Merge branch 'sk/337728-add-security-policy-factory' into 'master'

Move security policy yaml in specs to factory

See merge request gitlab-org/gitlab!69108

ee/spec/factories/security/policies.rb

+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :scan_execution_policy, class: Struct.new(:name, :description, :enabled, :actions, :rules) do
+    skip_create
+
+    initialize_with do
+      name = attributes[:name]
+      description = attributes[:description]
+      enabled = attributes[:enabled]
+      actions = attributes[:actions]
+      rules = attributes[:rules]
+
+      new(name, description, enabled, actions, rules).to_h
+    end
+
+    sequence(:name) { |n| "test-policy-#{n}" }
+    description { 'This policy enforces to run DAST for every pipeline within the project' }
+    enabled { true }
+    rules { [{ type: 'pipeline', branches: %w[production] }] }
+    actions { [{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }] }
+
+    trait :with_schedule do
+      rules { [{ type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }] }
+    end
+  end
+
+  factory :scan_execution_policy_yaml, class: Struct.new(:scan_execution_policy) do
+    skip_create
+
+    initialize_with do
+      policies = attributes[:policies]
+
+      YAML.dump(new(policies).to_h.deep_stringify_keys)
+    end
+  end
+end

ee/spec/services/security/security_orchestration_policies/fetch_policy_service_spec.rb

@@ -6,22 +6,10 @@ RSpec.describe Security::SecurityOrchestrationPolicies::FetchPolicyService do
   describe '#execute' do
     let(:project) { create(:project) }
     let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
-
-    let(:policy) do
-      {
-        name: 'Run DAST in every pipeline',
-        description: 'This policy enforces to run DAST for every pipeline within the project',
-        enabled: true,
-        rules: [{ type: 'pipeline', branches: %w[production] }],
-        actions: [
-          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-        ]
-      }
-    end
-
-    let(:policy_blob) { { scan_execution_policy: [policy] }.to_yaml }
+    let(:policy) { build(:scan_execution_policy) }
+    let(:policy_blob) { build(:scan_execution_policy_yaml, policies: [policy]) }
     let(:type) { :scan_execution_policy }
-    let(:name) { 'Run DAST in every pipeline' }
+    let(:name) { policy[:name] }
 
     subject(:service) do
       described_class.new(policy_configuration: policy_configuration, name: name, type: type)

ee/spec/services/security/security_orchestration_policies/policy_commit_service_spec.rb

@@ -8,42 +8,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
     let_it_be(:current_user) { project.owner }
     let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
 
-    let(:policy_yaml) do
-      <<-EOS
-        name: Run DAST in every pipeline
-        type: scan_execution_policy
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-      EOS
-    end
-
-    let(:policy) do
-      <<-EOS
-          scan_execution_policy:
-            -  name: Run DAST in every pipeline
-               description: This policy enforces to run DAST for every pipeline within the project
-               enabled: true
-               rules:
-               - type: pipeline
-                 branches:
-                 - "production"
-               actions:
-               - scan: dast
-                 site_profile: Site Profile
-                 scanner_profile: Scanner Profile
-      EOS
-    end
+    let(:policy_hash) { build(:scan_execution_policy, name: 'Test Policy') }
+    let(:input_policy_yaml) { policy_hash.merge(type: 'scan_execution_policy').to_yaml }
+    let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy_hash])}
 
     let(:operation) { :append }
-    let(:params) { { policy_yaml: policy_yaml, operation: operation } }
+    let(:params) { { policy_yaml: input_policy_yaml, operation: operation } }
 
     subject(:service) do
       described_class.new(project: project, current_user: current_user, params: params)
@@ -51,19 +21,19 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
 
     before do
       allow_next_instance_of(Repository) do |repository|
-        allow(repository).to receive(:blob_data_at).and_return(policy)
+        allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
       end
     end
 
     context 'when policy_yaml is invalid' do
-      let(:invalid_policy_yaml) do
+      let(:invalid_input_policy_yaml) do
         <<-EOS
           invalid_name: invalid
           type: scan_execution_policy
         EOS
       end
 
-      let(:params) { { policy_yaml: invalid_policy_yaml, operation: operation } }
+      let(:params) { { policy_yaml: invalid_input_policy_yaml, operation: operation } }
 
       it 'returns error' do
         response = service.execute
@@ -85,23 +55,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
     end
 
     context 'when policy already exists in policy project' do
-      let(:policy) do
-        <<-EOS
-          scan_execution_policy:
-            -  name: Run DAST in every pipeline
-               description: This policy enforces to run DAST for every pipeline within the project
-               enabled: true
-               rules:
-               - type: pipeline
-                 branches:
-                 - "production"
-               actions:
-               - scan: dast
-                 site_profile: Site Profile
-                 scanner_profile: Scanner Profile
-        EOS
-      end
-
       before do
         allow_next_instance_of(::Files::UpdateService) do |instance|
           allow(instance).to receive(:execute).and_return({ status: :success })

ee/spec/services/security/security_orchestration_policies/policy_configuration_validation_service_spec.rb

@@ -7,19 +7,8 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyConfigurationValid
     let(:project) { create(:project) }
     let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
 
-    let(:policy) do
-      {
-        name: 'Run DAST in every pipeline',
-        description: 'This policy enforces to run DAST for every pipeline within the project',
-        enabled: true,
-        rules: [{ type: 'pipeline', branches: %w[production] }],
-        actions: [
-          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-        ]
-      }
-    end
-
-    let(:policy_blob) { { scan_execution_policy: [policy] }.to_yaml }
+    let(:policy) { build(:scan_execution_policy) }
+    let(:policy_blob) { build(:scan_execution_policy_yaml, policies: [policy]) }
     let(:type) { :scan_execution_policy }
     let(:environment_id) { nil }
 

ee/spec/services/security/security_orchestration_policies/process_policy_service_spec.rb

@@ -6,92 +6,26 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessPolicyService do
   describe '#execute' do
     let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration) }
 
-    let(:policy) do
-      <<-EOS
-          name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: false
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-      EOS
-    end
+    let(:policy) { build(:scan_execution_policy, name: 'Test Policy', enabled: false) }
+    let(:scheduled_policy) { build(:scan_execution_policy, :with_schedule, name: 'Scheduled DAST') }
+    let(:policy_yaml) { Gitlab::Config::Loader::Yaml.new(policy.to_yaml).load! }
+    let(:type) { :scan_execution_policy }
+    let(:operation) { :append }
 
     let(:repository_with_existing_policy_yaml) do
-      <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-        - name: Scheduled DAST
-          description: This policy executes DAST in a scheduled pipeline
-          enabled: true
-          rules:
-          - type: schedule
-            branches:
-            - "production"
-            cadence: '*/15 * * * *'
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-      EOS
+      pipeline_policy = build(:scan_execution_policy, name: 'Test Policy')
+      build(:scan_execution_policy_yaml, policies: [pipeline_policy, scheduled_policy])
     end
 
     let(:repository_policy_yaml) do
-      <<-EOS
-        scan_execution_policy:
-        - name: Execute DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-        - name: Scheduled DAST
-          description: This policy executes DAST in a scheduled pipeline
-          enabled: true
-          rules:
-          - type: schedule
-            branches:
-            - "production"
-            cadence: '*/15 * * * *'
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-      EOS
+      pipeline_policy = build(:scan_execution_policy, name: "Execute DAST in every pipeline")
+      build(:scan_execution_policy_yaml, policies: [pipeline_policy, scheduled_policy])
     end
 
-    let(:policy_yaml) { Gitlab::Config::Loader::Yaml.new(policy).load! }
-    let(:type) { :scan_execution_policy }
-    let(:operation) { :append }
-
     subject(:service) { described_class.new(policy_configuration: policy_configuration, params: { policy: policy_yaml, operation: operation, type: type }) }
 
     context 'when policy is invalid' do
-      let(:policy) do
-        <<-EOS
-          invalid_name: invalid
-        EOS
-      end
+      let(:policy) { { invalid_name: 'invalid' } }
 
       it 'raises StandardError' do
         expect { service.execute }.to raise_error(StandardError, 'Invalid policy yaml')

ee/spec/services/security/security_orchestration_policies/process_rule_service_spec.rb

@@ -13,18 +13,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
     end
 
     let(:policy) do
-      {
-        name: 'DAST Scan',
-        description: 'This policy runs DAST on pipeline and for every 15 mins',
-        enabled: true,
-        rules: [
-          { type: 'pipeline', branches: %w[production] },
-          { type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }
-        ],
-        actions: [
-          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-        ]
-      }
+      rules = [
+        { type: 'pipeline', branches: %w[production] },
+        { type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }
+      ]
+
+      build(:scan_execution_policy, rules: rules)
     end
 
     subject(:service) { described_class.new(policy_configuration: policy_configuration, policy_index: 0, policy: policy) }
@@ -58,17 +52,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
     end
 
     context 'when policy is not of type scheduled' do
-      let(:policy) do
-        {
-          name: 'Run DAST in every pipeline',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: false,
-          rules: [{ type: 'pipeline', branches: %w[production] }],
-          actions: [
-            { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-          ]
-        }
-      end
+      let(:policy) { build(:scan_execution_policy) }
 
       it 'deletes schedules' do
         expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1)

ee/spec/services/security/security_orchestration_policies/rule_schedule_service_spec.rb

@@ -10,17 +10,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do
     let(:schedule) { create(:security_orchestration_policy_rule_schedule, security_orchestration_policy_configuration: policy_configuration) }
     let!(:scanner_profile) { create(:dast_scanner_profile, name: 'Scanner Profile', project: project) }
     let!(:site_profile) { create(:dast_site_profile, name: 'Site Profile', project: project) }
-    let(:policy) do
-      {
-        name: 'Run DAST in every pipeline',
-        description: 'This policy enforces to run DAST for every pipeline within the project',
-        enabled: true,
-        rules: [{ type: 'schedule', branches: %w[master production], cadence: '*/20 * * * *' }],
-        actions: [
-          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-        ]
-      }
-    end
+    let(:policy) { build(:scan_execution_policy, enabled: true, rules: [{ type: 'schedule', branches: %w[master production], cadence: '*/20 * * * *' }]) }
 
     subject(:service) { described_class.new(container: project, current_user: current_user) }
 
@@ -69,44 +59,22 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do
 
     context 'when the branch in rules does not exist' do
       let(:policy) do
-        {
-          name: 'Run DAST in every pipeline',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }],
-          actions: []
-        }
+        build(:scan_execution_policy,
+                           enabled: true,
+                           rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }])
       end
 
       it_behaves_like 'does not execute scan'
     end
 
     context 'when policy actions does not exist' do
-      let(:policy) do
-        {
-          name: 'Run DAST in every pipeline',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }],
-          actions: []
-        }
-      end
+      let(:policy) { build(:scan_execution_policy, :with_schedule, enabled: true, actions: []) }
 
       it_behaves_like 'does not execute scan'
     end
 
     context 'when policy scan type is invalid' do
-      let(:policy) do
-        {
-          name: 'Run DAST in every pipeline',
-          description: 'This policy enforces to run DAST for every pipeline within the project',
-          enabled: true,
-          rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }],
-          actions: [
-            { scan: 'invalid' }
-          ]
-        }
-      end
+      let(:policy) { build(:scan_execution_policy, :with_schedule, enabled: true, actions: [{ scan: 'invalid' }]) }
 
       it_behaves_like 'does not execute scan'
     end