Commit 5017c011 authored by Philip Cunningham Committed by Heinrich Lee Yu

Add support for setting DAST_API_SPECIFICATION

parent 24909597
...@@ -6,6 +6,7 @@ module Ci ...@@ -6,6 +6,7 @@ module Ci
spider_timeout: 'DAST_SPIDER_MINS', spider_timeout: 'DAST_SPIDER_MINS',
target_timeout: 'DAST_TARGET_AVAILABILITY_TIMEOUT', target_timeout: 'DAST_TARGET_AVAILABILITY_TIMEOUT',
target_url: 'DAST_WEBSITE', target_url: 'DAST_WEBSITE',
api_specification_url: 'DAST_API_SPECIFICATION',
use_ajax_spider: 'DAST_USE_AJAX_SPIDER', use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
show_debug_messages: 'DAST_DEBUG', show_debug_messages: 'DAST_DEBUG',
full_scan_enabled: 'DAST_FULL_SCAN_ENABLED', full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',
......
...@@ -9,7 +9,7 @@ module DastOnDemandScans ...@@ -9,7 +9,7 @@ module DastOnDemandScans
return ServiceResponse.error(message: 'Cannot run active scan against unvalidated target') unless active_scan_allowed? return ServiceResponse.error(message: 'Cannot run active scan against unvalidated target') unless active_scan_allowed?
ServiceResponse.success( ServiceResponse.success(
payload: default_config.merge(site_profile_config, scanner_profile_config) payload: default_config.merge(target_config, site_profile_config, scanner_profile_config)
) )
end end
...@@ -62,11 +62,17 @@ module DastOnDemandScans ...@@ -62,11 +62,17 @@ module DastOnDemandScans
end end
def default_config def default_config
{ { dast_profile: dast_profile, branch: branch }
dast_profile: dast_profile, end
branch: branch,
target_url: dast_site&.url def target_config
} url = dast_site&.url
if dast_site_profile.target_type == 'website'
{ target_url: url }
else
{ api_specification_url: url }
end
end end
def site_profile_config def site_profile_config
......
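Review bot: In the new `target_config` (second hunk of the DastOnDemandScans file), `dast_site_profile.target_type` is called without safe navigation while `dast_site&.url` on the line above allows for a missing site, so if `dast_site_profile` can be nil in the same situations this method raises NoMethodError where the old `default_config` simply produced `target_url: nil`; the definitions of both readers are outside the hunk, so this is inferred from the `&.` alone. The `else` branch also maps every target type other than `'website'` to `api_specification_url`, so a future or unexpected `target_type` value would silently be sent to the scanner as an API specification. An explicit branch per known type with an empty fallback keeps the payload well-defined in both cases; `'api'` is the value the new spec exercises via `target_type: :api`, assuming the enum is stored as a string as the `'website'` comparison suggests. The enclosing module continues outside the hunk.
```ruby
def target_config
  url = dast_site&.url

  case dast_site_profile&.target_type
  when 'website' then { target_url: url }
  when 'api' then { api_specification_url: url }
  else {}
  end
end
```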
...@@ -12,6 +12,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -12,6 +12,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
spider_timeout: 1000, spider_timeout: 1000,
target_timeout: 100, target_timeout: 100,
target_url: 'https://gitlab.local', target_url: 'https://gitlab.local',
api_specification_url: 'https://gitlab.local/api.json',
use_ajax_spider: true, use_ajax_spider: true,
show_debug_messages: true, show_debug_messages: true,
full_scan_enabled: true, full_scan_enabled: true,
...@@ -34,6 +35,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -34,6 +35,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
DAST_SPIDER_MINS: 1000 DAST_SPIDER_MINS: 1000
DAST_TARGET_AVAILABILITY_TIMEOUT: 100 DAST_TARGET_AVAILABILITY_TIMEOUT: 100
DAST_WEBSITE: https://gitlab.local DAST_WEBSITE: https://gitlab.local
DAST_API_SPECIFICATION: https://gitlab.local/api.json
DAST_USE_AJAX_SPIDER: 'true' DAST_USE_AJAX_SPIDER: 'true'
DAST_DEBUG: 'true' DAST_DEBUG: 'true'
DAST_FULL_SCAN_ENABLED: 'true' DAST_FULL_SCAN_ENABLED: 'true'
...@@ -45,12 +47,12 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -45,12 +47,12 @@ RSpec.describe Ci::DastScanCiConfigurationService do
YAML YAML
end end
it 'return YAML configuration of the On-Demand DAST scan' do it 'returns the YAML configuration of the On-Demand DAST scan' do
expect(yaml_configuration).to eq(expected_yaml_configuration) expect(yaml_configuration).to eq(expected_yaml_configuration)
end end
end end
context 'when additional variables are provided' do context 'when unknown variables are provided' do
let(:params) do let(:params) do
{ {
target_url: 'https://gitlab.local', target_url: 'https://gitlab.local',
...@@ -75,12 +77,37 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -75,12 +77,37 @@ RSpec.describe Ci::DastScanCiConfigurationService do
YAML YAML
end end
it 'return YAML configuration of the On-Demand DAST scan' do it 'returns the YAML configuration of the On-Demand DAST scan' do
expect(yaml_configuration).to eq(expected_yaml_configuration) expect(yaml_configuration).to eq(expected_yaml_configuration)
end end
end end
context 'when no variable is provided' do context 'when a variable is set to nil' do
let(:params) do
{
target_url: 'https://gitlab.local',
api_specification_url: nil
}
end
let(:expected_yaml_configuration) do
<<~YAML
---
stages:
- dast
include:
- template: DAST-On-Demand-Scan.gitlab-ci.yml
variables:
DAST_WEBSITE: https://gitlab.local
YAML
end
it 'returns the YAML configuration of the On-Demand DAST scan' do
expect(yaml_configuration).to eq(expected_yaml_configuration)
end
end
context 'when no variables are provided' do
let(:params) { {} } let(:params) { {} }
let(:expected_yaml_configuration) do let(:expected_yaml_configuration) do
...@@ -94,7 +121,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do ...@@ -94,7 +121,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
YAML YAML
end end
it 'return YAML configuration of the On-Demand DAST scan' do it 'returns the YAML configuration of the On-Demand DAST scan' do
expect(yaml_configuration).to eq(expected_yaml_configuration) expect(yaml_configuration).to eq(expected_yaml_configuration)
end end
end end
......
...@@ -109,6 +109,15 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do ...@@ -109,6 +109,15 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
) )
end end
end end
context 'when target_type=api' do
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: :api) }
it 'returns params including the api_specification_url and omitting the target_url', :aggregate_failures do
expect(subject.payload[:api_specification_url]).to eq(dast_site_profile.dast_site.url)
expect(subject.payload[:target_url]).to be_nil
end
end
end end
context 'when the dast_profile is provided' do context 'when the dast_profile is provided' do
......