Commit 07826546 authored by Sashi Kumar Kumaresan's avatar Sashi Kumar Kumaresan Committed by Andy Soiron

Move security policy yaml in specs to factory

This commit moves the hardcoded policy yaml content
in specs into a new factory.

This commit is a follow-up from
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69108.
parent 1e0dcf3a
......@@ -10,22 +10,7 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
let_it_be(:policy_management_project) { create(:project, :repository, namespace: user.namespace) }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
let_it_be(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
let_it_be(:policy_yaml) do
<<-EOS
name: Run DAST in every pipeline
type: scan_execution_policy
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }
......
......@@ -11,17 +11,8 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
let_it_be(:policy_last_updated_at) { Time.now }
let_it_be(:user) { policy_management_project.owner }
let_it_be(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy) { build(:scan_execution_policy, name: 'Run DAST in every pipeline') }
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
let(:repository) { instance_double(Repository, root_ref: 'master') }
......@@ -33,7 +24,7 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
commit.committed_date = policy_last_updated_at
allow(policy_management_project).to receive(:repository).and_return(repository)
allow(repository).to receive(:last_commit_for_path).and_return(commit)
allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
context 'when feature is not licensed' do
......
......@@ -73,43 +73,25 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
let_it_be(:policies_project) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: #{dast_scanner_profile.name}
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile 2
- name: Run DAST in every pipeline 2
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile 3
scanner_profile: Scanner Profile 3
- scan: dast
site_profile: Site Profile 4
scanner_profile: Scanner Profile 4
EOS
let(:policy1) do
build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: dast_scanner_profile.name },
{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
])
end
let(:policy2) do
build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
{ scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
])
end
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
before do
create_list(:dast_scanner_profile, 30, project: project)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
end
it 'only calls Gitaly twice when multiple profiles are present', :request_store do
......
......@@ -138,43 +138,25 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
let_it_be(:policies_project) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- scan: dast
site_profile: Site Profile 2
scanner_profile: Scanner Profile 2
- name: Run DAST in every pipeline 2
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "master"
actions:
- scan: dast
site_profile: Site Profile 3
scanner_profile: Scanner Profile 3
- scan: dast
site_profile: Site Profile 4
scanner_profile: Scanner Profile 4
EOS
let(:policy1) do
build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
{ scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
])
end
let(:policy2) do
build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
{ scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
{ scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
])
end
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
before do
create_list(:dast_site_profile, 30, project: project)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
end
it 'only calls Gitaly twice when multiple profiles are present', :request_store do
......
......@@ -45,30 +45,14 @@ RSpec.describe Gitlab::Ci::Config do
let_it_be(:policies_repository) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy)]) }
subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }
before do
allow_next_instance_of(Repository) do |repository|
# allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
allow(repository).to receive(:blob_data_at).and_return(policy_yml)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
end
......
......@@ -16,28 +16,18 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
let_it_be(:policies_repository) { create(:project, :repository) }
let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- scan: secret_detection
EOS
let_it_be(:policy) do
build(:scan_execution_policy, actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
{ scan: 'secret_detection' }
])
end
let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
before do
allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return(policy_yml)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
end
......@@ -56,20 +46,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
end
shared_examples 'when policy is invalid' do
let_it_be(:policy_yml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches: "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
let_it_be(:policy_yaml) do
build(:scan_execution_policy_yaml, policies:
[build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
end
it 'does not modify the config', :aggregate_failures do
......
......@@ -7,22 +7,7 @@ RSpec.describe 'Create scan execution policy for a project' do
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project, :repository, namespace: current_user.namespace) }
let_it_be(:policy_yaml) do
<<-EOS
name: Run DAST in every pipeline
type: scan_execution_policy
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
def mutation
variables = { project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: 'APPEND' }
......
......@@ -8,18 +8,7 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
let_it_be(:project) { create(:project, :repository, namespace: owner.namespace) }
let_it_be(:policy_management_project) { create(:project, :repository, namespace: owner.namespace) }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
let_it_be(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let_it_be(:policy) { build(:scan_execution_policy) }
let_it_be(:type) { 'scan_execution_policy' }
let_it_be(:index) { project_security_policies_url(project) }
let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment