Add targetType to DastSiteProfileUpdate mutation

58d87a37 · Philip Cunningham · Robert Speicher · afda2f2a · 58d87a37 · 58d87a37
Commit 58d87a37 authored Apr 21, 2021 by Philip Cunningham Committed by Robert Speicher Apr 21, 2021
3 changed files
--- a/ee/app/graphql/mutations/dast_site_profiles/update.rb
+++ b/ee/app/graphql/mutations/dast_site_profiles/update.rb
@@ -29,6 +29,11 @@ module Mutations
               required: false,
               description: 'The URL of the target to be scanned.'

+      argument :target_type, Types::DastTargetTypeEnum,
+               required: false,
+               description: 'The type of target to be scanned. Will be ignored ' \
+                            'if `security_dast_site_profiles_api_option` feature flag is disabled.'
+
      argument :excluded_urls, [GraphQL::STRING_TYPE],
               required: false,
               description: 'The URLs to skip during an authenticated scan. Will be ignored ' \
@@ -50,16 +55,17 @@ module Mutations
      def resolve(full_path:, id:, profile_name:, target_url: nil, **params)
        project = authorized_find!(full_path)

-        auth_params = feature_flagged(project, params[:auth], default: {})
+        auth_params = feature_flagged(project, :security_dast_site_profiles_additional_fields, params[:auth], default: {})

        # TODO: remove explicit coercion once compatibility layer has been removed
        # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
        dast_site_profile_params = {
          id: SiteProfileID.coerce_isolated_input(id).model_id,
-          excluded_urls: feature_flagged(project, params[:excluded_urls]),
          name: profile_name,
-          request_headers: feature_flagged(project, params[:request_headers]),
          target_url: target_url,
+          target_type: feature_flagged(project, :security_dast_site_profiles_api_option, params[:target_type]),
+          excluded_urls: feature_flagged(project, :security_dast_site_profiles_additional_fields, params[:excluded_urls]),
+          request_headers: feature_flagged(project, :security_dast_site_profiles_additional_fields, params[:request_headers]),
          auth_enabled: auth_params[:enabled],
          auth_url: auth_params[:url],
          auth_username_field: auth_params[:username_field],
@@ -75,8 +81,8 @@ module Mutations

      private

-      def feature_flagged(project, value, opts = {})
-        return opts[:default] unless Feature.enabled?(:security_dast_site_profiles_additional_fields, project, default_enabled: :yaml)
+      def feature_flagged(project, flag, value, opts = {})
+        return opts[:default] unless Feature.enabled?(flag, project, default_enabled: :yaml)

        value || opts[:default]
      end

--- a/ee/spec/graphql/mutations/dast_site_profiles/update_spec.rb
+++ b/ee/spec/graphql/mutations/dast_site_profiles/update_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
  let(:new_target_url) { generate(:url) }
  let(:new_excluded_urls) { ["#{new_target_url}/signout"] }
  let(:new_request_headers) { "Authorization: Bearer #{SecureRandom.hex}" }
+  let(:new_target_type) { 'api' }

  let(:new_auth) do
    {
@@ -40,6 +41,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
        id: dast_site_profile.to_global_id,
        profile_name: new_profile_name,
        target_url: new_target_url,
+        target_type: new_target_type,
        excluded_urls: new_excluded_urls,
        request_headers: new_request_headers,
        auth: new_auth
@@ -68,6 +70,7 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
            id: dast_site_profile.id.to_s,
            name: new_profile_name,
            target_url: new_target_url,
+            target_type: new_target_type,
            excluded_urls: new_excluded_urls,
            request_headers: new_request_headers,
            auth_enabled: new_auth[:enabled],
@@ -154,9 +157,11 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
        end

        context 'when the feature flag security_dast_site_profiles_additional_fields is disabled' do
-          it 'does not update the feature flagged attributes', :aggregate_failures do
+          before do
            stub_feature_flags(security_dast_site_profiles_additional_fields: false)
+          end

+          it 'does not update the feature flagged attributes', :aggregate_failures do
            dast_site_profile = subject[:id].find

            expect(dast_site_profile).not_to have_attributes(
@@ -171,6 +176,16 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
            expect(dast_site_profile.secret_variables).to be_empty
          end
        end
+
+        context 'when the feature flag security_dast_site_profiles_api_option is disabled' do
+          before do
+            stub_feature_flags(security_dast_site_profiles_api_option: false)
+          end
+
+          it 'does not update the target_type' do
+            expect { subject }.not_to change { dast_site_profile.reload.target_type }
+          end
+        end
      end
    end
  end

--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/update_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/update_spec.rb
@@ -18,6 +18,7 @@ RSpec.describe 'Creating a DAST Site Profile' do
      id: dast_site_profile.to_global_id.to_s,
      profile_name: new_profile_name,
      target_url: new_target_url,
+      target_type: 'API',
      excluded_urls: ["#{new_target_url}/signout"],
      request_headers: 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0',
      auth: {