Commit 25b5dc36 authored by Sashi's avatar Sashi Committed by Brian Williams

Move security policy yaml in specs to factory

This commit moves the hardcoded policy yaml content
in specs into a new factory.
parent f9cf18c8
# frozen_string_literal: true
FactoryBot.define do
factory :scan_execution_policy, class: Struct.new(:name, :description, :enabled, :actions, :rules) do
skip_create
initialize_with do
name = attributes[:name]
description = attributes[:description]
enabled = attributes[:enabled]
actions = attributes[:actions]
rules = attributes[:rules]
new(name, description, enabled, actions, rules).to_h
end
sequence(:name) { |n| "test-policy-#{n}" }
description { 'This policy enforces to run DAST for every pipeline within the project' }
enabled { true }
rules { [{ type: 'pipeline', branches: %w[production] }] }
actions { [{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }] }
trait :with_schedule do
rules { [{ type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }] }
end
end
factory :scan_execution_policy_yaml, class: Struct.new(:scan_execution_policy) do
skip_create
initialize_with do
policies = attributes[:policies]
YAML.dump(new(policies).to_h.deep_stringify_keys)
end
end
end
......@@ -6,22 +6,10 @@ RSpec.describe Security::SecurityOrchestrationPolicies::FetchPolicyService do
describe '#execute' do
let(:project) { create(:project) }
let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy_blob) { { scan_execution_policy: [policy] }.to_yaml }
let(:policy) { build(:scan_execution_policy) }
let(:policy_blob) { build(:scan_execution_policy_yaml, policies: [policy]) }
let(:type) { :scan_execution_policy }
let(:name) { 'Run DAST in every pipeline' }
let(:name) { policy[:name] }
subject(:service) do
described_class.new(policy_configuration: policy_configuration, name: name, type: type)
......
......@@ -8,42 +8,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
let_it_be(:current_user) { project.owner }
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
let(:policy_yaml) do
<<-EOS
name: Run DAST in every pipeline
type: scan_execution_policy
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:policy) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:policy_hash) { build(:scan_execution_policy, name: 'Test Policy') }
let(:input_policy_yaml) { policy_hash.merge(type: 'scan_execution_policy').to_yaml }
let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy_hash])}
let(:operation) { :append }
let(:params) { { policy_yaml: policy_yaml, operation: operation } }
let(:params) { { policy_yaml: input_policy_yaml, operation: operation } }
subject(:service) do
described_class.new(project: project, current_user: current_user, params: params)
......@@ -51,19 +21,19 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
before do
allow_next_instance_of(Repository) do |repository|
allow(repository).to receive(:blob_data_at).and_return(policy)
allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
end
end
context 'when policy_yaml is invalid' do
let(:invalid_policy_yaml) do
let(:invalid_input_policy_yaml) do
<<-EOS
invalid_name: invalid
type: scan_execution_policy
EOS
end
let(:params) { { policy_yaml: invalid_policy_yaml, operation: operation } }
let(:params) { { policy_yaml: invalid_input_policy_yaml, operation: operation } }
it 'returns error' do
response = service.execute
......@@ -85,23 +55,6 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyCommitService do
end
context 'when policy already exists in policy project' do
let(:policy) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
before do
allow_next_instance_of(::Files::UpdateService) do |instance|
allow(instance).to receive(:execute).and_return({ status: :success })
......
......@@ -7,19 +7,8 @@ RSpec.describe Security::SecurityOrchestrationPolicies::PolicyConfigurationValid
let(:project) { create(:project) }
let(:policy_configuration) { create(:security_orchestration_policy_configuration, project: project) }
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy_blob) { { scan_execution_policy: [policy] }.to_yaml }
let(:policy) { build(:scan_execution_policy) }
let(:policy_blob) { build(:scan_execution_policy_yaml, policies: [policy]) }
let(:type) { :scan_execution_policy }
let(:environment_id) { nil }
......
......@@ -6,92 +6,26 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessPolicyService do
describe '#execute' do
let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration) }
let(:policy) do
<<-EOS
name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: false
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
end
let(:policy) { build(:scan_execution_policy, name: 'Test Policy', enabled: false) }
let(:scheduled_policy) { build(:scan_execution_policy, :with_schedule, name: 'Scheduled DAST') }
let(:policy_yaml) { Gitlab::Config::Loader::Yaml.new(policy.to_yaml).load! }
let(:type) { :scan_execution_policy }
let(:operation) { :append }
let(:repository_with_existing_policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Run DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Scheduled DAST
description: This policy executes DAST in a scheduled pipeline
enabled: true
rules:
- type: schedule
branches:
- "production"
cadence: '*/15 * * * *'
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
pipeline_policy = build(:scan_execution_policy, name: 'Test Policy')
build(:scan_execution_policy_yaml, policies: [pipeline_policy, scheduled_policy])
end
let(:repository_policy_yaml) do
<<-EOS
scan_execution_policy:
- name: Execute DAST in every pipeline
description: This policy enforces to run DAST for every pipeline within the project
enabled: true
rules:
- type: pipeline
branches:
- "production"
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
- name: Scheduled DAST
description: This policy executes DAST in a scheduled pipeline
enabled: true
rules:
- type: schedule
branches:
- "production"
cadence: '*/15 * * * *'
actions:
- scan: dast
site_profile: Site Profile
scanner_profile: Scanner Profile
EOS
pipeline_policy = build(:scan_execution_policy, name: "Execute DAST in every pipeline")
build(:scan_execution_policy_yaml, policies: [pipeline_policy, scheduled_policy])
end
let(:policy_yaml) { Gitlab::Config::Loader::Yaml.new(policy).load! }
let(:type) { :scan_execution_policy }
let(:operation) { :append }
subject(:service) { described_class.new(policy_configuration: policy_configuration, params: { policy: policy_yaml, operation: operation, type: type }) }
context 'when policy is invalid' do
let(:policy) do
<<-EOS
invalid_name: invalid
EOS
end
let(:policy) { { invalid_name: 'invalid' } }
it 'raises StandardError' do
expect { service.execute }.to raise_error(StandardError, 'Invalid policy yaml')
......
......@@ -13,18 +13,12 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
end
let(:policy) do
{
name: 'DAST Scan',
description: 'This policy runs DAST on pipeline and for every 15 mins',
enabled: true,
rules: [
{ type: 'pipeline', branches: %w[production] },
{ type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }
],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
rules = [
{ type: 'pipeline', branches: %w[production] },
{ type: 'schedule', branches: %w[production], cadence: '*/15 * * * *' }
]
build(:scan_execution_policy, rules: rules)
end
subject(:service) { described_class.new(policy_configuration: policy_configuration, policy_index: 0, policy: policy) }
......@@ -58,17 +52,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ProcessRuleService do
end
context 'when policy is not of type scheduled' do
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: false,
rules: [{ type: 'pipeline', branches: %w[production] }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy) { build(:scan_execution_policy) }
it 'deletes schedules' do
expect { service.execute }.to change(Security::OrchestrationPolicyRuleSchedule, :count).by(-1)
......
......@@ -10,17 +10,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do
let(:schedule) { create(:security_orchestration_policy_rule_schedule, security_orchestration_policy_configuration: policy_configuration) }
let!(:scanner_profile) { create(:dast_scanner_profile, name: 'Scanner Profile', project: project) }
let!(:site_profile) { create(:dast_site_profile, name: 'Site Profile', project: project) }
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[master production], cadence: '*/20 * * * *' }],
actions: [
{ scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
]
}
end
let(:policy) { build(:scan_execution_policy, enabled: true, rules: [{ type: 'schedule', branches: %w[master production], cadence: '*/20 * * * *' }]) }
subject(:service) { described_class.new(container: project, current_user: current_user) }
......@@ -69,44 +59,22 @@ RSpec.describe Security::SecurityOrchestrationPolicies::RuleScheduleService do
context 'when the branch in rules does not exist' do
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }],
actions: []
}
build(:scan_execution_policy,
enabled: true,
rules: [{ type: 'schedule', branches: %w[invalid_branch], cadence: '*/20 * * * *' }])
end
it_behaves_like 'does not execute scan'
end
context 'when policy actions does not exist' do
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }],
actions: []
}
end
let(:policy) { build(:scan_execution_policy, :with_schedule, enabled: true, actions: []) }
it_behaves_like 'does not execute scan'
end
context 'when policy scan type is invalid' do
let(:policy) do
{
name: 'Run DAST in every pipeline',
description: 'This policy enforces to run DAST for every pipeline within the project',
enabled: true,
rules: [{ type: 'schedule', branches: %w[production], cadence: '*/20 * * * *' }],
actions: [
{ scan: 'invalid' }
]
}
end
let(:policy) { build(:scan_execution_policy, :with_schedule, enabled: true, actions: [{ scan: 'invalid' }]) }
it_behaves_like 'does not execute scan'
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment