Add dast_submit_field to DAST site profile

Adds auth_submit_field of type text to dast_site_profiles.
Adds model validations.

Changelog: added

db/migrate/20220331174026_add_submit_field_to_dast_site_profiles.rb

+# frozen_string_literal: true
+
+class AddSubmitFieldToDastSiteProfiles < Gitlab::Database::Migration[1.0]
+  # rubocop:disable Migration/AddLimitToTextColumns
+  # limit is added in 20220331174459_add_text_limit_to_submit_field_dast_site_profiles
+  def change
+    add_column :dast_site_profiles, :auth_submit_field, :text
+  end
+  # rubocop:enable Migration/AddLimitToTextColumns
+end

db/migrate/20220331174459_add_text_limit_to_submit_field_dast_site_profiles.rb

+# frozen_string_literal: true
+
+class AddTextLimitToSubmitFieldDastSiteProfiles < Gitlab::Database::Migration[1.0]
+  disable_ddl_transaction!
+
+  def up
+    add_text_limit :dast_site_profiles, :auth_submit_field, 255
+  end
+
+  def down
+    remove_text_limit :dast_site_profiles, :auth_submit_field
+  end
+end

db/schema_migrations/20220331174026

+b4f2c1c90447a41d69f08ca2c5cbb5fb0baf1fe04e43d5dc86323d01be9e28ef
\ No newline at end of file

db/schema_migrations/20220331174459

+cc7da5bba5fd42a0c443290791eeee76491a29ab37a06f0a70806dc09ec1ceab
\ No newline at end of file

db/structure.sql

@@ -14054,8 +14054,10 @@ CREATE TABLE dast_site_profiles (
     auth_username text,
     target_type smallint DEFAULT 0 NOT NULL,
     scan_method smallint DEFAULT 0 NOT NULL,
+    auth_submit_field text,
     CONSTRAINT check_5203110fee CHECK ((char_length(auth_username_field) <= 255)),
     CONSTRAINT check_6cfab17b48 CHECK ((char_length(name) <= 255)),
+    CONSTRAINT check_af44f54c96 CHECK ((char_length(auth_submit_field) <= 255)),
     CONSTRAINT check_c329dffdba CHECK ((char_length(auth_password_field) <= 255)),
     CONSTRAINT check_d446f7047b CHECK ((char_length(auth_url) <= 1024)),
     CONSTRAINT check_f22f18002a CHECK ((char_length(auth_username) <= 255))

ee/app/models/dast_site_profile.rb

@@ -10,7 +10,7 @@ class DastSiteProfile < ApplicationRecord
 
   validates :excluded_urls, length: { maximum: 25 }
   validates :auth_url, addressable_url: true, length: { maximum: 1024 }, allow_nil: true
-  validates :auth_username_field, :auth_password_field, :auth_username, length: { maximum: 255 }
+  validates :auth_username_field, :auth_password_field, :auth_username, :auth_submit_field, length: { maximum: 255 }
   validates :name, length: { maximum: 255 }, uniqueness: { scope: :project_id }, presence: true
   validates :project_id, :dast_site_id, presence: true
 
@@ -59,6 +59,7 @@ class DastSiteProfile < ApplicationRecord
         variables.append(key: 'DAST_USERNAME', value: auth_username)
         variables.append(key: 'DAST_USERNAME_FIELD', value: auth_username_field)
         variables.append(key: 'DAST_PASSWORD_FIELD', value: auth_password_field)
+        variables.append(key: 'DAST_SUBMIT_FIELD', value: auth_submit_field)
       end
     end
 

ee/spec/factories/dast_site_profiles.rb

@@ -21,5 +21,9 @@ FactoryBot.define do
     trait :with_dast_site_validation do
       dast_site { association :dast_site, :with_dast_site_validation, project: project }
     end
+
+    trait :with_dast_submit_field do
+      auth_submit_field { 'css:button[type="submit"]' }
+    end
   end
 end

ee/spec/models/dast_site_profile_spec.rb

@@ -23,6 +23,7 @@ RSpec.describe DastSiteProfile, type: :model do
     it { is_expected.to validate_length_of(:auth_url).is_at_most(1024).allow_nil }
     it { is_expected.to validate_length_of(:auth_username).is_at_most(255) }
     it { is_expected.to validate_length_of(:auth_username_field).is_at_most(255) }
+    it { is_expected.to validate_length_of(:auth_submit_field).is_at_most(255) }
     it { is_expected.to validate_length_of(:name).is_at_most(255) }
     it { is_expected.to validate_presence_of(:dast_site_id) }
     it { is_expected.to validate_presence_of(:name) }
@@ -226,17 +227,38 @@ RSpec.describe DastSiteProfile, type: :model do
       let(:keys) { subject.ci_variables.map { |variable| variable[:key] } }
       let(:excluded_urls) { subject.excluded_urls.join(',') }
 
-      it 'returns a collection of variables' do
-        expected_variables = [
-          { key: 'DAST_WEBSITE', value: subject.dast_site.url, public: true, masked: false },
-          { key: 'DAST_EXCLUDE_URLS', value: excluded_urls, public: true, masked: false },
-          { key: 'DAST_AUTH_URL', value: subject.auth_url, public: true, masked: false },
-          { key: 'DAST_USERNAME', value: subject.auth_username, public: true, masked: false },
-          { key: 'DAST_USERNAME_FIELD', value: subject.auth_username_field, public: true, masked: false },
-          { key: 'DAST_PASSWORD_FIELD', value: subject.auth_password_field, public: true, masked: false }
-        ]
-
-        expect(collection.to_runner_variables).to eq(expected_variables)
+      context 'without_dast_submit_field' do
+        it 'returns a collection of variables' do
+          expected_variables = [
+            { key: 'DAST_WEBSITE', value: subject.dast_site.url, public: true, masked: false },
+            { key: 'DAST_EXCLUDE_URLS', value: excluded_urls, public: true, masked: false },
+            { key: 'DAST_AUTH_URL', value: subject.auth_url, public: true, masked: false },
+            { key: 'DAST_USERNAME', value: subject.auth_username, public: true, masked: false },
+            { key: 'DAST_USERNAME_FIELD', value: subject.auth_username_field, public: true, masked: false },
+            { key: 'DAST_PASSWORD_FIELD', value: subject.auth_password_field, public: true, masked: false }
+
+          ]
+
+          expect(collection.to_runner_variables).to eq(expected_variables)
+        end
+      end
+
+      context 'with_dast_submit_field' do
+        subject { create(:dast_site_profile, :with_dast_site_validation, :with_dast_submit_field, project: project) }
+
+        it 'returns a collection of variables' do
+          expected_variables = [
+            { key: 'DAST_WEBSITE', value: subject.dast_site.url, public: true, masked: false },
+            { key: 'DAST_EXCLUDE_URLS', value: excluded_urls, public: true, masked: false },
+            { key: 'DAST_AUTH_URL', value: subject.auth_url, public: true, masked: false },
+            { key: 'DAST_USERNAME', value: subject.auth_username, public: true, masked: false },
+            { key: 'DAST_USERNAME_FIELD', value: subject.auth_username_field, public: true, masked: false },
+            { key: 'DAST_PASSWORD_FIELD', value: subject.auth_password_field, public: true, masked: false },
+            { key: 'DAST_SUBMIT_FIELD', value: subject.auth_submit_field, public: true, masked: false }
+          ]
+
+          expect(collection.to_runner_variables).to eq(expected_variables)
+        end
       end
 
       context 'when target_type=api' do
@@ -254,7 +276,7 @@ RSpec.describe DastSiteProfile, type: :model do
         subject { build(:dast_site_profile, auth_enabled: false) }
 
         it 'returns a collection of variables excluding any auth variables', :aggregate_failures do
-          expect(keys).not_to include('DAST_AUTH_URL', 'DAST_USERNAME', 'DAST_USERNAME_FIELD', 'DAST_PASSWORD_FIELD')
+          expect(keys).not_to include('DAST_AUTH_URL', 'DAST_USERNAME', 'DAST_USERNAME_FIELD', 'DAST_PASSWORD_FIELD', 'DAST_SUBMIT_FIELD')
         end
       end