Merge branch 'djadmin-dast-configuration' into 'master'

Create DAST Configuration page [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!62014

Merge branch 'djadmin-dast-configuration' into 'master'
Create DAST Configuration page [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!62014
3c024aa0 · Bob Van Landuyt · 06f0f9e9 · ca787205 · 3c024aa0 · 3c024aa0
Commit 3c024aa0 authored May 25, 2021 by Bob Van Landuyt
12 changed files
--- a/ee/app/controllers/ee/projects/security/configuration_controller.rb
+++ b/ee/app/controllers/ee/projects/security/configuration_controller.rb
@@ -16,6 +16,7 @@ module EE
            push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
            push_frontend_feature_flag(:sec_dependency_scanning_ui_enable, project, default_enabled: :yaml)
            push_frontend_feature_flag(:sec_secret_detection_ui_enable, project, default_enabled: :yaml)
+            push_frontend_feature_flag(:dast_configuration_ui, project, default_enabled: :yaml)
          end

          before_action only: [:auto_fix] do

--- a/ee/app/controllers/projects/security/dast_configuration_controller.rb
+++ b/ee/app/controllers/projects/security/dast_configuration_controller.rb
+# frozen_string_literal: true
+
+module Projects
+  module Security
+    class DastConfigurationController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
+      include SecurityDashboardsPermissions
+
+      alias_method :vulnerable, :project
+
+      feature_category :dynamic_application_security_testing
+
+      def show
+        not_found unless Feature.enabled?(:dast_configuration_ui, @project, default_enabled: :yaml)
+      end
+    end
+  end
+end
--- a/ee/app/presenters/projects/security/configuration_presenter.rb
+++ b/ee/app/presenters/projects/security/configuration_presenter.rb
@@ -90,6 +90,7 @@ module Projects
      def configuration_path(type)
        {
          sast: project_security_configuration_sast_path(project),
+          dast: ::Feature.enabled?(:dast_configuration_ui, project, default_enabled: :yaml) ? project_security_configuration_dast_path(project) : nil,
          dast_profiles: project_security_configuration_dast_scans_path(project),
          api_fuzzing: project_security_configuration_api_fuzzing_path(project)
        }[type]

--- a/ee/app/views/projects/security/dast_configuration/show.html.haml
+++ b/ee/app/views/projects/security/dast_configuration/show.html.haml
+- add_to_breadcrumbs _("Security Configuration"), project_security_configuration_path(@project)
+- breadcrumb_title _("DAST Configuration")
+- page_title _("DAST Configuration")
+
+%h1= _("DAST Settings")
--- a/ee/config/feature_flags/development/dast_configuration_ui.yml
+++ b/ee/config/feature_flags/development/dast_configuration_ui.yml
+---
+name: dast_configuration_ui
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62014
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/330728
+milestone: '14.0'
+type: development
+group: group::dynamic analysis
+default_enabled: false
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -77,6 +77,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
              resources :dast_site_profiles, only: [:new, :edit]
              resources :dast_scanner_profiles, only: [:new, :edit]
            end
+            resource :dast, only: :show, controller: :dast_configuration
          end

          resource :discover, only: [:show], controller: :discover

--- a/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
+++ b/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
@@ -42,6 +42,7 @@ module EE
            super + %w[
              projects/security/sast_configuration#show
              projects/security/api_fuzzing_configuration#show
+              projects/security/dast_configuration#show
              projects/security/dast_profiles#show
              projects/security/dast_site_profiles#new
              projects/security/dast_site_profiles#edit

--- a/ee/spec/features/projects/security/user_views_security_configuration_spec.rb
+++ b/ee/spec/features/projects/security/user_views_security_configuration_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe 'User sees Security Configuration table', :js do
  let_it_be(:user) { create(:user) }
  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:pipeline) { create(:ci_pipeline, project: project) }

  before_all do
    project.add_developer(user)
@@ -33,7 +34,6 @@ RSpec.describe 'User sees Security Configuration table', :js do

    context 'with SAST report' do
      before do
-        pipeline = create(:ci_pipeline, project: project)
        create(:ci_build, :sast, pipeline: pipeline, status: 'success')
      end

@@ -47,6 +47,43 @@ RSpec.describe 'User sees Security Configuration table', :js do
        end
      end
    end
+
+    context 'with no DAST report' do
+      it 'shows DAST is not enabled' do
+        visit(project_security_configuration_path(project))
+
+        within_dast_row do
+          expect(page).to have_text('DAST')
+          expect(page).to have_text('Not enabled')
+          expect(page).to have_css('[data-testid="enable-button"]')
+        end
+      end
+    end
+
+    context 'with DAST report' do
+      before do
+        create(:ci_build, :dast, pipeline: pipeline, status: 'success')
+      end
+
+      it 'shows DAST is enabled' do
+        visit(project_security_configuration_path(project))
+
+        within_dast_row do
+          expect(page).to have_text('DAST')
+          expect(page).to have_text('Enabled')
+          expect(page).to have_css('[data-testid="configure-button"]')
+        end
+      end
+
+      it 'links to configuration page' do
+        visit(project_security_configuration_path(project))
+
+        within_dast_row do
+          click_link_or_button 'Configure'
+          expect(current_path).to eq(project_security_configuration_dast_path(project))
+        end
+      end
+    end
  end

  def within_sast_row
@@ -54,4 +91,10 @@ RSpec.describe 'User sees Security Configuration table', :js do
      yield
    end
  end
+
+  def within_dast_row
+    within '[data-testid="security-scanner-row"]:nth-of-type(2)' do
+      yield
+    end
+  end
 end
--- a/ee/spec/lib/ee/sidebars/projects/menus/security_compliance_menu_spec.rb
+++ b/ee/spec/lib/ee/sidebars/projects/menus/security_compliance_menu_spec.rb
@@ -80,6 +80,7 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
            projects/security/configuration#show
            projects/security/sast_configuration#show
            projects/security/api_fuzzing_configuration#show
+            projects/security/dast_configuration#show
            projects/security/dast_profiles#show
            projects/security/dast_site_profiles#new
            projects/security/dast_site_profiles#edit

--- a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
@@ -266,6 +266,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do

  def configuration_path(type)
    {
+      dast: project_security_configuration_dast_path(project),
      dast_profiles: project_security_configuration_dast_scans_path(project),
      sast: project_security_configuration_sast_path(project),
      api_fuzzing: project_security_configuration_api_fuzzing_path(project)

--- a/ee/spec/requests/projects/security/dast_configuration_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_configuration_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::Security::DastConfigurationController, type: :request do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+
+  describe 'GET #show' do
+    before do
+      stub_licensed_features(security_dashboard: true)
+      stub_feature_flags(dast_configuration_ui: true)
+      login_as(user)
+    end
+
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get project_security_configuration_dast_path(project) }
+
+      before_request do
+        project.add_developer(user)
+      end
+    end
+
+    context 'feature available' do
+      context 'user authorized' do
+        before do
+          project.add_developer(user)
+        end
+
+        it 'can access page' do
+          get project_security_configuration_dast_path(project)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      context 'user not authorized' do
+        before do
+          project.add_guest(user)
+        end
+
+        it 'sees a 404 error' do
+          get project_security_configuration_dast_path(project)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
+    context 'feature not available' do
+      context "license doesn't support the feature" do
+        before do
+          stub_licensed_features(security_dashboard: false)
+          project.add_developer(user)
+        end
+
+        it 'sees a 404 error' do
+          get project_security_configuration_dast_path(project)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'feature flag is disabled' do
+        before do
+          stub_feature_flags(dast_configuration_ui: false)
+          project.add_developer(user)
+        end
+
+        it 'sees a 404 error' do
+          get project_security_configuration_dast_path(project)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
+end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10051,9 +10051,15 @@ msgstr ""
 msgid "DAG visualization requires at least 3 dependent jobs."
 msgstr ""

+msgid "DAST Configuration"
+msgstr ""
+
 msgid "DAST Scans"
 msgstr ""

+msgid "DAST Settings"
+msgstr ""
+
 msgid "DNS"
 msgstr ""