: true)
+      end
+    end
+
+    context "when resolveVulnerabilityWithAi ability is not allowed" do
+      before do
+        allow(Ability).to receive(:allowed?).and_call_original
+        allow(Ability).to receive(:allowed?).with(user, :resolve_vulnerability_with_ai, group).and_return(false)
+
+        show_security_dashboard
+      end
+
+      render_views
+
+      it 'sets the frontend ability to false not allowed' do
+        expect(response.body).to have_pushed_frontend_ability(resolveVulnerabilityWithAi: false)
       end
     end
   end