Merge branch...

Merge branch 'philipcunningham-add-dynamically-generated-ci-variables-for-dast-326953' into 'master' Generate DAST CI variables at the model layer See merge request gitlab-org/gitlab!62648

Merge branch...
Merge branch 'philipcunningham-add-dynamically-generated-ci-variables-for-dast-326953' into 'master' Generate DAST CI variables at the model layer See merge request gitlab-org/gitlab!62648
7491fc11 · Heinrich Lee Yu · f42332fe · 71eb7d06 · 7491fc11 · 7491fc11
Commit 7491fc11 authored May 31, 2021 by Heinrich Lee Yu
7 changed files
--- a/ee/app/models/dast/profile.rb
+++ b/ee/app/models/dast/profile.rb
@@ -32,7 +32,7 @@ module Dast
      Dast::Branch.new(self)
    end

-    def ci_variables
+    def secret_ci_variables
      ::Gitlab::Ci::Variables::Collection.new(secret_variables)
    end


--- a/ee/app/models/dast_scanner_profile.rb
+++ b/ee/app/models/dast_scanner_profile.rb
@@ -14,6 +14,16 @@ class DastScannerProfile < ApplicationRecord
    active: 2
  }

+  def ci_variables
+    ::Gitlab::Ci::Variables::Collection.new.tap do |variables|
+      variables.append(key: 'DAST_SPIDER_MINS', value: String(spider_timeout)) if spider_timeout
+      variables.append(key: 'DAST_TARGET_AVAILABILITY_TIMEOUT', value: String(target_timeout)) if target_timeout
+      variables.append(key: 'DAST_FULL_SCAN_ENABLED', value: String(full_scan_enabled?))
+      variables.append(key: 'DAST_USE_AJAX_SPIDER', value: String(use_ajax_spider))
+      variables.append(key: 'DAST_DEBUG', value: String(show_debug_messages))
+    end
+  end
+
  def full_scan_enabled?
    scan_type == 'active'
  end

--- a/ee/app/models/dast_site_profile.rb
+++ b/ee/app/models/dast_site_profile.rb
@@ -29,6 +29,30 @@ class DastSiteProfile < ApplicationRecord
  delegate :dast_site_validation, to: :dast_site, allow_nil: true

  def ci_variables
+    url = dast_site.url
+
+    collection = ::Gitlab::Ci::Variables::Collection.new.tap do |variables|
+      if target_type == 'website'
+        variables.append(key: 'DAST_WEBSITE', value: url)
+      else
+        variables.append(key: 'DAST_API_SPECIFICATION', value: url)
+        variables.append(key: 'DAST_API_HOST_OVERRIDE', value: URI(url).host)
+      end
+
+      variables.append(key: 'DAST_EXCLUDE_URLS', value: excluded_urls.join(',')) unless excluded_urls.empty?
+
+      if auth_enabled
+        variables.append(key: 'DAST_AUTH_URL', value: auth_url)
+        variables.append(key: 'DAST_USERNAME', value: auth_username)
+        variables.append(key: 'DAST_USERNAME_FIELD', value: auth_username_field)
+        variables.append(key: 'DAST_PASSWORD_FIELD', value: auth_password_field)
+      end
+    end
+
+    collection.compact
+  end
+
+  def secret_ci_variables
    ::Gitlab::Ci::Variables::Collection.new(secret_variables)
  end


--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -52,7 +52,7 @@ module EE
              # Subject to change. Please see gitlab-org/gitlab#330950 for more info.
              profile = pipeline.dast_profile || pipeline.dast_site_profile

-              collection.concat(profile.ci_variables)
+              collection.concat(profile.secret_ci_variables)
            end
          end
        end

--- a/ee/spec/models/dast/profile_spec.rb
+++ b/ee/spec/models/dast/profile_spec.rb
@@ -122,10 +122,10 @@ RSpec.describe Dast::Profile, type: :model do
      end
    end

-    describe '#ci_variables' do
+    describe '#secret_ci_variables' do
      context 'when there are no secret_variables' do
        it 'returns an empty collection' do
-          expect(subject.ci_variables.size).to be_zero
+          expect(subject.secret_ci_variables.size).to be_zero
        end
      end

@@ -133,7 +133,7 @@ RSpec.describe Dast::Profile, type: :model do
        it 'returns a collection containing that variable' do
          variable = create(:dast_site_profile_secret_variable, dast_site_profile: subject.dast_site_profile)

-          expect(subject.ci_variables.to_runner_variables).to include(key: variable.key, value: variable.value, public: false, masked: true)
+          expect(subject.secret_ci_variables.to_runner_variables).to include(key: variable.key, value: variable.value, public: false, masked: true)
        end
      end
    end

--- a/ee/spec/models/dast_scanner_profile_spec.rb
+++ b/ee/spec/models/dast_scanner_profile_spec.rb
@@ -33,6 +33,29 @@ RSpec.describe DastScannerProfile, type: :model do
    end
  end

+  describe '#ci_variables' do
+    let(:collection) { subject.ci_variables }
+
+    it 'returns a collection of variables' do
+      expected_variables = [
+        { key: 'DAST_FULL_SCAN_ENABLED', value: 'false', public: true, masked: false },
+        { key: 'DAST_USE_AJAX_SPIDER', value: 'false', public: true, masked: false },
+        { key: 'DAST_DEBUG', value: 'false', public: true, masked: false }
+      ]
+
+      expect(collection.to_runner_variables).to eq(expected_variables)
+    end
+
+    context 'when optional fields are set' do
+      subject { build(:dast_scanner_profile, spider_timeout: 1, target_timeout: 2) }
+
+      it 'returns a collection of variables including these', :aggregate_failures do
+        expect(collection).to include(key: 'DAST_SPIDER_MINS', value: String(subject.spider_timeout), public: true)
+        expect(collection).to include(key: 'DAST_TARGET_AVAILABILITY_TIMEOUT', value: String(subject.target_timeout), public: true)
+      end
+    end
+  end
+
  describe 'full_scan_enabled?' do
    describe 'when is active scan' do
      subject { create(:dast_scanner_profile, scan_type: :active).full_scan_enabled? }

--- a/ee/spec/models/dast_site_profile_spec.rb
+++ b/ee/spec/models/dast_site_profile_spec.rb
@@ -195,9 +195,63 @@ RSpec.describe DastSiteProfile, type: :model do
    end

    describe '#ci_variables' do
+      let(:collection) { subject.ci_variables }
+      let(:keys) { subject.ci_variables.map { |variable| variable[:key] } }
+      let(:excluded_urls) { subject.excluded_urls.join(',') }
+
+      it 'returns a collection of variables' do
+        expected_variables = [
+          { key: 'DAST_WEBSITE', value: subject.dast_site.url, public: true, masked: false },
+          { key: 'DAST_EXCLUDE_URLS', value: excluded_urls, public: true, masked: false },
+          { key: 'DAST_AUTH_URL', value: subject.auth_url, public: true, masked: false },
+          { key: 'DAST_USERNAME', value: subject.auth_username, public: true, masked: false },
+          { key: 'DAST_USERNAME_FIELD', value: subject.auth_username_field, public: true, masked: false },
+          { key: 'DAST_PASSWORD_FIELD', value: subject.auth_password_field, public: true, masked: false }
+        ]
+
+        expect(collection.to_runner_variables).to eq(expected_variables)
+      end
+
+      context 'when target_type=api' do
+        subject { build(:dast_site_profile, target_type: :api) }
+
+        it 'returns a collection of variables with api configuration only', :aggregate_failures do
+          expect(keys).not_to include('DAST_WEBSITE')
+
+          expect(collection).to include(key: 'DAST_API_SPECIFICATION', value: subject.dast_site.url, public: true)
+          expect(collection).to include(key: 'DAST_API_HOST_OVERRIDE', value: URI(subject.dast_site.url).host, public: true)
+        end
+      end
+
+      context 'when auth is disabled' do
+        subject { build(:dast_site_profile, auth_enabled: false) }
+
+        it 'returns a collection of variables excluding any auth variables', :aggregate_failures do
+          expect(keys).not_to include('DAST_AUTH_URL', 'DAST_USERNAME', 'DAST_USERNAME_FIELD', 'DAST_PASSWORD_FIELD')
+        end
+      end
+
+      context 'when excluded_urls is empty' do
+        subject { build(:dast_site_profile, excluded_urls: []) }
+
+        it 'is removed from the collection' do
+          expect(keys).not_to include('DAST_EXCLUDE_URLS')
+        end
+      end
+
+      context 'when a variable is set to nil' do
+        subject { build(:dast_site_profile, auth_enabled: true, auth_username_field: nil) }
+
+        it 'is removed from the collection' do
+          expect(keys).not_to include('DAST_USERNAME_FIELD')
+        end
+      end
+    end
+
+    describe '#secret_ci_variables' do
      context 'when there are no secret_variables' do
        it 'returns an empty collection' do
-          expect(subject.ci_variables.size).to be_zero
+          expect(subject.secret_ci_variables.size).to be_zero
        end
      end

@@ -205,7 +259,7 @@ RSpec.describe DastSiteProfile, type: :model do
        it 'returns a collection containing that variable' do
          variable = create(:dast_site_profile_secret_variable, dast_site_profile: subject)

-          expect(subject.ci_variables.to_runner_variables).to include(key: variable.key, value: variable.value, public: false, masked: true)
+          expect(subject.secret_ci_variables.to_runner_variables).to include(key: variable.key, value: variable.value, public: false, masked: true)
        end
      end
    end