Add basic dependencies endpoint

This endpoint provides infromation about project dependencies. It's behind feature flag because some important parts are missing.

Add basic dependencies endpoint
This endpoint provides infromation about project dependencies. It's behind feature flag because some important parts are missing.
a855ea95 · Tetiana Chupryna · Mayra Cabrera · 875f6552 · a855ea95 · a855ea95
Commit a855ea95 authored Jul 15, 2019 by Tetiana Chupryna Committed by Mayra Cabrera Jul 15, 2019
6 changed files
--- a/ee/changelogs/unreleased/10078-dependency-list-api-basic.yml
+++ b/ee/changelogs/unreleased/10078-dependency-list-api-basic.yml
+---
+title: Add dependency list public endpoint
+merge_request: 14612
+author:
+type: added
--- a/ee/lib/api/dependencies.rb
+++ b/ee/lib/api/dependencies.rb
+# frozen_string_literal: true
+
+module API
+  class Dependencies < Grape::API
+    helpers do
+      def dependencies_by(params)
+        pipeline = user_project.all_pipelines.latest_successful_for(user_project.default_branch)
+
+        return [] unless pipeline
+
+        ::Security::DependencyListService.new(pipeline: pipeline, params: params).execute
+      end
+    end
+
+    before do
+      authenticate!
+    end
+
+    params do
+      requires :id, type: String, desc: 'The ID of a project'
+    end
+
+    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      desc 'Get a list of project dependencies' do
+        success ::EE::API::Entities::Dependency
+      end
+
+      params do
+        optional :package_manager,
+                 type: Array[String],
+                 desc: "Returns dependencies belonging to specified package managers: #{::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES.join(', ')}.",
+                 values: ::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES
+      end
+
+      get ':id/dependencies' do
+        authorize! :read_dependencies, user_project
+
+        dependencies = dependencies_by(declared_params.merge(project: user_project))
+
+        present dependencies, with: ::EE::API::Entities::Dependency
+      end
+    end
+  end
+end
--- a/ee/lib/ee/api/endpoints.rb
+++ b/ee/lib/ee/api/endpoints.rb
@@ -32,6 +32,7 @@ module EE
        mount ::API::Vulnerabilities
        mount ::API::MergeRequestApprovals
        mount ::API::ProjectAliases
+        mount ::API::Dependencies

        version 'v3', using: :path do
          # Although the following endpoints are kept behind V3 namespace,

--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -706,6 +706,13 @@ module EE
      class ProjectAlias < Grape::Entity
        expose :id, :project_id, :name
      end
+
+      class Dependency < Grape::Entity
+        expose :name, :version, :package_manager, :dependency_file_path
+        expose :dependency_file_path do |dependency|
+          dependency[:location][:path]
+        end
+      end
    end
  end
 end
--- a/ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json
+++ b/ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json
+{
+  "type": "array",
+  "items": {
+    "type": "object",
+    "required": [
+      "name",
+      "version",
+      "package_manager",
+      "dependency_file_path"
+    ],
+    "properties": {
+      "name": {
+        "type": "string"
+      },
+      "package_manager": {
+        "type": "string"
+      },
+      "version": {
+        "type": "string"
+      },
+      "dependency_file_path": {
+        "type": "string"
+      }
+    }
+  }
+}
--- a/ee/spec/requests/api/dependencies_spec.rb
+++ b/ee/spec/requests/api/dependencies_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Dependencies do
+  set(:project) { create(:project, :public) }
+  set(:user) { create(:user) }
+
+  describe "GET /projects/:id/dependencies" do
+    let(:request) { get api("/projects/#{project.id}/dependencies", user), params: params }
+    let(:params) { {} }
+
+    before do
+      stub_licensed_features(dependency_list: true, security_dashboard: true)
+    end
+
+    context 'with an authorized user with proper permissions' do
+      before do
+        create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
+        request
+      end
+
+      it 'returns all dependencies' do
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('public_api/v4/dependencies', dir: 'ee')
+
+        expect(json_response.length).to eq(21)
+      end
+
+      context 'with filter options' do
+        let(:params) { { package_manager: 'yarn' } }
+
+        it 'returns yarn dependencies' do
+          expect(json_response.length).to eq(19)
+        end
+
+        context 'with wrong key' do
+          let(:params) { { package_manager: %w(nray yarn) } }
+
+          it 'returns error message' do
+            expect(json_response['error']).to eq('package_manager does not have a valid value')
+          end
+        end
+      end
+    end
+
+    context 'with authorized user without read permissions' do
+      let(:project) { create(:project, :private) }
+
+      before do
+        project.add_guest(user)
+        request
+      end
+
+      it 'responds with 403 Forbidden' do
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+
+    context 'with no project access' do
+      let(:project) { create(:project, :private) }
+
+      before do
+        request
+      end
+
+      it 'responds with 404 Not Found' do
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+end