Add API Fuzzing CI template

ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('API-Fuzzing') }
+
+  describe 'the created pipeline' do
+    let(:user) { create(:admin) }
+    let(:default_branch) { 'master' }
+    let(:pipeline_branch) { default_branch }
+    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
+    let(:pipeline) { service.execute!(:push) }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+
+    context 'when project has no license' do
+      before do
+        create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+        create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+      end
+
+      it 'includes no jobs' do
+        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+      end
+    end
+
+    context 'when project has Ultimate license' do
+      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
+
+      before do
+        allow(License).to receive(:current).and_return(license)
+      end
+
+      context 'by default' do
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+
+      context 'when FUZZAPI_HAR is present' do
+        before do
+          create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+          create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+        end
+
+        it 'includes job' do
+          expect(build_names).to match_array(%w[apifuzzer_fuzz])
+        end
+      end
+
+      context 'when FUZZAPI_OPENAPI is present' do
+        before do
+          create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'openapi.json')
+          create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+        end
+
+        it 'includes job' do
+          expect(build_names).to match_array(%w[apifuzzer_fuzz])
+        end
+      end
+    end
+
+    context 'when API_FUZZING_DISABLED=1' do
+      before do
+        create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+        create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+        create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
+      end
+
+      it 'includes no jobs' do
+        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+      end
+    end
+  end
+end

lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml

+stages:
+    - build
+    - test
+    - deploy
+    - fuzz
+
+variables:
+    FUZZAPI_PROFILE: Quick
+    FUZZAPI_VERSION: latest
+    FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml"
+    FUZZAPI_TIMEOUT: 30
+    FUZZAPI_REPORT: gl-api-fuzzing-report.xml
+    #
+    FUZZAPI_D_NETWORK: testing-net
+    #
+    # Wait up to 5 minutes for API Fuzzer and target url to become
+    # available (non 500 response to HTTP(s))
+    FUZZAPI_SERVICE_START_TIMEOUT: "300"
+    #
+
+apifuzzer_fuzz:
+    stage: fuzz
+    image: docker:19.03.12
+    variables:
+        DOCKER_DRIVER: overlay2
+        DOCKER_TLS_CERTDIR: ""
+        FUZZAPI_PROJECT: $CI_PROJECT_PATH
+        FUZZAPI_API: http://apifuzzer:80
+    allow_failure: true
+    rules:
+        - if: $API_FUZZING_DISABLED
+          when: never
+        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
+              $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+          when: never
+        - if: $FUZZAPI_HAR == null &&
+              $FUZZAPI_OPENAPI == null &&
+              $FUZZAPI_D_WORKER_IMAGE == null
+          when: never
+        - if: $FUZZAPI_D_WORKER_IMAGE == null &&
+              $FUZZAPI_TARGET_URL == null
+          when: never
+        - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
+    services:
+        - docker:19.03.12-dind
+    script:
+        #
+        - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+        #
+        - docker network create --driver bridge $FUZZAPI_D_NETWORK
+        #
+        # Run user provided pre-script
+        - sh -c "$FUZZAPI_PRE_SCRIPT"
+        #
+        # Start peach testing engine container
+        - |
+            docker run -d \
+            --name apifuzzer \
+            --network $FUZZAPI_D_NETWORK \
+            -e Proxy:Port=8000 \
+            -e TZ=America/Los_Angeles \
+            -e FUZZAPI_API=http://127.0.0.1:80 \
+            -e FUZZAPI_PROJECT \
+            -e FUZZAPI_PROFILE \
+            -e FUZZAPI_CONFIG \
+            -e FUZZAPI_REPORT \
+            -e FUZZAPI_HAR \
+            -e FUZZAPI_OPENAPI \
+            -e FUZZAPI_TARGET_URL \
+            -e FUZZAPI_OVERRIDES_FILE \
+            -e FUZZAPI_OVERRIDES_ENV \
+            -e FUZZAPI_OVERRIDES_CMD \
+            -e FUZZAPI_OVERRIDES_INTERVAL \
+            -e FUZZAPI_TIMEOUT \
+            -e FUZZAPI_VERBOSE \
+            -e FUZZAPI_SERVICE_START_TIMEOUT \
+            -e GITLAB_FEATURES \
+            -v $CI_PROJECT_DIR:/app \
+            -p 80:80 \
+            -p 8000:8000 \
+            -p 514:514 \
+            --restart=no \
+            registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src:${FUZZAPI_VERSION}-engine
+        #
+        # Start target container
+        - |
+            if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \
+                docker run -d \
+                    --name target \
+                    --network $FUZZAPI_D_NETWORK \
+                    $FUZZAPI_D_TARGET_ENV \
+                    $FUZZAPI_D_TARGET_PORTS \
+                    $FUZZAPI_D_TARGET_VOLUME \
+                    --restart=no \
+                    $FUZZAPI_D_TARGET_IMAGE \
+                ; fi
+        #
+        # Start worker container
+        - |
+            if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
+                echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \
+                docker run \
+                    --name worker \
+                    --network $FUZZAPI_D_NETWORK \
+                    -e FUZZAPI_API=http://apifuzzer:80 \
+                    -e FUZZAPI_PROJECT \
+                    -e FUZZAPI_PROFILE \
+                    -e FUZZAPI_AUTOMATION_CMD \
+                    -e FUZZAPI_CONFIG \
+                    -e FUZZAPI_REPORT \
+                    -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
+                    $FUZZAPI_D_WORKER_ENV \
+                    $FUZZAPI_D_WORKER_PORTS \
+                    $FUZZAPI_D_WORKER_VOLUME \
+                    --restart=no \
+                    $FUZZAPI_D_WORKER_IMAGE \
+                ; fi
+        #
+        # Wait for testing to complete if api fuzzer is scanning
+        - if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi
+        #
+        # Run user provided pre-script
+        - sh -c "$FUZZAPI_POST_SCRIPT"
+        #
+    after_script:
+        #
+        # Shutdown all containers
+        - echo "Stopping all containers"
+        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
+        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi
+        - docker stop apifuzzer
+        #
+        # Save docker logs
+        - docker logs apifuzzer &> gl-api_fuzzing-logs.log
+        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
+        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi
+        #
+    artifacts:
+        when: always
+        paths:
+            - ./gl-api_fuzzing*.log
+            - ./gl-api_fuzzing*.zip
+        reports:
+            junit: $FUZZAPI_REPORT
+
+# end