Commit 47fefba2 authored by Michael Eddington, committed by Heinrich Lee Yu

Add API Fuzzing CI template

parent 2984b7c2
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('API-Fuzzing') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
before do
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
context 'when project has Ultimate license' do
let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
before do
allow(License).to receive(:current).and_return(license)
end
context 'by default' do
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
context 'when FUZZAPI_HAR is present' do
before do
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end
it 'includes job' do
expect(build_names).to match_array(%w[apifuzzer_fuzz])
end
end
context 'when FUZZAPI_OPENAPI is present' do
before do
create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'openapi.json')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end
it 'includes job' do
expect(build_names).to match_array(%w[apifuzzer_fuzz])
end
end
end
context 'when API_FUZZING_DISABLED=1' do
before do
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
end
end
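Review bot: The `when API_FUZZING_DISABLED=1` context at the end of the spec sits outside the `when project has Ultimate license` context, so no `License.current` stub is active and `pipeline` already raises `Ci::CreatePipelineService::CreateError` for the same reason the 'no license' case does; the `$API_FUZZING_DISABLED` rule in the template is never actually exercised. Either move that context inside the Ultimate block (before its closing `end`) or add `let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }` and `allow(License).to receive(:current).and_return(license)` to its `before`, so that the test only passes because the variable suppresses the job. The three contexts that create `FUZZAPI_HAR`/`FUZZAPI_TARGET_URL` repeat the same two `create(:ci_variable, ...)` lines, which a shared helper or `shared_context` would make harder to drift. The template's rules also allow a job when only `FUZZAPI_D_WORKER_IMAGE` is set, and suppress it on the default branch via `API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH`; neither path has a case here, so a regression in those rules would go unnoticed.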
stages:
- build
- test
- deploy
- fuzz
variables:
FUZZAPI_PROFILE: Quick
FUZZAPI_VERSION: latest
FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml"
FUZZAPI_TIMEOUT: 30
FUZZAPI_REPORT: gl-api-fuzzing-report.xml
#
FUZZAPI_D_NETWORK: testing-net
#
# Wait up to 5 minutes for API Fuzzer and target url to become
# available (non 500 response to HTTP(s))
FUZZAPI_SERVICE_START_TIMEOUT: "300"
#
apifuzzer_fuzz:
stage: fuzz
image: docker:19.03.12
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
FUZZAPI_PROJECT: $CI_PROJECT_PATH
FUZZAPI_API: http://apifuzzer:80
allow_failure: true
rules:
- if: $API_FUZZING_DISABLED
when: never
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
- if: $FUZZAPI_HAR == null &&
$FUZZAPI_OPENAPI == null &&
$FUZZAPI_D_WORKER_IMAGE == null
when: never
- if: $FUZZAPI_D_WORKER_IMAGE == null &&
$FUZZAPI_TARGET_URL == null
when: never
- if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
services:
- docker:19.03.12-dind
script:
#
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
#
- docker network create --driver bridge $FUZZAPI_D_NETWORK
#
# Run user provided pre-script
- sh -c "$FUZZAPI_PRE_SCRIPT"
#
# Start peach testing engine container
- |
docker run -d \
--name apifuzzer \
--network $FUZZAPI_D_NETWORK \
-e Proxy:Port=8000 \
-e TZ=America/Los_Angeles \
-e FUZZAPI_API=http://127.0.0.1:80 \
-e FUZZAPI_PROJECT \
-e FUZZAPI_PROFILE \
-e FUZZAPI_CONFIG \
-e FUZZAPI_REPORT \
-e FUZZAPI_HAR \
-e FUZZAPI_OPENAPI \
-e FUZZAPI_TARGET_URL \
-e FUZZAPI_OVERRIDES_FILE \
-e FUZZAPI_OVERRIDES_ENV \
-e FUZZAPI_OVERRIDES_CMD \
-e FUZZAPI_OVERRIDES_INTERVAL \
-e FUZZAPI_TIMEOUT \
-e FUZZAPI_VERBOSE \
-e FUZZAPI_SERVICE_START_TIMEOUT \
-e GITLAB_FEATURES \
-v $CI_PROJECT_DIR:/app \
-p 80:80 \
-p 8000:8000 \
-p 514:514 \
--restart=no \
registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src:${FUZZAPI_VERSION}-engine
#
# Start target container
- |
if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \
docker run -d \
--name target \
--network $FUZZAPI_D_NETWORK \
$FUZZAPI_D_TARGET_ENV \
$FUZZAPI_D_TARGET_PORTS \
$FUZZAPI_D_TARGET_VOLUME \
--restart=no \
$FUZZAPI_D_TARGET_IMAGE \
; fi
#
# Start worker container
- |
if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \
docker run \
--name worker \
--network $FUZZAPI_D_NETWORK \
-e FUZZAPI_API=http://apifuzzer:80 \
-e FUZZAPI_PROJECT \
-e FUZZAPI_PROFILE \
-e FUZZAPI_AUTOMATION_CMD \
-e FUZZAPI_CONFIG \
-e FUZZAPI_REPORT \
-e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
$FUZZAPI_D_WORKER_ENV \
$FUZZAPI_D_WORKER_PORTS \
$FUZZAPI_D_WORKER_VOLUME \
--restart=no \
$FUZZAPI_D_WORKER_IMAGE \
; fi
#
# Wait for testing to complete if api fuzzer is scanning
- if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi
#
# Run user provided pre-script
- sh -c "$FUZZAPI_POST_SCRIPT"
#
after_script:
#
# Shutdown all containers
- echo "Stopping all containers"
- if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
- if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi
- docker stop apifuzzer
#
# Save docker logs
- docker logs apifuzzer &> gl-api_fuzzing-logs.log
- if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
- if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi
#
artifacts:
when: always
paths:
- ./gl-api_fuzzing*.log
- ./gl-api_fuzzing*.zip
reports:
junit: $FUZZAPI_REPORT
# end
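Review bot: The worker container is never started: in the "Start worker container" step the line `echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \` ends with a continuation backslash, so the following `docker run --name worker ...` and all its flags become arguments to `echo` and are merely printed until the `;` before `fi` ends the command. Terminate the echo on its own, e.g. `echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE"; \` followed by `docker run \`, or drop the backslash so the two commands are separate lines. The comment above `sh -c "$FUZZAPI_POST_SCRIPT"` still reads `# Run user provided pre-script` (copied from the earlier step) and should say `# Run user provided post-script`. `docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY` puts the job token on the command line; `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY` keeps it out of the process list and the runner's login warning. `DOCKER_TLS_CERTDIR: ""` turns off TLS to the dind service and the engine is published with `-p 80:80 -p 8000:8000 -p 514:514` with no authentication visible in this template, so it is presumably assumed those ports are reachable only from within the job — a comment stating that assumption would help users on shared or host-networked runners.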