Diffstat (limited to 'spec/graphql/types/project_type_spec.rb')
-rw-r--r--spec/graphql/types/project_type_spec.rb172
1 files changed, 170 insertions, 2 deletions
diff --git a/spec/graphql/types/project_type_spec.rb b/spec/graphql/types/project_type_spec.rb
index 9d0d7a3918a..9579ef8b99b 100644
--- a/spec/graphql/types/project_type_spec.rb
+++ b/spec/graphql/types/project_type_spec.rb
@@ -31,12 +31,171 @@ RSpec.describe GitlabSchema.types['Project'] do
container_expiration_policy service_desk_enabled service_desk_address
issue_status_counts terraform_states alert_management_integrations
container_repositories container_repositories_count
- pipeline_analytics squash_read_only
+ pipeline_analytics squash_read_only sast_ci_configuration
]
expect(described_class).to include_graphql_fields(*expected_fields)
end
+ describe 'sast_ci_configuration' do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:user) { create(:user) }
+
+ before do
+ stub_licensed_features(security_dashboard: true)
+ project.add_developer(user)
+ allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content)
+ end
+
+ include_context 'read ci configuration for sast enabled project'
+
+ let(:query) do
+ %(
+ query {
+ project(fullPath: "#{project.full_path}") {
+ sastCiConfiguration {
+ global {
+ nodes {
+ type
+ options {
+ nodes {
+ label
+ value
+ }
+ }
+ field
+ label
+ defaultValue
+ value
+ size
+ }
+ }
+ pipeline {
+ nodes {
+ type
+ options {
+ nodes {
+ label
+ value
+ }
+ }
+ field
+ label
+ defaultValue
+ value
+ size
+ }
+ }
+ analyzers {
+ nodes {
+ name
+ label
+ enabled
+ }
+ }
+ }
+ }
+ }
+ )
+ end
+
+ subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+
+ it "returns the project's sast configuration for global variables" do
+ secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+ expect(secure_analyzers_prefix['type']).to eq('string')
+ expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
+ expect(secure_analyzers_prefix['label']).to eq('Image prefix')
+ expect(secure_analyzers_prefix['defaultValue']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
+ expect(secure_analyzers_prefix['value']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
+ expect(secure_analyzers_prefix['size']).to eq('LARGE')
+ expect(secure_analyzers_prefix['options']).to be_nil
+ end
+
+ it "returns the project's sast configuration for pipeline variables" do
+ pipeline_stage = subject.dig('data', 'project', 'sastCiConfiguration', 'pipeline', 'nodes').first
+ expect(pipeline_stage['type']).to eq('string')
+ expect(pipeline_stage['field']).to eq('stage')
+ expect(pipeline_stage['label']).to eq('Stage')
+ expect(pipeline_stage['defaultValue']).to eq('test')
+ expect(pipeline_stage['value']).to eq('test')
+ expect(pipeline_stage['size']).to eq('MEDIUM')
+ end
+
+ it "returns the project's sast configuration for analyzer variables" do
+ analyzer = subject.dig('data', 'project', 'sastCiConfiguration', 'analyzers', 'nodes').first
+ expect(analyzer['name']).to eq('brakeman')
+ expect(analyzer['label']).to eq('Brakeman')
+ expect(analyzer['enabled']).to eq(true)
+ end
+
+ context "with guest user" do
+ before do
+ project.add_guest(user)
+ end
+
+ context 'when project is private' do
+ let(:project) { create(:project, :private, :repository) }
+
+ it "returns no configuration" do
+ secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
+ expect(secure_analyzers_prefix).to be_nil
+ end
+ end
+
+ context 'when project is public' do
+ let(:project) { create(:project, :public, :repository) }
+
+ context 'when repository is accessible by everyone' do
+ it "returns the project's sast configuration for global variables" do
+ secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+
+ expect(secure_analyzers_prefix['type']).to eq('string')
+ expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
+ end
+ end
+ end
+ end
+
+ context "with non-member user" do
+ before do
+ project.team.truncate
+ end
+
+ context 'when project is private' do
+ let(:project) { create(:project, :private, :repository) }
+
+ it "returns no configuration" do
+ secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
+ expect(secure_analyzers_prefix).to be_nil
+ end
+ end
+
+ context 'when project is public' do
+ let(:project) { create(:project, :public, :repository) }
+
+ context 'when repository is accessible by everyone' do
+ it "returns the project's sast configuration for global variables" do
+ secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+ expect(secure_analyzers_prefix['type']).to eq('string')
+ expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
+ end
+ end
+
+ context 'when repository is accessible only by team members' do
+ it "returns no configuration" do
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED,
+ builds_access_level: ProjectFeature::DISABLED,
+ repository_access_level: ProjectFeature::PRIVATE)
+
+ secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
+ expect(secure_analyzers_prefix).to be_nil
+ end
+ end
+ end
+ end
+ end
+
describe 'issue field' do
subject { described_class.fields['issue'] }
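Review bot: The "returns no configuration" examples assert only that `subject.dig('data', 'project', 'sastCiConfiguration')` is nil, which also holds when `project` itself resolves to nil or when the whole query fails, so they do not show that the field's own authorization withheld the data. In the non-member, private-project context the project is presumably hidden altogether, so that example likely never reaches the field-level check. Consider pinning the intermediate state, for example `expect(subject.dig('data', 'project')).not_to be_nil` in the guest and restricted-repository cases, and `expect(subject['errors']).to be_nil` wherever a successful query is expected. The outer `before` also calls `project.add_developer(user)` on the same project, so the guest contexts depend on `project.add_guest(user)` downgrading an existing membership; creating the guest membership on a user who was never a developer would make the role under test unambiguous.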
@@ -159,6 +318,13 @@ RSpec.describe GitlabSchema.types['Project'] do
it { is_expected.to have_graphql_type(Types::ContainerExpirationPolicyType) }
end
+ describe 'terraform state field' do
+ subject { described_class.fields['terraformState'] }
+
+ it { is_expected.to have_graphql_type(Types::Terraform::StateType) }
+ it { is_expected.to have_graphql_resolver(Resolvers::Terraform::StatesResolver.single) }
+ end
+
describe 'terraform states field' do
subject { described_class.fields['terraformStates'] }
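Review bot: The new `terraform state field` examples pin only the field's type and resolver, so nothing in this spec shows who is allowed to read a single state. Terraform state often carries secrets. If access control is not already covered in the resolver or state-type specs (not visible here), an example that runs the query as a non-member and expects a nil result would be worth adding beside these two.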
@@ -166,7 +332,9 @@ RSpec.describe GitlabSchema.types['Project'] do
it { is_expected.to have_graphql_resolver(Resolvers::Terraform::StatesResolver) }
end
- it_behaves_like 'a GraphQL type with labels'
+ it_behaves_like 'a GraphQL type with labels' do
+ let(:labels_resolver_arguments) { [:search_term, :includeAncestorGroups] }
+ end
describe 'jira_imports' do
subject { resolve_field(:jira_imports, project) }
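Review bot: `labels_resolver_arguments` mixes naming conventions, with `:search_term` in snake_case and `:includeAncestorGroups` in camelCase. The shared example that consumes this list is outside the hunk, so the mix may mirror how the arguments are declared. If the comparison is on Ruby-side names, `[:search_term, :include_ancestor_groups]` would be consistent; otherwise a one-line comment such as `# names as declared on the labels field` would stop the next reader from "fixing" it.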