Merge branch '331631-apifuzzing-update-ci' into 'master'

Promote unstable API Fuzzing CI template to stable (breaking)

See merge request gitlab-org/gitlab!62407

ee/spec/lib/ee/gitlab/ci/templates/templates_spec.rb

@@ -4,12 +4,9 @@ require 'spec_helper'
 
 RSpec.describe "CI YML Templates" do
   using RSpec::Parameterized::TableSyntax
-
   subject { Gitlab::Ci::YamlProcessor.new(content).execute }
 
-  where(:template_name) do
-    Gitlab::Template::GitlabCiYmlTemplate.all.map(&:full_name)
-  end
+  let(:all_templates) { Gitlab::Template::GitlabCiYmlTemplate.all.map(&:full_name) }
 
   before do
     stub_feature_flags(
@@ -19,27 +16,24 @@ RSpec.describe "CI YML Templates" do
       redirect_to_latest_template_jobs_browser_performance_testing: false)
   end
 
-  with_them do
-    let(:content) do
-      if template_name == 'Security/DAST-API.gitlab-ci.yml'
-        # The DAST-API template purposly excludes a stages
-        # definition.
+  shared_examples 'require default stages to be included' do
+    it 'require default stages to be included' do
+      expect(subject.stages).to include(*Gitlab::Ci::Config::Entry::Stages.default)
+    end
+  end
 
-        <<~EOS
-          include:
-            - template: #{template_name}
+  context 'that support autodevops' do
+    non_autodevops_templates = [
+      'Security/DAST-API.gitlab-ci.yml',
+      'Security/API-Fuzzing.gitlab-ci.yml'
+    ]
 
-          stages:
-            - build
-            - test
-            - deploy
-            - dast
+    where(:template_name) do
+      all_templates - non_autodevops_templates
+    end
 
-          concrete_build_implemented_by_a_user:
-            stage: test
-            script: do something
-        EOS
-      else
+    with_them do
+      let(:content) do
         <<~EOS
           include:
             - template: #{template_name}
@@ -49,14 +43,104 @@ RSpec.describe "CI YML Templates" do
             script: do something
         EOS
       end
+
+      it 'are valid with default stages' do
+        expect(subject).to be_valid
+      end
+
+      include_examples 'require default stages to be included'
     end
+  end
+
+  context 'that do not support autodevops' do
+    context 'when DAST API template' do
+      # The DAST API template purposly excludes a stages
+      # definition.
+
+      let(:template_name) { 'Security/DAST-API.gitlab-ci.yml' }
+
+      context 'with default stages' do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
 
-    it 'is valid' do
-      expect(subject).to be_valid
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
+
+        it { is_expected.not_to be_valid }
+      end
+
+      context 'with defined stages' do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
+
+            stages:
+              - build
+              - test
+              - deploy
+              - dast
+
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
+
+        it { is_expected.to be_valid }
+
+        include_examples 'require default stages to be included'
+      end
     end
 
-    it 'require default stages to be included' do
-      expect(subject.stages).to include(*Gitlab::Ci::Config::Entry::Stages.default)
+    context 'when API Fuzzing template' do
+      # The API Fuzzing template purposly excludes a stages
+      # definition.
+
+      let(:template_name) { 'Security/API-Fuzzing.gitlab-ci.yml' }
+
+      context 'with default stages' do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
+
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
+
+        it { is_expected.not_to be_valid }
+      end
+
+      context 'with defined stages' do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
+
+            stages:
+              - build
+              - test
+              - deploy
+              - fuzz
+
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
+
+        it { is_expected.to be_valid }
+
+        include_examples 'require default stages to be included'
+      end
     end
   end
 end

ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb

@@ -5,6 +5,8 @@ require 'spec_helper'
 RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('API-Fuzzing') }
 
+  specify { expect(template).not_to be_nil }
+
   describe 'the template file' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
@@ -36,106 +38,103 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }
 
-    before do
-      stub_ci_pipeline_yaml_file(template.content)
-      allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
-        allow(worker).to receive(:perform).and_return(true)
-      end
-      allow(project).to receive(:default_branch).and_return(default_branch)
-    end
-
-    context 'when project has no license' do
+    context 'when no stages' do
       before do
-        create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
-        create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+        stub_ci_pipeline_yaml_file(template.content)
+        allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
+          allow(worker).to receive(:perform).and_return(true)
+        end
+        allow(project).to receive(:default_branch).and_return(default_branch)
       end
 
-      it 'includes job to display error' do
-        expect(build_names).to match_array(%w[apifuzzer_fuzz_unlicensed])
+      context 'when project has no stages' do
+        it 'includes no jobs' do
+          expect(build_names).to be_empty
+        end
       end
     end
 
-    context 'when project has Ultimate license' do
-      let(:license) { build(:license, plan: License::ULTIMATE_PLAN) }
+    context 'when stages includes fuzz' do
+      let(:ci_pipeline_yaml) { "stages: [\"fuzz\"]\n" }
 
       before do
-        allow(License).to receive(:current).and_return(license)
-      end
+        stub_ci_pipeline_yaml_file(ci_pipeline_yaml + template.content)
 
-      context 'by default' do
-        it 'includes a job' do
-          expect(build_names).to match_array(%w[apifuzzer_fuzz])
+        allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
+          allow(worker).to receive(:perform).and_return(true)
         end
+
+        allow(project).to receive(:default_branch).and_return(default_branch)
       end
 
-      context 'when configured with HAR' do
+      context 'when project has no license' do
         before do
           create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
           create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
         end
 
-        it 'includes job' do
+        it 'includes job to display error' do
           expect(build_names).to match_array(%w[apifuzzer_fuzz])
         end
       end
 
-      context 'when configured with OpenAPI' do
+      context 'when project has Ultimate license' do
+        let(:license) { build(:license, plan: License::ULTIMATE_PLAN) }
+
         before do
-          create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'testing.json')
-          create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+          allow(License).to receive(:current).and_return(license)
         end
 
-        it 'includes job' do
-          expect(build_names).to match_array(%w[apifuzzer_fuzz])
+        context 'by default' do
+          it 'includes a job' do
+            expect(build_names).to match_array(%w[apifuzzer_fuzz])
+          end
         end
-      end
 
-      context 'when configured with Postman' do
-        before do
-          create(:ci_variable, project: project, key: 'FUZZAPI_POSTMAN_COLLECTION', value: 'testing.json')
-          create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
-        end
+        context 'when configured with HAR' do
+          before do
+            create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+            create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+          end
 
-        it 'includes job' do
-          expect(build_names).to match_array(%w[apifuzzer_fuzz])
+          it 'includes job' do
+            expect(build_names).to match_array(%w[apifuzzer_fuzz])
+          end
         end
-      end
 
-      context 'when FUZZAPI_D_TARGET_IMAGE is present' do
-        before do
-          create(:ci_variable, project: project, key: 'FUZZAPI_D_TARGET_IMAGE', value: 'imagename:latest')
-          create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
-          create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
-        end
+        context 'when configured with OpenAPI' do
+          before do
+            create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'testing.json')
+            create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+          end
 
-        it 'includes dnd job' do
-          expect(build_names).to match_array(%w[apifuzzer_fuzz_dnd])
+          it 'includes job' do
+            expect(build_names).to match_array(%w[apifuzzer_fuzz])
+          end
         end
-      end
-    end
 
-    context 'when API_FUZZING_DISABLED=1' do
-      before do
-        create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
-        create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
-        create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
-      end
+        context 'when configured with Postman' do
+          before do
+            create(:ci_variable, project: project, key: 'FUZZAPI_POSTMAN_COLLECTION', value: 'testing.json')
+            create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+          end
 
-      it 'includes no jobs' do
-        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
-      end
-    end
+          it 'includes job' do
+            expect(build_names).to match_array(%w[apifuzzer_fuzz])
+          end
+        end
 
-    context 'when API_FUZZING_DISABLED=1 with DnD' do
-      before do
-        create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
-        create(:ci_variable, project: project, key: 'FUZZAPI_D_TARGET_IMAGE', value: 'imagename:latest')
-        create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
-        create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
-      end
+        context 'when API_FUZZING_DISABLED=1' do
+          before do
+            create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
+            create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+            create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+          end
 
-      it 'includes no jobs' do
-        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+          it 'includes no jobs' do
+            expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+          end
+        end
       end
     end
   end

spec/lib/gitlab/ci/templates/templates_spec.rb

@@ -6,33 +6,104 @@ RSpec.describe 'CI YML Templates' do
   subject { Gitlab::Ci::YamlProcessor.new(content).execute }
 
   let(:all_templates) { Gitlab::Template::GitlabCiYmlTemplate.all.map(&:full_name) }
-
   let(:excluded_templates) do
     all_templates.select do |name|
       Gitlab::Template::GitlabCiYmlTemplate.excluded_patterns.any? { |pattern| pattern.match?(name) }
     end
   end
 
-  context 'when including available templates in a CI YAML configuration' do
-    using RSpec::Parameterized::TableSyntax
+  before do
+    stub_feature_flags(
+      redirect_to_latest_template_terraform: false,
+      redirect_to_latest_template_security_api_fuzzing: false,
+      redirect_to_latest_template_security_dast: false)
+  end
+
+  shared_examples 'require default stages to be included' do
+    it 'require default stages to be included' do
+      expect(subject.stages).to include(*Gitlab::Ci::Config::Entry::Stages.default)
+    end
+  end
+
+  context 'that support autodevops' do
+    non_autodevops_templates = [
+      'Security/DAST-API.gitlab-ci.yml',
+      'Security/API-Fuzzing.gitlab-ci.yml'
+    ]
+
+    context 'when including available templates in a CI YAML configuration' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:template_name) do
+        all_templates - excluded_templates - non_autodevops_templates
+      end
+
+      with_them do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
+
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
+
+        it { is_expected.to be_valid }
 
-    where(:template_name) do
-      all_templates - excluded_templates
+        include_examples 'require default stages to be included'
+      end
     end
 
-    before do
-      stub_feature_flags(
-        redirect_to_latest_template_terraform: false,
-        redirect_to_latest_template_security_api_fuzzing: false,
-        redirect_to_latest_template_security_dast: false)
+    context 'when including unavailable templates in a CI YAML configuration' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:template_name) do
+        excluded_templates
+      end
+
+      with_them do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
+
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
+
+        it { is_expected.not_to be_valid }
+      end
     end
+  end
+
+  describe 'that do not support autodevops' do
+    context 'when DAST API template' do
+      # The DAST API template purposly excludes a stages
+      # definition.
+
+      let(:template_name) { 'Security/DAST-API.gitlab-ci.yml' }
 
-    with_them do
-      let(:content) do
-        if template_name == 'Security/DAST-API.gitlab-ci.yml'
-          # The DAST-API template purposly excludes a stages
-          # definition.
+      context 'with default stages' do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
+
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
 
+        it { is_expected.not_to be_valid }
+      end
+
+      context 'with defined stages' do
+        let(:content) do
           <<~EOS
             include:
               - template: #{template_name}
@@ -47,7 +118,22 @@ RSpec.describe 'CI YML Templates' do
               stage: test
               script: do something
           EOS
-        else
+        end
+
+        it { is_expected.to be_valid }
+
+        include_examples 'require default stages to be included'
+      end
+    end
+
+    context 'when API Fuzzing template' do
+      # The API Fuzzing template purposly excludes a stages
+      # definition.
+
+      let(:template_name) { 'Security/API-Fuzzing.gitlab-ci.yml' }
+
+      context 'with default stages' do
+        let(:content) do
           <<~EOS
             include:
               - template: #{template_name}
@@ -57,39 +143,31 @@ RSpec.describe 'CI YML Templates' do
               script: do something
           EOS
         end
-      end
-
-      it 'is valid' do
-        expect(subject).to be_valid
-      end
 
-      it 'require default stages to be included' do
-        expect(subject.stages).to include(*Gitlab::Ci::Config::Entry::Stages.default)
+        it { is_expected.not_to be_valid }
       end
-    end
-  end
 
-  context 'when including unavailable templates in a CI YAML configuration' do
-    using RSpec::Parameterized::TableSyntax
+      context 'with defined stages' do
+        let(:content) do
+          <<~EOS
+            include:
+              - template: #{template_name}
 
-    where(:template_name) do
-      excluded_templates
-    end
+            stages:
+              - build
+              - test
+              - deploy
+              - fuzz
 
-    with_them do
-      let(:content) do
-        <<~EOS
-          include:
-            - template: #{template_name}
+            concrete_build_implemented_by_a_user:
+              stage: test
+              script: do something
+          EOS
+        end
 
-          concrete_build_implemented_by_a_user:
-            stage: test
-            script: do something
-        EOS
-      end
+        it { is_expected.to be_valid }
 
-      it 'is not valid' do
-        expect(subject).not_to be_valid
+        include_examples 'require default stages to be included'
       end
     end
   end