Commit 70eadcfa authored by Craig Smith's avatar Craig Smith Committed by Yannis Roussos

Add properties to DAST Scanner Profile

Allow on-demand DAST users to create profiles that control debug
messages, turn off/on ajax scans and toggle between active and passive
scans
parent 79de9f65
---
title: Add on-demand DAST scan options (scanType, showDebugMessages, useAjaxSpider)
ajax spider and set the scan type
merge_request: 43240
author:
type: added
# frozen_string_literal: true
class AddOptionsToDastScannerProfile < ActiveRecord::Migration[6.0]
DOWNTIME = false
PASSIVE_SCAN_ENUM_VALUE = 1
def change
add_column :dast_scanner_profiles, :scan_type, :integer, limit: 2, default: PASSIVE_SCAN_ENUM_VALUE, null: false
add_column :dast_scanner_profiles, :use_ajax_spider, :boolean, default: false, null: false
add_column :dast_scanner_profiles, :show_debug_messages, :boolean, default: false, null: false
end
end
d413e19c8ddaba4556cf36a38e03b1c7c46ee7edf7e56692028e066f97605784
\ No newline at end of file
......@@ -11216,6 +11216,9 @@ CREATE TABLE dast_scanner_profiles (
spider_timeout smallint,
target_timeout smallint,
name text NOT NULL,
scan_type smallint DEFAULT 1 NOT NULL,
use_ajax_spider boolean DEFAULT false NOT NULL,
show_debug_messages boolean DEFAULT false NOT NULL,
CONSTRAINT check_568568fabf CHECK ((char_length(name) <= 255))
);
......
......@@ -3634,6 +3634,11 @@ type DastOnDemandScanCreatePayload {
}
enum DastScanTypeEnum {
"""
Active DAST scan. This scan will make active attacks against the target site.
"""
ACTIVE
"""
Passive DAST scan. This scan will not make active attacks against the target site.
"""
......@@ -3664,6 +3669,16 @@ type DastScannerProfile {
"""
profileName: String
"""
Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.
"""
scanType: DastScanTypeEnum
"""
Indicates if debug messages should be included in DAST console output. True to include the debug messages.
"""
showDebugMessages: Boolean!
"""
The maximum number of minutes allowed for the spider to traverse the site
"""
......@@ -3673,6 +3688,13 @@ type DastScannerProfile {
The maximum number of seconds allowed for the site under test to respond to a request
"""
targetTimeout: Int
"""
Indicates if the AJAX spider should be used to crawl the target site. True to
run the AJAX spider in addition to the traditional spider, and false to run
only the traditional spider.
"""
useAjaxSpider: Boolean!
}
"""
......@@ -3714,6 +3736,16 @@ input DastScannerProfileCreateInput {
"""
profileName: String!
"""
Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.
"""
scanType: DastScanTypeEnum = PASSIVE
"""
Indicates if debug messages should be included in DAST console output. True to include the debug messages.
"""
showDebugMessages: Boolean = false
"""
The maximum number of minutes allowed for the spider to traverse the site.
"""
......@@ -3723,6 +3755,13 @@ input DastScannerProfileCreateInput {
The maximum number of seconds allowed for the site under test to respond to a request.
"""
targetTimeout: Int
"""
Indicates if the AJAX spider should be used to crawl the target site. True to
run the AJAX spider in addition to the traditional spider, and false to run
only the traditional spider.
"""
useAjaxSpider: Boolean = false
}
"""
......@@ -3829,6 +3868,16 @@ input DastScannerProfileUpdateInput {
"""
profileName: String!
"""
Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.
"""
scanType: DastScanTypeEnum
"""
Indicates if debug messages should be included in DAST console output. True to include the debug messages.
"""
showDebugMessages: Boolean
"""
The maximum number of minutes allowed for the spider to traverse the site.
"""
......@@ -3838,6 +3887,13 @@ input DastScannerProfileUpdateInput {
The maximum number of seconds allowed for the site under test to respond to a request.
"""
targetTimeout: Int!
"""
Indicates if the AJAX spider should be used to crawl the target site. True to
run the AJAX spider in addition to the traditional spider, and false to run
only the traditional spider.
"""
useAjaxSpider: Boolean
}
"""
......
......@@ -9839,6 +9839,12 @@
"description": "Passive DAST scan. This scan will not make active attacks against the target site.",
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "ACTIVE",
"description": "Active DAST scan. This scan will make active attacks against the target site.",
"isDeprecated": false,
"deprecationReason": null
}
],
"possibleTypes": null
......@@ -9912,6 +9918,38 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "scanType",
"description": "Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.",
"args": [
],
"type": {
"kind": "ENUM",
"name": "DastScanTypeEnum",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "showDebugMessages",
"description": "Indicates if debug messages should be included in DAST console output. True to include the debug messages.",
"args": [
],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": {
"kind": "SCALAR",
"name": "Boolean",
"ofType": null
}
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "spiderTimeout",
"description": "The maximum number of minutes allowed for the spider to traverse the site",
......@@ -9939,6 +9977,24 @@
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "useAjaxSpider",
"description": "Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.",
"args": [
],
"type": {
"kind": "NON_NULL",
"name": null,
"ofType": {
"kind": "SCALAR",
"name": "Boolean",
"ofType": null
}
},
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
......@@ -10069,6 +10125,36 @@
},
"defaultValue": null
},
{
"name": "scanType",
"description": "Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.",
"type": {
"kind": "ENUM",
"name": "DastScanTypeEnum",
"ofType": null
},
"defaultValue": "PASSIVE"
},
{
"name": "useAjaxSpider",
"description": "Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.",
"type": {
"kind": "SCALAR",
"name": "Boolean",
"ofType": null
},
"defaultValue": "false"
},
{
"name": "showDebugMessages",
"description": "Indicates if debug messages should be included in DAST console output. True to include the debug messages.",
"type": {
"kind": "SCALAR",
"name": "Boolean",
"ofType": null
},
"defaultValue": "false"
},
{
"name": "clientMutationId",
"description": "A unique identifier for the client performing the mutation.",
......@@ -10398,6 +10484,36 @@
},
"defaultValue": null
},
{
"name": "scanType",
"description": "Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.",
"type": {
"kind": "ENUM",
"name": "DastScanTypeEnum",
"ofType": null
},
"defaultValue": null
},
{
"name": "useAjaxSpider",
"description": "Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.",
"type": {
"kind": "SCALAR",
"name": "Boolean",
"ofType": null
},
"defaultValue": null
},
{
"name": "showDebugMessages",
"description": "Indicates if debug messages should be included in DAST console output. True to include the debug messages.",
"type": {
"kind": "SCALAR",
"name": "Boolean",
"ofType": null
},
"defaultValue": null
},
{
"name": "clientMutationId",
"description": "A unique identifier for the client performing the mutation.",
......@@ -592,8 +592,11 @@ Represents a DAST scanner profile.
| `globalId` | DastScannerProfileID! | ID of the DAST scanner profile |
| `id` **{warning-solid}** | ID! | **Deprecated:** Use `global_id`. Deprecated in 13.4 |
| `profileName` | String | Name of the DAST scanner profile |
| `scanType` | DastScanTypeEnum | Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan. |
| `showDebugMessages` | Boolean! | Indicates if debug messages should be included in DAST console output. True to include the debug messages. |
| `spiderTimeout` | Int | The maximum number of minutes allowed for the spider to traverse the site |
| `targetTimeout` | Int | The maximum number of seconds allowed for the site under test to respond to a request |
| `useAjaxSpider` | Boolean! | Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider. |
### DastScannerProfileCreatePayload
......@@ -3140,6 +3143,7 @@ Mode of a commit action.
| Value | Description |
| ----- | ----------- |
| `ACTIVE` | Active DAST scan. This scan will make active attacks against the target site. |
| `PASSIVE` | Passive DAST scan. This scan will not make active attacks against the target site. |
### DastSiteProfileValidationStatusEnum
......
......@@ -32,13 +32,38 @@ module Mutations
required: false,
description: 'The maximum number of seconds allowed for the site under test to respond to a request.'
argument :scan_type, Types::DastScanTypeEnum,
required: false,
description: 'Indicates the type of DAST scan that will run. ' \
'Either a Passive Scan or an Active Scan.',
default_value: 'passive'
argument :use_ajax_spider, GraphQL::BOOLEAN_TYPE,
required: false,
description: 'Indicates if the AJAX spider should be used to crawl the target site. ' \
'True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.',
default_value: false
argument :show_debug_messages, GraphQL::BOOLEAN_TYPE,
required: false,
description: 'Indicates if debug messages should be included in DAST console output. ' \
'True to include the debug messages.',
default_value: false
authorize :create_on_demand_dast_scan
def resolve(full_path:, profile_name:, spider_timeout: nil, target_timeout: nil)
def resolve(full_path:, profile_name:, spider_timeout: nil, target_timeout: nil, scan_type:, use_ajax_spider:, show_debug_messages:)
project = authorized_find_project!(full_path: full_path)
service = ::DastScannerProfiles::CreateService.new(project, current_user)
result = service.execute(name: profile_name, spider_timeout: spider_timeout, target_timeout: target_timeout)
result = service.execute(
name: profile_name,
spider_timeout: spider_timeout,
target_timeout: target_timeout,
scan_type: scan_type,
use_ajax_spider: use_ajax_spider,
show_debug_messages: show_debug_messages
)
if result.success?
{ id: result.payload.to_global_id, global_id: result.payload.to_global_id, errors: [] }
......
......@@ -31,6 +31,21 @@ module Mutations
required: true,
description: 'The maximum number of seconds allowed for the site under test to respond to a request.'
argument :scan_type, Types::DastScanTypeEnum,
required: false,
description: 'Indicates the type of DAST scan that will run. ' \
'Either a Passive Scan or an Active Scan.'
argument :use_ajax_spider, GraphQL::BOOLEAN_TYPE,
required: false,
description: 'Indicates if the AJAX spider should be used to crawl the target site. ' \
'True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.'
argument :show_debug_messages, GraphQL::BOOLEAN_TYPE,
required: false,
description: 'Indicates if debug messages should be included in DAST console output. ' \
'True to include the debug messages.'
authorize :create_on_demand_dast_scan
def resolve(full_path:, **service_args)
......
......@@ -2,6 +2,7 @@
module Types
class DastScanTypeEnum < BaseEnum
value 'PASSIVE', description: 'Passive DAST scan. This scan will not make active attacks against the target site.'
value 'PASSIVE', value: 'passive', description: 'Passive DAST scan. This scan will not make active attacks against the target site.'
value 'ACTIVE', value: 'active', description: 'Active DAST scan. This scan will make active attacks against the target site.'
end
end
......@@ -25,6 +25,18 @@ module Types
field :target_timeout, GraphQL::INT_TYPE, null: true,
description: 'The maximum number of seconds allowed for the site under test to respond to a request'
field :scan_type, Types::DastScanTypeEnum, null: true,
description: 'Indicates the type of DAST scan that will run. ' \
'Either a Passive Scan or an Active Scan.'
field :use_ajax_spider, GraphQL::BOOLEAN_TYPE, null: false,
description: 'Indicates if the AJAX spider should be used to crawl the target site. ' \
'True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.'
field :show_debug_messages, GraphQL::BOOLEAN_TYPE, null: false,
description: 'Indicates if debug messages should be included in DAST console output. ' \
'True to include the debug messages.'
field :edit_path, GraphQL::STRING_TYPE, null: true,
description: 'Relative web path to the edit page of a scanner profile',
resolve: -> (obj, _args, _ctx) do
......
......@@ -7,4 +7,9 @@ class DastScannerProfile < ApplicationRecord
validates :name, length: { maximum: 255 }, uniqueness: { scope: :project_id }
scope :project_id_in, -> (project_ids) { where(project_id: project_ids) }
enum scan_type: {
passive: 1,
active: 2
}
end
......@@ -2,14 +2,17 @@
module DastScannerProfiles
class CreateService < BaseService
def execute(name:, target_timeout:, spider_timeout:)
def execute(name:, target_timeout:, spider_timeout:, scan_type:, use_ajax_spider:, show_debug_messages:)
return ServiceResponse.error(message: 'Insufficient permissions') unless allowed?
dast_scanner_profile = DastScannerProfile.create(
project: project,
name: name,
target_timeout: target_timeout,
spider_timeout: spider_timeout
spider_timeout: spider_timeout,
scan_type: scan_type,
use_ajax_spider: use_ajax_spider,
show_debug_messages: show_debug_messages
)
return ServiceResponse.success(payload: dast_scanner_profile) if dast_scanner_profile.valid?
......
......@@ -4,13 +4,22 @@ module DastScannerProfiles
class UpdateService < BaseService
include Gitlab::Allowable
def execute(id:, profile_name:, target_timeout:, spider_timeout:)
def execute(id:, profile_name:, target_timeout:, spider_timeout:, scan_type: nil, use_ajax_spider: nil, show_debug_messages: nil)
return unauthorized unless can_update_scanner_profile?
dast_scanner_profile = find_dast_scanner_profile(id)
return ServiceResponse.error(message: "Scanner profile not found for given parameters") unless dast_scanner_profile
if dast_scanner_profile.update(name: profile_name, target_timeout: target_timeout, spider_timeout: spider_timeout)
update_args = {
name: profile_name,
target_timeout: target_timeout,
spider_timeout: spider_timeout
}
update_args[:scan_type] = scan_type if scan_type
update_args[:use_ajax_spider] = use_ajax_spider if use_ajax_spider
update_args[:show_debug_messages] = show_debug_messages if show_debug_messages
if dast_scanner_profile.update(update_args)
ServiceResponse.success(payload: dast_scanner_profile)
else
ServiceResponse.error(message: dast_scanner_profile.errors.full_messages)
......
......@@ -20,7 +20,10 @@ RSpec.describe Mutations::DastScannerProfiles::Create do
subject do
mutation.resolve(
full_path: full_path,
profile_name: profile_name
profile_name: profile_name,
scan_type: DastScannerProfile.scan_types[:passive],
use_ajax_spider: false,
show_debug_messages: false
)
end
......@@ -52,7 +55,15 @@ RSpec.describe Mutations::DastScannerProfiles::Create do
result = double('result', success?: false, errors: [])
expect(DastScannerProfiles::CreateService).to receive(:new).and_return(service)
expect(service).to receive(:execute).with(name: profile_name, spider_timeout: nil, target_timeout: nil).and_return(result)
expected_args = {
name: profile_name,
spider_timeout: nil,
target_timeout: nil,
scan_type: DastScannerProfile.scan_types[:passive],
show_debug_messages: false,
use_ajax_spider: false
}
expect(service).to receive(:execute).with(expected_args).and_return(result)
subject
end
......@@ -63,7 +74,10 @@ RSpec.describe Mutations::DastScannerProfiles::Create do
response = mutation.resolve(
full_path: full_path,
profile_name: profile_name
profile_name: profile_name,
scan_type: DastScannerProfile.scan_types[:passive],
use_ajax_spider: false,
show_debug_messages: false
)
expect(response[:errors]).to include('Name has already been taken')
......
......@@ -12,6 +12,9 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
let_it_be(:new_profile_name) { SecureRandom.hex }
let_it_be(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
let_it_be(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
let_it_be(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
let_it_be(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
let_it_be(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
......@@ -26,7 +29,10 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
id: scanner_profile_id,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
spider_timeout: new_spider_timeout,
scan_type: new_scan_type,
use_ajax_spider: new_use_ajax_spider,
show_debug_messages: new_show_debug_messages
)
end
......@@ -60,6 +66,28 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
project.add_developer(user)
end
context 'when the user omits unrequired elements' do
subject do
mutation.resolve(
full_path: full_path,
id: scanner_profile_id,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
)
end
it 'does not update those elements' do
updated_dast_scanner_profile = subject[:id].find
aggregate_failures do
expect(updated_dast_scanner_profile.scan_type).to eq(dast_scanner_profile.scan_type)
expect(updated_dast_scanner_profile.use_ajax_spider).to eq(dast_scanner_profile.use_ajax_spider)
expect(updated_dast_scanner_profile.show_debug_messages).to eq(dast_scanner_profile.show_debug_messages)
end
end
end
it 'updates the dast_scanner_profile' do
dast_scanner_profile = subject[:id].find
......@@ -67,6 +95,9 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
expect(dast_scanner_profile.name).to eq(new_profile_name)
expect(dast_scanner_profile.target_timeout).to eq(new_target_timeout)
expect(dast_scanner_profile.spider_timeout).to eq(new_spider_timeout)
expect(dast_scanner_profile.scan_type).to eq(new_scan_type)
expect(dast_scanner_profile.use_ajax_spider).to eq(new_use_ajax_spider)
expect(dast_scanner_profile.show_debug_messages).to eq(new_show_debug_messages)
end
end
......
......@@ -6,7 +6,7 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile) }
let_it_be(:project) { dast_scanner_profile.project }
let_it_be(:user) { create(:user) }
let_it_be(:fields) { %i[id globalId profileName spiderTimeout targetTimeout editPath] }
let_it_be(:fields) { %i[id globalId profileName spiderTimeout targetTimeout editPath scanType useAjaxSpider showDebugMessages] }
let(:response) do
GitlabSchema.execute(
......@@ -47,6 +47,9 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
profileName
targetTimeout
spiderTimeout
scanType
useAjaxSpider
showDebugMessages
}
}
}
......
......@@ -31,6 +31,16 @@ RSpec.describe 'Creating a DAST Scanner Profile' do
expect(mutation_response['globalId']).to eq(dast_scanner_profile.to_global_id.to_s)
end
it 'sets default values of omitted properties' do
post_graphql_mutation(mutation, current_user: current_user)
aggregate_failures do
expect(dast_scanner_profile.scan_type).to eq('passive')
expect(dast_scanner_profile.use_ajax_spider).to eq(false)
expect(dast_scanner_profile.show_debug_messages).to eq(false)
end
end
context 'when dast_scanner_profile exists' do
before do
DastScannerProfile.create!(project: project, name: profile_name)
......
......@@ -11,6 +11,9 @@ RSpec.describe 'Update a DAST Scanner Profile' do
let_it_be(:new_profile_name) { SecureRandom.hex }
let(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
let(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
let(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
let(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
let(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
let(:mutation_name) { :dast_scanner_profile_update }
let(:mutation) do
......@@ -20,7 +23,10 @@ RSpec.describe 'Update a DAST Scanner Profile' do
id: dast_scanner_profile.to_global_id.to_s,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
spider_timeout: new_spider_timeout,
scan_type: new_scan_type.upcase,
use_ajax_spider: new_use_ajax_spider,
show_debug_messages: new_show_debug_messages
)
end
......@@ -40,6 +46,9 @@ RSpec.describe 'Update a DAST Scanner Profile' do
expect(dast_scanner_profile.name).to eq(new_profile_name)
expect(dast_scanner_profile.target_timeout).to eq(new_target_timeout)
expect(dast_scanner_profile.spider_timeout).to eq(new_spider_timeout)
expect(dast_scanner_profile.scan_type).to eq(new_scan_type)
expect(dast_scanner_profile.use_ajax_spider).to eq(new_use_ajax_spider)
expect(dast_scanner_profile.show_debug_messages).to eq(new_show_debug_messages)
end
end
......@@ -65,7 +74,10 @@ RSpec.describe 'Update a DAST Scanner Profile' do
id: dast_scanner_profile.to_global_id.to_s,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
spider_timeout: new_spider_timeout,
scan_type: new_scan_type.upcase,
use_ajax_spider: new_use_ajax_spider,
show_debug_messages: new_show_debug_messages
)
end
......
......@@ -10,7 +10,7 @@ RSpec.describe 'Running a DAST Scan' do
let(:project_path) { project.full_path }
let(:target_url) { generate(:url) }
let(:branch) { project.default_branch }
let(:scan_type) { Types::DastScanTypeEnum.enum[:passive] }
let(:scan_type) { Types::DastScanTypeEnum.enum[:passive].upcase }
let(:mutation) do
graphql_mutation(
......
......@@ -8,6 +8,9 @@ RSpec.describe DastScannerProfiles::CreateService do
let(:name) { FFaker::Company.catch_phrase }
let(:target_timeout) { 60 }
let(:spider_timeout) { 600 }
let(:scan_type) { 1 }
let(:use_ajax_spider) { true }
let(:show_debug_messages) { true }
before do
stub_licensed_features(security_on_demand_scans: true)
......@@ -18,7 +21,10 @@ RSpec.describe DastScannerProfiles::CreateService do
described_class.new(project, user).execute(
name: name,
target_timeout: target_timeout,
spider_timeout: spider_timeout
spider_timeout: spider_timeout,
scan_type: scan_type,
use_ajax_spider: use_ajax_spider,
show_debug_messages: show_debug_messages
)
end
......@@ -66,6 +72,18 @@ RSpec.describe DastScannerProfiles::CreateService do
expect { subject }.to change(DastScannerProfile, :count).by(1)
end
it 'creates a dast_scanner_profile with the given params' do
aggregate_failures do
expect(payload).to be_persisted
expect(payload.spider_timeout).to eq(spider_timeout)
expect(payload.target_timeout).to eq(target_timeout)
expect(payload.name).to eq(name)
expect(DastScannerProfile.scan_types[payload.scan_type]).to eq(scan_type)
expect(payload.use_ajax_spider).to eq(use_ajax_spider)
expect(payload.show_debug_messages).to eq(show_debug_messages)
end
end
it 'returns a dast_scanner_profile payload' do
expect(payload).to be_a(DastScannerProfile)
end
......
......@@ -12,6 +12,9 @@ RSpec.describe DastScannerProfiles::UpdateService do
let_it_be(:new_profile_name) { SecureRandom.hex }
let_it_be(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
let_it_be(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
let_it_be(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
let_it_be(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
let_it_be(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
before do
stub_licensed_features(security_on_demand_scans: true)
......@@ -23,7 +26,10 @@ RSpec.describe DastScannerProfiles::UpdateService do
id: dast_scanner_profile_id,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
spider_timeout: new_spider_timeout,
scan_type: new_scan_type,
use_ajax_spider: new_use_ajax_spider,
show_debug_messages: new_show_debug_messages
)
end
......@@ -53,7 +59,10 @@ RSpec.describe DastScannerProfiles::UpdateService do
id: dast_scanner_profile.id,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
spider_timeout: new_spider_timeout,
scan_type: new_scan_type,
use_ajax_spider: new_use_ajax_spider,
show_debug_messages: new_show_debug_messages
)
end
......@@ -67,6 +76,31 @@ RSpec.describe DastScannerProfiles::UpdateService do
project.add_developer(user)
end
context 'when the user omits unrequired elements' do
before do
project.add_developer(user)
end
subject do
described_class.new(project, user).execute(
id: dast_scanner_profile_id,
profile_name: new_profile_name,
target_timeout: new_target_timeout,
spider_timeout: new_spider_timeout
)
end
it 'does not update those elements' do
updated_dast_scanner_profile = payload.reload
aggregate_failures do
expect(updated_dast_scanner_profile.scan_type).to eq(dast_scanner_profile.scan_type)
expect(updated_dast_scanner_profile.use_ajax_spider).to eq(dast_scanner_profile.use_ajax_spider)
expect(updated_dast_scanner_profile.show_debug_messages).to eq(dast_scanner_profile.show_debug_messages)
end
end
end
it 'returns a success status' do
expect(status).to eq(:success)
end
......@@ -78,6 +112,9 @@ RSpec.describe DastScannerProfiles::UpdateService do
expect(updated_dast_scanner_profile.name).to eq(new_profile_name)
expect(updated_dast_scanner_profile.target_timeout).to eq(new_target_timeout)
expect(updated_dast_scanner_profile.spider_timeout).to eq(new_spider_timeout)
expect(updated_dast_scanner_profile.scan_type).to eq(new_scan_type)
expect(updated_dast_scanner_profile.use_ajax_spider).to eq(new_use_ajax_spider)
expect(updated_dast_scanner_profile.show_debug_messages).to eq(new_show_debug_messages)
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment