Prevent DAST profiles from being deleted when referenced by policies

This change adds new fields to GraphQL API and adds additional contraint that verifies if given DAST Site/Scanner profile can be deleted if is referenced by active policy

Prevent DAST profiles from being deleted when referenced by policies
This change adds new fields to GraphQL API and adds additional contraint that verifies if given DAST Site/Scanner profile can be deleted if is referenced by active policy
0ae53f72 · Alan (Maciej) Paruszewski · Markus Koller · 5ffe0ec9 · 0ae53f72 · 0ae53f72
Commit 0ae53f72 authored Mar 01, 2021 by Alan (Maciej) Paruszewski Committed by Markus Koller Mar 01, 2021
24 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -1302,6 +1302,7 @@ Represents a DAST scanner profile.
 | `globalId` **{warning-solid}** | DastScannerProfileID! | **Deprecated:** Use `id`. Deprecated in 13.6. |
 | `id` | DastScannerProfileID! | ID of the DAST scanner profile. |
 | `profileName` | String | Name of the DAST scanner profile. |
+| `referencedInSecurityPolicies` | String! => Array | List of security policy names that are referencing given project. |
 | `scanType` | DastScanTypeEnum | Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan. |
 | `showDebugMessages` | Boolean! | Indicates if debug messages should be included in DAST console output. True to include the debug messages. |
 | `spiderTimeout` | Int | The maximum number of minutes allowed for the spider to traverse the site. |
@@ -1348,6 +1349,7 @@ Represents a DAST Site Profile.
 | `id` | DastSiteProfileID! | ID of the site profile. |
 | `normalizedTargetUrl` | String | Normalized URL of the target to be scanned. |
 | `profileName` | String | The name of the site profile. |
+| `referencedInSecurityPolicies` | String! => Array | List of security policy names that are referencing given project. |
 | `targetUrl` | String | The URL of the target to be scanned. |
 | `userPermissions` | DastSiteProfilePermissions! | Permissions for the current user on the resource |
 | `validationStatus` | DastSiteProfileValidationStatusEnum | The current validation status of the site profile. |

--- a/ee/app/graphql/mutations/dast_site_profiles/delete.rb
+++ b/ee/app/graphql/mutations/dast_site_profiles/delete.rb
@@ -21,13 +21,12 @@ module Mutations
        # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883
        id = ::Types::GlobalIDType[::DastSiteProfile].coerce_isolated_input(id)
-        dast_site_profile = find_dast_site_profile(project: project, global_id: id)
+        service = ::DastSiteProfiles::DestroyService.new(project, current_user)
+        result = service.execute(id: id.model_id)
-        return { errors: dast_site_profile.errors.full_messages } unless dast_site_profile.destroy
+        return { errors: result.errors } unless result.success?
        { errors: [] }
-      rescue ActiveRecord::RecordNotFound
-        raise_resource_not_available_error!
      end
      private
@@ -35,12 +34,6 @@ module Mutations
      def find_object(full_path)
        Project.find_by_full_path(full_path)
      end
-      def find_dast_site_profile(project:, global_id:)
-        project.dast_site_profiles.find(global_id.model_id)
-      rescue ActiveRecord::RecordNotFound
-        raise_resource_not_available_error!
-      end
    end
  end
 end
--- a/ee/app/graphql/types/dast_scanner_profile_type.rb
+++ b/ee/app/graphql/types/dast_scanner_profile_type.rb
@@ -40,6 +40,11 @@ module Types
    field :edit_path, GraphQL::STRING_TYPE, null: true,
          description: 'Relative web path to the edit page of a scanner profile.'
+    field :referenced_in_security_policies, [GraphQL::STRING_TYPE], null: true,
+          complexity: 10,
+          calls_gitaly: true,
+          description: 'List of security policy names that are referencing given project.'
    def edit_path
      Rails.application.routes.url_helpers.edit_project_security_configuration_dast_profiles_dast_scanner_profile_path(object.project, object)
    end

--- a/ee/app/graphql/types/dast_site_profile_type.rb
+++ b/ee/app/graphql/types/dast_site_profile_type.rb
@@ -29,6 +29,11 @@ module Types
    field :normalized_target_url, GraphQL::STRING_TYPE, null: true,
          description: 'Normalized URL of the target to be scanned.'
+    field :referenced_in_security_policies, [GraphQL::STRING_TYPE], null: true,
+          complexity: 10,
+          calls_gitaly: true,
+          description: 'List of security policy names that are referencing given project.'
    def target_url
      object.dast_site.url
    end

--- a/ee/app/models/dast_scanner_profile.rb
+++ b/ee/app/models/dast_scanner_profile.rb
@@ -17,4 +17,10 @@ class DastScannerProfile < ApplicationRecord
  def full_scan_enabled?
    scan_type == 'active'
  end
+  def referenced_in_security_policies
+    return [] unless project.security_orchestration_policy_configuration.present?
+    project.security_orchestration_policy_configuration.active_policy_names_with_dast_scanner_profile(name)
+  end
 end
--- a/ee/app/models/dast_site_profile.rb
+++ b/ee/app/models/dast_site_profile.rb
@@ -21,6 +21,12 @@ class DastSiteProfile < ApplicationRecord
    dast_site_validation.state
  end
+  def referenced_in_security_policies
+    return [] unless project.security_orchestration_policy_configuration.present?
+    project.security_orchestration_policy_configuration.active_policy_names_with_dast_site_profile(name)
+  end
  private
  def cleanup_dast_site

--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -2,6 +2,8 @@
 module Security
  class OrchestrationPolicyConfiguration < ApplicationRecord
+    include Gitlab::Utils::StrongMemoize
    self.table_name = 'security_orchestration_policy_configurations'
    POLICIES_BASE_PATH = '.gitlab/security-policies/'
@@ -14,7 +16,13 @@ module Security
    validates :project, presence: true, uniqueness: true
    validates :security_policy_management_project, presence: true, uniqueness: true
+    def enabled?
+      ::Feature.enabled?(:security_orchestration_policies_configuration, project)
+    end
    def active_policies
+      return [] unless enabled?
      security_policy_management_project
        .repository
        .ls_files(security_policy_management_project.default_branch_or_master)
@@ -30,8 +38,33 @@ module Security
        .select { |action| action[:scan].in?(ON_DEMAND_SCANS) }
    end
+    def active_policy_names_with_dast_site_profile(profile_name)
+      active_policy_names_with_dast_profiles.dig(:site_profiles, profile_name)
+    end
+    def active_policy_names_with_dast_scanner_profile(profile_name)
+      active_policy_names_with_dast_profiles.dig(:scanner_profiles, profile_name)
+    end
    private
+    def active_policy_names_with_dast_profiles
+      strong_memoize(:active_policy_names_with_dast_profiles) do
+        profiles = { site_profiles: Hash.new { Set.new }, scanner_profiles: Hash.new { Set.new } }
+        active_policies.each do |policy|
+          policy[:actions].each do |action|
+            next unless action[:scan].in?(ON_DEMAND_SCANS)
+            profiles[:site_profiles][action[:site_profile]] += [policy[:name]]
+            profiles[:scanner_profiles][action[:scanner_profile]] += [policy[:name]] if action[:scanner_profile].present?
+          end
+        end
+        profiles
+      end
+    end
    def policy_at(path)
      security_policy_management_project
        .repository

--- a/ee/app/services/dast_scanner_profiles/destroy_service.rb
+++ b/ee/app/services/dast_scanner_profiles/destroy_service.rb
@@ -9,6 +9,7 @@ module DastScannerProfiles
      dast_scanner_profile = find_dast_scanner_profile(id)
      return ServiceResponse.error(message: "Scanner profile not found for given parameters") unless dast_scanner_profile
+      return ServiceResponse.error(message: "Cannot delete #{dast_scanner_profile.name} referenced in security policy") if referenced_in_security_policy?(dast_scanner_profile)
      if dast_scanner_profile.destroy
        ServiceResponse.success(payload: dast_scanner_profile)
@@ -23,6 +24,10 @@ module DastScannerProfiles
      ::ServiceResponse.error(message: _('You are not authorized to update this scanner profile'), http_status: 403)
    end
+    def referenced_in_security_policy?(profile)
+      profile.referenced_in_security_policies.present?
+    end
    def can_delete_scanner_profile?
      can?(current_user, :create_on_demand_dast_scan, project)
    end

--- a/ee/app/services/dast_scanner_profiles/update_service.rb
+++ b/ee/app/services/dast_scanner_profiles/update_service.rb
@@ -9,6 +9,7 @@ module DastScannerProfiles
      dast_scanner_profile = find_dast_scanner_profile(id)
      return ServiceResponse.error(message: "Scanner profile not found for given parameters") unless dast_scanner_profile
+      return ServiceResponse.error(message: "Cannot modify #{dast_scanner_profile.name} referenced in security policy") if referenced_in_security_policy?(dast_scanner_profile)
      update_args = {
        name: profile_name,
@@ -32,6 +33,10 @@ module DastScannerProfiles
      ::ServiceResponse.error(message: _('You are not authorized to update this scanner profile'), http_status: 403)
    end
+    def referenced_in_security_policy?(profile)
+      profile.referenced_in_security_policies.present?
+    end
    def can_update_scanner_profile?
      can?(current_user, :create_on_demand_dast_scan, project)
    end

--- a/ee/app/services/dast_site_profiles/destroy_service.rb
+++ b/ee/app/services/dast_site_profiles/destroy_service.rb
+# frozen_string_literal: true
+module DastSiteProfiles
+  class DestroyService < BaseService
+    include Gitlab::Allowable
+    def execute(id:)
+      return unauthorized unless can_delete_site_profile?
+      dast_site_profile = find_dast_site_profile(id)
+      return ServiceResponse.error(message: "Site profile not found for given parameters") unless dast_site_profile
+      return ServiceResponse.error(message: "Cannot delete #{dast_site_profile.name} referenced in security policy") if referenced_in_security_policy?(dast_site_profile)
+      if dast_site_profile.destroy
+        ServiceResponse.success(payload: dast_site_profile)
+      else
+        ServiceResponse.error(message: 'Site profile failed to delete')
+      end
+    end
+    private
+    def unauthorized
+      ::ServiceResponse.error(message: _('You are not authorized to delete this site profile'), http_status: 403)
+    end
+    def referenced_in_security_policy?(profile)
+      profile.referenced_in_security_policies.present?
+    end
+    def can_delete_site_profile?
+      can?(current_user, :create_on_demand_dast_scan, project)
+    end
+    def find_dast_site_profile(id)
+      project.dast_site_profiles.id_in(id).first
+    end
+  end
+end
--- a/ee/app/services/dast_site_profiles/update_service.rb
+++ b/ee/app/services/dast_site_profiles/update_service.rb
@@ -5,9 +5,11 @@ module DastSiteProfiles
    def execute(id:, profile_name:, target_url:)
      return ServiceResponse.error(message: 'Insufficient permissions') unless allowed?
-      ActiveRecord::Base.transaction do
      dast_site_profile = find_dast_site_profile!(id)
+      return ServiceResponse.error(message: "Cannot modify #{dast_site_profile.name} referenced in security policy") if referenced_in_security_policy?(dast_site_profile)
+      ActiveRecord::Base.transaction do
        service = DastSites::FindOrCreateService.new(project, current_user)
        dast_site = service.execute!(url: target_url)
@@ -28,6 +30,10 @@ module DastSiteProfiles
      Ability.allowed?(current_user, :create_on_demand_dast_scan, project)
    end
+    def referenced_in_security_policy?(profile)
+      profile.referenced_in_security_policies.present?
+    end
    # rubocop: disable CodeReuse/ActiveRecord
    def find_dast_site_profile!(id)
      DastSiteProfilesFinder.new(project_id: project.id, id: id).execute.first!

--- a/ee/spec/graphql/mutations/dast_site_profiles/delete_spec.rb
+++ b/ee/spec/graphql/mutations/dast_site_profiles/delete_spec.rb
@@ -45,9 +45,9 @@ RSpec.describe Mutations::DastSiteProfiles::Delete do
        context 'when there is an issue deleting the dast_site_profile' do
          it 'returns an error' do
-            allow(mutation).to receive(:find_dast_site_profile).and_return(dast_site_profile)
+            allow_next_instance_of(::DastSiteProfiles::DestroyService) do |service|
-            allow(dast_site_profile).to receive(:destroy).and_return(false)
+              allow(service).to receive(:execute).and_return(double(success?: false, errors: ['Name is weird']))
-            dast_site_profile.errors.add(:name, 'is weird')
+            end
            expect(subject[:errors]).to include('Name is weird')
          end

--- a/ee/spec/graphql/types/dast_scanner_profile_type_spec.rb
+++ b/ee/spec/graphql/types/dast_scanner_profile_type_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
  let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile) }
  let_it_be(:project) { dast_scanner_profile.project }
  let_it_be(:user) { create(:user) }
-  let_it_be(:fields) { %i[id globalId profileName spiderTimeout targetTimeout editPath scanType useAjaxSpider showDebugMessages] }
+  let_it_be(:fields) { %i[id globalId profileName spiderTimeout targetTimeout editPath scanType useAjaxSpider showDebugMessages referencedInSecurityPolicies] }
  let(:response) do
    GitlabSchema.execute(
@@ -50,6 +50,7 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
                scanType
                useAjaxSpider
                showDebugMessages
+                referencedInSecurityPolicies
              }
            }
          }

--- a/ee/spec/graphql/types/dast_site_profile_type_spec.rb
+++ b/ee/spec/graphql/types/dast_site_profile_type_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
  let_it_be(:dast_site_profile) { create(:dast_site_profile) }
  let_it_be(:project) { dast_site_profile.project }
  let_it_be(:user) { create(:user) }
-  let_it_be(:fields) { %i[id profileName targetUrl editPath validationStatus userPermissions normalizedTargetUrl] }
+  let_it_be(:fields) { %i[id profileName targetUrl editPath validationStatus userPermissions normalizedTargetUrl referencedInSecurityPolicies] }
  subject do
    GitlabSchema.execute(
@@ -47,6 +47,7 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
                editPath
                validationStatus
                normalizedTargetUrl
+                referencedInSecurityPolicies
              }
            }
          }

--- a/ee/spec/models/dast_scanner_profile_spec.rb
+++ b/ee/spec/models/dast_scanner_profile_spec.rb
@@ -46,4 +46,30 @@ RSpec.describe DastScannerProfile, type: :model do
      it { is_expected.to eq(false) }
    end
  end
+  describe '#referenced_in_security_policies' do
+    context 'there is no security_orchestration_policy_configuration assigned to project' do
+      it 'returns the referenced policy name' do
+        expect(subject.referenced_in_security_policies).to eq([])
+      end
+    end
+    context 'there is security_orchestration_policy_configuration assigned to project' do
+      let(:security_orchestration_policy_configuration) { instance_double(Security::OrchestrationPolicyConfiguration, present?: true, active_policy_names_with_dast_scanner_profile: ['Policy Name']) }
+      before do
+        allow(subject.project).to receive(:security_orchestration_policy_configuration).and_return(security_orchestration_policy_configuration)
+      end
+      it 'calls security_orchestration_policy_configuration.active_policy_names_with_dast_scanner_profile with profile name' do
+        expect(security_orchestration_policy_configuration).to receive(:active_policy_names_with_dast_scanner_profile).with(subject.name)
+        subject.referenced_in_security_policies
+      end
+      it 'returns empty array' do
+        expect(subject.referenced_in_security_policies).to eq(['Policy Name'])
+      end
+    end
+  end
 end
--- a/ee/spec/models/dast_site_profile_spec.rb
+++ b/ee/spec/models/dast_site_profile_spec.rb
@@ -98,4 +98,30 @@ RSpec.describe DastSiteProfile, type: :model do
      end
    end
  end
+  describe '#referenced_in_security_policies' do
+    context 'there is no security_orchestration_policy_configuration assigned to project' do
+      it 'returns empty array' do
+        expect(subject.referenced_in_security_policies).to eq([])
+      end
+    end
+    context 'there is security_orchestration_policy_configuration assigned to project' do
+      let(:security_orchestration_policy_configuration) { instance_double(Security::OrchestrationPolicyConfiguration, present?: true, active_policy_names_with_dast_site_profile: ['Policy Name']) }
+      before do
+        allow(subject.project).to receive(:security_orchestration_policy_configuration).and_return(security_orchestration_policy_configuration)
+      end
+      it 'calls security_orchestration_policy_configuration.active_policy_names_with_dast_site_profile with profile name' do
+        expect(security_orchestration_policy_configuration).to receive(:active_policy_names_with_dast_site_profile).with(subject.name)
+        subject.referenced_in_security_policies
+      end
+      it 'returns the referenced policy name' do
+        expect(subject.referenced_in_security_policies).to eq(['Policy Name'])
+      end
+    end
+  end
 end
--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -24,6 +24,22 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
    it { is_expected.to validate_uniqueness_of(:security_policy_management_project) }
  end
+  describe '#enabled?' do
+    subject { security_orchestration_policy_configuration.enabled? }
+    context 'when feature is enabled' do
+      it { is_expected.to eq(true) }
+    end
+    context 'when feature is disabled' do
+      before do
+        stub_feature_flags(security_orchestration_policies_configuration: false)
+      end
+      it { is_expected.to eq(false) }
+    end
+  end
  describe '#active_policies' do
    let(:enforce_dast_yaml) do
      <<-EOS
@@ -86,6 +102,16 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
    it 'returns only enabled policies' do
      expect(active_policies).to eq(expected_active_policies)
    end
+    context 'when feature is disabled' do
+      before do
+        stub_feature_flags(security_orchestration_policies_configuration: false)
+      end
+      it 'returns empty array' do
+        expect(active_policies).to eq([])
+      end
+    end
  end
  describe '#on_demand_scan_actions' do
@@ -173,4 +199,68 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
      expect(on_demand_scan_actions).to eq(expected_actions)
    end
  end
+  describe '#active_policy_names_with_dast_site_profile' do
+    let(:enforce_dast_yaml) do
+      <<-EOS
+      type: scan_execution_policy
+      name: Run DAST in every pipeline
+      description: This policy enforces to run DAST for every pipeline within the project
+      enabled: true
+      rules:
+      - type: pipeline
+        branches:
+        - "production"
+      actions:
+      - scan: dast
+        site_profile: Site Profile
+        scanner_profile: Scanner Profile
+      - scan: dast
+        site_profile: Site Profile
+        scanner_profile: Scanner Profile 2
+      EOS
+    end
+    before do
+      allow(security_policy_management_project).to receive(:repository).and_return(repository)
+      allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
+      allow(repository).to receive(:blob_data_at).with(default_branch, '.gitlab/security-policies/enforce-dast.yml').and_return(enforce_dast_yaml)
+    end
+    it 'returns list of policy names where site profile is referenced' do
+      expect(security_orchestration_policy_configuration.active_policy_names_with_dast_site_profile('Site Profile')).to contain_exactly('Run DAST in every pipeline')
+    end
+  end
+  describe '#active_policy_names_with_dast_scanner_profile' do
+    let(:enforce_dast_yaml) do
+      <<-EOS
+      type: scan_execution_policy
+      name: Run DAST in every pipeline
+      description: This policy enforces to run DAST for every pipeline within the project
+      enabled: true
+      rules:
+      - type: pipeline
+        branches:
+        - "production"
+      actions:
+      - scan: dast
+        site_profile: Site Profile
+        scanner_profile: Scanner Profile
+      - scan: dast
+        site_profile: Site Profile 2
+        scanner_profile: Scanner Profile
+      EOS
+    end
+    before do
+      allow(security_policy_management_project).to receive(:repository).and_return(repository)
+      allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
+      allow(repository).to receive(:blob_data_at).with(default_branch, '.gitlab/security-policies/enforce-dast.yml').and_return(enforce_dast_yaml)
+    end
+    it 'returns list of policy names where site profile is referenced' do
+      expect(security_orchestration_policy_configuration.active_policy_names_with_dast_scanner_profile('Scanner Profile')).to contain_exactly('Run DAST in every pipeline')
+    end
+  end
 end
--- a/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/dast_site_profiles/delete_spec.rb
@@ -8,11 +8,12 @@ RSpec.describe 'Creating a DAST Site Profile' do
  let!(:dast_site_profile) { create(:dast_site_profile, project: project) }
  let(:mutation_name) { :dast_site_profile_delete }
+  let(:dast_site_profile_id) { dast_site_profile.to_global_id.to_s }
  let(:mutation) do
    graphql_mutation(
      mutation_name,
      full_path: full_path,
-      id: dast_site_profile.to_global_id.to_s
+      id: dast_site_profile_id
    )
  end
@@ -24,22 +25,18 @@ RSpec.describe 'Creating a DAST Site Profile' do
    context 'when there is an issue deleting the dast_site_profile' do
      before do
-        mutation_klass = Mutations::DastSiteProfiles::Delete
+        allow_next_instance_of(::DastSiteProfiles::DestroyService) do |service|
-        allow_any_instance_of(mutation_klass).to receive(:find_dast_site_profile).and_return(dast_site_profile)
+          allow(service).to receive(:execute).and_return(double(success?: false, errors: ['Name is weird']))
-        allow(dast_site_profile).to receive(:destroy).and_return(false)
+        end
-        dast_site_profile.errors.add(:name, 'is weird')
      end
      it_behaves_like 'a mutation that returns errors in the response', errors: ['Name is weird']
    end
    context 'when the dast_site_profile does not exist' do
-      before do
+      let(:dast_site_profile_id) { Gitlab::GlobalId.build(nil, model_name: 'DastSiteProfile', id: 'does_not_exist') }
-        dast_site_profile.destroy!
-      end
-      it_behaves_like 'a mutation that returns top-level errors',
+      it_behaves_like 'a mutation that returns errors in the response', errors: ['Site profile not found for given parameters']
-        errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
    end
    context 'when wrong type of global id is passed' do

--- a/ee/spec/services/dast_scanner_profiles/destroy_service_spec.rb
+++ b/ee/spec/services/dast_scanner_profiles/destroy_service_spec.rb
@@ -4,8 +4,8 @@ require 'spec_helper'
 RSpec.describe DastScannerProfiles::DestroyService do
  let_it_be(:user) { create(:user) }
-  let_it_be(:dast_scanner_profile, reload: true) { create(:dast_scanner_profile, target_timeout: 200, spider_timeout: 5000) }
+  let_it_be(:dast_profile, reload: true) { create(:dast_scanner_profile, target_timeout: 200, spider_timeout: 5000) }
-  let(:project) { dast_scanner_profile.project }
+  let(:project) { dast_profile.project }
  before do
    stub_licensed_features(security_on_demand_scans: true)
@@ -18,7 +18,7 @@ RSpec.describe DastScannerProfiles::DestroyService do
      )
    end
-    let(:dast_scanner_profile_id) { dast_scanner_profile.id }
+    let(:dast_scanner_profile_id) { dast_profile.id }
    let(:status) { subject.status }
    let(:message) { subject.message }
    let(:payload) { subject.payload }
@@ -77,6 +77,8 @@ RSpec.describe DastScannerProfiles::DestroyService do
          expect(message).to eq('You are not authorized to update this scanner profile')
        end
      end
+      include_examples 'restricts modification if referenced by policy', :delete
    end
  end
 end
--- a/ee/spec/services/dast_scanner_profiles/update_service_spec.rb
+++ b/ee/spec/services/dast_scanner_profiles/update_service_spec.rb
@@ -4,17 +4,17 @@ require 'spec_helper'
 RSpec.describe DastScannerProfiles::UpdateService do
  let_it_be(:user) { create(:user) }
-  let_it_be(:dast_scanner_profile, reload: true) { create(:dast_scanner_profile, target_timeout: 200, spider_timeout: 5000) }
+  let_it_be(:dast_profile, reload: true) { create(:dast_scanner_profile, target_timeout: 200, spider_timeout: 5000) }
-  let_it_be(:dast_scanner_profile_2, reload: true) { create(:dast_scanner_profile) }
+  let_it_be(:dast_profile_2, reload: true) { create(:dast_scanner_profile) }
-  let(:project) { dast_scanner_profile.project }
+  let(:project) { dast_profile.project }
-  let(:project_2) { dast_scanner_profile_2.project }
+  let(:project_2) { dast_profile_2.project }
  let_it_be(:new_profile_name) { SecureRandom.hex }
-  let_it_be(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
+  let_it_be(:new_target_timeout) { dast_profile.target_timeout + 1 }
-  let_it_be(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
+  let_it_be(:new_spider_timeout) { dast_profile.spider_timeout + 1 }
  let_it_be(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
-  let(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
+  let(:new_use_ajax_spider) { !dast_profile.use_ajax_spider }
-  let(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
+  let(:new_show_debug_messages) { !dast_profile.show_debug_messages }
  before do
    stub_licensed_features(security_on_demand_scans: true)
@@ -33,7 +33,7 @@ RSpec.describe DastScannerProfiles::UpdateService do
      )
    end
-    let(:dast_scanner_profile_id) { dast_scanner_profile.id }
+    let(:dast_scanner_profile_id) { dast_profile.id }
    let(:status) { subject.status }
    let(:message) { subject.message }
    let(:payload) { subject.payload }
@@ -56,7 +56,7 @@ RSpec.describe DastScannerProfiles::UpdateService do
      subject do
        described_class.new(project_2, user).execute(
-          id: dast_scanner_profile.id,
+          id: dast_profile.id,
          profile_name: new_profile_name,
          target_timeout: new_target_timeout,
          spider_timeout: new_spider_timeout,
@@ -94,9 +94,9 @@ RSpec.describe DastScannerProfiles::UpdateService do
          updated_dast_scanner_profile = payload.reload
          aggregate_failures do
-            expect(updated_dast_scanner_profile.scan_type).to eq(dast_scanner_profile.scan_type)
+            expect(updated_dast_scanner_profile.scan_type).to eq(dast_profile.scan_type)
-            expect(updated_dast_scanner_profile.use_ajax_spider).to eq(dast_scanner_profile.use_ajax_spider)
+            expect(updated_dast_scanner_profile.use_ajax_spider).to eq(dast_profile.use_ajax_spider)
-            expect(updated_dast_scanner_profile.show_debug_messages).to eq(dast_scanner_profile.show_debug_messages)
+            expect(updated_dast_scanner_profile.show_debug_messages).to eq(dast_profile.show_debug_messages)
          end
        end
      end
@@ -164,6 +164,8 @@ RSpec.describe DastScannerProfiles::UpdateService do
          expect(message).to eq('You are not authorized to update this scanner profile')
        end
      end
+      include_examples 'restricts modification if referenced by policy', :modify
    end
  end
 end
--- a/ee/spec/services/dast_site_profiles/destroy_service_spec.rb
+++ b/ee/spec/services/dast_site_profiles/destroy_service_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe DastSiteProfiles::DestroyService do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:dast_profile, reload: true) { create(:dast_site_profile) }
+  let(:project) { dast_profile.project }
+  before do
+    stub_licensed_features(security_on_demand_scans: true)
+  end
+  describe '#execute' do
+    subject do
+      described_class.new(project, user).execute(
+        id: dast_site_profile_id
+      )
+    end
+    let(:dast_site_profile_id) { dast_profile.id }
+    let(:status) { subject.status }
+    let(:message) { subject.message }
+    let(:payload) { subject.payload }
+    context 'when a user does not have access to the project' do
+      it 'returns an error status' do
+        expect(status).to eq(:error)
+      end
+      it 'populates message' do
+        expect(message).to eq('You are not authorized to delete this site profile')
+      end
+    end
+    context 'when the user can run a DAST scan' do
+      before do
+        project.add_developer(user)
+      end
+      it 'returns a success status' do
+        expect(status).to eq(:success)
+      end
+      it 'deletes the dast_site_profile' do
+        expect { subject }.to change { DastSiteProfile.count }.by(-1)
+      end
+      it 'returns a dast_site_profile payload' do
+        expect(payload).to be_a(DastSiteProfile)
+      end
+      context 'when the dast_site_profile does not exist' do
+        let(:dast_site_profile_id) do
+          Gitlab::GlobalId.build(nil, model_name: 'DastSiteProfile', id: 'does_not_exist')
+        end
+        it 'returns an error status' do
+          expect(status).to eq(:error)
+        end
+        it 'populates message' do
+          expect(message).to eq('Site profile not found for given parameters')
+        end
+      end
+      context 'when on demand scan licensed feature is not available' do
+        before do
+          stub_licensed_features(security_on_demand_scans: false)
+        end
+        it 'returns an error status' do
+          expect(status).to eq(:error)
+        end
+        it 'populates message' do
+          expect(message).to eq('You are not authorized to delete this site profile')
+        end
+      end
+      include_examples 'restricts modification if referenced by policy', :delete
+    end
+  end
+end
--- a/ee/spec/services/dast_site_profiles/update_service_spec.rb
+++ b/ee/spec/services/dast_site_profiles/update_service_spec.rb
@@ -3,9 +3,9 @@
 require 'spec_helper'
 RSpec.describe DastSiteProfiles::UpdateService do
-  let(:project) { dast_site_profile.project }
+  let(:project) { dast_profile.project }
  let(:user) { create(:user) }
-  let(:dast_site_profile) { create(:dast_site_profile) }
+  let(:dast_profile) { create(:dast_site_profile) }
  let(:new_profile_name) { SecureRandom.hex }
  let(:new_target_url) { generate(:url) }
@@ -17,7 +17,7 @@ RSpec.describe DastSiteProfiles::UpdateService do
  describe '#execute' do
    subject do
      described_class.new(project, user).execute(
-        id: dast_site_profile.id,
+        id: dast_profile.id,
        profile_name: new_profile_name,
        target_url: new_target_url
      )
@@ -74,7 +74,7 @@ RSpec.describe DastSiteProfiles::UpdateService do
      context 'when the dast_site_profile doesn\'t exist' do
        before do
-          dast_site_profile.destroy!
+          dast_profile.destroy!
        end
        it 'returns an error status' do
@@ -99,6 +99,8 @@ RSpec.describe DastSiteProfiles::UpdateService do
          expect(message).to eq('Insufficient permissions')
        end
      end
+      include_examples 'restricts modification if referenced by policy', :modify
    end
  end
 end
--- a/ee/spec/support/shared_examples/services/dast_profile_service_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/dast_profile_service_shared_examples.rb
+# frozen_string_literal: true
+RSpec.shared_examples 'restricts modification if referenced by policy' do |modification_type|
+  context 'when project has security policies enabled' do
+    before do
+      allow_next_found_instance_of(dast_profile.class) do |profile|
+        allow(profile).to receive(:referenced_in_security_policies).and_return(policy_names)
+      end
+    end
+    context 'when there is no policy that is referencing the profile' do
+      let(:policy_names) { [] }
+      it 'returns a success status' do
+        expect(status).to eq(:success)
+      end
+    end
+    context 'when there is a policy that is referencing the profile' do
+      let(:policy_names) { [dast_profile.name] }
+      it 'returns an error status' do
+        expect(status).to eq(:error)
+      end
+      it 'populates message' do
+        expect(message).to include("Cannot #{modification_type}")
+      end
+    end
+  end
+end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -33870,6 +33870,9 @@ msgstr ""
 msgid "You are not allowed to unlink your primary login account"
 msgstr ""
+msgid "You are not authorized to delete this site profile"
+msgstr ""
 msgid "You are not authorized to perform this action"
 msgstr ""