diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 1a4d182c3d1ebf4e1dfe7e02c2e419a92e31fda7..e4fa6713a900159dfc55ad64a9238c9e78d2810a 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -116,8 +116,6 @@ Dangerfile @gl-quality/eng-prod
 /ee/spec/services/network_policies/** @gitlab-org/protect/container-security-backend
 /app/models/clusters/applications/cilium.rb @gitlab-org/protect/container-security-backend
 /spec/models/clusters/applications/cilium_spec.rb @gitlab-org/protect/container-security-backend
-/ee/app/controllers/projects/security/network_policies_controller.rb @gitlab-org/protect/container-security-backend
-/ee/spec/controllers/projects/security/network_policies_controller_spec.rb @gitlab-org/protect/container-security-backend
 /ee/app/services/network_policies/** @gitlab-org/protect/container-security-backend
 /ee/spec/services/network_policies/** @gitlab-org/protect/container-security-backend
 /ee/app/services/security/orchestration/** @gitlab-org/protect/container-security-backend
diff --git a/.rubocop_todo/layout/hash_alignment.yml b/.rubocop_todo/layout/hash_alignment.yml
index b13a561958e977e03b62c51bdf66ee882f60f6d2..137f6cb7a05925715b66a59c2fd53e9c0f505b9d 100644
--- a/.rubocop_todo/layout/hash_alignment.yml
+++ b/.rubocop_todo/layout/hash_alignment.yml
@@ -386,7 +386,6 @@ Layout/HashAlignment:
 - 'ee/spec/controllers/ee/projects/variables_controller_spec.rb'
 - 'ee/spec/controllers/groups/epic_boards_controller_spec.rb'
 - 'ee/spec/controllers/groups/issues_controller_spec.rb'
- - 'ee/spec/controllers/projects/security/network_policies_controller_spec.rb'
 - 'ee/spec/controllers/projects/settings/operations_controller_spec.rb'
 - 'ee/spec/controllers/trials_controller_spec.rb'
 - 'ee/spec/factories/dependencies.rb'
diff --git a/.rubocop_todo/layout/line_length.yml b/.rubocop_todo/layout/line_length.yml
index d46c7a6da62582c25ed9fa491540b3b8b1f9924d..8124b129c2575e18aa50db6fc67858777e48a393 100644
--- a/.rubocop_todo/layout/line_length.yml
+++ b/.rubocop_todo/layout/line_length.yml
@@ -1179,7 +1179,6 @@ Layout/LineLength:
 - 'ee/app/controllers/projects/licenses_controller.rb'
 - 'ee/app/controllers/projects/protected_environments_controller.rb'
 - 'ee/app/controllers/projects/requirements_management/requirements_controller.rb'
- - 'ee/app/controllers/projects/security/network_policies_controller.rb'
 - 'ee/app/controllers/projects/security/policies_controller.rb'
 - 'ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb'
 - 'ee/app/controllers/projects/threat_monitoring_controller.rb'
@@ -1904,7 +1903,6 @@ Layout/LineLength:
 - 'ee/spec/controllers/projects/push_rules_controller_spec.rb'
 - 'ee/spec/controllers/projects/runners_controller_spec.rb'
 - 'ee/spec/controllers/projects/security/configuration_controller_spec.rb'
- - 'ee/spec/controllers/projects/security/network_policies_controller_spec.rb'
 - 'ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb'
 - 'ee/spec/controllers/projects/subscriptions_controller_spec.rb'
 - 'ee/spec/controllers/projects/threat_monitoring_controller_spec.rb'
diff --git a/.rubocop_todo/rspec/verified_doubles.yml b/.rubocop_todo/rspec/verified_doubles.yml
index 70fb8414f5573fb4cb8e719f8cc0425664ad5363..a2cca0b5b29bdf76142737fc204aa65ecc81d381 100644
--- a/.rubocop_todo/rspec/verified_doubles.yml
+++ b/.rubocop_todo/rspec/verified_doubles.yml
@@ -7,7 +7,6 @@ RSpec/VerifiedDoubles:
 - ee/spec/controllers/groups/sso_controller_spec.rb
 - ee/spec/controllers/oauth/geo_auth_controller_spec.rb
 - ee/spec/controllers/projects/clusters_controller_spec.rb
- - ee/spec/controllers/projects/security/network_policies_controller_spec.rb
 - ee/spec/db/production/license_spec.rb
 - ee/spec/elastic/migrate/20210510113500_delete_merge_requests_from_original_index_spec.rb
 - ee/spec/elastic/migrate/20210510143200_delete_notes_from_original_index_spec.rb
diff --git a/ee/app/controllers/projects/security/network_policies_controller.rb b/ee/app/controllers/projects/security/network_policies_controller.rb
deleted file mode 100644
index 0915bb969ce6939dddf895a241b870f89fb6b9f7..0000000000000000000000000000000000000000
--- a/ee/app/controllers/projects/security/network_policies_controller.rb
+++ /dev/null
@@ -1,106 +0,0 @@
-# frozen_string_literal: true
-
-module Projects
- module Security
- class NetworkPoliciesController < Projects::ApplicationController
- include SecurityAndCompliancePermissions
-
- POLLING_INTERVAL = 5_000
-
- before_action :authorize_read_threat_monitoring!
- before_action :set_polling_interval, only: [:summary]
-
- # This controller is being removed in https://gitlab.com/gitlab-org/gitlab/-/issues/352285
- feature_category :not_owned # rubocop:todo Gitlab/AvoidFeatureCategoryNotOwned
-
- def summary
- return not_found unless environment.has_metrics?
-
- adapter = environment.prometheus_adapter
- return not_found unless adapter.can_query?
-
- result = adapter.query(
- :packet_flow, environment.deployment_namespace,
- params[:interval] || "minute",
- parse_time(params[:from], 1.hour.ago).to_s,
- parse_time(params[:to], Time.current).to_s
- )
-
- respond_to do |format|
- format.json do
- if result
- status = result[:success] ? :ok : :bad_request
- render status: status, json: result[:data]
- else
- render status: :accepted, json: {}
- end
- end
- end
- end
-
- def index
- response = NetworkPolicies::ResourcesService.new(project: project, environment_id: params[:environment_id]).execute
- respond_with_service_response(response)
- end
-
- def create
- response = NetworkPolicies::DeployResourceService.new(
- manifest: params[:manifest],
- environment: environment
- ).execute
-
- respond_with_service_response(response)
- end
-
- def update
- response = NetworkPolicies::DeployResourceService.new(
- resource_name: params[:id],
- manifest: params[:manifest],
- environment: environment,
- enabled: params[:enabled]
- ).execute
-
- respond_with_service_response(response)
- end
-
- def destroy
- response = NetworkPolicies::DeleteResourceService.new(
- resource_name: params[:id],
- manifest: params[:manifest],
- environment: environment
- ).execute
-
- respond_with_service_response(response)
- end
-
- private
-
- def parse_time(params, fallback)
- Time.zone.parse(params) || fallback
- rescue StandardError
- fallback
- end
-
- def environment
- @environment ||= project.environments.find(params[:environment_id])
- end
-
- def set_polling_interval
- Gitlab::PollingInterval.set_header(response, interval: POLLING_INTERVAL)
- end
-
- def authorize_read_threat_monitoring!
- render_403 unless can?(current_user, :read_threat_monitoring, project)
- end
-
- def respond_with_service_response(response)
- payload = response.success? ? response.payload : { payload: response.payload, error: response.message }
- respond_to do |format|
- format.json do
- render status: response.http_status, json: payload
- end
- end
- end
- end
- end
-end
diff --git a/ee/app/helpers/ee/security_orchestration_helper.rb b/ee/app/helpers/ee/security_orchestration_helper.rb
index 4e31f48b7d9250e64c53992b9795790c2dca33f7..530dfa201c7da74c79a9e28cb2fe7b4603eb1fb3 100644
--- a/ee/app/helpers/ee/security_orchestration_helper.rb
+++ b/ee/app/helpers/ee/security_orchestration_helper.rb
@@ -39,7 +39,6 @@ def orchestration_policy_data(container, policy_type = nil, policy = nil, enviro
 project_path: container.full_path,
 project_id: container.id,
 default_environment_id: container.default_environment&.id || -1,
- network_policies_endpoint: project_security_network_policies_path(container),
 create_agent_help_path: help_page_url('user/clusters/agent/install/index'),
 network_documentation_path: help_page_path('user/application_security/policies/index'),
 environments_endpoint: project_environments_path(container),
diff --git a/ee/app/views/projects/threat_monitoring/show.html.haml b/ee/app/views/projects/threat_monitoring/show.html.haml
index a0d580fdc2320309e1d875573310a3994fea2292..6cd192d947068d60d2f7fb37a03fbdaf307f4675 100644
--- a/ee/app/views/projects/threat_monitoring/show.html.haml
+++ b/ee/app/views/projects/threat_monitoring/show.html.haml
@@ -9,7 +9,6 @@
 #js-threat-monitoring-app{ data: { documentation_path: 'https://docs.gitlab.com/ee/user/application_security/threat_monitoring/',
 empty_state_svg_path: image_path('illustrations/monitoring/unable_to_connect.svg'),
 network_policy_no_data_svg_path: image_path('illustrations/network-policies-not-detected-sm.svg'),
- network_policy_statistics_endpoint: summary_project_security_network_policies_path(@project, format: :json),
 environments_endpoint: project_environments_path(@project),
 new_policy_path: new_project_threat_monitoring_policy_path(@project),
 default_environment_id: default_environment_id,
diff --git a/ee/config/routes/project.rb b/ee/config/routes/project.rb
index 334c2e44275d47026693405e9f866f8c17ccd3db..efba032ae2bfe23ad91e28a2f6fd3e178809be72 100644
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -48,10 +48,6 @@
 resources :audit_events, only: [:index]

 namespace :security do
- resources :network_policies, only: [:index, :create, :update, :destroy], constraints: { id: %r{[^/]+} } do
- get :summary, on: :collection
- end
-
 resources :dashboard, only: [:index], controller: :dashboard
 resources :vulnerability_report, only: [:index], controller: :vulnerability_report
 resources :policies, only: [:index, :new, :edit], constraints: { id: %r{[^/]+} }
diff --git a/ee/spec/controllers/projects/security/network_policies_controller_spec.rb b/ee/spec/controllers/projects/security/network_policies_controller_spec.rb
deleted file mode 100644
index 6b22bd83795ffb9a54f5f0975f41fef71c1dd678..0000000000000000000000000000000000000000
--- a/ee/spec/controllers/projects/security/network_policies_controller_spec.rb
+++ /dev/null
@@ -1,357 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Projects::Security::NetworkPoliciesController do
- let_it_be(:group) { create(:group) }
- let_it_be(:user) { create(:user) }
-
- let_it_be(:project) { create(:project, :public, :repository, group: group) }
- let_it_be(:environment) { create(:environment, :with_review_app, project: project) }
-
- let_it_be(:action_params) { { project_id: project, namespace_id: project.namespace, environment_id: environment.id } }
-
- let_it_be(:manifest) do
- <<~POLICY
- apiVersion: networking.k8s.io/v1
- kind: NetworkPolicy
- metadata:
- name: example-name
- namespace: example-namespace
- spec:
- podSelector:
- matchLabels:
- role: db
- policyTypes:
- - Ingress
- ingress:
- - from:
- - namespaceSelector:
- matchLabels:
- project: myproject
- POLICY
- end
-
- shared_examples 'CRUD service errors' do
- context 'with an error service response' do
- before do
- allow(service).to receive(:execute) { ServiceResponse.error(http_status: :bad_request, message: 'error') }
- end
-
- it 'responds with bad_request' do
- subject
-
- expect(response).to have_gitlab_http_status(:bad_request)
- expect(response.body).to eq('{"payload":{},"error":"error"}')
- end
- end
- end
-
- before do
- stub_licensed_features(threat_monitoring: true)
-
- sign_in(user)
- end
-
- describe 'GET #summary' do
- subject(:request) { get :summary, params: action_params, format: :json }
-
- let_it_be(:kubernetes_namespace) { environment.deployment_namespace }
-
- include_context '"Security & Compliance" permissions' do
- let(:valid_request) { request }
-
- before_request do
- group.add_developer(user)
- end
- end
-
- context 'with authorized user' do
- before do
- group.add_developer(user)
- end
-
- context 'with prometheus configured' do
- let(:adapter) { double("configured?" => true, "can_query?" => true) }
-
- before do
- allow_next_instance_of(Gitlab::Prometheus::Adapter) do |instance|
- allow(instance).to receive(:prometheus_adapter) { adapter }
- end
- end
-
- it 'returns network policies summary' do
- freeze_time do
- expect(adapter).to(
- receive(:query)
- .with(:packet_flow, kubernetes_namespace, "minute", 1.hour.ago.to_s, Time.current.to_s)
- .and_return({ success: true, data: { ops_rate: [[Time.zone.at(0).to_i, 10]], ops_total: 10 } })
- )
- subject
- end
-
- expect(response).to have_gitlab_http_status(:ok)
- expect(json_response['ops_total']).to equal(10)
- expect(json_response['ops_rate']).to eq([[0, 10]])
- end
-
- context 'with additional parameters' do
- let(:action_params) do
- {
- project_id: project, namespace_id: project.namespace, environment_id: environment,
- interval: "day", from: Time.zone.at(0), to: Time.zone.at(100)
- }
- end
-
- it 'queries with requested arguments' do
- expect(adapter).to(
- receive(:query)
- .with(:packet_flow, kubernetes_namespace, "day", Time.zone.at(0).to_s, Time.zone.at(100).to_s)
- .and_return({ success: true, data: {} })
- )
- subject
- end
- end
-
- context 'with invalid Time range' do
- let(:action_params) do
- {
- project_id: project, namespace_id: project.namespace, environment_id: environment,
- from: "not a time", to: "not a time"
- }
- end
-
- it 'queries with default arguments' do
- freeze_time do
- expect(adapter).to(
- receive(:query)
- .with(:packet_flow, kubernetes_namespace, "minute", 1.hour.ago.to_s, Time.current.to_s)
- .and_return({ success: true, data: {} })
- )
- subject
- end
- end
- end
-
- context 'with nil results' do
- it 'responds with accepted' do
- allow(adapter).to receive(:query).and_return(nil)
- subject
-
- expect(response).to have_gitlab_http_status(:accepted)
- end
- end
- end
-
- context 'without prometheus configured' do
- it 'returns not found' do
- subject
-
- expect(response).to have_gitlab_http_status(:not_found)
- end
- end
-
- it 'sets a polling interval header' do
- subject
-
- expect(response.headers['Poll-Interval']).to eq('5000')
- end
- end
-
- context 'with unauthorized user' do
- it 'returns unauthorized' do
- subject
-
- expect(response).to have_gitlab_http_status(:forbidden)
- end
- end
- end
-
- describe 'GET #index' do
- subject(:request) { get :index, params: action_params, format: :json }
-
- include_context '"Security & Compliance" permissions' do
- let(:valid_request) { request }
-
- before_request do
- group.add_developer(user)
- end
- end
-
- context 'with authorized user' do
- let(:service) { instance_double('NetworkPolicies::ResourcesService', execute: ServiceResponse.success(payload: [policy])) }
- let(:policy) do
- Gitlab::Kubernetes::NetworkPolicy.new(
- name: 'policy',
- namespace: 'another',
- selector: { matchLabels: { role: 'db' } },
- ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
- )
- end
-
- before do
- group.add_developer(user)
- allow(NetworkPolicies::ResourcesService).to receive(:new).with(environment_id: environment.id.to_s, project: project) { service }
- end
-
- it 'responds with policies' do
- subject
-
- expect(response).to have_gitlab_http_status(:success)
- expect(response.body).to eq([policy].to_json)
- end
-
- include_examples 'CRUD service errors'
- end
-
- context 'with unauthorized user' do
- it 'returns unauthorized' do
- subject
-
- expect(response).to have_gitlab_http_status(:forbidden)
- end
- end
- end
-
- describe 'POST #create' do
- subject(:request) { post :create, params: action_params.merge(manifest: manifest), format: :json }
-
- let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
- let(:policy) do
- Gitlab::Kubernetes::NetworkPolicy.new(
- name: 'policy',
- namespace: 'another',
- selector: { matchLabels: { role: 'db' } },
- ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
- )
- end
-
- include_context '"Security & Compliance" permissions' do
- let(:valid_request) { request }
-
- before_request do
- group.add_developer(user)
- end
- end
-
- context 'with authorized user' do
- before do
- group.add_developer(user)
- allow(NetworkPolicies::DeployResourceService).to(
- receive(:new)
- .with(manifest: manifest, environment: environment)
- .and_return(service)
- )
- end
-
- it 'responds with success' do
- subject
-
- expect(response).to have_gitlab_http_status(:success)
- expect(response.body).to eq(policy.to_json)
- end
-
- include_examples 'CRUD service errors'
- end
-
- context 'with unauthorized user' do
- it 'returns unauthorized' do
- subject
-
- expect(response).to have_gitlab_http_status(:forbidden)
- end
- end
- end
-
- describe 'PUT #update' do
- subject(:request) { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }
-
- let(:enabled) { nil }
- let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
- let(:policy) do
- Gitlab::Kubernetes::NetworkPolicy.new(
- name: 'policy',
- namespace: 'another',
- selector: { matchLabels: { role: 'db' } },
- ingress: [{ from: [{ namespaceSelector: { matchLabels: { project: 'myproject' } } }] }]
- )
- end
-
- include_context '"Security & Compliance" permissions' do
- let(:valid_request) { request }
-
- before_request do
- group.add_developer(user)
- end
- end
-
- context 'with authorized user' do
- before do
- group.add_developer(user)
- allow(NetworkPolicies::DeployResourceService).to(
- receive(:new)
- .with(manifest: manifest, environment: environment, enabled: enabled, resource_name: 'example-policy')
- .and_return(service)
- )
- end
-
- it 'responds with success' do
- subject
-
- expect(response).to have_gitlab_http_status(:success)
- expect(response.body).to eq(policy.to_json)
- end
-
- include_examples 'CRUD service errors'
- end
-
- context 'with unauthorized user' do
- it 'returns unauthorized' do
- subject
-
- expect(response).to have_gitlab_http_status(:forbidden)
- end
- end
- end
-
- describe 'DELETE #destroy' do
- subject(:request) { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }
-
- let(:service) { instance_double('NetworkPolicies::DeleteResourceService', execute: ServiceResponse.success) }
-
- include_context '"Security & Compliance" permissions' do
- let(:valid_request) { request }
-
- before_request do
- group.add_developer(user)
- end
- end
-
- context 'with authorized user' do
- before do
- group.add_developer(user)
- allow(NetworkPolicies::DeleteResourceService).to(
- receive(:new)
- .with(environment: environment, manifest: manifest, resource_name: 'example-policy')
- .and_return(service)
- )
- end
-
- it 'responds with success' do
- subject
-
- expect(response).to have_gitlab_http_status(:success)
- end
-
- include_examples 'CRUD service errors'
- end
-
- context 'with unauthorized user' do
- it 'returns unauthorized' do
- subject
-
- expect(response).to have_gitlab_http_status(:forbidden)
- end
- end
- end
-end
diff --git a/ee/spec/helpers/ee/security_orchestration_helper_spec.rb b/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
index 9360bb0a004d83843a3ff29030ecd3db7d857ada..9490cc6b8bad3a7cfbaea4906e4de7ef8827fbe6 100644
--- a/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
+++ b/ee/spec/helpers/ee/security_orchestration_helper_spec.rb
@@ -97,7 +97,6 @@
 assigned_policy_project: nil.to_json,
 default_environment_id: -1,
 disable_scan_policy_update: 'false',
- network_policies_endpoint: kind_of(String),
 create_agent_help_path: kind_of(String),
 environments_endpoint: kind_of(String),
 network_documentation_path: kind_of(String),
diff --git a/ee/spec/routing/project_routing_spec.rb b/ee/spec/routing/project_routing_spec.rb
index ed8ec6a27948c7104876fe9c85b54d375b920346..ae47aed8cc76541d2f8382aad2699d116ed32195 100644
--- a/ee/spec/routing/project_routing_spec.rb
+++ b/ee/spec/routing/project_routing_spec.rb
@@ -84,16 +84,4 @@
 end
 end
 end
-
- describe Projects::Security::NetworkPoliciesController, 'routing' do
- where(:id) do
- %w[test.1.2 test-policy test:policy]
- end
-
- with_them do
- it "to #update" do
- expect(put("/gitlab/gitlabhq/-/security/network_policies/#{id}")).to route_to('projects/security/network_policies#update', namespace_id: 'gitlab', project_id: 'gitlabhq', id: id)
- end
- end
- end
 end