Commit 37307e62 authored by Philip Cunningham's avatar Philip Cunningham Committed by Douglas Barbosa Alexandre

Add service to update Dast::Profile

parent 948e03df
# frozen_string_literal: true
module Dast
module Profiles
class UpdateService < BaseContainerService
include Gitlab::Utils::StrongMemoize
def execute
return unauthorized unless allowed?
return ServiceResponse.error(message: 'ID parameter missing') unless params[:id].present?
return ServiceResponse.error(message: 'Profile not found for given parameters') unless dast_profile
return ServiceResponse.error(message: dast_profile.errors.full_messages) unless dast_profile.update(dast_profile_params)
ServiceResponse.success(payload: dast_profile)
end
private
def allowed?
container.feature_available?(:security_on_demand_scans) &&
Feature.enabled?(:dast_saved_scans, container, default_enabled: :yaml) &&
can?(current_user, :create_on_demand_dast_scan, container)
end
def unauthorized
ServiceResponse.error(
message: 'You are not authorized to update this profile',
http_status: 403
)
end
def dast_profile
strong_memoize(:dast_profile) do
Dast::ProfilesFinder.new(project_id: container.id, id: params[:id])
.execute
.first
end
end
def dast_profile_params
params.slice(:dast_site_profile_id, :dast_scanner_profile_id, :name, :description)
end
end
end
end
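Review bot: `dast_profile_params` forwards `dast_site_profile_id` and `dast_scanner_profile_id` straight into `dast_profile.update` without checking that those records belong to `container`; the finder in `dast_profile` scopes only the profile itself by `project_id`, so nothing visible here stops a caller who can edit a profile in one project from pointing it at site or scanner profiles from another project. Unless the model enforces project consistency (not shown in this commit), the ids should be resolved through the project's own site/scanner profile scopes before the update, and a spec should cover the cross-project case. A second, smaller point is that `allowed?` authorizes the update with `:create_on_demand_dast_scan`; if reusing the create ability is intentional, a one-line comment such as `# Editing a saved profile is gated on the same ability as creating an on-demand scan` would make that decision explicit for reviewers of future permission changes.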
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Dast::Profiles::UpdateService do
let_it_be(:project) { create(:project) }
let_it_be(:user) { create(:user) }
let_it_be(:dast_profile) { create(:dast_profile, project: project) }
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) }
let_it_be(:params) do
{
id: dast_profile.id,
dast_site_profile_id: dast_site_profile.id,
dast_scanner_profile_id: dast_scanner_profile.id,
name: SecureRandom.hex,
description: SecureRandom.hex
}
end
subject do
described_class.new(
container: project,
current_user: user,
params: params
).execute
end
describe 'execute', :clean_gitlab_redis_shared_state do
before do
project.clear_memoization(:licensed_feature_available)
end
context 'when on demand scan feature is disabled' do
it 'communicates failure' do
stub_licensed_features(security_on_demand_scans: true)
stub_feature_flags(dast_saved_scans: false)
aggregate_failures do
expect(subject.status).to eq(:error)
expect(subject.message).to eq('You are not authorized to update this profile')
end
end
end
context 'when on demand scan licensed feature is not available' do
it 'communicates failure' do
stub_licensed_features(security_on_demand_scans: false)
stub_feature_flags(security_on_demand_scans_site_validation: true)
aggregate_failures do
expect(subject.status).to eq(:error)
expect(subject.message).to eq('You are not authorized to update this profile')
end
end
end
context 'when the feature is enabled' do
before do
stub_licensed_features(security_on_demand_scans: true)
stub_feature_flags(dast_saved_scans: true)
end
context 'when the user cannot run a DAST scan' do
it 'communicates failure' do
aggregate_failures do
expect(subject.status).to eq(:error)
expect(subject.message).to eq('You are not authorized to update this profile')
end
end
end
context 'when the user can run a DAST scan' do
before do
project.add_developer(user)
end
it 'communicates success' do
expect(subject.status).to eq(:success)
end
it 'updates the dast_profile' do
updated_dast_profile = subject.payload.reload
aggregate_failures do
expect(updated_dast_profile.dast_site_profile.id).to eq(params[:dast_site_profile_id])
expect(updated_dast_profile.dast_scanner_profile.id).to eq(params[:dast_scanner_profile_id])
expect(updated_dast_profile.name).to eq(params[:name])
expect(updated_dast_profile.description).to eq(params[:description])
end
end
context 'when id param is missing' do
let(:params) { {} }
it 'communicates failure' do
aggregate_failures do
expect(subject.status).to eq(:error)
expect(subject.message).to eq('ID parameter missing')
end
end
end
end
end
end
end
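Review bot: The context 'when on demand scan licensed feature is not available' stubs `security_on_demand_scans_site_validation`, a flag the service never reads, instead of `dast_saved_scans`, so the failure it asserts may be caused by either the licensed-feature check or the flag's default rather than the condition the context names. Changing that line to `stub_feature_flags(dast_saved_scans: true)` isolates the licensed-feature branch of `allowed?`. The 'Profile not found for given parameters' branch is also untested; a context passing an `id` for a profile in a different project would cover it and pin the project scoping of the finder.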