Merge branch 'philipcunningham-add-additional-config-to-yaml-225406' into 'master'

Inject additional site profile config into CI yaml

See merge request gitlab-org/gitlab!57454

ee/app/services/ci/dast_scan_ci_configuration_service.rb

@@ -8,7 +8,12 @@ module Ci
       target_url: 'DAST_WEBSITE',
       use_ajax_spider: 'DAST_USE_AJAX_SPIDER',
       show_debug_messages: 'DAST_DEBUG',
-      full_scan_enabled: 'DAST_FULL_SCAN_ENABLED'
+      full_scan_enabled: 'DAST_FULL_SCAN_ENABLED',
+      excluded_urls: 'DAST_EXCLUDE_URLS',
+      auth_url: 'DAST_AUTH_URL',
+      auth_username_field: 'DAST_USERNAME_FIELD',
+      auth_password_field: 'DAST_PASSWORD_FIELD',
+      auth_username: 'DAST_USERNAME'
     }.freeze
 
     def self.execute(args)

ee/app/services/dast_on_demand_scans/params_create_service.rb

@@ -5,11 +5,11 @@ module DastOnDemandScans
     include Gitlab::Utils::StrongMemoize
 
     def execute
-      return ServiceResponse.error(message: 'Site Profile was not provided') unless dast_site.present?
+      return ServiceResponse.error(message: 'Dast site profile was not provided') unless dast_site_profile.present?
       return ServiceResponse.error(message: 'Cannot run active scan against unvalidated target') unless active_scan_allowed?
 
       ServiceResponse.success(
-        payload: default_config.merge(scanner_profile_config)
+        payload: default_config.merge(site_profile_config, scanner_profile_config)
       )
     end
 
@@ -33,7 +33,13 @@ module DastOnDemandScans
 
     def dast_site
       strong_memoize(:dast_site) do
-        params[:dast_site_profile]&.dast_site
+        dast_site_profile&.dast_site
+      end
+    end
+
+    def dast_site_profile
+      strong_memoize(:dast_site_profile) do
+        params[:dast_site_profile]
       end
     end
 
@@ -56,6 +62,17 @@ module DastOnDemandScans
       }
     end
 
+    def site_profile_config
+      return {} unless dast_site_profile
+
+      {
+        excluded_urls: dast_site_profile.excluded_urls.join(','),
+        auth_username_field: dast_site_profile.auth_username_field,
+        auth_password_field: dast_site_profile.auth_password_field,
+        auth_username: dast_site_profile.auth_username
+      }
+    end
+
     def scanner_profile_config
       return {} unless dast_scanner_profile
 

ee/spec/services/ci/dast_scan_ci_configuration_service_spec.rb

@@ -14,7 +14,12 @@ RSpec.describe Ci::DastScanCiConfigurationService do
           target_url: 'https://gitlab.local',
           use_ajax_spider: true,
           show_debug_messages: true,
-          full_scan_enabled: true
+          full_scan_enabled: true,
+          excluded_urls: 'https://gitlab.local/hello,https://gitlab.local/world',
+          auth_url: 'https://gitlab.local/login',
+          auth_username_field: 'session[username]',
+          auth_password_field: 'session[password]',
+          auth_username: 'tanuki'
         }
       end
 
@@ -32,6 +37,11 @@ RSpec.describe Ci::DastScanCiConfigurationService do
           DAST_USE_AJAX_SPIDER: 'true'
           DAST_DEBUG: 'true'
           DAST_FULL_SCAN_ENABLED: 'true'
+          DAST_EXCLUDE_URLS: https://gitlab.local/hello,https://gitlab.local/world
+          DAST_AUTH_URL: https://gitlab.local/login
+          DAST_USERNAME_FIELD: session[username]
+          DAST_PASSWORD_FIELD: session[password]
+          DAST_USERNAME: tanuki
         YAML
       end
 

ee/spec/services/ci/run_dast_scan_service_spec.rb

@@ -6,17 +6,36 @@ RSpec.describe Ci::RunDastScanService do
   let(:user) { create(:user) }
   let(:project) { create(:project, :repository, creator: user) }
   let(:branch) { project.default_branch }
+  let(:spider_timeout) { 42 }
+  let(:target_timeout) { 21 }
   let(:target_url) { generate(:url) }
   let(:use_ajax_spider) { true }
   let(:show_debug_messages) { false }
   let(:full_scan_enabled) { true }
+  let(:excluded_urls) { "#{target_url}/hello,#{target_url}/world" }
+  let(:auth_url) { "#{target_url}/login" }
 
   before do
     stub_licensed_features(security_on_demand_scans: true)
   end
 
   describe '#execute' do
-    subject { described_class.new(project, user).execute(branch: branch, target_url: target_url, spider_timeout: 42, target_timeout: 21, use_ajax_spider: use_ajax_spider, show_debug_messages: show_debug_messages, full_scan_enabled: full_scan_enabled) }
+    subject do
+      described_class.new(project, user).execute(
+        branch: branch,
+        target_url: target_url,
+        spider_timeout: spider_timeout,
+        target_timeout: target_timeout,
+        use_ajax_spider: use_ajax_spider,
+        show_debug_messages: show_debug_messages,
+        full_scan_enabled: full_scan_enabled,
+        excluded_urls: excluded_urls,
+        auth_url: auth_url,
+        auth_username_field: 'session[username]',
+        auth_password_field: 'session[password]',
+        auth_username: 'tanuki'
+      )
+    end
 
     let(:status) { subject.status }
     let(:pipeline) { subject.payload }
@@ -90,46 +109,67 @@ RSpec.describe Ci::RunDastScanService do
 
       it 'creates a build with appropriate variables' do
         build = pipeline.builds.first
+
         expected_variables = [
           {
-            'key' => 'DAST_VERSION',
-            'value' => '1',
+            'key' => 'DAST_AUTH_URL',
+            'value' => auth_url,
             'public' => true
           }, {
-            'key' => 'SECURE_ANALYZERS_PREFIX',
-            'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+            'key' => 'DAST_DEBUG',
+            'value' => 'false',
             'public' => true
           }, {
-            'key' => 'DAST_WEBSITE',
-            'value' => target_url,
+            'key' => 'DAST_EXCLUDE_URLS',
+            'value' => excluded_urls,
             'public' => true
-          },
-          {
+          }, {
+            'key' => 'DAST_FULL_SCAN_ENABLED',
+            'value' => 'true',
+            'public' => true
+          }, {
+            'key' => 'DAST_PASSWORD_FIELD',
+            'value' => 'session[password]',
+            'public' => true
+          }, {
             'key' => 'DAST_SPIDER_MINS',
-            'value' => '42',
+            'value' => spider_timeout.to_s,
             'public' => true
           }, {
             'key' => 'DAST_TARGET_AVAILABILITY_TIMEOUT',
-            'value' => '21',
+            'value' => target_timeout.to_s,
             'public' => true
           }, {
-            'key' => "DAST_USE_AJAX_SPIDER",
-            'public' => true,
-            'value' => 'true'
+            'key' => 'DAST_USERNAME',
+            'value' => 'tanuki',
+            'public' => true
           }, {
-            'key' => "DAST_DEBUG",
-            'public' => true,
-            'value' => 'false'
+            'key' => 'DAST_USERNAME_FIELD',
+            'value' => 'session[username]',
+            'public' => true
+          }, {
+            'key' => 'DAST_USE_AJAX_SPIDER',
+            'value' => 'true',
+            'public' => true
           }, {
-            'key' => "DAST_FULL_SCAN_ENABLED",
-            'public' => true,
-            'value' => 'true'
+            'key' => 'DAST_VERSION',
+            'value' => '1',
+            'public' => true
+          }, {
+            'key' => 'DAST_WEBSITE',
+            'value' => target_url,
+            'public' => true
           }, {
             'key' => 'GIT_STRATEGY',
             'value' => 'none',
             'public' => true
+          }, {
+            'key' => 'SECURE_ANALYZERS_PREFIX',
+            'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers',
+            'public' => true
           }
         ]
+
         expect(build.yaml_variables).to contain_exactly(*expected_variables)
       end
 

ee/spec/services/dast_on_demand_scans/create_service_spec.rb

@@ -51,7 +51,11 @@ RSpec.describe DastOnDemandScans::CreateService do
 
         it 'delegates pipeline creation to Ci::RunDastScanService', :aggregate_failures do
           expected_params = {
-            branch: 'master',
+            auth_password_field: dast_site_profile.auth_password_field,
+            auth_username: dast_site_profile.auth_username,
+            auth_username_field: dast_site_profile.auth_username_field,
+            branch: project.default_branch_or_master,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
             full_scan_enabled: false,
             show_debug_messages: false,
             spider_timeout: nil,

ee/spec/services/dast_on_demand_scans/params_create_service_spec.rb

@@ -17,7 +17,7 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
 
       it 'responds with error message', :aggregate_failures do
         expect(subject).not_to be_success
-        expect(subject.message).to eq('Site Profile was not provided')
+        expect(subject.message).to eq('Dast site profile was not provided')
       end
     end
 
@@ -39,8 +39,12 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
 
         it 'returns prepared scanner params in the payload' do
           expect(subject.payload).to eq(
-            branch: 'master',
-            target_url: dast_site_profile.dast_site.url
+            branch: project.default_branch,
+            target_url: dast_site_profile.dast_site.url,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            auth_username_field: dast_site_profile.auth_username_field,
+            auth_password_field: dast_site_profile.auth_password_field,
+            auth_username: dast_site_profile.auth_username
           )
         end
       end
@@ -51,11 +55,15 @@ RSpec.describe DastOnDemandScans::ParamsCreateService do
         it 'returns prepared scanner params in the payload' do
           expect(subject.payload).to eq(
             branch: project.default_branch,
+            target_url: dast_site_profile.dast_site.url,
+            excluded_urls: dast_site_profile.excluded_urls.join(','),
+            auth_username_field: dast_site_profile.auth_username_field,
+            auth_password_field: dast_site_profile.auth_password_field,
+            auth_username: dast_site_profile.auth_username,
             full_scan_enabled: false,
             show_debug_messages: false,
             spider_timeout: nil,
             target_timeout: nil,
-            target_url: dast_site_profile.dast_site.url,
             use_ajax_spider: false
           )
         end

ee/spec/services/security/security_orchestration_policies/on_demand_scan_pipeline_configuration_service_spec.rb

@@ -50,7 +50,11 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
 
     it 'delegates variables preparation to ::Ci::DastScanCiConfigurationService' do
       expected_params = {
+        auth_password_field: site_profile.auth_password_field,
+        auth_username: site_profile.auth_username,
+        auth_username_field: site_profile.auth_username_field,
         branch: project.default_branch_or_master,
+        excluded_urls: site_profile.excluded_urls.join(','),
         full_scan_enabled: false,
         show_debug_messages: false,
         spider_timeout: nil,
@@ -76,19 +80,23 @@ RSpec.describe Security::SecurityOrchestrationPolicies::OnDemandScanPipelineConf
           stage: 'test',
           image: { name: '$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION' },
           variables: {
-            DAST_VERSION: 1,
-            SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
-            DAST_WEBSITE: site_profile.dast_site.url,
+            DAST_DEBUG: 'false',
+            DAST_EXCLUDE_URLS: site_profile.excluded_urls.join(','),
             DAST_FULL_SCAN_ENABLED: 'false',
+            DAST_PASSWORD_FIELD: site_profile.auth_password_field,
+            DAST_USERNAME: site_profile.auth_username,
+            DAST_USERNAME_FIELD: site_profile.auth_username_field,
             DAST_USE_AJAX_SPIDER: 'false',
-            DAST_DEBUG: 'false'
+            DAST_VERSION: 1,
+            DAST_WEBSITE: site_profile.dast_site.url,
+            SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers'
           },
           allow_failure: true,
           script: ['/analyze'],
           artifacts: { reports: { dast: 'gl-dast-report.json' } }
         },
         'dast-on-demand-1': {
-          script: 'echo "Error during On-Demand Scan execution: Site Profile was not provided" && false',
+          script: 'echo "Error during On-Demand Scan execution: Dast site profile was not provided" && false',
           allow_failure: true
         }
       }