Inject additional site profile config into CI yaml

- Extend services - Update specs

Inject additional site profile config into CI yaml
- Extend services - Update specs
08d0e691 · Philip Cunningham · Mark Chao · 82a7f898 · 08d0e691 · 08d0e691
Commit 08d0e691 authored Mar 29, 2021 by Philip Cunningham Committed by Mark Chao Mar 29, 2021
7 changed files
--- a/ee/app/services/ci/dast_scan_ci_configuration_service.rb
+++ b/ee/app/services/ci/dast_scan_ci_configuration_service.rb
@@ -8,7 +8,12 @@ module Ci
      target_url: 'DAST_WEBSITE',
      use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
      show_debug_messages: 'DAST_DEBUG',
-      full_scan_enabled: 'DAST_FULL_SCAN_ENABLED'
+      full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',
+      excluded_urls: 'DAST_EXCLUDE_URLS',
+      auth_url: 'DAST_AUTH_URL',
+      auth_username_field: 'DAST_USERNAME_FIELD',
+      auth_password_field: 'DAST_PASSWORD_FIELD',
+      auth_username: 'DAST_USERNAME'
    }.freeze
    def self.execute(args)

--- a/ee/app/services/dast_on_demand_scans/params_create_service.rb
+++ b/ee/app/services/dast_on_demand_scans/params_create_service.rb
@@ -5,11 +5,11 @@ module DastOnDemandScans
    include Gitlab::Utils::StrongMemoize
    def execute
-      return ServiceResponse.error(message: 'Site Profile was not provided') unless dast_site.present?
+      return ServiceResponse.error(message: 'Dast site profile was not provided') unless dast_site_profile.present?
      return ServiceResponse.error(message: 'Cannot run active scan against unvalidated target') unless active_scan_allowed?
      ServiceResponse.success(
-        payload: default_config.merge(scanner_profile_config)
+        payload: default_config.merge(site_profile_config, scanner_profile_config)
      )
    end
@@ -33,7 +33,13 @@ module DastOnDemandScans
    def dast_site
      strong_memoize(:dast_site) do
-        params[:dast_site_profile]&.dast_site
+        dast_site_profile&.dast_site
+      end
+    end
+    def dast_site_profile
+      strong_memoize(:dast_site_profile) do
+        params[:dast_site_profile]
      end
    end
@@ -56,6 +62,17 @@ module DastOnDemandScans
      }
    end
+    def site_profile_config
+      return {} unless dast_site_profile
+      {
+        excluded_urls: dast_site_profile.excluded_urls.join(','),
+        auth_username_field: dast_site_profile.auth_username_field,
+        auth_password_field: dast_site_profile.auth_password_field,
+        auth_username: dast_site_profile.auth_username
+      }
+    end
    def scanner_profile_config
      return {} unless dast_scanner_profile

--- a/ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb
+++ b/ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb
@@ -14,7 +14,12 @@ RSpec.describe Ci::DastScanCiConfigurationService do
          target_url: 'https://gitlab.local',
          use_ajax_spider: true,
          show_debug_messages: true,
-          full_scan_enabled: true
+          full_scan_enabled: true,
+          excluded_urls: 'https://gitlab.local/hello,https://gitlab.local/world',
+          auth_url: 'https://gitlab.local/login',
+          auth_username_field: 'session[username]',
+          auth_password_field: 'session[password]',
+          auth_username: 'tanuki'
        }
      end
@@ -32,6 +37,11 @@ RSpec.describe Ci::DastScanCiConfigurationService do
          DAST_USE_AJAX_SPIDER: 'true'
          DAST_DEBUG: 'true'
          DAST_FULL_SCAN_ENABLED: 'true'
+          DAST_EXCLUDE_URLS: https://gitlab.local/hello,https://gitlab.local/world
+          DAST_AUTH_URL: https://gitlab.local/login
+          DAST_USERNAME_FIELD: session[username]
+          DAST_PASSWORD_FIELD: session[password]
+          DAST_USERNAME: tanuki
        YAML
      end

--- a/ee/spec/services/ci/run_dast_scan_service_spec.rb
+++ b/ee/spec/services/ci/run_dast_scan_service_spec.rb
@@ -6,17 +6,36 @@ RSpec.describe Ci::RunDastScanService do
  let(:user) { create(:user) }
  let(:project) { create(:project, :repository, creator: user) }
  let(:branch) { project.default_branch }
+  let(:spider_timeout) { 42 }
+  let(:target_timeout) { 21 }
  let(:target_url) { generate(:url) }
  let(:use_ajax_spider) { true }
  let(:show_debug_messages) { false }
  let(:full_scan_enabled) { true }
+  let(:excluded_urls) { "#{target_url}/hello,#{target_url}/world" }
+  let(:auth_url) { "#{target_url}/login" }
  before do
    stub_licensed_features(security_on_demand_scans: true)
  end
  describe '#execute' do
-    subject { described_class.new(project, user).execute(branch: branch, target_url: target_url, spider_timeout: 42, target_timeout: 21, use_ajax_spider: use_ajax_spider, show_debug_messages: show_debug_messages, full_scan_enabled: full_scan_enabled) }
+    subject do
+      described_class.new(project, user).execute(
+        branch: branch,
+        target_url: target_url,
+        spider_timeout: spider_timeout,
+        target_timeout: target_timeout,
+        use_ajax_spider: use_ajax_spider,
+        show_debug_messages: show_debug_messages,
+        full_scan_enabled: full_scan_enabled,
+        excluded_urls: excluded_urls,
+        auth_url: auth_url,
+        auth_username_field: 'session[username]',
+        auth_password_field: 'session[password]',
+        auth_username: 'tanuki'
+      )
+    end
    let(:status) { subject.status }
    let(:pipeline) { subject.payload }
@@ -90,46 +109,67 @@ RSpec.describe Ci::RunDastScanService do
      it 'creates a build with appropriate variables' do
        build = pipeline.builds.first
        expected_variables = [
          {
-            'key' => 'DAST_VERSION',
+            'key' => 'DAST_AUTH_URL',
-            'value' => '1',
+            'value' => auth_url,
            'public' => true
          }, {
-            'key' => 'SECURE_ANALYZERS_PREFIX',
+            'key' => 'DAST_DEBUG',
-            'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+            'value' => 'false',
            'public' => true
          }, {
-            'key' => 'DAST_WEBSITE',
+            'key' => 'DAST_EXCLUDE_URLS',
-            'value' => target_url,
+            'value' => excluded_urls,
            'public' => true
-          },
+          }, {
-          {
+            'key' => 'DAST_FULL_SCAN_ENABLED',
+            'value' => 'true',
+            'public' => true
+          }, {
+            'key' => 'DAST_PASSWORD_FIELD',
+            'value' => 'session[password]',
+            'public' => true
+          }, {
            'key' => 'DAST_SPIDER_MINS',
-            'value' => '42',
+            'value' => spider_timeout.to_s,
            'public' => true
          }, {
            'key' => 'DAST_TARGET_AVAILABILITY_TIMEOUT',
-            'value' => '21',
+            'value' => target_timeout.to_s,
            'public' => true
          }, {
-            'key' => "DAST_USE_AJAX_SPIDER",
+            'key' => 'DAST_USERNAME',
-            'public' => true,
+            'value' => 'tanuki',
-            'value' => 'true'
+            'public' => true
          }, {
-            'key' => "DAST_DEBUG",
+            'key' => 'DAST_USERNAME_FIELD',
-            'public' => true,
+            'value' => 'session[username]',
-            'value' => 'false'
+            'public' => true
+          }, {
+            'key' => 'DAST_USE_AJAX_SPIDER',
+            'value' => 'true',
+            'public' => true
          }, {
-            'key' => "DAST_FULL_SCAN_ENABLED",
+            'key' => 'DAST_VERSION',
-            'public' => true,
+            'value' => '1',
-            'value' => 'true'
+            'public' => true
+          }, {
+            'key' => 'DAST_WEBSITE',
+            'value' => target_url,
+            'public' => true
          }, {
            'key' => 'GIT_STRATEGY',
            'value' => 'none',
            'public' => true
+          }, {
+            'key' => 'SECURE_ANALYZERS_PREFIX',
+            'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+            'public' => true
          }
        ]
        expect(build.yaml_variables).to contain_exactly(*expected_variables)
      end

--- a/ee/spec/services/dast_on_demand_scans/create_service_spec.rb
+++ b/ee/spec/services/dast_on_demand_scans/create_service_spec.rb
@@ -51,7 +51,11 @@ RSpec.describe DastOnDemandScans::CreateService do
        it 'delegates pipeline creation to Ci::RunDastScanService', :aggregate_failures do
          expected_params = {
-            branch: 'master',
+            auth_password_field: dast_site_profile.auth_password_field,
+            auth_username: dast_site_profile.auth_username,
+            auth_username_field: dast_site_profile.auth_username_field,
+            branch: project.default_branch_or_master,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
            full_scan_enabled: false,
            show_debug_messages: false,
            spider_timeout: nil,

--- a/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
+++ b/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
      it 'responds with error message', :aggregate_failures do
        expect(subject).not_to be_success
-        expect(subject.message).to eq('Site Profile was not provided')
+        expect(subject.message).to eq('Dast site profile was not provided')
      end
    end
@@ -39,8 +39,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
        it 'returns prepared scanner params in the payload' do
          expect(subject.payload).to eq(
-            branch: 'master',
+            branch: project.default_branch,
-            target_url: dast_site_profile.dast_site.url
+            target_url: dast_site_profile.dast_site.url,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            auth_username_field: dast_site_profile.auth_username_field,
+            auth_password_field: dast_site_profile.auth_password_field,
+            auth_username: dast_site_profile.auth_username
          )
        end
      end
@@ -51,11 +55,15 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
        it 'returns prepared scanner params in the payload' do
          expect(subject.payload).to eq(
            branch: project.default_branch,
+            target_url: dast_site_profile.dast_site.url,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            auth_username_field: dast_site_profile.auth_username_field,
+            auth_password_field: dast_site_profile.auth_password_field,
+            auth_username: dast_site_profile.auth_username,
            full_scan_enabled: false,
            show_debug_messages: false,
            spider_timeout: nil,
            target_timeout: nil,
-            target_url: dast_site_profile.dast_site.url,
            use_ajax_spider: false
          )
        end

--- a/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
@@ -50,7 +50,11 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
    it 'delegates variables preparation to ::Ci::DastScanCiConfigurationService' do
      expected_params = {
+        auth_password_field: site_profile.auth_password_field,
+        auth_username: site_profile.auth_username,
+        auth_username_field: site_profile.auth_username_field,
        branch: project.default_branch_or_master,
+        excluded_urls: site_profile.excluded_urls.join(','),
        full_scan_enabled: false,
        show_debug_messages: false,
        spider_timeout: nil,
@@ -76,19 +80,23 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
          stage: 'test',
          image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
          variables: {
-            DAST_VERSION: 1,
+            DAST_DEBUG: 'false',
-            SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+            DAST_EXCLUDE_URLS: site_profile.excluded_urls.join(','),
-            DAST_WEBSITE: site_profile.dast_site.url,
            DAST_FULL_SCAN_ENABLED: 'false',
+            DAST_PASSWORD_FIELD: site_profile.auth_password_field,
+            DAST_USERNAME: site_profile.auth_username,
+            DAST_USERNAME_FIELD: site_profile.auth_username_field,
            DAST_USE_AJAX_SPIDER: 'false',
-            DAST_DEBUG: 'false'
+            DAST_VERSION: 1,
+            DAST_WEBSITE: site_profile.dast_site.url,
+            SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers'
          },
          allow_failure: true,
          script: ['/analyze'],
          artifacts: { reports: { dast: 'gl-dast-report.json' } }
        },
        'dast-on-demand-1': {
-          script: 'echo "Error during On-Demand Scan execution: Site Profile was not provided" && false',
+          script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false',
          allow_failure: true
        }
      }