Commit 08d0e691 authored by Philip Cunningham's avatar Philip Cunningham Committed by Mark Chao

Inject additional site profile config into CI yaml

- Extend services
- Update specs
parent 82a7f898
......@@ -8,7 +8,12 @@ module Ci
target_url: 'DAST_WEBSITE',
use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
show_debug_messages: 'DAST_DEBUG',
full_scan_enabled: 'DAST_FULL_SCAN_ENABLED'
full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',
excluded_urls: 'DAST_EXCLUDE_URLS',
auth_url: 'DAST_AUTH_URL',
auth_username_field: 'DAST_USERNAME_FIELD',
auth_password_field: 'DAST_PASSWORD_FIELD',
auth_username: 'DAST_USERNAME'
}.freeze
def self.execute(args)
......
......@@ -5,11 +5,11 @@ module DastOnDemandScans
include Gitlab::Utils::StrongMemoize
def execute
return ServiceResponse.error(message: 'Site Profile was not provided') unless dast_site.present?
return ServiceResponse.error(message: 'Dast site profile was not provided') unless dast_site_profile.present?
return ServiceResponse.error(message: 'Cannot run active scan against unvalidated target') unless active_scan_allowed?
ServiceResponse.success(
payload: default_config.merge(scanner_profile_config)
payload: default_config.merge(site_profile_config, scanner_profile_config)
)
end
......@@ -33,7 +33,13 @@ module DastOnDemandScans
def dast_site
strong_memoize(:dast_site) do
params[:dast_site_profile]&.dast_site
dast_site_profile&.dast_site
end
end
def dast_site_profile
strong_memoize(:dast_site_profile) do
params[:dast_site_profile]
end
end
......@@ -56,6 +62,17 @@ module DastOnDemandScans
}
end
def site_profile_config
return {} unless dast_site_profile
{
excluded_urls: dast_site_profile.excluded_urls.join(','),
auth_username_field: dast_site_profile.auth_username_field,
auth_password_field: dast_site_profile.auth_password_field,
auth_username: dast_site_profile.auth_username
}
end
def scanner_profile_config
return {} unless dast_scanner_profile
......
......@@ -14,7 +14,12 @@ RSpec.describe Ci::DastScanCiConfigurationService do
target_url: 'https://gitlab.local',
use_ajax_spider: true,
show_debug_messages: true,
full_scan_enabled: true
full_scan_enabled: true,
excluded_urls: 'https://gitlab.local/hello,https://gitlab.local/world',
auth_url: 'https://gitlab.local/login',
auth_username_field: 'session[username]',
auth_password_field: 'session[password]',
auth_username: 'tanuki'
}
end
......@@ -32,6 +37,11 @@ RSpec.describe Ci::DastScanCiConfigurationService do
DAST_USE_AJAX_SPIDER: 'true'
DAST_DEBUG: 'true'
DAST_FULL_SCAN_ENABLED: 'true'
DAST_EXCLUDE_URLS: https://gitlab.local/hello,https://gitlab.local/world
DAST_AUTH_URL: https://gitlab.local/login
DAST_USERNAME_FIELD: session[username]
DAST_PASSWORD_FIELD: session[password]
DAST_USERNAME: tanuki
YAML
end
......
......@@ -6,17 +6,36 @@ RSpec.describe Ci::RunDastScanService do
let(:user) { create(:user) }
let(:project) { create(:project, :repository, creator: user) }
let(:branch) { project.default_branch }
let(:spider_timeout) { 42 }
let(:target_timeout) { 21 }
let(:target_url) { generate(:url) }
let(:use_ajax_spider) { true }
let(:show_debug_messages) { false }
let(:full_scan_enabled) { true }
let(:excluded_urls) { "#{target_url}/hello,#{target_url}/world" }
let(:auth_url) { "#{target_url}/login" }
before do
stub_licensed_features(security_on_demand_scans: true)
end
describe '#execute' do
subject { described_class.new(project, user).execute(branch: branch, target_url: target_url, spider_timeout: 42, target_timeout: 21, use_ajax_spider: use_ajax_spider, show_debug_messages: show_debug_messages, full_scan_enabled: full_scan_enabled) }
subject do
described_class.new(project, user).execute(
branch: branch,
target_url: target_url,
spider_timeout: spider_timeout,
target_timeout: target_timeout,
use_ajax_spider: use_ajax_spider,
show_debug_messages: show_debug_messages,
full_scan_enabled: full_scan_enabled,
excluded_urls: excluded_urls,
auth_url: auth_url,
auth_username_field: 'session[username]',
auth_password_field: 'session[password]',
auth_username: 'tanuki'
)
end
let(:status) { subject.status }
let(:pipeline) { subject.payload }
......@@ -90,46 +109,67 @@ RSpec.describe Ci::RunDastScanService do
it 'creates a build with appropriate variables' do
build = pipeline.builds.first
expected_variables = [
{
'key' => 'DAST_VERSION',
'value' => '1',
'key' => 'DAST_AUTH_URL',
'value' => auth_url,
'public' => true
}, {
'key' => 'SECURE_ANALYZERS_PREFIX',
'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers',
'key' => 'DAST_DEBUG',
'value' => 'false',
'public' => true
}, {
'key' => 'DAST_WEBSITE',
'value' => target_url,
'key' => 'DAST_EXCLUDE_URLS',
'value' => excluded_urls,
'public' => true
},
{
}, {
'key' => 'DAST_FULL_SCAN_ENABLED',
'value' => 'true',
'public' => true
}, {
'key' => 'DAST_PASSWORD_FIELD',
'value' => 'session[password]',
'public' => true
}, {
'key' => 'DAST_SPIDER_MINS',
'value' => '42',
'value' => spider_timeout.to_s,
'public' => true
}, {
'key' => 'DAST_TARGET_AVAILABILITY_TIMEOUT',
'value' => '21',
'value' => target_timeout.to_s,
'public' => true
}, {
'key' => "DAST_USE_AJAX_SPIDER",
'public' => true,
'value' => 'true'
'key' => 'DAST_USERNAME',
'value' => 'tanuki',
'public' => true
}, {
'key' => "DAST_DEBUG",
'public' => true,
'value' => 'false'
'key' => 'DAST_USERNAME_FIELD',
'value' => 'session[username]',
'public' => true
}, {
'key' => 'DAST_USE_AJAX_SPIDER',
'value' => 'true',
'public' => true
}, {
'key' => "DAST_FULL_SCAN_ENABLED",
'public' => true,
'value' => 'true'
'key' => 'DAST_VERSION',
'value' => '1',
'public' => true
}, {
'key' => 'DAST_WEBSITE',
'value' => target_url,
'public' => true
}, {
'key' => 'GIT_STRATEGY',
'value' => 'none',
'public' => true
}, {
'key' => 'SECURE_ANALYZERS_PREFIX',
'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers',
'public' => true
}
]
expect(build.yaml_variables).to contain_exactly(*expected_variables)
end
......
......@@ -51,7 +51,11 @@ RSpec.describe DastOnDemandScans::CreateService do
it 'delegates pipeline creation to Ci::RunDastScanService', :aggregate_failures do
expected_params = {
branch: 'master',
auth_password_field: dast_site_profile.auth_password_field,
auth_username: dast_site_profile.auth_username,
auth_username_field: dast_site_profile.auth_username_field,
branch: project.default_branch_or_master,
excluded_urls: dast_site_profile.excluded_urls.join(','),
full_scan_enabled: false,
show_debug_messages: false,
spider_timeout: nil,
......
......@@ -17,7 +17,7 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
it 'responds with error message', :aggregate_failures do
expect(subject).not_to be_success
expect(subject.message).to eq('Site Profile was not provided')
expect(subject.message).to eq('Dast site profile was not provided')
end
end
......@@ -39,8 +39,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
it 'returns prepared scanner params in the payload' do
expect(subject.payload).to eq(
branch: 'master',
target_url: dast_site_profile.dast_site.url
branch: project.default_branch,
target_url: dast_site_profile.dast_site.url,
excluded_urls: dast_site_profile.excluded_urls.join(','),
auth_username_field: dast_site_profile.auth_username_field,
auth_password_field: dast_site_profile.auth_password_field,
auth_username: dast_site_profile.auth_username
)
end
end
......@@ -51,11 +55,15 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
it 'returns prepared scanner params in the payload' do
expect(subject.payload).to eq(
branch: project.default_branch,
target_url: dast_site_profile.dast_site.url,
excluded_urls: dast_site_profile.excluded_urls.join(','),
auth_username_field: dast_site_profile.auth_username_field,
auth_password_field: dast_site_profile.auth_password_field,
auth_username: dast_site_profile.auth_username,
full_scan_enabled: false,
show_debug_messages: false,
spider_timeout: nil,
target_timeout: nil,
target_url: dast_site_profile.dast_site.url,
use_ajax_spider: false
)
end
......
......@@ -50,7 +50,11 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
it 'delegates variables preparation to ::Ci::DastScanCiConfigurationService' do
expected_params = {
auth_password_field: site_profile.auth_password_field,
auth_username: site_profile.auth_username,
auth_username_field: site_profile.auth_username_field,
branch: project.default_branch_or_master,
excluded_urls: site_profile.excluded_urls.join(','),
full_scan_enabled: false,
show_debug_messages: false,
spider_timeout: nil,
......@@ -76,19 +80,23 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
stage: 'test',
image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
variables: {
DAST_VERSION: 1,
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
DAST_WEBSITE: site_profile.dast_site.url,
DAST_DEBUG: 'false',
DAST_EXCLUDE_URLS: site_profile.excluded_urls.join(','),
DAST_FULL_SCAN_ENABLED: 'false',
DAST_PASSWORD_FIELD: site_profile.auth_password_field,
DAST_USERNAME: site_profile.auth_username,
DAST_USERNAME_FIELD: site_profile.auth_username_field,
DAST_USE_AJAX_SPIDER: 'false',
DAST_DEBUG: 'false'
DAST_VERSION: 1,
DAST_WEBSITE: site_profile.dast_site.url,
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers'
},
allow_failure: true,
script: ['/analyze'],
artifacts: { reports: { dast: 'gl-dast-report.json' } }
},
'dast-on-demand-1': {
script: 'echo "Error during On-Demand Scan execution: Site Profile was not provided" && false',
script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false',
allow_failure: true
}
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment