Merge branch '355526-dast-submit-field' into 'master'

Add option to add DAST_SUBMIT_FIELD

See merge request gitlab-org/gitlab!84100

doc/api/graphql/reference/index.md

@@ -10023,6 +10023,7 @@ Input type for DastSiteProfile authentication.
 | <a id="dastsiteprofileauthenabled"></a>`enabled` | [`Boolean`](#boolean) | Indicates whether authentication is enabled. |
 | <a id="dastsiteprofileauthpassword"></a>`password` | [`String`](#string) | Redacted password to authenticate with on the target website. |
 | <a id="dastsiteprofileauthpasswordfield"></a>`passwordField` | [`String`](#string) | Name of password field at the sign-in HTML form. |
+| <a id="dastsiteprofileauthsubmitfield"></a>`submitField` | [`String`](#string) | Name or ID of sign-in submit button at the sign-in HTML form. |
 | <a id="dastsiteprofileauthurl"></a>`url` | [`String`](#string) | The URL of the page containing the sign-in HTML form on the target website. |
 | <a id="dastsiteprofileauthusername"></a>`username` | [`String`](#string) | Username to authenticate with on the target website. |
 | <a id="dastsiteprofileauthusernamefield"></a>`usernameField` | [`String`](#string) | Name of username field at the sign-in HTML form. |
@@ -20608,6 +20609,7 @@ Input type for DastSiteProfile authentication.
 | <a id="dastsiteprofileauthinputenabled"></a>`enabled` | [`Boolean`](#boolean) | Indicates whether authentication is enabled. |
 | <a id="dastsiteprofileauthinputpassword"></a>`password` | [`String`](#string) | Password to authenticate with on the target website. |
 | <a id="dastsiteprofileauthinputpasswordfield"></a>`passwordField` | [`String`](#string) | Name of password field at the sign-in HTML form. |
+| <a id="dastsiteprofileauthinputsubmitfield"></a>`submitField` | [`String`](#string) | Name or ID of sign-in submit button at the sign-in HTML form. |
 | <a id="dastsiteprofileauthinputurl"></a>`url` | [`String`](#string) | The URL of the page containing the sign-in HTML form on the target website. |
 | <a id="dastsiteprofileauthinputusername"></a>`username` | [`String`](#string) | Username to authenticate with on the target website. |
 | <a id="dastsiteprofileauthinputusernamefield"></a>`usernameField` | [`String`](#string) | Name of username field at the sign-in HTML form. |

ee/app/graphql/mutations/dast_site_profiles/create.rb

@@ -44,7 +44,8 @@ module Mutations
           auth_username_field: auth_params[:username_field],
           auth_password_field: auth_params[:password_field],
           auth_username: auth_params[:username],
-          auth_password: auth_params[:password]
+          auth_password: auth_params[:password],
+          auth_submit_field: auth_params[:submit_field]
         }.compact
 
         if Feature.enabled?(:dast_api_scanner, project, default_enabled: :yaml)

ee/app/graphql/mutations/dast_site_profiles/update.rb

@@ -51,7 +51,8 @@ module Mutations
           auth_username_field: auth_params[:username_field],
           auth_password_field: auth_params[:password_field],
           auth_username: auth_params[:username],
-          auth_password: auth_params[:password]
+          auth_password: auth_params[:password],
+          auth_submit_field: auth_params[:submit_field]
         }.compact
 
         if Feature.enabled?(:dast_api_scanner, dast_site_profile.project, default_enabled: :yaml)

ee/app/graphql/types/dast/site_profile_auth_input_type.rb

@@ -30,6 +30,10 @@ module Types
       argument :password, GraphQL::Types::String,
                required: false,
                description: 'Password to authenticate with on the target website.'
+
+      argument :submit_field, GraphQL::Types::String,
+               required: false,
+               description: 'Name or ID of sign-in submit button at the sign-in HTML form.'
     end
   end
 end

ee/app/graphql/types/dast/site_profile_auth_type.rb

@@ -39,6 +39,11 @@ module Types
       field :password, GraphQL::Types::String,
             null: true,
             description: 'Redacted password to authenticate with on the target website.'
+
+      field :submit_field, GraphQL::Types::String,
+            null: true,
+            method: :auth_submit_field,
+            description: 'Name or ID of sign-in submit button at the sign-in HTML form.'
     end
   end
 end

ee/spec/graphql/mutations/dast_site_profiles/create_spec.rb

@@ -22,6 +22,7 @@ RSpec.describe Mutations::DastSiteProfiles::Create do
       url: "#{target_url}/login",
       username_field: 'session[username]',
       password_field: 'session[password]',
+      submit_field: 'css:button[type="submit"]',
       username: generate(:email),
       password: SecureRandom.hex
     }
@@ -97,6 +98,7 @@ RSpec.describe Mutations::DastSiteProfiles::Create do
             auth_url: auth[:url],
             auth_username_field: auth[:username_field],
             auth_password_field: auth[:password_field],
+            auth_submit_field: auth[:submit_field],
             auth_username: auth[:username],
             dast_site: have_attributes(url: target_url),
             target_type: target_type,
@@ -133,6 +135,7 @@ RSpec.describe Mutations::DastSiteProfiles::Create do
             auth_url: auth[:url],
             auth_username_field: auth[:username_field],
             auth_password_field: auth[:password_field],
+            auth_submit_field: auth[:submit_field],
             auth_username: auth[:username],
             auth_password: auth[:password]
           }

ee/spec/graphql/mutations/dast_site_profiles/update_spec.rb

@@ -21,6 +21,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
       url: "#{new_target_url}/login",
       username_field: 'login[username]',
       password_field: 'login[password]',
+      submit_field: 'css:button[type="submit_other"]',
       username: generate(:email),
       password: SecureRandom.hex
     }
@@ -70,6 +71,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
             auth_url: new_auth[:url],
             auth_username_field: new_auth[:username_field],
             auth_password_field: new_auth[:password_field],
+            auth_submit_field: new_auth[:submit_field],
             auth_username: new_auth[:username],
             auth_password: new_auth[:password]
           }
@@ -90,6 +92,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
             auth_url: new_auth[:url],
             auth_username_field: new_auth[:username_field],
             auth_password_field: new_auth[:password_field],
+            auth_submit_field: new_auth[:submit_field],
             auth_username: new_auth[:username],
             scan_method: new_scan_method,
             dast_site: have_attributes(url: new_target_url)

ee/spec/graphql/types/dast/site_profile_auth_input_type_spec.rb

@@ -6,6 +6,8 @@ RSpec.describe Types::Dast::SiteProfileAuthInputType do
   specify { expect(described_class.graphql_name).to eq('DastSiteProfileAuthInput') }
 
   it 'has the correct arguments' do
-    expect(described_class.arguments.keys).to match_array(%w[enabled url usernameField passwordField username password])
+    expect(
+      described_class.arguments.keys
+    ).to match_array(%w[enabled url usernameField passwordField username password submitField])
   end
 end

ee/spec/graphql/types/dast/site_profile_auth_type_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe GitlabSchema.types['DastSiteProfileAuth'] do
   let_it_be(:project) { create(:project) }
   let_it_be(:user) { create(:user, developer_projects: [project]) }
   let_it_be(:object, reload: true) { create(:dast_site_profile, project: project) }
-  let_it_be(:fields) { %i[enabled url usernameField passwordField username password] }
+  let_it_be(:fields) { %i[enabled url usernameField passwordField username password submitField] }
 
   before do
     stub_licensed_features(security_on_demand_scans: true)
@@ -43,6 +43,12 @@ RSpec.describe GitlabSchema.types['DastSiteProfileAuth'] do
     end
   end
 
+  describe 'submitField field' do
+    it 'is auth_submit_field' do
+      expect(resolve_field(:submit_field, object, current_user: user)).to eq(object.auth_submit_field)
+    end
+  end
+
   describe 'username field' do
     it 'is auth_username' do
       expect(resolve_field(:username, object, current_user: user)).to eq(object.auth_username)

ee/spec/models/dast_site_profile_spec.rb

@@ -236,7 +236,6 @@ RSpec.describe DastSiteProfile, type: :model do
             { key: 'DAST_USERNAME', value: subject.auth_username, public: true, masked: false },
             { key: 'DAST_USERNAME_FIELD', value: subject.auth_username_field, public: true, masked: false },
             { key: 'DAST_PASSWORD_FIELD', value: subject.auth_password_field, public: true, masked: false }
-
           ]
 
           expect(collection.to_runner_variables).to eq(expected_variables)

ee/spec/requests/api/graphql/mutations/dast_site_profiles/create_spec.rb

@@ -28,6 +28,7 @@ RSpec.describe 'Creating a DAST Site Profile' do
         url: "#{target_url}/login",
         username_field: 'session[username]',
         password_field: 'session[password]',
+        submit_field: 'css:button[type="submit"]',
         username: generate(:email),
         password: SecureRandom.hex
       }

ee/spec/requests/api/graphql/mutations/dast_site_profiles/update_spec.rb

@@ -30,6 +30,7 @@ RSpec.describe 'Creating a DAST Site Profile' do
         url: "#{new_target_url}/login",
         username_field: 'session[username]',
         password_field: 'session[password]',
+        submit_field: 'css:button[type="submit"]',
         username: generate(:email),
         password: SecureRandom.hex
       }

ee/spec/services/app_sec/dast/scan_configs/build_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be_with_reload(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: 'website') }
+  let_it_be_with_reload(:dast_site_profile) { create(:dast_site_profile, :with_dast_submit_field, project: project, target_type: 'website') }
   let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, spider_timeout: 5, target_timeout: 20) }
   let_it_be(:dast_profile) { create(:dast_profile, project: project, dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile, branch_name: 'master') }
 
@@ -13,6 +13,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
   let(:dast_auth_url) { dast_site_profile.auth_url }
   let(:dast_username) { dast_site_profile.auth_username }
   let(:dast_username_field) { dast_site_profile.auth_username_field }
+  let(:dast_submit_field) { dast_site_profile.auth_submit_field }
   let(:dast_password_field) { dast_site_profile.auth_password_field }
   let(:dast_spider_mins) { dast_scanner_profile.spider_timeout }
   let(:dast_target_availability_timeout) { dast_scanner_profile.target_timeout }

ee/spec/services/app_sec/dast/scans/run_service_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe AppSec::Dast::Scans::RunService do
 
   let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project, :repository, creator: user) }
-  let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
+  let_it_be(:dast_site_profile) { create(:dast_site_profile, :with_dast_submit_field, project: project) }
   let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, spider_timeout: 42, target_timeout: 21) }
   let_it_be(:dast_profile) { create(:dast_profile, project: project, dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile) }
 
@@ -156,6 +156,11 @@ RSpec.describe AppSec::Dast::Scans::RunService do
             value: dast_site_profile.auth_username_field,
             public: true,
             masked: false
+          }, {
+            key: 'DAST_SUBMIT_FIELD',
+            value: dast_site_profile.auth_submit_field,
+            public: true,
+            masked: false
           }, {
             key: 'DAST_USE_AJAX_SPIDER',
             value: String(dast_scanner_profile.use_ajax_spider?),

ee/spec/services/app_sec/dast/site_profiles/create_service_spec.rb

@@ -20,6 +20,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::CreateService do
       auth_url: "#{target_url}/login",
       auth_username_field: 'session[username]',
       auth_password_field: 'session[password]',
+      auth_submit_field: 'css:button[type="submit"]',
       auth_username: generate(:email),
       auth_password: SecureRandom.hex
     }
@@ -127,7 +128,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::CreateService do
       end
 
       context 'when auth values are not supplied' do
-        let(:params) { default_params.except(:auth_enabled, :auth_url, :auth_username_field, :auth_password_field, :auth_password_field, :auth_username) }
+        let(:params) { default_params.except(:auth_enabled, :auth_url, :auth_username_field, :auth_submit_field, :auth_password_field, :auth_password_field, :auth_username) }
 
         it 'uses sensible defaults' do
           expect(payload).to have_attributes(
@@ -135,6 +136,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::CreateService do
             auth_url: nil,
             auth_username_field: nil,
             auth_password_field: nil,
+            auth_submit_field: nil,
             auth_username: nil
           )
         end

ee/spec/services/app_sec/dast/site_profiles/update_service_spec.rb

@@ -30,6 +30,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::UpdateService do
       auth_url: new_auth_url,
       auth_username_field: 'login[username]',
       auth_password_field: 'login[password]',
+      auth_submit_field: 'css:button[type="submit_other"]',
       auth_username: new_auth_username,
       auth_password: new_auth_password
     }
@@ -87,7 +88,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::UpdateService do
         audit_events = AuditEvent.where(author_id: user.id)
 
         aggregate_failures do
-          expect(audit_events.count).to be(9)
+          expect(audit_events.count).to be(10)
 
           audit_events.each do |event|
             expect(event.author).to eq(user)
@@ -98,12 +99,14 @@ RSpec.describe AppSec::Dast::SiteProfiles::UpdateService do
           end
 
           custom_messages = audit_events.map(&:details).pluck(:custom_message)
+
           expected_custom_messages = [
             "Changed DAST site profile name from #{dast_profile.name} to #{new_profile_name}",
             "Changed DAST site profile target_url from #{dast_profile.dast_site.url} to #{new_target_url}",
             'Changed DAST site profile excluded_urls (long value omitted)',
             "Changed DAST site profile auth_url from #{dast_profile.auth_url} to #{new_auth_url}",
             "Changed DAST site profile auth_username_field from #{dast_profile.auth_username_field} to login[username]",
+            "Changed DAST site profile auth_submit_field from #{dast_profile.auth_submit_field} to css:button[type=\"submit_other\"]",
             "Changed DAST site profile auth_password_field from #{dast_profile.auth_password_field} to login[password]",
             "Changed DAST site profile auth_username from #{dast_profile.auth_username} to #{new_auth_username}",
             "Changed DAST site profile auth_password (secret value omitted)",