Commit fcd6a446 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Merge branch '299215-add-ci-configuration-processor' into 'master'

Add new processor to CI Configuration with Security Policies [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!54419
parents 9b9ba6b8 15ddb251
...@@ -15,12 +15,18 @@ module EE ...@@ -15,12 +15,18 @@ module EE
override :build_config override :build_config
def build_config(config) def build_config(config)
process_required_includes(super) super
.then(&method(:process_required_includes))
.then(&method(:process_security_orchestration_policy_includes))
end end
def process_required_includes(config) def process_required_includes(config)
::Gitlab::Ci::Config::Required::Processor.new(config).perform ::Gitlab::Ci::Config::Required::Processor.new(config).perform
end end
def process_security_orchestration_policy_includes(config)
::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref).perform
end
end end
end end
end end
......
# frozen_string_literal: true
module Gitlab
module Ci
class Config
module SecurityOrchestrationPolicies
class Processor
def initialize(config, project, ref)
@config = config
@project = project
@ref = ref
end
def perform
return @config unless project&.feature_available?(:security_orchestration_policies)
return @config unless security_orchestration_policy_configuration&.enabled?
@config
.deep_merge(on_demand_scans_template)
end
def on_demand_scans_template
::Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConfigurationService
.new(project)
.execute(security_orchestration_policy_configuration.on_demand_scan_actions(@ref))
end
private
attr_reader :project
delegate :security_orchestration_policy_configuration, to: :project, allow_nil: true
end
end
end
end
end
...@@ -3,33 +3,152 @@ ...@@ -3,33 +3,152 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe Gitlab::Ci::Config do RSpec.describe Gitlab::Ci::Config do
let(:template_name) { 'test_template' } let_it_be(:ci_yml) do
let(:template_repository) { create(:project, :custom_repo, files: { "gitlab-ci/#{template_name}.yml" => template_yml }) }
let(:ci_yml) do
<<-EOS <<-EOS
sample_job: sample_job:
script: script:
- echo 'test' - echo 'test'
EOS EOS
end end
let(:template_yml) do describe 'with required instance template' do
<<-EOS let(:template_name) { 'test_template' }
sample_job: let(:template_repository) { create(:project, :custom_repo, files: { "gitlab-ci/#{template_name}.yml" => template_yml }) }
script:
- echo 'not test'
EOS
end
subject { described_class.new(ci_yml) } let(:template_yml) do
<<-EOS
sample_job:
script:
- echo 'not test'
EOS
end
before do subject(:config) { described_class.new(ci_yml) }
stub_application_setting(file_template_project: template_repository, required_instance_ci_template: template_name)
stub_licensed_features(custom_file_templates: true, required_ci_templates: true) before do
stub_application_setting(file_template_project: template_repository, required_instance_ci_template: template_name)
stub_licensed_features(custom_file_templates: true, required_ci_templates: true)
end
it 'processes the required includes' do
expect(config.to_hash[:sample_job][:script]).to eq(["echo 'not test'"])
end
end end
it 'processes the required includes' do describe 'with security orchestration policy' do
expect(subject.to_hash[:sample_job][:script]).to eq(["echo 'not test'"]) let_it_be(:ref) { 'master' }
let_it_be_with_refind(:project) { create(:project, :repository) }
let_it_be(:policies_repository) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
subject(:config) { described_class.new(ci_yml, ref: ref, project: project) }
before do
allow_next_instance_of(Repository) do |repository|
# allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
allow(repository).to receive(:blob_data_at).and_return(policy_yml)
end
end
context 'when feature is not licensed' do
it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
end
end
context 'when feature is licensed' do
before do
stub_licensed_features(security_orchestration_policies: true)
end
context 'when feature is not enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
end
end
context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when policy is not applicable on branch from the pipeline' do
it 'does not modify the config' do
expect(config.to_hash).to eq(sample_job: { script: ["echo 'test'"] })
end
end
context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'production' }
context 'when DAST profiles are not found' do
it 'adds a job with error message' do
expect(config.to_hash).to eq(
sample_job: { script: ["echo 'test'"] },
'dast-on-demand-0': { allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' }
)
end
end
context 'when DAST profiles are found' do
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
let(:expected_configuration) do
{
sample_job: {
script: ["echo 'test'"]
},
'dast-on-demand-0': {
stage: 'test',
image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
variables: {
DAST_VERSION: 1,
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
DAST_WEBSITE: dast_site_profile.dast_site.url,
DAST_FULL_SCAN_ENABLED: 'false',
DAST_USE_AJAX_SPIDER: 'false',
DAST_DEBUG: 'false',
DAST_USERNAME: dast_site_profile.auth_username,
DAST_EXCLUDE_URLS: dast_site_profile.excluded_urls.join(','),
DAST_USERNAME_FIELD: 'session[username]',
DAST_PASSWORD_FIELD: 'session[password]'
},
allow_failure: true,
script: ['/analyze'],
artifacts: { reports: { dast: 'gl-dast-report.json' } }
}
}
end
it 'extends config with additional jobs' do
expect(config.to_hash).to include(expected_configuration)
end
end
end
end
end
end end
end end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
subject { described_class.new(config, project, ref).perform }
let_it_be(:config) { { image: 'ruby:2.5.3' } }
let_it_be(:ref) { 'master' }
let_it_be_with_refind(:project) { create(:project, :repository) }
let_it_be(:policies_repository) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
before do
allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return(policy_yml)
end
end
context 'when feature is not licensed' do
it 'does not modify the config' do
expect(subject).to eq(config)
end
end
context 'when feature is licensed' do
before do
stub_licensed_features(security_orchestration_policies: true)
end
context 'when feature is not enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: false)
end
it 'does not modify the config' do
expect(subject).to eq(config)
end
end
context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
context 'when policy is not applicable on branch from the pipeline' do
it 'does not modify the config' do
expect(subject).to eq(config)
end
end
context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'production' }
context 'when DAST profiles are not found' do
it 'does not modify the config' do
expect(subject).to eq(
image: 'ruby:2.5.3',
'dast-on-demand-0': { allow_failure: true, script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false' }
)
end
end
context 'when DAST profiles are found' do
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, name: 'Scanner Profile') }
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, name: 'Site Profile') }
let(:expected_configuration) do
{
image: 'ruby:2.5.3',
'dast-on-demand-0': {
stage: 'test',
image: {
name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION'
},
variables: {
DAST_VERSION: 1,
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
DAST_WEBSITE: dast_site_profile.dast_site.url,
DAST_FULL_SCAN_ENABLED: 'false',
DAST_USE_AJAX_SPIDER: 'false',
DAST_DEBUG: 'false',
DAST_USERNAME: dast_site_profile.auth_username,
DAST_EXCLUDE_URLS: dast_site_profile.excluded_urls.join(','),
DAST_USERNAME_FIELD: 'session[username]',
DAST_PASSWORD_FIELD: 'session[password]'
},
allow_failure: true,
script: ['/analyze'],
artifacts: {
reports: {
dast: 'gl-dast-report.json'
}
}
}
}
end
it 'extends config with additional jobs' do
expect(subject).to include(expected_configuration)
end
end
end
end
end
end
...@@ -29,6 +29,10 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -29,6 +29,10 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
subject { security_orchestration_policy_configuration.enabled? } subject { security_orchestration_policy_configuration.enabled? }
context 'when feature is enabled' do context 'when feature is enabled' do
before do
stub_feature_flags(security_orchestration_policies_configuration: true)
end
it { is_expected.to eq(true) } it { is_expected.to eq(true) }
end end
......
...@@ -17,12 +17,14 @@ module Gitlab ...@@ -17,12 +17,14 @@ module Gitlab
Config::Yaml::Tags::TagError Config::Yaml::Tags::TagError
].freeze ].freeze
attr_reader :root attr_reader :root, :context, :ref
def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil) def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil)
@context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline) @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
@context.set_deadline(TIMEOUT_SECONDS) @context.set_deadline(TIMEOUT_SECONDS)
@ref = ref
@config = expand_config(config) @config = expand_config(config)
@root = Entry::Root.new(@config) @root = Entry::Root.new(@config)
......
...@@ -14,6 +14,7 @@ module Gitlab ...@@ -14,6 +14,7 @@ module Gitlab
result = ::Gitlab::Ci::YamlProcessor.new( result = ::Gitlab::Ci::YamlProcessor.new(
@command.config_content, { @command.config_content, {
project: project, project: project,
ref: @pipeline.ref,
sha: @pipeline.sha, sha: @pipeline.sha,
user: current_user, user: current_user,
parent_pipeline: parent_pipeline parent_pipeline: parent_pipeline
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment