pull

Author: Itay Paz

internal/commands/project.go

@@ -60,7 +60,8 @@ var (
 )
 
 func NewProjectCommand(applicationsWrapper wrappers.ApplicationsWrapper, projectsWrapper wrappers.ProjectsWrapper, groupsWrapper wrappers.GroupsWrapper,
-	accessManagementWrapper wrappers.AccessManagementWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) *cobra.Command {
+	accessManagementWrapper wrappers.AccessManagementWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper,
+) *cobra.Command {
 	projCmd := &cobra.Command{
 		Use:   "project",
 		Short: "Manage projects",
@@ -249,17 +250,11 @@ func runCreateProjectCommand(
 		if err != nil {
 			return err
 		}
+
 		groups, err := updateGroupValues(&input, cmd, groupsWrapper)
 		if err != nil {
 			return err
 		}
-		// Validate groups access before creating the project.
-		// This validation will only be performed if the ACCESS_MANAGEMENT_PHASE2 flag is ON.
-		err = services.ValidateGroupsAccessPhase2(groups, accessManagementWrapper, featureFlagsWrapper)
-		if err != nil {
-			return err
-		}
-
 		setupScanTags(&input, cmd)
 		err = validateConfiguration(cmd)
 		if err != nil {
@@ -291,7 +286,9 @@ func runCreateProjectCommand(
 				return errors.Wrapf(err, "%s", services.FailedCreatingProj)
 			}
 		}
+
 		err = services.AssignGroupsToProjectNewAccessManagement(projResponseModel.ID, projResponseModel.Name, groups, accessManagementWrapper, featureFlagsWrapper)
+
 		if err != nil {
 			return err
 		}

internal/commands/result.go

@@ -2704,6 +2704,8 @@ func parseSarifResultsSscs(result *wrappers.ScanResult, scanResults []wrappers.S
 	var properties wrappers.SarifResultProperties
 	properties.Severity = result.Severity
 	properties.Validity = result.ScanResultData.Validity
+	properties.IsInSource = result.ScanResultData.IsInSource
+	properties.CommitURL = result.ScanResultData.CommitURL
 	scanResult.Properties = &properties
 
 	scanResults = append(scanResults, scanResult)

internal/commands/util/import_test.go

@@ -16,7 +16,7 @@ func TestImport_ImportSarifFileWithCorrectFlags_CreateImportSuccessfully(t *test
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -32,7 +32,7 @@ func TestImport_ImportSarifFileProjectDoesntExist_CreateImportWithProvidedNewNam
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -48,7 +48,7 @@ func TestImport_ImportSarifFileMissingImportFilePath_CreateImportReturnsErrorWit
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -63,7 +63,7 @@ func TestImport_ImportSarifFileEmptyImportFilePathValue_CreateImportReturnsError
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -78,7 +78,7 @@ func TestImport_ImportSarifFileMissingImportProjectName_CreateImportReturnsError
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -93,7 +93,7 @@ func TestImport_ImportSarifFileProjectNameNotProvided_CreateImportWithProvidedNe
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -108,7 +108,7 @@ func TestImport_ImportSarifFileUnacceptedFileExtension_CreateImportReturnsErrorW
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},
@@ -123,7 +123,7 @@ func TestImport_ImportSarifFileMissingExtension_CreateImportReturnsErrorWithCorr
 		&mock.ProjectsMockWrapper{},
 		&mock.UploadsMockWrapper{},
 		&mock.GroupsMockWrapper{},
-		mock.AccessManagementMockWrapper{},
+		&mock.AccessManagementMockWrapper{},
 		&mock.ByorMockWrapper{},
 		mock.ApplicationsMockWrapper{},
 		&mock.FeatureFlagsMockWrapper{},

internal/constants/feature-flags/feature-flags.go

@@ -2,5 +2,5 @@ package featureflags
 
 const (
 	AccessManagementEnabled = "ACCESS_MANAGEMENT_ENABLED"
-	AccessManagementPhase2  = "ACCESS_MANAGEMENT_PHASE_2"
+	GroupValidationEnabled  = "GROUPS_VALIDATION_ENABLED"
 )

internal/services/groups.go

@@ -47,18 +47,34 @@ func CreateGroupsMap(groupsStr string, groupsWrapper wrappers.GroupsWrapper) ([]
 	}
 	return groupsMap, nil
 }
+func getGroupsToAssign(receivedGroups, existingGroups []*wrappers.Group) []*wrappers.Group {
+	var groupsToAssign []*wrappers.Group
+	var groupsMap = make(map[string]bool)
+	for _, existingGroup := range existingGroups {
+		groupsMap[existingGroup.ID] = true
+	}
+	for _, receivedGroup := range receivedGroups {
+		find := groupsMap[receivedGroup.ID]
+		if !find {
+			groupsToAssign = append(groupsToAssign, receivedGroup)
+		}
+	}
+	return groupsToAssign
+}
 
 func AssignGroupsToProjectNewAccessManagement(projectID string, projectName string, groups []*wrappers.Group,
 	accessManagement wrappers.AccessManagementWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) error {
 
 	amEnabledFlag, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, featureFlagsConstants.AccessManagementEnabled)
-	amPhase2Flag, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, featureFlagsConstants.AccessManagementPhase2)
+	groupValidationEnabledFlag, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, featureFlagsConstants.GroupValidationEnabled)
 
-	// If ACCESS_MANAGEMENT_PHASE2 flag is ON and if the ACCESS_MANAGEMENT_ENABLED flag is OFF
+	// If  ACCESS_MANAGEMENT_ENABLED flag is OFF or (GROUP_VALIDATION_ENABLED is on and ACCESS_MANAGEMENT_ENABLED is also on )
 	// In both cases, we do not need to assign groups through the CreateGroupsAssignment call.
-	if !amEnabledFlag.Status || amPhase2Flag.Status {
+
+	if !amEnabledFlag.Status || (amEnabledFlag.Status && groupValidationEnabledFlag.Status) {
 		return nil
 	}
+
 	groupsAssignedToTheProject, err := accessManagement.GetGroups(projectID)
 	if err != nil {
 		return err
@@ -75,21 +91,6 @@ func AssignGroupsToProjectNewAccessManagement(projectID string, projectName stri
 	return nil
 }
 
-func getGroupsToAssign(receivedGroups, existingGroups []*wrappers.Group) []*wrappers.Group {
-	var groupsToAssign []*wrappers.Group
-	var groupsMap = make(map[string]bool)
-	for _, existingGroup := range existingGroups {
-		groupsMap[existingGroup.ID] = true
-	}
-	for _, receivedGroup := range receivedGroups {
-		find := groupsMap[receivedGroup.ID]
-		if !find {
-			groupsToAssign = append(groupsToAssign, receivedGroup)
-		}
-	}
-	return groupsToAssign
-}
-
 func GetGroupIds(groups []*wrappers.Group) []string {
 	var groupIds []string
 	for _, group := range groups {

internal/services/groups_test.go

@@ -1,17 +1,22 @@
 package services
 
 import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
 	"reflect"
+	"strings"
 	"testing"
 
 	featureFlagsConstants "github.com/checkmarx/ast-cli/internal/constants/feature-flags"
-
 	"github.com/checkmarx/ast-cli/internal/wrappers"
 	"github.com/checkmarx/ast-cli/internal/wrappers/mock"
 )
 
 func setup() {
 	wrappers.ClearCache()
+
 }
 
 func TestAssignGroupsToProject(t *testing.T) {
@@ -29,7 +34,7 @@ func TestAssignGroupsToProject(t *testing.T) {
 		wantErr bool
 	}{
 		{
-			name: "When assigning group to project, no error should be returned",
+			name: "When assigning group to project, no error should be returned when AM1 is ON",
 			args: args{
 				projectID:   "project-id",
 				projectName: "project-name",
@@ -45,12 +50,74 @@ func TestAssignGroupsToProject(t *testing.T) {
 	}
 	for _, tt := range tests {
 		ttt := tt
-		mock.Flag = wrappers.FeatureFlagResponseModel{Name: featureFlagsConstants.AccessManagementEnabled, Status: true}
 		t.Run(tt.name, func(t *testing.T) {
-			if err := AssignGroupsToProjectNewAccessManagement(ttt.args.projectID, ttt.args.projectName, ttt.args.groups,
-				ttt.args.accessManagement, ttt.args.featureFlagsWrapper); (err != nil) != ttt.wantErr {
-				t.Errorf("AssignGroupsToProjectNewAccessManagement() error = %v, wantErr %v", err, ttt.wantErr)
-			}
+			mock.Flag = wrappers.FeatureFlagResponseModel{Name: featureFlagsConstants.AccessManagementEnabled, Status: true}
+			mock.Flag = wrappers.FeatureFlagResponseModel{Name: featureFlagsConstants.GroupValidationEnabled, Status: false}
+			var output string
+			output, _ = captureStdout(func() {
+				if err := AssignGroupsToProjectNewAccessManagement(ttt.args.projectID, ttt.args.projectName, ttt.args.groups,
+					ttt.args.accessManagement, ttt.args.featureFlagsWrapper); (err != nil) != ttt.wantErr {
+					t.Errorf("AssignGroupsToProjectNewAccessManagement() error = %v, wantErr %v", err, ttt.wantErr)
+					if err != nil {
+						t.Errorf("failed to close file")
+					}
+
+					if output != "" && !strings.Contains(output, "Called CreateGroupsAssignment in AccessManagementMockWrapper") {
+						t.Errorf("Create GroupAssignment should not get called when GroupValidation Flag is ON")
+					}
+				}
+			})
+		})
+	}
+}
+
+func TestAssignGroupsToProjectWithGroupValidationFlag(t *testing.T) {
+	setup() // Clear the map before starting this test
+	type args struct {
+		projectID           string
+		projectName         string
+		groups              []*wrappers.Group
+		accessManagement    wrappers.AccessManagementWrapper
+		featureFlagsWrapper wrappers.FeatureFlagsWrapper
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "When assigning group to project,error should be returned when Access_management_enabled is ON and GroupValidationFlag is also On",
+			args: args{
+				projectID:   "project-id",
+				projectName: "project-name",
+				groups: []*wrappers.Group{{
+					ID:   "group-id-to-assign",
+					Name: "group-name-to-assign",
+				}},
+				accessManagement:    &mock.AccessManagementMockWrapper{},
+				featureFlagsWrapper: &mock.FeatureFlagsMockWrapper{},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		ttt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			mock.Flag = wrappers.FeatureFlagResponseModel{Name: featureFlagsConstants.AccessManagementEnabled, Status: true}
+			mock.Flag = wrappers.FeatureFlagResponseModel{Name: featureFlagsConstants.GroupValidationEnabled, Status: true}
+			var output string
+			output, _ = captureStdout(func() {
+				if err := AssignGroupsToProjectNewAccessManagement(ttt.args.projectID, ttt.args.projectName, ttt.args.groups,
+					ttt.args.accessManagement, ttt.args.featureFlagsWrapper); (err != nil) != ttt.wantErr {
+					t.Errorf("AssignGroupsToProjectNewAccessManagement() error = %v, wantErr %v", err, ttt.wantErr)
+					if err != nil {
+						t.Errorf("failed to close file")
+					}
+					if output != "" && strings.Contains(output, "Called CreateGroupsAssignment in AccessManagementMockWrapper") {
+						t.Errorf("Create GroupAssignment should not get called when GroupValidation Flag is ON")
+					}
+				}
+			})
 		})
 	}
 }
@@ -201,3 +268,19 @@ func Test_getGroupsToAssign(t *testing.T) {
 		})
 	}
 }
+
+func captureStdout(fn func()) (string, error) {
+	originalStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+	fn()
+	w.Close()
+	os.Stdout = originalStdout
+	var buf bytes.Buffer
+	_, err := io.Copy(&buf, r)
+	if err != nil {
+		return "", fmt.Errorf("Cannot copy the pipe ouput into buffer: %v", err)
+	}
+
+	return buf.String(), nil
+}

internal/services/projects.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 	"time"
 
-	featureFlagsConstants "github.com/checkmarx/ast-cli/internal/constants/feature-flags"
 	"github.com/checkmarx/ast-cli/internal/logger"
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
@@ -110,6 +109,7 @@ func createProject(
 	var projModel = wrappers.Project{}
 	projModel.Name = projectName
 	projModel.ApplicationIds = applicationID
+
 	if isBranchPrimary {
 		logger.PrintIfVerbose(fmt.Sprintf("Setting the branch in project : %s", branchName))
 		projModel.MainBranch = branchName
@@ -122,12 +122,6 @@ func createProject(
 		if groupErr != nil {
 			return "", groupErr
 		}
-		// Validate groups access before assigning them to the project.
-		// This validation will only be performed if the ACCESS_MANAGEMENT_PHASE2 flag is ON.
-		err := ValidateGroupsAccessPhase2(groupsMap, accessManagementWrapper, featureFlagsWrapper)
-		if err != nil {
-			return "", err
-		}
 		projModel.Groups = groups
 	}
 
@@ -234,7 +228,6 @@ func updateProject(project *wrappers.ProjectResponseModel,
 
 	return projectID, nil
 }
-
 func UpsertProjectGroups(projModel *wrappers.Project, projectsWrapper wrappers.ProjectsWrapper,
 	accessManagementWrapper wrappers.AccessManagementWrapper, projectID string, projectName string,
 	featureFlagsWrapper wrappers.FeatureFlagsWrapper, groupsMap []*wrappers.Group) error {
@@ -250,33 +243,3 @@ func UpsertProjectGroups(projModel *wrappers.Project, projectsWrapper wrappers.P
 	}
 	return nil
 }
-
-func ValidateGroupsAccessPhase2(groups []*wrappers.Group, accessManagementWrapper wrappers.AccessManagementWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) error {
-	// If no groups to validate, return
-	if len(groups) == 0 {
-		return nil
-	}
-
-	amPhase2Flag, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, featureFlagsConstants.AccessManagementPhase2)
-	if !amPhase2Flag.Status {
-		return nil
-	}
-
-	// Extract group IDs
-	var groupIDs []string
-	for _, group := range groups {
-		groupIDs = append(groupIDs, group.ID)
-	}
-
-	// Validate groups access
-	hasAccess, err := accessManagementWrapper.HasEntityAccessToGroups(groupIDs)
-	if err != nil {
-		return errors.Wrap(err, "Failed to validate groups access")
-	}
-
-	if !hasAccess {
-		return errors.New("One or more groups are not authorized for assignment")
-	}
-
-	return nil
-}