Add service to update Dast::Profile

37307e62 · Philip Cunningham · Douglas Barbosa Alexandre · 948e03df · 37307e62 · 37307e62
Commit 37307e62 authored Feb 08, 2021 by Philip Cunningham Committed by Douglas Barbosa Alexandre Feb 08, 2021
Showing with 153 additions and 0 deletions

ee/app/services/dast/profiles/update_service.rb ee/app/services/dast/profiles/update_service.rb +46 -0

ee/spec/services/dast/profiles/update_service_spec.rb ee/spec/services/dast/profiles/update_service_spec.rb +107 -0

No files found.
--- a/ee/app/services/dast/profiles/update_service.rb
+++ b/ee/app/services/dast/profiles/update_service.rb
+# frozen_string_literal: true
+
+module Dast
+  module Profiles
+    class UpdateService < BaseContainerService
+      include Gitlab::Utils::StrongMemoize
+
+      def execute
+        return unauthorized unless allowed?
+        return ServiceResponse.error(message: 'ID parameter missing') unless params[:id].present?
+        return ServiceResponse.error(message: 'Profile not found for given parameters') unless dast_profile
+
+        return ServiceResponse.error(message: dast_profile.errors.full_messages) unless dast_profile.update(dast_profile_params)
+
+        ServiceResponse.success(payload: dast_profile)
+      end
+
+      private
+
+      def allowed?
+        container.feature_available?(:security_on_demand_scans) &&
+          Feature.enabled?(:dast_saved_scans, container, default_enabled: :yaml) &&
+          can?(current_user, :create_on_demand_dast_scan, container)
+      end
+
+      def unauthorized
+        ServiceResponse.error(
+          message: 'You are not authorized to update this profile',
+          http_status: 403
+        )
+      end
+
+      def dast_profile
+        strong_memoize(:dast_profile) do
+          Dast::ProfilesFinder.new(project_id: container.id, id: params[:id])
+            .execute
+            .first
+        end
+      end
+
+      def dast_profile_params
+        params.slice(:dast_site_profile_id, :dast_scanner_profile_id, :name, :description)
+      end
+    end
+  end
+end
--- a/ee/spec/services/dast/profiles/update_service_spec.rb
+++ b/ee/spec/services/dast/profiles/update_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Dast::Profiles::UpdateService do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:dast_profile) { create(:dast_profile, project: project) }
+  let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
+  let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) }
+
+  let_it_be(:params) do
+    {
+      id: dast_profile.id,
+      dast_site_profile_id: dast_site_profile.id,
+      dast_scanner_profile_id: dast_scanner_profile.id,
+      name: SecureRandom.hex,
+      description: SecureRandom.hex
+    }
+  end
+
+  subject do
+    described_class.new(
+      container: project,
+      current_user: user,
+      params: params
+    ).execute
+  end
+
+  describe 'execute', :clean_gitlab_redis_shared_state do
+    before do
+      project.clear_memoization(:licensed_feature_available)
+    end
+
+    context 'when on demand scan feature is disabled' do
+      it 'communicates failure' do
+        stub_licensed_features(security_on_demand_scans: true)
+        stub_feature_flags(dast_saved_scans: false)
+
+        aggregate_failures do
+          expect(subject.status).to eq(:error)
+          expect(subject.message).to eq('You are not authorized to update this profile')
+        end
+      end
+    end
+
+    context 'when on demand scan licensed feature is not available' do
+      it 'communicates failure' do
+        stub_licensed_features(security_on_demand_scans: false)
+        stub_feature_flags(security_on_demand_scans_site_validation: true)
+
+        aggregate_failures do
+          expect(subject.status).to eq(:error)
+          expect(subject.message).to eq('You are not authorized to update this profile')
+        end
+      end
+    end
+
+    context 'when the feature is enabled' do
+      before do
+        stub_licensed_features(security_on_demand_scans: true)
+        stub_feature_flags(dast_saved_scans: true)
+      end
+
+      context 'when the user cannot run a DAST scan' do
+        it 'communicates failure' do
+          aggregate_failures do
+            expect(subject.status).to eq(:error)
+            expect(subject.message).to eq('You are not authorized to update this profile')
+          end
+        end
+      end
+
+      context 'when the user can run a DAST scan' do
+        before do
+          project.add_developer(user)
+        end
+
+        it 'communicates success' do
+          expect(subject.status).to eq(:success)
+        end
+
+        it 'updates the dast_profile' do
+          updated_dast_profile = subject.payload.reload
+
+          aggregate_failures do
+            expect(updated_dast_profile.dast_site_profile.id).to eq(params[:dast_site_profile_id])
+            expect(updated_dast_profile.dast_scanner_profile.id).to eq(params[:dast_scanner_profile_id])
+            expect(updated_dast_profile.name).to eq(params[:name])
+            expect(updated_dast_profile.description).to eq(params[:description])
+          end
+        end
+
+        context 'when id param is missing' do
+          let(:params) { {} }
+
+          it 'communicates failure' do
+            aggregate_failures do
+              expect(subject.status).to eq(:error)
+              expect(subject.message).to eq('ID parameter missing')
+            end
+          end
+        end
+      end
+    end
+  end
+end