Merge branch 'philipcunningham-disable-authentication-225406' into 'master'

Filter auth params from DAST config when disabled See merge request gitlab-org/gitlab!58622

Merge branch 'philipcunningham-disable-authentication-225406' into 'master'
Filter auth params from DAST config when disabled See merge request gitlab-org/gitlab!58622
a1e4b7c1 · Alex Kalderimis · e7b108d9 · 1304b47e · a1e4b7c1 · a1e4b7c1
Commit a1e4b7c1 authored Apr 09, 2021 by Alex Kalderimis
8 changed files
--- a/ee/app/services/dast_on_demand_scans/params_create_service.rb
+++ b/ee/app/services/dast_on_demand_scans/params_create_service.rb
@@ -72,11 +72,15 @@ module DastOnDemandScans
    def site_profile_config
      return {} unless dast_site_profile

+      excluded_urls = dast_site_profile.excluded_urls.presence&.join(',')
+      return { excluded_urls: excluded_urls } unless dast_site_profile.auth_enabled
+
      {
-        excluded_urls: dast_site_profile.excluded_urls.presence&.join(','),
+        excluded_urls: excluded_urls,
        auth_username_field: dast_site_profile.auth_username_field,
        auth_password_field: dast_site_profile.auth_password_field,
-        auth_username: dast_site_profile.auth_username
+        auth_username: dast_site_profile.auth_username,
+        auth_url: dast_site_profile.auth_url
      }
    end


--- a/ee/spec/factories/dast_site_profiles.rb
+++ b/ee/spec/factories/dast_site_profiles.rb
@@ -10,7 +10,7 @@ FactoryBot.define do
      "#{FFaker::Product.product_name.truncate(200)} - #{i}"
    end

-    auth_enabled { false }
+    auth_enabled { true }
    auth_url { "#{dast_site.url}/sign-in" }
    auth_username_field { 'session[username]' }
    auth_password_field { 'session[password]' }

--- a/ee/spec/graphql/mutations/dast_site_profiles/update_spec.rb
+++ b/ee/spec/graphql/mutations/dast_site_profiles/update_spec.rb
@@ -16,7 +16,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do

  let(:new_auth) do
    {
-      enabled: true,
+      enabled: false,
      url: "#{new_target_url}/login",
      username_field: 'login[username]',
      password_field: 'login[password]',

--- a/ee/spec/lib/ee/gitlab/ci/config_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
@@ -125,6 +125,7 @@ RSpec.describe Gitlab::Ci::Config do
                  stage: 'test',
                  image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
                  variables: {
+                    DAST_AUTH_URL: dast_site_profile.auth_url,
                    DAST_VERSION: 1,
                    SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
                    DAST_WEBSITE: dast_site_profile.dast_site.url,

--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -93,6 +93,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
                  name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION'
                },
                variables: {
+                  DAST_AUTH_URL: dast_site_profile.auth_url,
                  DAST_VERSION: 1,
                  SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
                  DAST_WEBSITE: dast_site_profile.dast_site.url,

--- a/ee/spec/services/dast_on_demand_scans/create_service_spec.rb
+++ b/ee/spec/services/dast_on_demand_scans/create_service_spec.rb
@@ -65,6 +65,7 @@ RSpec.describe DastOnDemandScans::CreateService do
          let(:expected_params) do
            {
              auth_password_field: dast_site_profile.auth_password_field,
+              auth_url: dast_site_profile.auth_url,
              auth_username: dast_site_profile.auth_username,
              auth_username_field: dast_site_profile.auth_username_field,
              branch: project.default_branch_or_master,

--- a/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
+++ b/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
@@ -42,6 +42,7 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
            auth_password_field: dast_site_profile.auth_password_field,
            auth_username: dast_site_profile.auth_username,
            auth_username_field: dast_site_profile.auth_username_field,
+            auth_url: dast_site_profile.auth_url,
            branch: project.default_branch,
            dast_profile: nil,
            excluded_urls: dast_site_profile.excluded_urls.join(','),
@@ -58,6 +59,7 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
            auth_password_field: dast_site_profile.auth_password_field,
            auth_username: dast_site_profile.auth_username,
            auth_username_field: dast_site_profile.auth_username_field,
+            auth_url: dast_site_profile.auth_url,
            branch: project.default_branch,
            dast_profile: nil,
            excluded_urls: dast_site_profile.excluded_urls.join(','),
@@ -89,6 +91,24 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
          end
        end
      end
+
+      context 'when authentication is not enabled' do
+        let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, auth_enabled: false) }
+
+        it 'returns prepared scanner params excluding auth params in the payload' do
+          expect(subject.payload).to eq(
+            branch: project.default_branch,
+            dast_profile: nil,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            full_scan_enabled: false,
+            show_debug_messages: false,
+            spider_timeout: nil,
+            target_timeout: nil,
+            target_url: dast_site_profile.dast_site.url,
+            use_ajax_spider: false
+          )
+        end
+      end
    end

    context 'when the dast_profile is provided' do
@@ -102,6 +122,7 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
          auth_username: dast_site_profile.auth_username,
          auth_username_field: dast_site_profile.auth_username_field,
          branch: dast_profile.branch_name,
+          auth_url: dast_site_profile.auth_url,
          dast_profile: dast_profile,
          excluded_urls: dast_site_profile.excluded_urls.join(','),
          full_scan_enabled: false,

--- a/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb
@@ -51,6 +51,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
    it 'delegates variables preparation to ::Ci::DastScanCiConfigurationService' do
      expected_params = {
        auth_password_field: site_profile.auth_password_field,
+        auth_url: site_profile.auth_url,
        auth_username: site_profile.auth_username,
        auth_username_field: site_profile.auth_username_field,
        dast_profile: nil,
@@ -81,6 +82,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
          stage: 'test',
          image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
          variables: {
+            DAST_AUTH_URL: site_profile.auth_url,
            DAST_DEBUG: 'false',
            DAST_EXCLUDE_URLS: site_profile.excluded_urls.join(','),
            DAST_FULL_SCAN_ENABLED: 'false',