Commit 1e0dcf3a authored by Dylan Griffith's avatar Dylan Griffith

Merge branch 'sk/337728-add-security-policy-factory' into 'master'

Move security policy yaml in specs to factory

See merge request gitlab-org/gitlab!69108
parents ca670a32 25b5dc36
# frozen_string_literal: true
FactoryBot.define do
factory :scan_execution_policy, class: Struct.new(:name, :description, :enabled, :actions, :rules) do
skip_create
initialize_with do
name = attributes[:name]
description = attributes[:description]
enabled = attributes[:enabled]
actions = attributes[:actions]
rules = attributes[:rules]
new(name, description, enabled, actions, rules).to_h
end
sequence(:name) { |n| "test-policy-#{n}" }
description { 'This policy enforces to run DAST for every pipeline within the project' }
enabled { true }
rules { [{ type: 'pipeline', branches: %w[production] }] }
actions { [{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }] }
trait :with_schedule do
rules { [{ type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }] }
end
end
factory :scan_execution_policy_yaml, class: Struct.new(:scan_execution_policy) do
skip_create
initialize_with do
policies = attributes[:policies]
YAML.dump(new(policies).to_h.deep_stringify_keys)
end
end
end
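Review bot: `attributes[:policies]` in the `scan_execution_policy_yaml` factory (the `initialize_with` block at the end of the file) has no declared attribute, so it relies on FactoryBot folding undeclared overrides into `attributes`, and `build(:scan_execution_policy_yaml)` without an override serialises `scan_execution_policy: nil` rather than an empty policy list; declaring `policies { [] }` next to `skip_create` makes the default build a well-formed document and the override discoverable. The `deep_stringify_keys` call deserves a why-comment, because without it `YAML.dump` would emit the Symbol keys as `:name:` tags, which a `safe_load` that does not permit Symbol rejects: `# string keys: mirrors a user-authored policy file and keeps Symbol tags out of the dump`. In the first factory the five locals only relay `attributes` one by one; `new(*attributes.values_at(:name, :description, :enabled, :actions, :rules)).to_h` says the same in a single line.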
...@@ -6,22 +6,10 @@ RSpec.describe Security::SecurityOrchestrationPolicies::FetchPolicyService do ...@@ -6,22 +6,10 @@ RSpec.describe Security::SecurityOrchestrationPolicies::FetchPolicyService do
describe '#execute' do describe '#execute' do
let(:project) { create(:project) } let(:project) { create(:project) }
let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) } let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
let(:policy) { build(:scan_execution_policy) }
let(:policy) do let(:policy_blob) { build(:scan_execution_policy_yaml, policies: [policy]) }
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy_blob) { { scan_execution_policy: [policy] }.to_yaml }
let(:type) { :scan_execution_policy } let(:type) { :scan_execution_policy }
let(:name) { 'Run DAST in every pipeline' } let(:name) { policy[:name] }
subject(:service) do subject(:service) do
described_class.new(policy_configuration: policy_configuration, name: name, type: type) described_class.new(policy_configuration: policy_configuration, name: name, type: type)
......
...@@ -8,42 +8,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do ...@@ -8,42 +8,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
let_it_be(:current_user) { project.owner } let_it_be(:current_user) { project.owner }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) } let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
let(:policy_yaml) do let(:policy_hash) { build(:scan_execution_policy, name: 'Test Policy') }
<<-EOS let(:input_policy_yaml) { policy_hash.merge(type: 'scan_execution_policy').to_yaml }
name: Run DAST in every pipeline let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy_hash])}
type: scan_execution_policy
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:policy) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:operation) { :append } let(:operation) { :append }
let(:params) { { policy_yaml: policy_yaml, operation: operation } } let(:params) { { policy_yaml: input_policy_yaml, operation: operation } }
subject(:service) do subject(:service) do
described_class.new(project: project, current_user: current_user, params: params) described_class.new(project: project, current_user: current_user, params: params)
...@@ -51,19 +21,19 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do ...@@ -51,19 +21,19 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
before do before do
allow_next_instance_of(Repository) do |repository| allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return(policy) allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end end
end end
context 'when policy_yaml is invalid' do context 'when policy_yaml is invalid' do
let(:invalid_policy_yaml) do let(:invalid_input_policy_yaml) do
<<-EOS <<-EOS
invalid_name: invalid invalid_name: invalid
type: scan_execution_policy type: scan_execution_policy
EOS EOS
end end
let(:params) { { policy_yaml: invalid_policy_yaml, operation: operation } } let(:params) { { policy_yaml: invalid_input_policy_yaml, operation: operation } }
it 'returns error' do it 'returns error' do
response = service.execute response = service.execute
...@@ -85,23 +55,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do ...@@ -85,23 +55,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
end end
context 'when policy already exists in policy project' do context 'when policy already exists in policy project' do
let(:policy) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
before do before do
allow_next_instance_of(::Files::UpdateService) do |instance| allow_next_instance_of(::Files::UpdateService) do |instance|
allow(instance).to receive(:execute).and_return({ status: :success }) allow(instance).to receive(:execute).and_return({ status: :success })
......
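Review bot: `input_policy_yaml` (`policy_hash.merge(type: 'scan_execution_policy').to_yaml`, in the first hunk) now serialises a Symbol-keyed hash, so the fixture reads `:name: …` instead of the `name: …` the heredoc it replaces produced; a user-submitted policy file has string keys, and the spec only passes if the service's loader tolerates Symbol keys, which is not visible here. Stringify before dumping, `let(:input_policy_yaml) { policy_hash.merge(type: 'scan_execution_policy').deep_stringify_keys.to_yaml }`, which also matches what the `scan_execution_policy_yaml` factory does. The same applies to `policy_yaml` in the process_policy_service_spec section (`Gitlab::Config::Loader::Yaml.new(policy.to_yaml).load!`). The new `let(:policy_yaml)` line here is also missing a space before its closing `}`.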
...@@ -7,19 +7,8 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyConfigurationValid ...@@ -7,19 +7,8 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyConfigurationValid
let(:project) { create(:project) } let(:project) { create(:project) }
let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) } let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
let(:policy) do let(:policy) { build(:scan_execution_policy) }
{ let(:policy_blob) { build(:scan_execution_policy_yaml, policies: [policy]) }
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy_blob) { { scan_execution_policy: [policy] }.to_yaml }
let(:type) { :scan_execution_policy } let(:type) { :scan_execution_policy }
let(:environment_id) { nil } let(:environment_id) { nil }
......
...@@ -6,92 +6,26 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessPolicyService do ...@@ -6,92 +6,26 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessPolicyService do
describe '#execute' do describe '#execute' do
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration) } let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration) }
let(:policy) do let(:policy) { build(:scan_execution_policy, name: 'Test Policy', enabled: false) }
<<-EOS let(:scheduled_policy) { build(:scan_execution_policy, :with_schedule, name: 'Scheduled DAST') }
name: Run DAST in every pipeline let(:policy_yaml) { Gitlab::Config::Loader::Yaml.new(policy.to_yaml).load! }
description: This policy enforces to run DAST for every pipeline within the project let(:type) { :scan_execution_policy }
enabled: false let(:operation) { :append }
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:repository_with_existing_policy_yaml) do let(:repository_with_existing_policy_yaml) do
<<-EOS pipeline_policy = build(:scan_execution_policy, name: 'Test Policy')
scan_execution_policy: build(:scan_execution_policy_yaml, policies: [pipeline_policy, scheduled_policy])
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Scheduled DAST
description: This policy executes DAST in a scheduled pipeline
enabled: true
rules:
- type: schedule
branches:
- "production"
cadence: '*/15 * * * *'
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end end
let(:repository_policy_yaml) do let(:repository_policy_yaml) do
<<-EOS pipeline_policy = build(:scan_execution_policy, name: "Execute DAST in every pipeline")
scan_execution_policy: build(:scan_execution_policy_yaml, policies: [pipeline_policy, scheduled_policy])
- name: Execute DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Scheduled DAST
description: This policy executes DAST in a scheduled pipeline
enabled: true
rules:
- type: schedule
branches:
- "production"
cadence: '*/15 * * * *'
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end end
let(:policy_yaml) { Gitlab::Config::Loader::Yaml.new(policy).load! }
let(:type) { :scan_execution_policy }
let(:operation) { :append }
subject(:service) { described_class.new(policy_configuration: policy_configuration, params: { policy: policy_yaml, operation: operation, type: type }) } subject(:service) { described_class.new(policy_configuration: policy_configuration, params: { policy: policy_yaml, operation: operation, type: type }) }
context 'when policy is invalid' do context 'when policy is invalid' do
let(:policy) do let(:policy) { { invalid_name: 'invalid' } }
<<-EOS
invalid_name: invalid
EOS
end
it 'raises StandardError' do it 'raises StandardError' do
expect { service.execute }.to raise_error(StandardError, 'Invalid policy yaml') expect { service.execute }.to raise_error(StandardError, 'Invalid policy yaml')
......
...@@ -13,18 +13,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do ...@@ -13,18 +13,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
end end
let(:policy) do let(:policy) do
{ rules = [
name: 'DAST Scan', { type: 'pipeline', branches: %w[production] },
description: 'This policy runs DAST on pipeline and for every 15 mins', { type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }
enabled: true, ]
rules: [
{ type: 'pipeline', branches: %w[production] }, build(:scan_execution_policy, rules: rules)
{ type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }
],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end end
subject(:service) { described_class.new(policy_configuration: policy_configuration, policy_index: 0, policy: policy) } subject(:service) { described_class.new(policy_configuration: policy_configuration, policy_index: 0, policy: policy) }
...@@ -58,17 +52,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do ...@@ -58,17 +52,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
end end
context 'when policy is not of type scheduled' do context 'when policy is not of type scheduled' do
let(:policy) do let(:policy) { build(:scan_execution_policy) }
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: false,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
it 'deletes schedules' do it 'deletes schedules' do
expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1) expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1)
......
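Review bot: `let(:policy) { build(:scan_execution_policy) }` in the 'when policy is not of type scheduled' context replaces a fixture that had `enabled: false` with the factory default of `enabled: true`, so the spec's precondition changed silently. If schedule deletion is meant to happen regardless of `enabled`, keep the original value explicit, `let(:policy) { build(:scan_execution_policy, enabled: false) }`, or add a comment stating that an enabled pipeline-only policy is the intended case.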
...@@ -10,17 +10,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do ...@@ -10,17 +10,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do
let(:schedule) { create(:security_orchestration_policy_rule_schedule, security_orchestration_policy_configuration: policy_configuration) } let(:schedule) { create(:security_orchestration_policy_rule_schedule, security_orchestration_policy_configuration: policy_configuration) }
let!(:scanner_profile) { create(:dast_scanner_profile, name: 'Scanner Profile', project: project) } let!(:scanner_profile) { create(:dast_scanner_profile, name: 'Scanner Profile', project: project) }
let!(:site_profile) { create(:dast_site_profile, name: 'Site Profile', project: project) } let!(:site_profile) { create(:dast_site_profile, name: 'Site Profile', project: project) }
let(:policy) do let(:policy) { build(:scan_execution_policy, enabled: true, rules: [{ type: 'schedule', branches: %w[master production], cadence: '*/20 * * * *' }]) }
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[master production], cadence: '*/20 * * * *' }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
subject(:service) { described_class.new(container: project, current_user: current_user) } subject(:service) { described_class.new(container: project, current_user: current_user) }
...@@ -69,44 +59,22 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do ...@@ -69,44 +59,22 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do
context 'when the branch in rules does not exist' do context 'when the branch in rules does not exist' do
let(:policy) do let(:policy) do
{ build(:scan_execution_policy,
name: 'Run DAST in every pipeline', enabled: true,
description: 'This policy enforces to run DAST for every pipeline within the project', rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }])
enabled: true,
rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }],
actions: []
}
end end
it_behaves_like 'does not execute scan' it_behaves_like 'does not execute scan'
end end
context 'when policy actions does not exist' do context 'when policy actions does not exist' do
let(:policy) do let(:policy) { build(:scan_execution_policy, :with_schedule, enabled: true, actions: []) }
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }],
actions: []
}
end
it_behaves_like 'does not execute scan' it_behaves_like 'does not execute scan'
end end
context 'when policy scan type is invalid' do context 'when policy scan type is invalid' do
let(:policy) do let(:policy) { build(:scan_execution_policy, :with_schedule, enabled: true, actions: [{ scan: 'invalid' }]) }
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }],
actions: [
{ scan: 'invalid' }
]
}
end
it_behaves_like 'does not execute scan' it_behaves_like 'does not execute scan'
end end
......
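Review bot: `enabled: true` is passed to every `build(:scan_execution_policy, …)` in this section although the factory default is already `enabled { true }`; dropping it shortens the four `let(:policy)` definitions to just the attributes each context actually varies. The multi-line call in 'when the branch in rules does not exist' then fits on one line, `let(:policy) { build(:scan_execution_policy, rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }]) }`, consistent with the neighbouring contexts.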