Add custom role spec for `Mutation.vulnerabilityCreate`

43c39fa4 · mo khan · Bogdan Denkovych · 6deec947 · 43c39fa4 · 43c39fa4
--- a/ee/spec/factories/member_roles.rb
+++ b/ee/spec/factories/member_roles.rb
@@ -10,7 +10,6 @@
    trait(:guest) { base_access_level { Gitlab::Access::GUEST } }

    trait :admin_vulnerability do
-      guest
      admin_vulnerability { true }
      read_vulnerability { true }
    end

--- a/ee/spec/requests/api/graphql/mutations/vulnerabilities/confirm_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/vulnerabilities/confirm_spec.rb
@@ -27,7 +27,7 @@
    end

    context "with `admin_vulnerability` enabled" do
-      let(:role) { create(:member_role, :admin_vulnerability, namespace: project.group) }
+      let(:role) { create(:member_role, :guest, :admin_vulnerability, namespace: project.group) }

      it "returns a successful response" do
        post_graphql_mutation(mutation, current_user: current_user)

--- a/ee/spec/requests/api/graphql/mutations/vulnerabilities/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/vulnerabilities/create_spec.rb
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe "Mutation.vulnerabilityCreate", feature_category: :vulnerability_management do
+  include GraphqlHelpers
+
+  subject(:mutation) { graphql_mutation(:vulnerability_create, arguments) }
+
+  let_it_be(:current_user) { create(:user) }
+  let_it_be(:project) { create(:project, :in_group) }
+  let(:arguments) do
+    {
+      project: project.to_global_id,
+      name: "Test vulnerability",
+      description: "Test vulnerability created via GraphQL",
+      scanner: {
+        id: "my-custom-scanner",
+        name: "My Custom Scanner",
+        url: "https://superscanner.com",
+        vendor: { name: "Custom Scanner Vendor" },
+        version: "21.37.00"
+      },
+      identifiers: [{
+        name: "Test identifier",
+        url: "https://vulnerabilities.com/test"
+      }],
+      state: "DETECTED",
+      severity: "UNKNOWN",
+      confidence: "UNKNOWN",
+      solution: "rm -rf --no-preserve-root /",
+      message: "You can't fix this"
+    }
+  end
+
+  let(:mutation_response) { graphql_mutation_response(:vulnerability_create) }
+
+  context "with a Maintainer role" do
+    let(:at) { Time.new(2020, 6, 21, 14, 22, 20) }
+
+    before_all do
+      project.add_maintainer(current_user)
+    end
+
+    before do
+      stub_licensed_features(security_dashboard: true)
+    end
+
+    it "returns a successful response" do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(response).to have_gitlab_http_status(:success)
+      expect(mutation_response["vulnerability"]).to be_present
+      expect(mutation_response["vulnerability"]["state"]).to eq("DETECTED")
+      expect(mutation_response["vulnerability"]["description"]).to eq(arguments[:description])
+      expect(mutation_response["vulnerability"]["solution"]).to eq(arguments[:solution])
+      expect(mutation_response["errors"]).to be_empty
+    end
+
+    context "when confirming a vulnerability" do
+      let(:arguments) { super().merge(state: "CONFIRMED", confirmed_at: at) }
+
+      it "returns a successful response" do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(response).to have_gitlab_http_status(:success)
+        expect(mutation_response["vulnerability"]).to be_present
+        expect(mutation_response["vulnerability"]["state"]).to eq("CONFIRMED")
+        expect(mutation_response["vulnerability"]["confirmedAt"]).to eq(at.utc.iso8601)
+        expect(mutation_response.dig("vulnerability", "confirmedBy", "id")).to eq(current_user.to_global_id.to_s)
+        expect(mutation_response["errors"]).to be_empty
+      end
+    end
+
+    context "when resolving a vulnerability" do
+      let(:arguments) { super().merge(state: "RESOLVED", resolved_at: at) }
+
+      it "returns a successful response" do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(response).to have_gitlab_http_status(:success)
+        expect(mutation_response["vulnerability"]).to be_present
+        expect(mutation_response["vulnerability"]["state"]).to eq("RESOLVED")
+        expect(mutation_response["vulnerability"]["resolvedAt"]).to eq(at.utc.iso8601)
+        expect(mutation_response.dig("vulnerability", "resolvedBy", "id")).to eq(current_user.to_global_id.to_s)
+        expect(mutation_response["errors"]).to be_empty
+      end
+    end
+
+    context "when dismissing a vulnerability" do
+      let(:arguments) { super().merge(state: "DISMISSED", dismissed_at: at) }
+
+      it "returns a successful response" do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(response).to have_gitlab_http_status(:success)
+        expect(mutation_response["vulnerability"]).to be_present
+        expect(mutation_response["vulnerability"]["state"]).to eq("DISMISSED")
+        expect(mutation_response["vulnerability"]["dismissedAt"]).to eq(at.utc.iso8601)
+        expect(mutation_response.dig("vulnerability", "dismissedBy", "id")).to eq(current_user.to_global_id.to_s)
+        expect(mutation_response["errors"]).to be_empty
+      end
+    end
+  end
+
+  context "with an unauthorized role" do
+    before_all do
+      project.add_guest(current_user)
+    end
+
+    before do
+      stub_licensed_features(security_dashboard: true)
+    end
+
+    it "returns an empty response" do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(response).to have_gitlab_http_status(:success)
+      expect(mutation_response).to be_blank
+    end
+
+    it "does not create a new vulnerability" do
+      expect do
+        post_graphql_mutation(mutation, current_user: current_user)
+      end.not_to change { Vulnerability.count }
+    end
+  end
+
+  context "with a custom role" do
+    let!(:membership) { create(:project_member, :guest, user: current_user, source: project, member_role: role) }
+
+    before do
+      stub_licensed_features(security_dashboard: true, custom_roles: true)
+    end
+
+    context "with `admin_vulnerability` enabled" do
+      let(:role) { create(:member_role, :guest, :admin_vulnerability, namespace: project.group) }
+
+      it "returns a successful response" do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(response).to have_gitlab_http_status(:success)
+        expect(mutation_response["vulnerability"]).to be_present
+        expect(mutation_response["errors"]).to be_empty
+      end
+    end
+
+    context "with `admin_vulnerability` disabled" do
+      let(:role) { create(:member_role, :guest, namespace: project.group) }
+
+      it "returns an empty response" do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(response).to have_gitlab_http_status(:success)
+        expect(mutation_response).to be_nil
+      end
+    end
+  end
+end
--- a/ee/spec/requests/api/graphql/mutations/vulnerabilities/resolve_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/vulnerabilities/resolve_spec.rb
@@ -26,7 +26,7 @@
    end

    context "with `admin_vulnerability` enabled" do
-      let(:role) { create(:member_role, :admin_vulnerability, namespace: project.group) }
+      let(:role) { create(:member_role, :guest, :admin_vulnerability, namespace: project.group) }

      it "returns a successful response" do
        post_graphql_mutation(mutation, current_user: current_user)

--- a/ee/spec/requests/custom_roles/admin_vulnerability/request_spec.rb
+++ b/ee/spec/requests/custom_roles/admin_vulnerability/request_spec.rb
@@ -5,25 +5,18 @@
 RSpec.describe 'User with admin_vulnerability custom role', feature_category: :system_access do
  let_it_be(:user) { create(:user) }
  let_it_be(:project) { create(:project, :repository, :in_group) }
-  let_it_be(:vulnerability) { create(:vulnerability, :with_finding, project: project) }
+  let_it_be(:role) { create(:member_role, :guest, :admin_vulnerability, namespace: project.group) }
+  let_it_be(:membership) { create(:group_member, :guest, user: user, source: project.group, member_role: role) }

  before do
    stub_licensed_features(custom_roles: true, security_dashboard: true)
-
-    group_member = create(:group_member, :guest, user: user, source: project.group)
-    create(
-      :member_role,
-      :guest,
-      admin_vulnerability: true,
-      read_code: false,
-      read_vulnerability: true,
-      members: [group_member],
-      namespace: project.group
-    )
-    sign_in(user)
  end

  describe Projects::Security::VulnerabilitiesController do
+    before do
+      sign_in(user)
+    end
+
    describe "#new" do
      it 'user has access via a custom role' do
        get new_project_security_vulnerability_path(project)
@@ -35,4 +28,37 @@
      end
    end
  end
+
+  describe Mutations::Vulnerabilities::Create do
+    include GraphqlHelpers
+
+    it "has access via a custom role" do
+      post_graphql_mutation(graphql_mutation(:vulnerability_create, {
+        project: project.to_global_id,
+        name: "example",
+        description: "example",
+        scanner: {
+          id: "my-custom-scanner",
+          name: "example",
+          url: "https://example.org",
+          vendor: { name: "example" },
+          version: "1.0.0"
+        },
+        identifiers: [{
+          name: "example",
+          url: "https://example.org/example"
+        }],
+        state: "DETECTED",
+        severity: "UNKNOWN",
+        confidence: "UNKNOWN",
+        solution: "curl -s 'https://unpkg.com/emoji.json@13.1.0/emoji.json' | jq -r '.[] | .char'",
+        message: "example"
+      }), current_user: user)
+
+      expect(response).to have_gitlab_http_status(:success)
+      mutation_response = graphql_mutation_response(:vulnerability_create)
+      expect(mutation_response["vulnerability"]).to be_present
+      expect(mutation_response["errors"]).to be_empty
+    end
+  end
 end
--- a/spec/support/helpers/graphql_helpers.rb
+++ b/spec/support/helpers/graphql_helpers.rb
@@ -2,6 +2,7 @@

 module GraphqlHelpers
  def self.included(base)
+    base.include(::ApiHelpers)
    base.include(::Gitlab::Graphql::Laziness)
  end