Add support for setting DAST_API_SPECIFICATION

5017c011 · Philip Cunningham · Heinrich Lee Yu · 24909597 · 5017c011 · 5017c011
Commit 5017c011 authored Apr 23, 2021 by Philip Cunningham Committed by Heinrich Lee Yu Apr 23, 2021
4 changed files
--- a/ee/app/services/ci/dast_scan_ci_configuration_service.rb
+++ b/ee/app/services/ci/dast_scan_ci_configuration_service.rb
@@ -6,6 +6,7 @@ module Ci
      spider_timeout: 'DAST_SPIDER_MINS',
      target_timeout: 'DAST_TARGET_AVAILABILITY_TIMEOUT',
      target_url: 'DAST_WEBSITE',
+      api_specification_url: 'DAST_API_SPECIFICATION',
      use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
      show_debug_messages: 'DAST_DEBUG',
      full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',

--- a/ee/app/services/dast_on_demand_scans/params_create_service.rb
+++ b/ee/app/services/dast_on_demand_scans/params_create_service.rb
@@ -9,7 +9,7 @@ module DastOnDemandScans
      return ServiceResponse.error(message: 'Cannot run active scan against unvalidated target') unless active_scan_allowed?

      ServiceResponse.success(
-        payload: default_config.merge(site_profile_config, scanner_profile_config)
+        payload: default_config.merge(target_config, site_profile_config, scanner_profile_config)
      )
    end

@@ -62,11 +62,17 @@ module DastOnDemandScans
    end

    def default_config
-      {
-        dast_profile: dast_profile,
-        branch: branch,
-        target_url: dast_site&.url
-      }
+      { dast_profile: dast_profile, branch: branch }
+    end
+
+    def target_config
+      url = dast_site&.url
+
+      if dast_site_profile.target_type == 'website'
+        { target_url: url }
+      else
+        { api_specification_url: url }
+      end
    end

    def site_profile_config

--- a/ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb
+++ b/ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
          spider_timeout: 1000,
          target_timeout: 100,
          target_url: 'https://gitlab.local',
+          api_specification_url: 'https://gitlab.local/api.json',
          use_ajax_spider: true,
          show_debug_messages: true,
          full_scan_enabled: true,
@@ -34,6 +35,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
          DAST_SPIDER_MINS: 1000
          DAST_TARGET_AVAILABILITY_TIMEOUT: 100
          DAST_WEBSITE: https://gitlab.local
+          DAST_API_SPECIFICATION: https://gitlab.local/api.json
          DAST_USE_AJAX_SPIDER: 'true'
          DAST_DEBUG: 'true'
          DAST_FULL_SCAN_ENABLED: 'true'
@@ -45,12 +47,12 @@ RSpec.describe Ci::DastScanCiConfigurationService do
        YAML
      end

-      it 'return YAML configuration of the On-Demand DAST scan' do
+      it 'returns the YAML configuration of the On-Demand DAST scan' do
        expect(yaml_configuration).to eq(expected_yaml_configuration)
      end
    end

-    context 'when additional variables are provided' do
+    context 'when unknown variables are provided' do
      let(:params) do
        {
          target_url: 'https://gitlab.local',
@@ -75,12 +77,37 @@ RSpec.describe Ci::DastScanCiConfigurationService do
        YAML
      end

-      it 'return YAML configuration of the On-Demand DAST scan' do
+      it 'returns the YAML configuration of the On-Demand DAST scan' do
        expect(yaml_configuration).to eq(expected_yaml_configuration)
      end
    end

-    context 'when no variable is provided' do
+    context 'when a variable is set to nil' do
+      let(:params) do
+        {
+          target_url: 'https://gitlab.local',
+          api_specification_url: nil
+        }
+      end
+
+      let(:expected_yaml_configuration) do
+        <<~YAML
+        ---
+        stages:
+        - dast
+        include:
+        - template: DAST-On-Demand-Scan.gitlab-ci.yml
+        variables:
+          DAST_WEBSITE: https://gitlab.local
+        YAML
+      end
+
+      it 'returns the YAML configuration of the On-Demand DAST scan' do
+        expect(yaml_configuration).to eq(expected_yaml_configuration)
+      end
+    end
+
+    context 'when no variables are provided' do
      let(:params) { {} }

      let(:expected_yaml_configuration) do
@@ -94,7 +121,7 @@ RSpec.describe Ci::DastScanCiConfigurationService do
        YAML
      end

-      it 'return YAML configuration of the On-Demand DAST scan' do
+      it 'returns the YAML configuration of the On-Demand DAST scan' do
        expect(yaml_configuration).to eq(expected_yaml_configuration)
      end
    end

--- a/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
+++ b/ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb
@@ -109,6 +109,15 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
          )
        end
      end
+
+      context 'when target_type=api' do
+        let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: :api) }
+
+        it 'returns params including the api_specification_url and omitting the target_url', :aggregate_failures do
+          expect(subject.payload[:api_specification_url]).to eq(dast_site_profile.dast_site.url)
+          expect(subject.payload[:target_url]).to be_nil
+        end
+      end
    end

    context 'when the dast_profile is provided' do