Don't use DnD by default for API Fuzzing

ee/changelogs/unreleased/241736-dont-use-dnd-by-default-apifuzzin.yml

+---
+title: Don't use docker-in-docker by default for API Fuzzing
+merge_request: 45827
+author:
+type: changed

ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb

@@ -9,6 +9,7 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
     let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
     let(:contents) { File.read(template_filename) }
     let(:production_registry) { 'registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine' }
+    let(:staging_registry) { 'registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src:${FUZZAPI_VERSION}-engine' }
 
     # Make sure future changes to the template use the production container registry.
     #
@@ -19,6 +20,10 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
     it 'uses the production repository' do
       expect( contents.include?(production_registry) ).to be true
     end
+
+    it 'doesn\'t use the staging repository' do
+      expect( contents.include?(staging_registry) ).to be false
+    end
   end
 
   describe 'the created pipeline' do
@@ -55,12 +60,12 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
       end
 
       context 'by default' do
-        it 'includes no jobs' do
+        it 'includes no job' do
           expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
         end
       end
 
-      context 'when FUZZAPI_HAR is present' do
+      context 'when configured with HAR' do
         before do
           create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
           create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
@@ -71,9 +76,9 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
         end
       end
 
-      context 'when FUZZAPI_OPENAPI is present' do
+      context 'when configured with OpenAPI' do
         before do
-          create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'openapi.json')
+          create(:ci_variable, project: project, key: 'FUZZAPI_OPENAPI', value: 'testing.json')
           create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
         end
 
@@ -81,13 +86,38 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
           expect(build_names).to match_array(%w[apifuzzer_fuzz])
         end
       end
+
+      context 'when FUZZAPI_D_TARGET_IMAGE is present' do
+        before do
+          create(:ci_variable, project: project, key: 'FUZZAPI_D_TARGET_IMAGE', value: 'imagename:latest')
+          create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+          create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+        end
+
+        it 'includes dnd job' do
+          expect(build_names).to match_array(%w[apifuzzer_fuzz_dnd])
+        end
+      end
     end
 
     context 'when API_FUZZING_DISABLED=1' do
       before do
+        create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
         create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
         create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+      end
+
+      it 'includes no jobs' do
+        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+      end
+    end
+
+    context 'when API_FUZZING_DISABLED=1 with DnD' do
+      before do
         create(:ci_variable, project: project, key: 'API_FUZZING_DISABLED', value: '1')
+        create(:ci_variable, project: project, key: 'FUZZAPI_D_TARGET_IMAGE', value: 'imagename:latest')
+        create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+        create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
       end
 
       it 'includes no jobs' do

lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml

+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
+
+# Configure the scanning tool through the environment variables.
+# List of the variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-variables
+# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
+
 stages:
     - build
     - test
@@ -7,7 +13,7 @@ stages:
 variables:
     FUZZAPI_PROFILE: Quick
     FUZZAPI_VERSION: latest
-    FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml"
+    FUZZAPI_CONFIG: .gitlab-api-fuzzing.yml
     FUZZAPI_TIMEOUT: 30
     FUZZAPI_REPORT: gl-api-fuzzing-report.xml
     #
@@ -17,8 +23,52 @@ variables:
     # available (non 500 response to HTTP(s))
     FUZZAPI_SERVICE_START_TIMEOUT: "300"
     #
+    FUZZAPI_IMAGE: registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine
+    #
 
 apifuzzer_fuzz:
+    stage: fuzz
+    image:
+        name: $FUZZAPI_IMAGE
+        entrypoint: ["/bin/bash", "-l", "-c"]
+    variables:
+        FUZZAPI_PROJECT: $CI_PROJECT_PATH
+        FUZZAPI_API: http://apifuzzer:80
+        TZ: America/Los_Angeles
+    services:
+        - name: $FUZZAPI_IMAGE
+          alias: apifuzzer
+          entrypoint: ["dotnet", "/peach/Peach.Web.dll"]
+    allow_failure: true
+    rules:
+        - if: $FUZZAPI_D_TARGET_IMAGE
+          when: never
+        - if: $FUZZAPI_D_WORKER_IMAGE
+          when: never
+        - if: $API_FUZZING_DISABLED
+          when: never
+        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
+                $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+          when: never
+        - if: $FUZZAPI_HAR == null && $FUZZAPI_OPENAPI == null
+          when: never
+        - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
+    script:
+        #
+        # Run user provided pre-script
+        - sh -c "$FUZZAPI_PRE_SCRIPT"
+        #
+        # Start scanning
+        - worker-entry
+        #
+        # Run user provided post-script
+        - sh -c "$FUZZAPI_POST_SCRIPT"
+        #
+    artifacts:
+        reports:
+            junit: $FUZZAPI_REPORT
+
+apifuzzer_fuzz_dnd:
     stage: fuzz
     image: docker:19.03.12
     variables:
@@ -28,19 +78,20 @@ apifuzzer_fuzz:
         FUZZAPI_API: http://apifuzzer:80
     allow_failure: true
     rules:
+        - if: $FUZZAPI_D_TARGET_IMAGE == null && $FUZZAPI_D_WORKER_IMAGE == null
+          when: never
         - if: $API_FUZZING_DISABLED
           when: never
         - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
-              $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+                $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
           when: never
-        - if: $FUZZAPI_HAR == null &&
-              $FUZZAPI_OPENAPI == null &&
-              $FUZZAPI_D_WORKER_IMAGE == null
+        - if: $FUZZAPI_HAR == null && $FUZZAPI_OPENAPI == null
           when: never
         - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
     services:
         - docker:19.03.12-dind
     script:
+        #
         #
         - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
         #
@@ -56,30 +107,13 @@ apifuzzer_fuzz:
             --network $FUZZAPI_D_NETWORK \
             -e Proxy:Port=8000 \
             -e TZ=America/Los_Angeles \
-            -e FUZZAPI_API=http://127.0.0.1:80 \
-            -e FUZZAPI_PROJECT \
-            -e FUZZAPI_PROFILE \
-            -e FUZZAPI_CONFIG \
-            -e FUZZAPI_REPORT \
-            -e FUZZAPI_HAR \
-            -e FUZZAPI_OPENAPI \
-            -e FUZZAPI_TARGET_URL \
-            -e FUZZAPI_OVERRIDES_FILE \
-            -e FUZZAPI_OVERRIDES_ENV \
-            -e FUZZAPI_OVERRIDES_CMD \
-            -e FUZZAPI_OVERRIDES_INTERVAL \
-            -e FUZZAPI_TIMEOUT \
-            -e FUZZAPI_VERBOSE \
-            -e FUZZAPI_SERVICE_START_TIMEOUT \
-            -e FUZZAPI_HTTP_USERNAME \
-            -e FUZZAPI_HTTP_PASSWORD \
             -e GITLAB_FEATURES \
-            -v $CI_PROJECT_DIR:/app \
             -p 80:80 \
             -p 8000:8000 \
             -p 514:514 \
             --restart=no \
-            registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine
+            $FUZZAPI_IMAGE \
+            dotnet /peach/Peach.Web.dll
         #
         # Start target container
         - |
@@ -94,7 +128,7 @@ apifuzzer_fuzz:
                     $FUZZAPI_D_TARGET_IMAGE \
                 ; fi
         #
-        # Start worker container
+        # Start worker container if provided
         - |
             if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
                 echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \
@@ -104,9 +138,20 @@ apifuzzer_fuzz:
                     -e FUZZAPI_API=http://apifuzzer:80 \
                     -e FUZZAPI_PROJECT \
                     -e FUZZAPI_PROFILE \
-                    -e FUZZAPI_AUTOMATION_CMD \
                     -e FUZZAPI_CONFIG \
                     -e FUZZAPI_REPORT \
+                    -e FUZZAPI_HAR \
+                    -e FUZZAPI_OPENAPI \
+                    -e FUZZAPI_TARGET_URL \
+                    -e FUZZAPI_OVERRIDES_FILE \
+                    -e FUZZAPI_OVERRIDES_ENV \
+                    -e FUZZAPI_OVERRIDES_CMD \
+                    -e FUZZAPI_OVERRIDES_INTERVAL \
+                    -e FUZZAPI_TIMEOUT \
+                    -e FUZZAPI_VERBOSE \
+                    -e FUZZAPI_SERVICE_START_TIMEOUT \
+                    -e FUZZAPI_HTTP_USERNAME \
+                    -e FUZZAPI_HTTP_PASSWORD \
                     -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
                     $FUZZAPI_D_WORKER_ENV \
                     $FUZZAPI_D_WORKER_PORTS \
@@ -115,13 +160,43 @@ apifuzzer_fuzz:
                     $FUZZAPI_D_WORKER_IMAGE \
                 ; fi
         #
-        # Wait for testing to complete if api fuzzer is scanning
-        - if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi
+        # Start API Fuzzing provided worker if no other worker present
+        - |
+            if [ "$FUZZAPI_D_WORKER_IMAGE" == "" ]; then \
+                docker run \
+                    --name worker \
+                    --network $FUZZAPI_D_NETWORK \
+                    -e TZ=America/Los_Angeles \
+                    -e FUZZAPI_API=http://apifuzzer:80 \
+                    -e FUZZAPI_PROJECT \
+                    -e FUZZAPI_PROFILE \
+                    -e FUZZAPI_CONFIG \
+                    -e FUZZAPI_REPORT \
+                    -e FUZZAPI_HAR \
+                    -e FUZZAPI_OPENAPI \
+                    -e FUZZAPI_TARGET_URL \
+                    -e FUZZAPI_OVERRIDES_FILE \
+                    -e FUZZAPI_OVERRIDES_ENV \
+                    -e FUZZAPI_OVERRIDES_CMD \
+                    -e FUZZAPI_OVERRIDES_INTERVAL \
+                    -e FUZZAPI_TIMEOUT \
+                    -e FUZZAPI_VERBOSE \
+                    -e FUZZAPI_SERVICE_START_TIMEOUT \
+                    -e FUZZAPI_HTTP_USERNAME \
+                    -e FUZZAPI_HTTP_PASSWORD \
+                    -v $CI_PROJECT_DIR:/app \
+                    -p 81:80 \
+                    -p 8001:8000 \
+                    -p 515:514 \
+                    --restart=no \
+                    $FUZZAPI_IMAGE \
+                    worker-entry \
+                ; fi
         #
-        # Propagate exit code from api fuzzer (if any)
-        - if [[ $(docker inspect apifuzzer --format='{{.State.ExitCode}}') != "0" ]]; then echo "API Fuzzing exited with an error. Logs are available as job artifacts."; docker logs apifuzzer; exit 1; fi
+        # Propagate exit code from api fuzzing scanner (if any)
+        - if [[ $(docker inspect apifuzzer --format='{{.State.ExitCode}}') != "0" ]]; then echo "API Fuzzing scanner exited with an error. Logs are available as job artifacts."; exit 1; fi
         #
-        # Run user provided pre-script
+        # Run user provided post-script
         - sh -c "$FUZZAPI_POST_SCRIPT"
         #
     after_script:
@@ -129,13 +204,13 @@ apifuzzer_fuzz:
         # Shutdown all containers
         - echo "Stopping all containers"
         - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
-        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi
+        - docker stop worker
         - docker stop apifuzzer
         #
         # Save docker logs
         - docker logs apifuzzer &> gl-api_fuzzing-logs.log
         - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
-        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi
+        - docker logs worker &> gl-api_fuzzing-worker-logs.log
         #
     artifacts:
         when: always