Commit 07826546 authored by Sashi Kumar Kumaresan's avatar Sashi Kumar Kumaresan Committed by Andy Soiron

Move security policy yaml in specs to factory

This commit moves the hardcoded policy yaml content
in specs into a new factory.

This commit is a follow-up from
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69108.
parent 1e0dcf3a
......@@ -10,22 +10,7 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
let_it_be(:policy_management_project) { create(:project, :repository, namespace: user.namespace) }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
let_it_be(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
let_it_be(:policy_yaml) do
<<-EOS
name: Run DAST in every pipeline
type: scan_execution_policy
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }
......
......@@ -11,17 +11,8 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
let_it_be(:policy_last_updated_at) { Time.now }
let_it_be(:user) { policy_management_project.owner }
let_it_be(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy) { build(:scan_execution_policy, name: 'Run DAST in every pipeline') }
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
let(:repository) { instance_double(Repository, root_ref: 'master') }
......@@ -33,7 +24,7 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
commit.committed_date = policy_last_updated_at
allow(policy_management_project).to receive(:repository).and_return(repository)
allow(repository).to receive(:last_commit_for_path).and_return(commit)
allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
context 'when feature is not licensed' do
......
......@@ -73,43 +73,25 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
let_it_be(:policies_project) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: #{dast_scanner_profile.name}
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile 2
- name: Run DAST in every pipeline 2
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile 3
scanner_profile: Scanner Profile 3
- scan: dast
site_profile: Site Profile 4
scanner_profile: Scanner Profile 4
EOS
let(:policy1) do
build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: dast_scanner_profile.name },
{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
])
end
let(:policy2) do
build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
{ scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
])
end
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
before do
create_list(:dast_scanner_profile, 30, project: project)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
end
it 'only calls Gitaly twice when multiple profiles are present', :request_store do
......
......@@ -138,43 +138,25 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
let_it_be(:policies_project) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile 2
- name: Run DAST in every pipeline 2
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile 3
scanner_profile: Scanner Profile 3
- scan: dast
site_profile: Site Profile 4
scanner_profile: Scanner Profile 4
EOS
let(:policy1) do
build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
])
end
let(:policy2) do
build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
{ scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
])
end
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
before do
create_list(:dast_site_profile, 30, project: project)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
end
it 'only calls Gitaly twice when multiple profiles are present', :request_store do
......
......@@ -45,30 +45,14 @@ RSpec.describe Gitlab::Ci::Config do
let_it_be(:policies_repository) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy)]) }
subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }
before do
allow_next_instance_of(Repository) do |repository|
# allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
allow(repository).to receive(:blob_data_at).and_return(policy_yml)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
end
......
......@@ -16,28 +16,18 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
let_it_be(:policies_repository) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- scan: secret_detection
EOS
let_it_be(:policy) do
build(:scan_execution_policy, actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
{ scan: 'secret_detection' }
])
end
let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
before do
allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return(policy_yml)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
end
......@@ -56,20 +46,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
end
shared_examples 'when policy is invalid' do
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches: "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
let_it_be(:policy_yaml) do
build(:scan_execution_policy_yaml, policies:
[build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
end
it 'does not modify the config', :aggregate_failures do
......
......@@ -11,22 +11,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
let(:default_branch) { security_policy_management_project.default_branch }
let(:repository) { instance_double(Repository, root_ref: 'master') }
let(:policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline')]) }
before do
allow(security_policy_management_project).to receive(:repository).and_return(repository)
......@@ -153,22 +138,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end
context 'when policy is present' do
let(:policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline' )]) }
it 'retrieves policy by type' do
expect(subject.first[:name]).to eq('Run DAST in every pipeline')
......@@ -189,19 +159,8 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
context 'when file is invalid' do
let(:policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branch: "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
build(:scan_execution_policy_yaml, policies:
[build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
end
it { is_expected.to eq(false) }
......@@ -213,21 +172,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
context 'when policy is passed as argument' do
let_it_be(:policy_yaml) { nil }
let_it_be(:policy) do
{
scan_execution_policy: [
{
name: 'Run Scan in every pipeline',
description: 'This policy enforces to security scan for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
]
}
end
let_it_be(:policy) { { scan_execution_policy: [build(:scan_execution_policy)] } }
context 'when scan type is secret_detection' do
it 'returns false if extra fields are present' do
......@@ -248,72 +193,16 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end
describe '#active_policies' do
let(:enforce_dast_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:enforce_dast_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy)]) }
let(:policy_yaml) { fixture_file('security_orchestration.yml', dir: 'ee') }
let(:expected_active_policies) do
[
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
},
{
name: 'Run DAST in every pipeline_v1',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[master] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
},
{
name: 'Run DAST in every pipeline_v3',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[master] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
},
{
name: 'Run DAST in every pipeline_v4',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[master] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
},
{
name: 'Run DAST in every pipeline_v5',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[master] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
build(:scan_execution_policy, name: 'Run DAST in every pipeline'),
build(:scan_execution_policy, name: 'Run DAST in every pipeline_v1', rules: [{ type: 'pipeline', branches: %w[master] }]),
build(:scan_execution_policy, name: 'Run DAST in every pipeline_v3', rules: [{ type: 'pipeline', branches: %w[master] }]),
build(:scan_execution_policy, name: 'Run DAST in every pipeline_v4', rules: [{ type: 'pipeline', branches: %w[master] }]),
build(:scan_execution_policy, name: 'Run DAST in every pipeline_v5', rules: [{ type: 'pipeline', branches: %w[master] }])
]
end
......@@ -340,49 +229,11 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end
describe '#on_demand_scan_actions' do
let(:policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Run DAST in every pipeline
enabled: true
rules:
- type: pipeline
branches:
- "release/*"
actions:
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile 2
- name: Run DAST in every pipeline
enabled: true
rules:
- type: pipeline
branches:
- "*"
actions:
- scan: dast
site_profile: Site Profile 3
scanner_profile: Scanner Profile 3
- name: Run SAST in every pipeline
enabled: true
rules:
- type: pipeline
branches:
- "release/*"
actions:
- scan: sast
EOS
end
let(:policy1) { build(:scan_execution_policy) }
let(:policy2) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['release/*'] }], actions: [{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }]) }
let(:policy3) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['*'] }], actions: [{ scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' }]) }
let(:policy4) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['release/*'] }], actions: [{ scan: 'sast' }]) }
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2, policy3, policy4]) }
let(:expected_actions) do
[
......@@ -411,49 +262,11 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end
describe '#pipeline_scan_actions' do
let(:policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST and Secret Detection in every pipeline
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile 2
- scan: secret_detection
- name: Run DAST in every pipeline
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Run Secret Detection for all branches
enabled: true
rules:
- type: pipeline
branches:
- "*"
actions:
- scan: secret_detection
- name: Scheduled scan
enabled: true
rules:
- type: schedule
cadence: '*/15 * * * *'
branches:
- "*"
actions:
- scan: secret_detection
EOS
end
let(:policy1) { build(:scan_execution_policy) }
let(:policy2) { build(:scan_execution_policy, actions: [{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }, { scan: 'secret_detection' }]) }
let(:policy3) { build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: ['*'] }], actions: [{ scan: 'secret_detection' }]) }
let(:policy4) { build(:scan_execution_policy, :with_schedule, actions: [{ scan: 'secret_detection' }]) }
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2, policy3, policy4]) }
let(:expected_actions) do
[{ scan: 'secret_detection' }, { scan: 'secret_detection' }]
......@@ -470,23 +283,10 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
describe '#active_policy_names_with_dast_site_profile' do
let(:policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile 2
EOS
build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline', actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile 2' }
])])
end
it 'returns list of policy names where site profile is referenced' do
......@@ -496,24 +296,10 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
describe '#active_policy_names_with_dast_scanner_profile' do
let(:enforce_dast_yaml) do
<<-EOS
scan_execution_policy:
- type: scan_execution_policy
name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile
EOS
build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy, name: 'Run DAST in every pipeline', actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile' }
])])
end
before do
......
......@@ -7,22 +7,7 @@ RSpec.describe 'Create scan execution policy for a project' do
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project, :repository, namespace: current_user.namespace) }
let_it_be(:policy_yaml) do
<<-EOS
name: Run DAST in every pipeline
type: scan_execution_policy
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
def mutation
variables = { project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: 'APPEND' }
......
......@@ -8,18 +8,7 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
let_it_be(:project) { create(:project, :repository, namespace: owner.namespace) }
let_it_be(:policy_management_project) { create(:project, :repository, namespace: owner.namespace) }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
let_it_be(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let_it_be(:policy) { build(:scan_execution_policy) }
let_it_be(:type) { 'scan_execution_policy' }
let_it_be(:index) { project_security_policies_url(project) }
let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment