Merge branch 'replace_yaml_info_with_persisted_data_backend' into 'master'

Replace YAML approver info with persisted data See merge request gitlab-org/gitlab!90742

Merge branch 'replace_yaml_info_with_persisted_data_backend' into 'master'
84718f12 · Heinrich Lee Yu · 5628a281 · 4ce9d1d7 · 84718f12 · 84718f12
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -16719,8 +16719,10 @@ Represents the scan result policy.
 | ---- | ---- | ----------- |
 | <a id="scanresultpolicydescription"></a>`description` | [`String!`](#string) | Description of the policy. |
 | <a id="scanresultpolicyenabled"></a>`enabled` | [`Boolean!`](#boolean) | Indicates whether this policy is enabled. |
+| <a id="scanresultpolicygroupapprovers"></a>`groupApprovers` | [`[Group!]`](#group) | Approvers of the group type. |
 | <a id="scanresultpolicyname"></a>`name` | [`String!`](#string) | Name of the policy. |
 | <a id="scanresultpolicyupdatedat"></a>`updatedAt` | [`Time!`](#time) | Timestamp of when the policy YAML was last updated. |
+| <a id="scanresultpolicyuserapprovers"></a>`userApprovers` | [`[UserCore!]`](#usercore) | Approvers of the user type. |
 | <a id="scanresultpolicyyaml"></a>`yaml` | [`String!`](#string) | YAML definition of the policy. |
 ### `ScannedResource`
--- a/ee/app/graphql/resolvers/security_orchestration/scan_result_policy_resolver.rb
+++ b/ee/app/graphql/resolvers/security_orchestration/scan_result_policy_resolver.rb
@@ -13,15 +13,26 @@ def resolve(**args)
        authorize!
        policy_configuration.scan_result_policies.map do |policy|
+          approvers = approvers(policy)
          {
            name: policy[:name],
            description: policy[:description],
            enabled: policy[:enabled],
            yaml: YAML.dump(policy.deep_stringify_keys),
-            updated_at: policy_configuration.policy_last_updated_at
+            updated_at: policy_configuration.policy_last_updated_at,
+            user_approvers: approvers[:users],
+            group_approvers: approvers[:groups]
          }
        end
      end
+      private
+      def approvers(policy)
+        Security::SecurityOrchestrationPolicies::FetchPolicyApproversService
+          .new(policy: policy, project: project, current_user: context[:current_user])
+          .execute
+      end
    end
  end
 end
--- a/ee/app/graphql/types/security_orchestration/scan_result_policy_type.rb
+++ b/ee/app/graphql/types/security_orchestration/scan_result_policy_type.rb
@@ -10,6 +10,9 @@ class ScanResultPolicyType < BaseObject
      description 'Represents the scan result policy'
      implements OrchestrationPolicyType
+      field :group_approvers, ['::Types::GroupType'], null: true, description: 'Approvers of the group type.'
+      field :user_approvers, [::Types::UserType], null: true, description: 'Approvers of the user type.'
    end
    # rubocop: enable Graphql/AuthorizeTypes
  end

--- a/ee/spec/graphql/resolvers/security_orchestration/scan_result_policy_resolver_spec.rb
+++ b/ee/spec/graphql/resolvers/security_orchestration/scan_result_policy_resolver_spec.rb
@@ -16,7 +16,9 @@
        description: 'This policy considers only container scanning and critical severities',
        enabled: true,
        yaml: YAML.dump(policy.deep_stringify_keys),
-        updated_at: policy_last_updated_at
+        updated_at: policy_last_updated_at,
+        user_approvers: [],
+        group_approvers: []
      }
    ]
  end

--- a/ee/spec/requests/api/graphql/project/security_orchestration/scan_result_policy_spec.rb
+++ b/ee/spec/requests/api/graphql/project/security_orchestration/scan_result_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'Query.project(fullPath).scanResultPolicies' do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:policy_management_project) { create(:project, :repository) }
+  let_it_be(:user) { policy_management_project.first_owner }
+  let_it_be(:group) { create(:group, :public) }
+  let_it_be(:action) do
+    { type: 'require_approval', approvals_required: 1, user_approvers_ids: [user.id], group_approvers_ids: [group.id] }
+  end
+  let_it_be(:policy) { build(:scan_result_policy, actions: [action]) }
+  let_it_be(:policy_yaml) { build(:orchestration_policy_yaml, scan_result_policy: [policy]) }
+  let_it_be(:policy_configuration) do
+    create(:security_orchestration_policy_configuration,
+      security_policy_management_project: policy_management_project,
+      project: project)
+  end
+  let_it_be(:query) do
+    %(
+      query {
+        project(fullPath: "#{project.full_path}") {
+          scanResultPolicies {
+            nodes{
+              userApprovers{
+                id
+                webUrl
+              }
+              groupApprovers{
+                id
+                webUrl
+              }
+            }
+          }
+        }
+      }
+    )
+  end
+  let_it_be(:expected_data) do
+    [
+      {
+        "userApprovers" => [
+          {
+            "id" => "gid://gitlab/User/#{user.id}",
+            "webUrl" => "http://localhost/#{user.full_path}"
+          }
+        ],
+        "groupApprovers" => [
+          {
+            "id" => "gid://gitlab/Group/#{group.id}",
+            "webUrl" => "http://localhost/groups/#{group.full_path}"
+          }
+        ]
+      }
+    ]
+  end
+  before do
+    stub_licensed_features(security_orchestration_policies: true)
+    project.add_maintainer(user)
+    project.invited_groups = [group]
+    allow_next_instance_of(Repository) do |repository|
+      allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
+    end
+  end
+  subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+  it "returns both user and group approvers" do
+    result = subject.dig('data', 'project', 'scanResultPolicies', 'nodes')
+    expect(result).to eq(expected_data)
+  end
+end