Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
332e511a
Commit
332e511a
authored
Nov 08, 2019
by
Sean McGivern
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "Merge branch '34422-get-single-vulnerability-api' into 'master'"
This reverts merge request !19079
parent
3c2abdbe
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
28 additions
and
94 deletions
+28
-94
ee/lib/api/vulnerabilities.rb
ee/lib/api/vulnerabilities.rb
+1
-15
ee/spec/requests/api/vulnerabilities_spec.rb
ee/spec/requests/api/vulnerabilities_spec.rb
+19
-65
ee/spec/requests/api/vulnerability_findings_spec.rb
ee/spec/requests/api/vulnerability_findings_spec.rb
+1
-1
ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
..._examples/requests/api/vulnerabilities_shared_examples.rb
+7
-13
No files found.
ee/lib/api/vulnerabilities.rb
View file @
332e511a
...
...
@@ -13,14 +13,9 @@ module API
Vulnerability
.
with_findings
.
find
(
params
[
:id
])
end
def
authorize_vulnerability!
(
vulnerability
,
action
)
authorize!
action
,
vulnerability
.
project
vulnerability
end
def
find_and_authorize_vulnerability!
(
action
)
find_vulnerability!
.
tap
do
|
vulnerability
|
authorize
_vulnerability!
(
vulnerability
,
action
)
authorize
!
action
,
vulnerability
.
project
end
end
...
...
@@ -43,15 +38,6 @@ module API
requires
:id
,
type:
String
,
desc:
'The ID of a vulnerability'
end
resource
:vulnerabilities
do
desc
'Get a vulnerability'
do
success
VulnerabilityEntity
end
get
':id'
do
vulnerability
=
Vulnerability
.
find
(
params
[
:id
])
authorize_vulnerability!
(
vulnerability
,
:read_project_security_dashboard
)
render_vulnerability
(
vulnerability
)
end
desc
'Resolve a vulnerability'
do
success
EE
::
API
::
Entities
::
Vulnerability
end
...
...
ee/spec/requests/api/vulnerabilities_spec.rb
View file @
332e511a
...
...
@@ -9,8 +9,6 @@ describe API::Vulnerabilities do
let_it_be
(
:project
)
{
create
(
:project
,
:with_vulnerabilities
)
}
let_it_be
(
:user
)
{
create
(
:user
)
}
let_it_be
(
:vulnerability
)
{
project
.
vulnerabilities
.
first
}
let
(
:vulnerability_id
)
{
vulnerability
.
id
}
shared_examples
'forbids actions on vulnerability in case of disabled features'
do
context
'when "first-class vulnerabilities" feature is disabled'
do
...
...
@@ -38,20 +36,10 @@ describe API::Vulnerabilities do
end
end
shared_examples
'responds with "not found" for an unknown vulnerability ID'
do
let
(
:vulnerability_id
)
{
0
}
it
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
404
)
end
end
describe
'GET /projects/:id/vulnerabilities'
do
let
(
:project_vulnerabilities_path
)
{
"/projects/
#{
project
.
id
}
/vulnerabilities"
}
subject
(
:get_vulnerabilities
)
{
get
api
(
project_vulnerabilities_path
,
user
)
}
subject
{
get
api
(
project_vulnerabilities_path
,
user
)
}
context
'with an authorized user with proper permissions'
do
before
do
...
...
@@ -59,7 +47,7 @@ describe API::Vulnerabilities do
end
it
'returns all vulnerabilities of a project'
do
get_vulnerabilities
subject
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
include_pagination_headers
...
...
@@ -71,7 +59,7 @@ describe API::Vulnerabilities do
let
(
:project_vulnerabilities_path
)
{
"
#{
super
()
}
?page=2&per_page=1"
}
it
'paginates the vulnerabilities according to the pagination params'
do
get_vulnerabilities
subject
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
json_response
.
map
{
|
v
|
v
[
'id'
]
}).
to
contain_exactly
(
project
.
vulnerabilities
.
second
.
id
)
...
...
@@ -82,47 +70,17 @@ describe API::Vulnerabilities do
end
it_behaves_like
'responds with "not found" when there is no access to the project'
it_behaves_like
'prevents working with vulnerabilities in case of insufficient access level'
end
shared_examples
'prevents working with vulnerabilities for anonymous users'
do
it
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
403
)
end
it_behaves_like
'prevents working with vulnerabilities in case of insufficient privileges'
end
describe
'GET /vulnerabilities/:id'
do
subject
(
:get_vulnerability
)
{
get
api
(
"/vulnerabilities/
#{
vulnerability_id
}
"
,
user
)
}
context
'with an authorized user with proper permissions'
do
before
do
project
.
add_developer
(
user
)
end
it
'returns the desired vulnerability'
do
get_vulnerability
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
match_response_schema
(
'vulnerability'
,
dir:
'ee'
)
expect
(
json_response
[
'id'
]).
to
eq
vulnerability_id
end
it_behaves_like
'responds with "not found" for an unknown vulnerability ID'
it_behaves_like
'forbids actions on vulnerability in case of disabled features'
end
it_behaves_like
'prevents working with vulnerabilities in case of insufficient access level'
it_behaves_like
'prevents working with vulnerabilities for anonymous users'
end
describe
'POST /vulnerabilities/:id/dismiss'
do
describe
"POST /vulnerabilities:id/dismiss"
do
before
do
create_list
(
:vulnerabilities_occurrence
,
2
,
vulnerability:
vulnerability
,
project:
vulnerability
.
project
)
end
subject
(
:dismiss_vulnerability
)
{
post
api
(
"/vulnerabilities/
#{
vulnerability_id
}
/dismiss"
,
user
)
}
let
(
:vulnerability
)
{
project
.
vulnerabilities
.
first
}
subject
{
post
api
(
"/vulnerabilities/
#{
vulnerability
.
id
}
/dismiss"
,
user
)
}
context
'with an authorized user with proper permissions'
do
before
do
...
...
@@ -131,7 +89,7 @@ describe API::Vulnerabilities do
it
'dismisses a vulnerability and its associated findings'
do
Timecop
.
freeze
do
dismiss_vulnerability
subject
expect
(
response
).
to
have_gitlab_http_status
(
201
)
expect
(
response
).
to
match_response_schema
(
'public_api/v4/vulnerability'
,
dir:
'ee'
)
...
...
@@ -142,8 +100,6 @@ describe API::Vulnerabilities do
end
end
it_behaves_like
'responds with "not found" for an unknown vulnerability ID'
context
'when there is a dismissal error'
do
before
do
Grape
::
Endpoint
.
before_each
do
|
endpoint
|
...
...
@@ -167,7 +123,7 @@ describe API::Vulnerabilities do
end
it
'responds with error'
do
dismiss_vulnerability
subject
expect
(
response
).
to
have_gitlab_http_status
(
400
)
expect
(
json_response
[
'message'
]).
to
eq
(
'base'
=>
[
'something went wrong'
])
...
...
@@ -178,7 +134,7 @@ describe API::Vulnerabilities do
let
(
:vulnerability
)
{
create
(
:vulnerability
,
:closed
,
project:
project
)
}
it
'responds with 304 Not Modified'
do
dismiss_vulnerability
subject
expect
(
response
).
to
have_gitlab_http_status
(
304
)
end
...
...
@@ -187,16 +143,17 @@ describe API::Vulnerabilities do
it_behaves_like
'forbids actions on vulnerability in case of disabled features'
end
it_behaves_like
'prevents working with vulnerabilities in case of insufficient access level'
it_behaves_like
'prevents working with vulnerabilities for anonymous users'
it_behaves_like
'prevents working with vulnerabilities in case of insufficient privileges'
end
describe
'POST /vulnerabilities/:id/resolve'
do
describe
"POST /vulnerabilities:id/resolve"
do
before
do
create_list
(
:vulnerabilities_finding
,
2
,
vulnerability:
vulnerability
)
end
subject
(
:resolve_vulnerability
)
{
post
api
(
"/vulnerabilities/
#{
vulnerability_id
}
/resolve"
,
user
)
}
let
(
:vulnerability
)
{
project
.
vulnerabilities
.
first
}
subject
{
post
api
(
"/vulnerabilities/
#{
vulnerability
.
id
}
/resolve"
,
user
)
}
context
'with an authorized user with proper permissions'
do
before
do
...
...
@@ -205,7 +162,7 @@ describe API::Vulnerabilities do
it
'resolves a vulnerability and its associated findings'
do
Timecop
.
freeze
do
resolve_vulnerability
subject
expect
(
response
).
to
have_gitlab_http_status
(
201
)
expect
(
response
).
to
match_response_schema
(
'public_api/v4/vulnerability'
,
dir:
'ee'
)
...
...
@@ -216,13 +173,11 @@ describe API::Vulnerabilities do
end
end
it_behaves_like
'responds with "not found" for an unknown vulnerability ID'
context
'when the vulnerability is already resolved'
do
let
(
:vulnerability
)
{
create
(
:vulnerability
,
:closed
,
project:
project
)
}
it
'responds with 304 Not Modified response'
do
resolve_vulnerability
subject
expect
(
response
).
to
have_gitlab_http_status
(
304
)
end
...
...
@@ -231,7 +186,6 @@ describe API::Vulnerabilities do
it_behaves_like
'forbids actions on vulnerability in case of disabled features'
end
it_behaves_like
'prevents working with vulnerabilities in case of insufficient access level'
it_behaves_like
'prevents working with vulnerabilities for anonymous users'
it_behaves_like
'prevents working with vulnerabilities in case of insufficient privileges'
end
end
ee/spec/requests/api/vulnerability_findings_spec.rb
View file @
332e511a
...
...
@@ -181,7 +181,7 @@ describe API::VulnerabilityFindings do
subject
{
get
api
(
project_vulnerability_findings_path
,
user
)
}
end
it_behaves_like
'prevents working with vulnerabilities in case of insufficient
access level
'
do
it_behaves_like
'prevents working with vulnerabilities in case of insufficient
privileges
'
do
subject
{
get
api
(
project_vulnerability_findings_path
,
user
)
}
end
end
...
...
ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
View file @
332e511a
# frozen_string_literal: true
shared_examples
'prevents working with vulnerabilities in case of insufficient access level'
do
it
'responds 403 Forbidden when accessed by reporter'
do
shared_examples
'prevents working with vulnerabilities in case of insufficient privileges'
do
context
'with lesser access level than required'
do
it
'responds with 403 Forbidden'
do
project
.
add_reporter
(
user
)
subject
expect
(
response
).
to
have_gitlab_http_status
(
403
)
end
it
'responds 403 Forbidden when accessed by guest'
do
project
.
add_guest
(
user
)
subject
expect
(
response
).
to
have_gitlab_http_status
(
403
)
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment