Commit 4281600b authored by Mikołaj Wawrzyniak's avatar Mikołaj Wawrzyniak

Merge branch '325410-remove-api-fuzzing-configuration-ui-ff' into 'master'

Remove the api_fuzzing_configuration_ui feature flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!57583
parents 6e5f5388 c844bc75
......@@ -4746,7 +4746,7 @@ An edge in a connection.
| `alertManagementIntegrations` | [`AlertManagementIntegrationConnection`](#alertmanagementintegrationconnection) | Integrations which can receive alerts for the project. |
| `alertManagementPayloadFields` | [`[AlertManagementPayloadAlertField!]`](#alertmanagementpayloadalertfield) | Extract alert fields from payload for custom mapping. |
| `allowMergeOnSkippedPipeline` | [`Boolean`](#boolean) | If `only_allow_merge_if_pipeline_succeeds` is true, indicates if merge requests of the project can also be merged with skipped jobs. |
| `apiFuzzingCiConfiguration` | [`ApiFuzzingCiConfiguration`](#apifuzzingciconfiguration) | API fuzzing configuration for the project. Null unless feature flag `api_fuzzing_configuration_ui` is enabled. |
| `apiFuzzingCiConfiguration` | [`ApiFuzzingCiConfiguration`](#apifuzzingciconfiguration) | API fuzzing configuration for the project. |
| `archived` | [`Boolean`](#boolean) | Indicates the archived status of the project. |
| `autocloseReferencedIssues` | [`Boolean`](#boolean) | Indicates if issues referenced by merge requests and commits within the default branch are closed automatically. |
| `avatarUrl` | [`String`](#string) | URL to avatar image file of the project. |
......
......@@ -74,10 +74,6 @@ starting in GitLab 14.0, GitLab will not check your repository's root for config
### Configuration form
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/299234) in GitLab 13.10.
> - It's [deployed behind a feature flag](../../../user/feature_flags.md), enabled by default.
> - It's enabled on GitLab.com.
> - It's recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-api-fuzzing-configuration-form). **(ULTIMATE)**
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
......@@ -103,25 +99,6 @@ to your project's `.gitlab-ci.yml` file where you can paste the YAML configurati
Select **Copy code only** to copy the snippet to your clipboard and close the modal.
#### Enable or disable API Fuzzing configuration form **(ULTIMATE)**
The API Fuzzing configuration form is under development but ready for production use.
It is deployed behind a feature flag that is **enabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can opt to disable it.
To enable it:
```ruby
Feature.enable(:api_fuzzing_configuration_ui)
```
To disable it:
```ruby
Feature.disable(:api_fuzzing_configuration_ui)
```
### OpenAPI Specification
> Support for OpenAPI Specification v3 was
......
......@@ -14,7 +14,6 @@ module EE
before_action only: [:show] do
push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
push_frontend_feature_flag(:api_fuzzing_configuration_ui, project, default_enabled: :yaml)
push_frontend_feature_flag(:sec_dependency_scanning_ui_enable, project, default_enabled: :yaml)
end
......
......@@ -11,7 +11,6 @@ module Projects
feature_category :fuzz_testing
def show
not_found unless Feature.enabled?(:api_fuzzing_configuration_ui, @project, default_enabled: :yaml)
end
end
end
......
......@@ -133,8 +133,7 @@ module EE
field :api_fuzzing_ci_configuration,
::Types::AppSec::Fuzzing::Api::CiConfigurationType,
null: true,
description: 'API fuzzing configuration for the project. '\
'Null unless feature flag `api_fuzzing_configuration_ui` is enabled.'
description: 'API fuzzing configuration for the project. '
field :push_rules,
::Types::PushRulesType,
......@@ -144,8 +143,7 @@ module EE
end
def api_fuzzing_ci_configuration
return unless ::Feature.enabled?(:api_fuzzing_configuration_ui, object, default_enabled: :yaml) && \
Ability.allowed?(current_user, :read_vulnerability, object)
return unless Ability.allowed?(current_user, :read_vulnerability, object)
configuration = ::AppSec::Fuzzing::Api::CiConfiguration.new(project: object)
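Review bot: The new field description, `description: 'API fuzzing configuration for the project. '`, keeps a trailing space left over from the removed string concatenation, and it drops the only documented reason the field can be null while the resolver below still returns nil unless `Ability.allowed?(current_user, :read_vulnerability, object)`. Suggest `description: 'API fuzzing configuration for the project. Null when the user cannot read vulnerabilities for the project.'` so the generated GraphQL reference keeps stating the authorization condition. The `api_fuzzing_ci_configuration` resolver continues past the end of the hunk.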
......
......@@ -53,8 +53,6 @@ module Mutations
def resolve(args)
project = authorized_find!(args[:project_path])
raise_feature_off_error unless feature_enabled?(project)
create_service = ::AppSec::Fuzzing::Api::CiConfigurationCreateService.new(
container: project, current_user: current_user, params: args
)
......@@ -72,10 +70,6 @@ module Mutations
raise ::Gitlab::Graphql::Errors::ResourceNotAvailable,
'The API fuzzing CI configuration feature is off'
end
def feature_enabled?(project)
Feature.enabled?(:api_fuzzing_configuration_ui, project, default_enabled: :yaml)
end
end
end
end
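Review bot: Removing `raise_feature_off_error unless feature_enabled?(project)` from `resolve` leaves the error helper itself in place — its body, `raise ::Gitlab::Graphql::Errors::ResourceNotAvailable, 'The API fuzzing CI configuration feature is off'`, is still visible in the second hunk and now has no caller in this file. The message describes a state that can no longer occur once the flag is gone, so the method (presumably `raise_feature_off_error`; its `def` line is outside the hunk) should be removed together with `feature_enabled?`, after confirming nothing else in the class calls it. The matching 'errors' example was already deleted from the mutation spec in this commit, so no test depends on it.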
......
......@@ -91,7 +91,7 @@ module Projects
{
sast: project_security_configuration_sast_path(project),
dast_profiles: project_security_configuration_dast_scans_path(project),
api_fuzzing: ::Feature.enabled?(:api_fuzzing_configuration_ui, project, default_enabled: :yaml) ? project_security_configuration_api_fuzzing_path(project) : nil
api_fuzzing: project_security_configuration_api_fuzzing_path(project)
}[type]
end
end
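Review bot: With the ternary gone, the hash literal from `sast:` through `api_fuzzing:` now evaluates all three route helpers on every call only to pick one with `[type]`; a `case type` returns the same path (and the same `nil` for an unrecognised `type`) without building the hash. The enclosing method starts above the hunk, so the name `type` is taken from the `[type]` index on its last line.
```ruby
case type
when :sast then project_security_configuration_sast_path(project)
when :dast_profiles then project_security_configuration_dast_scans_path(project)
when :api_fuzzing then project_security_configuration_api_fuzzing_path(project)
end
```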
......
---
title: Remove the api_fuzzing_configuration_ui feature flag
merge_request: 57583
author:
type: changed
---
name: api_fuzzing_configuration_ui
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/51940
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/299234
milestone: '13.9'
type: development
group: group::fuzz testing
default_enabled: true
......@@ -51,18 +51,6 @@ RSpec.describe Projects::Security::ApiFuzzingConfigurationController do
expect(response.body).to have_active_sub_navigation('Configuration')
end
context 'with feature flag disabled' do
before do
stub_feature_flags(api_fuzzing_configuration_ui: false)
end
it 'returns a 404 for an HTML request' do
request
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'with unauthorized user' do
......
......@@ -30,42 +30,23 @@ RSpec.describe Mutations::AppSec::Fuzzing::Api::CiConfiguration::Create do
stub_licensed_features(security_dashboard: true)
end
context 'when the api_fuzzing_configuration_ui feature is on' do
before do
stub_feature_flags(api_fuzzing_configuration_ui: true)
end
it 'returns a YAML snippet that can be used to configure API fuzzing scans for the project' do
aggregate_failures do
expect(subject[:errors]).to be_empty
expect(subject[:gitlab_ci_yaml_edit_path]).to eq(
Rails.application.routes.url_helpers.project_ci_pipeline_editor_path(project)
)
expect(Psych.load(subject[:configuration_yaml])).to eq({
'stages' => ['fuzz'],
'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
'variables' => {
'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
'FUZZAPI_HTTP_USERNAME' => '$USERNAME',
'FUZZAPI_HAR' => 'https://api.gov/api_spec',
'FUZZAPI_PROFILE' => 'Quick-10',
'FUZZAPI_TARGET_URL' => 'https://api.gov'
}
})
end
end
context 'when the api_fuzzing_configuration_ui feature is off' do
before do
stub_feature_flags(api_fuzzing_configuration_ui: false)
end
it 'errors' do
expect { subject }.to raise_error(
::Gitlab::Graphql::Errors::ResourceNotAvailable,
'The API fuzzing CI configuration feature is off'
)
end
it 'returns a YAML snippet that can be used to configure API fuzzing scans for the project' do
aggregate_failures do
expect(subject[:errors]).to be_empty
expect(subject[:gitlab_ci_yaml_edit_path]).to eq(
Rails.application.routes.url_helpers.project_ci_pipeline_editor_path(project)
)
expect(Psych.load(subject[:configuration_yaml])).to eq({
'stages' => ['fuzz'],
'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
'variables' => {
'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
'FUZZAPI_HTTP_USERNAME' => '$USERNAME',
'FUZZAPI_HAR' => 'https://api.gov/api_spec',
'FUZZAPI_PROFILE' => 'Quick-10',
'FUZZAPI_TARGET_URL' => 'https://api.gov'
}
})
end
end
......
......@@ -42,58 +42,38 @@ RSpec.describe 'Query.project(fullPath).apiFuzzingCiConfiguration' do
).to_return(body: profiles_yaml)
end
context 'when the api_fuzzing_configuration_ui feature flag is enabled' do
context 'when the user can read vulnerabilities for the project' do
before do
stub_feature_flags(api_fuzzing_configuration_ui: true)
stub_licensed_features(security_dashboard: true)
end
context 'when the user can read vulnerabilities for the project' do
before do
stub_licensed_features(security_dashboard: true)
end
it 'returns scan modes and scan profiles' do
post_graphql(query, current_user: user)
expect(response).to have_gitlab_http_status(:ok)
fuzzing_config = graphql_data.dig('project', 'apiFuzzingCiConfiguration')
modes = fuzzing_config['scanModes']
profiles = fuzzing_config['scanProfiles']
expect(modes).to contain_exactly('HAR', 'OPENAPI', 'POSTMAN')
expect(profiles).to contain_exactly({
'name' => 'Quick-10',
'description' => 'Fuzzing 10 times per parameter',
'yaml' => "---\nName: Quick-10\n"
})
end
end
context 'when the user cannot read vulnerabilities for the project' do
before do
stub_licensed_features(security_dashboard: false)
end
it 'returns nil' do
post_graphql(query, current_user: user)
it 'returns scan modes and scan profiles' do
post_graphql(query, current_user: user)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to have_gitlab_http_status(:ok)
fuzzing_config = graphql_data.dig('project', 'apiFuzzingCiConfiguration')
expect(fuzzing_config).to be_nil
end
fuzzing_config = graphql_data.dig('project', 'apiFuzzingCiConfiguration')
modes = fuzzing_config['scanModes']
profiles = fuzzing_config['scanProfiles']
expect(modes).to contain_exactly('HAR', 'OPENAPI', 'POSTMAN')
expect(profiles).to contain_exactly({
'name' => 'Quick-10',
'description' => 'Fuzzing 10 times per parameter',
'yaml' => "---\nName: Quick-10\n"
})
end
end
context 'when the api_fuzzing_configuration_ui feature flag is disabled' do
context 'when the user cannot read vulnerabilities for the project' do
before do
stub_feature_flags(api_fuzzing_configuration_ui: false)
stub_licensed_features(security_dashboard: false)
end
it 'returns nil' do
post_graphql(query, current_user: user)
expect(response).to have_gitlab_http_status(:ok)
fuzzing_config = graphql_data.dig('project', 'apiFuzzingCiConfiguration')
expect(fuzzing_config).to be_nil
end
......
......@@ -33,7 +33,6 @@ RSpec.describe 'CreateApiFuzzingCiConfiguration' do
end
before do
stub_feature_flags(api_fuzzing_configuration_ui: true)
stub_licensed_features(security_dashboard: true)
end
......