Commit 5188faea authored by Marcos Rocha's avatar Marcos Rocha Committed by Bob Van Landuyt

Audit dast schedule owner updates

parent 1222dd09
...@@ -16,7 +16,7 @@ module AppSec ...@@ -16,7 +16,7 @@ module AppSec
author: current_user, author: current_user,
scope: project, scope: project,
target: params[:dast_profile_schedule], target: params[:dast_profile_schedule],
message: "Changed DAST profile schedule #{property} from #{old_value} to #{new_value}" message: "Changed DAST profile schedule #{property} from #{old_value || 'nil'} to #{new_value}"
) )
end end
end end
......
...@@ -52,9 +52,7 @@ module AppSec ...@@ -52,9 +52,7 @@ module AppSec
def update_or_create_schedule! def update_or_create_schedule!
if schedule if schedule
attributes = schedule_input_params schedule.update!(schedule_input_params)
attributes = attributes.merge(user_id: current_user.id) unless schedule.owner_valid?
schedule.update!(attributes)
else else
::Dast::ProfileSchedule.new( ::Dast::ProfileSchedule.new(
dast_profile: dast_profile, dast_profile: dast_profile,
...@@ -93,9 +91,17 @@ module AppSec ...@@ -93,9 +91,17 @@ module AppSec
end end
def schedule_input_params def schedule_input_params
@schedule_input_params ||= build_schedule_input_params
end
def build_schedule_input_params
return unless params[:dast_profile_schedule]
# params[:dast_profile_schedule] is `Types::Dast::ProfileScheduleInputType` object. # params[:dast_profile_schedule] is `Types::Dast::ProfileScheduleInputType` object.
# Using to_h method to convert object into equivalent hash. # Using to_h method to convert object into equivalent hash.
@schedule_input_params ||= params[:dast_profile_schedule]&.to_h dast_profile_schedule_params = params[:dast_profile_schedule]
dast_profile_schedule_params[:user_id] = current_user.id unless schedule&.owner_valid?
dast_profile_schedule_params&.to_h
end end
def build_auditors! def build_auditors!
......
...@@ -63,18 +63,32 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -63,18 +63,32 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
project.add_users([user, scheduler_owner], :developer) project.add_users([user, scheduler_owner], :developer)
end end
it 'communicates success' do context 'without dast_profile_schedule param' do
expect(subject.status).to eq(:success) it 'communicates success' do
end expect(subject.status).to eq(:success)
end
it 'updates the dast_profile' do it 'updates the dast_profile' do
updated_dast_profile = subject.payload[:dast_profile].reload updated_dast_profile = subject.payload[:dast_profile].reload
aggregate_failures do aggregate_failures do
expect(updated_dast_profile.dast_site_profile.id).to eq(params[:dast_site_profile_id]) expect(updated_dast_profile.dast_site_profile.id).to eq(params[:dast_site_profile_id])
expect(updated_dast_profile.dast_scanner_profile.id).to eq(params[:dast_scanner_profile_id]) expect(updated_dast_profile.dast_scanner_profile.id).to eq(params[:dast_scanner_profile_id])
expect(updated_dast_profile.name).to eq(params[:name]) expect(updated_dast_profile.name).to eq(params[:name])
expect(updated_dast_profile.description).to eq(params[:description]) expect(updated_dast_profile.description).to eq(params[:description])
end
end
it 'does not try to create or update the dast_profile_schedule' do
subject
expect { subject }.not_to change { dast_profile.reload.dast_profile_schedule }.from(nil)
end
it 'ignores the dast_profile_schedule' do
subject
expect(params[:dast_profile]).not_to receive(:dast_profile_schedule)
end end
end end
...@@ -130,6 +144,16 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -130,6 +144,16 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
context 'when associated schedule is present' do context 'when associated schedule is present' do
let_it_be_with_reload(:dast_profile_schedule) { create(:dast_profile_schedule, project: project, dast_profile: dast_profile, owner: scheduler_owner) } let_it_be_with_reload(:dast_profile_schedule) { create(:dast_profile_schedule, project: project, dast_profile: dast_profile, owner: scheduler_owner) }
shared_examples 'audits the owner change' do
it 'audits the owner change', :sidekiq_inline do
subject
messages = AuditEvent.where(target_id: dast_profile.dast_profile_schedule.id).pluck(:details).pluck(:custom_message)
old_owner = User.find_by(id: scheduler_owner.id)
expect(messages).to include("Changed DAST profile schedule user_id from #{old_owner&.id || 'nil'} to #{user.id}")
end
end
it 'updates the dast profile schedule' do it 'updates the dast profile schedule' do
subject subject
...@@ -155,15 +179,17 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -155,15 +179,17 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
context 'when the owner was deleted' do context 'when the owner was deleted' do
before do before do
scheduler_owner.destroy! dast_profile_schedule.owner.destroy!
subject.payload[:dast_profile_schedule].reload dast_profile_schedule.reload
end end
it 'updates the schedule owner' do it 'updates the schedule owner' do
subject subject
expect(dast_profile_schedule.user_id).to eq(user.id) expect(dast_profile_schedule.reload.user_id).to eq(user.id)
end end
include_examples 'audits the owner change'
end end
context 'when the owner permission was downgraded' do context 'when the owner permission was downgraded' do
...@@ -176,6 +202,8 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -176,6 +202,8 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
expect(dast_profile_schedule.user_id).to eq(user.id) expect(dast_profile_schedule.user_id).to eq(user.id)
end end
include_examples 'audits the owner change'
end end
context 'when the owner was removed from the project' do context 'when the owner was removed from the project' do
...@@ -189,6 +217,8 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -189,6 +217,8 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
expect(dast_profile_schedule.user_id).to eq(user.id) expect(dast_profile_schedule.user_id).to eq(user.id)
end end
include_examples 'audits the owner change'
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment