Commit 960e0f97 authored by Kerri Miller's avatar Kerri Miller

Merge branch '241736-dont-use-dnd-by-default-apifuzzin' into 'master'

Don't use DnD by default for API Fuzzing

See merge request gitlab-org/gitlab!45827
parents 733ce4aa 6dd7bd9b
---
title: Don't use docker-in-docker by default for API Fuzzing
merge_request: 45827
author:
type: changed
...@@ -9,6 +9,7 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do ...@@ -9,6 +9,7 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) } let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) } let(:contents) { File.read(template_filename) }
let(:production_registry) { 'registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine' } let(:production_registry) { 'registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine' }
let(:staging_registry) { 'registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src:${FUZZAPI_VERSION}-engine' }
# Make sure future changes to the template use the production container registry. # Make sure future changes to the template use the production container registry.
# #
...@@ -19,6 +20,10 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do ...@@ -19,6 +20,10 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
it 'uses the production repository' do it 'uses the production repository' do
expect( contents.include?(production_registry) ).to be true expect( contents.include?(production_registry) ).to be true
end end
it 'doesn\'t use the staging repository' do
expect( contents.include?(staging_registry) ).to be false
end
end end
describe 'the created pipeline' do describe 'the created pipeline' do
...@@ -55,12 +60,12 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do ...@@ -55,12 +60,12 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
end end
context 'by default' do context 'by default' do
it 'includes no jobs' do it 'includes no job' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError) expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end end
end end
context 'when FUZZAPI_HAR is present' do context 'when configured with HAR' do
before do before do
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har') create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com') create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
...@@ -71,9 +76,9 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do ...@@ -71,9 +76,9 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
end end
end end
context 'when FUZZAPI_OPENAPI is present' do context 'when configured with OpenAPI' do
before do before do
create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'openapi.json') create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'testing.json')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com') create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end end
...@@ -81,13 +86,38 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do ...@@ -81,13 +86,38 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
expect(build_names).to match_array(%w[apifuzzer_fuzz]) expect(build_names).to match_array(%w[apifuzzer_fuzz])
end end
end end
context 'when FUZZAPI_D_TARGET_IMAGE is present' do
before do
create(:ci_variable, project: project, key: 'FUZZAPI_D_TARGET_IMAGE', value: 'imagename:latest')
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end
it 'includes dnd job' do
expect(build_names).to match_array(%w[apifuzzer_fuzz_dnd])
end
end
end end
context 'when API_FUZZING_DISABLED=1' do context 'when API_FUZZING_DISABLED=1' do
before do before do
create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har') create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com') create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
context 'when API_FUZZING_DISABLED=1 with DnD' do
before do
create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1') create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
create(:ci_variable, project: project, key: 'FUZZAPI_D_TARGET_IMAGE', value: 'imagename:latest')
create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
end end
it 'includes no jobs' do it 'includes no jobs' do
......
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
# Configure the scanning tool through the environment variables.
# List of the variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-variables
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
stages: stages:
- build - build
- test - test
...@@ -7,7 +13,7 @@ stages: ...@@ -7,7 +13,7 @@ stages:
variables: variables:
FUZZAPI_PROFILE: Quick FUZZAPI_PROFILE: Quick
FUZZAPI_VERSION: latest FUZZAPI_VERSION: latest
FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml" FUZZAPI_CONFIG: .gitlab-api-fuzzing.yml
FUZZAPI_TIMEOUT: 30 FUZZAPI_TIMEOUT: 30
FUZZAPI_REPORT: gl-api-fuzzing-report.xml FUZZAPI_REPORT: gl-api-fuzzing-report.xml
# #
...@@ -17,8 +23,52 @@ variables: ...@@ -17,8 +23,52 @@ variables:
# available (non 500 response to HTTP(s)) # available (non 500 response to HTTP(s))
FUZZAPI_SERVICE_START_TIMEOUT: "300" FUZZAPI_SERVICE_START_TIMEOUT: "300"
# #
FUZZAPI_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine
#
apifuzzer_fuzz: apifuzzer_fuzz:
stage: fuzz
image:
name: $FUZZAPI_IMAGE
entrypoint: ["/bin/bash", "-l", "-c"]
variables:
FUZZAPI_PROJECT: $CI_PROJECT_PATH
FUZZAPI_API: http://apifuzzer:80
TZ: America/Los_Angeles
services:
- name: $FUZZAPI_IMAGE
alias: apifuzzer
entrypoint: ["dotnet", "/peach/Peach.Web.dll"]
allow_failure: true
rules:
- if: $FUZZAPI_D_TARGET_IMAGE
when: never
- if: $FUZZAPI_D_WORKER_IMAGE
when: never
- if: $API_FUZZING_DISABLED
when: never
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never
- if: $FUZZAPI_HAR == null && $FUZZAPI_OPENAPI == null
when: never
- if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
script:
#
# Run user provided pre-script
- sh -c "$FUZZAPI_PRE_SCRIPT"
#
# Start scanning
- worker-entry
#
# Run user provided post-script
- sh -c "$FUZZAPI_POST_SCRIPT"
#
artifacts:
reports:
junit: $FUZZAPI_REPORT
apifuzzer_fuzz_dnd:
stage: fuzz stage: fuzz
image: docker:19.03.12 image: docker:19.03.12
variables: variables:
...@@ -28,19 +78,20 @@ apifuzzer_fuzz: ...@@ -28,19 +78,20 @@ apifuzzer_fuzz:
FUZZAPI_API: http://apifuzzer:80 FUZZAPI_API: http://apifuzzer:80
allow_failure: true allow_failure: true
rules: rules:
- if: $FUZZAPI_D_TARGET_IMAGE == null && $FUZZAPI_D_WORKER_IMAGE == null
when: never
- if: $API_FUZZING_DISABLED - if: $API_FUZZING_DISABLED
when: never when: never
- if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH && - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when: never when: never
- if: $FUZZAPI_HAR == null && - if: $FUZZAPI_HAR == null && $FUZZAPI_OPENAPI == null
$FUZZAPI_OPENAPI == null &&
$FUZZAPI_D_WORKER_IMAGE == null
when: never when: never
- if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/ - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
services: services:
- docker:19.03.12-dind - docker:19.03.12-dind
script: script:
#
# #
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
# #
...@@ -56,30 +107,13 @@ apifuzzer_fuzz: ...@@ -56,30 +107,13 @@ apifuzzer_fuzz:
--network $FUZZAPI_D_NETWORK \ --network $FUZZAPI_D_NETWORK \
-e Proxy:Port=8000 \ -e Proxy:Port=8000 \
-e TZ=America/Los_Angeles \ -e TZ=America/Los_Angeles \
-e FUZZAPI_API=http://127.0.0.1:80 \
-e FUZZAPI_PROJECT \
-e FUZZAPI_PROFILE \
-e FUZZAPI_CONFIG \
-e FUZZAPI_REPORT \
-e FUZZAPI_HAR \
-e FUZZAPI_OPENAPI \
-e FUZZAPI_TARGET_URL \
-e FUZZAPI_OVERRIDES_FILE \
-e FUZZAPI_OVERRIDES_ENV \
-e FUZZAPI_OVERRIDES_CMD \
-e FUZZAPI_OVERRIDES_INTERVAL \
-e FUZZAPI_TIMEOUT \
-e FUZZAPI_VERBOSE \
-e FUZZAPI_SERVICE_START_TIMEOUT \
-e FUZZAPI_HTTP_USERNAME \
-e FUZZAPI_HTTP_PASSWORD \
-e GITLAB_FEATURES \ -e GITLAB_FEATURES \
-v $CI_PROJECT_DIR:/app \
-p 80:80 \ -p 80:80 \
-p 8000:8000 \ -p 8000:8000 \
-p 514:514 \ -p 514:514 \
--restart=no \ --restart=no \
registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine $FUZZAPI_IMAGE \
dotnet /peach/Peach.Web.dll
# #
# Start target container # Start target container
- | - |
...@@ -94,7 +128,7 @@ apifuzzer_fuzz: ...@@ -94,7 +128,7 @@ apifuzzer_fuzz:
$FUZZAPI_D_TARGET_IMAGE \ $FUZZAPI_D_TARGET_IMAGE \
; fi ; fi
# #
# Start worker container # Start worker container if provided
- | - |
if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \ if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \ echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \
...@@ -104,9 +138,20 @@ apifuzzer_fuzz: ...@@ -104,9 +138,20 @@ apifuzzer_fuzz:
-e FUZZAPI_API=http://apifuzzer:80 \ -e FUZZAPI_API=http://apifuzzer:80 \
-e FUZZAPI_PROJECT \ -e FUZZAPI_PROJECT \
-e FUZZAPI_PROFILE \ -e FUZZAPI_PROFILE \
-e FUZZAPI_AUTOMATION_CMD \
-e FUZZAPI_CONFIG \ -e FUZZAPI_CONFIG \
-e FUZZAPI_REPORT \ -e FUZZAPI_REPORT \
-e FUZZAPI_HAR \
-e FUZZAPI_OPENAPI \
-e FUZZAPI_TARGET_URL \
-e FUZZAPI_OVERRIDES_FILE \
-e FUZZAPI_OVERRIDES_ENV \
-e FUZZAPI_OVERRIDES_CMD \
-e FUZZAPI_OVERRIDES_INTERVAL \
-e FUZZAPI_TIMEOUT \
-e FUZZAPI_VERBOSE \
-e FUZZAPI_SERVICE_START_TIMEOUT \
-e FUZZAPI_HTTP_USERNAME \
-e FUZZAPI_HTTP_PASSWORD \
-e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \ -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
$FUZZAPI_D_WORKER_ENV \ $FUZZAPI_D_WORKER_ENV \
$FUZZAPI_D_WORKER_PORTS \ $FUZZAPI_D_WORKER_PORTS \
...@@ -115,13 +160,43 @@ apifuzzer_fuzz: ...@@ -115,13 +160,43 @@ apifuzzer_fuzz:
$FUZZAPI_D_WORKER_IMAGE \ $FUZZAPI_D_WORKER_IMAGE \
; fi ; fi
# #
# Wait for testing to complete if api fuzzer is scanning # Start API Fuzzing provided worker if no other worker present
- if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi - |
if [ "$FUZZAPI_D_WORKER_IMAGE" == "" ]; then \
docker run \
--name worker \
--network $FUZZAPI_D_NETWORK \
-e TZ=America/Los_Angeles \
-e FUZZAPI_API=http://apifuzzer:80 \
-e FUZZAPI_PROJECT \
-e FUZZAPI_PROFILE \
-e FUZZAPI_CONFIG \
-e FUZZAPI_REPORT \
-e FUZZAPI_HAR \
-e FUZZAPI_OPENAPI \
-e FUZZAPI_TARGET_URL \
-e FUZZAPI_OVERRIDES_FILE \
-e FUZZAPI_OVERRIDES_ENV \
-e FUZZAPI_OVERRIDES_CMD \
-e FUZZAPI_OVERRIDES_INTERVAL \
-e FUZZAPI_TIMEOUT \
-e FUZZAPI_VERBOSE \
-e FUZZAPI_SERVICE_START_TIMEOUT \
-e FUZZAPI_HTTP_USERNAME \
-e FUZZAPI_HTTP_PASSWORD \
-v $CI_PROJECT_DIR:/app \
-p 81:80 \
-p 8001:8000 \
-p 515:514 \
--restart=no \
$FUZZAPI_IMAGE \
worker-entry \
; fi
# #
# Propagate exit code from api fuzzer (if any) # Propagate exit code from api fuzzing scanner (if any)
- if [[ $(docker inspect apifuzzer --format='{{.State.ExitCode}}') != "0" ]]; then echo "API Fuzzing exited with an error. Logs are available as job artifacts."; docker logs apifuzzer; exit 1; fi - if [[ $(docker inspect apifuzzer --format='{{.State.ExitCode}}') != "0" ]]; then echo "API Fuzzing scanner exited with an error. Logs are available as job artifacts."; exit 1; fi
# #
# Run user provided pre-script # Run user provided post-script
- sh -c "$FUZZAPI_POST_SCRIPT" - sh -c "$FUZZAPI_POST_SCRIPT"
# #
after_script: after_script:
...@@ -129,13 +204,13 @@ apifuzzer_fuzz: ...@@ -129,13 +204,13 @@ apifuzzer_fuzz:
# Shutdown all containers # Shutdown all containers
- echo "Stopping all containers" - echo "Stopping all containers"
- if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
- if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi - docker stop worker
- docker stop apifuzzer - docker stop apifuzzer
# #
# Save docker logs # Save docker logs
- docker logs apifuzzer &> gl-api_fuzzing-logs.log - docker logs apifuzzer &> gl-api_fuzzing-logs.log
- if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
- if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi - docker logs worker &> gl-api_fuzzing-worker-logs.log
# #
artifacts: artifacts:
when: always when: always
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment