Merge branch 'sk/337728-consume-security-policy-factory' into 'master'

Consume security policy yaml in specs from factory

See merge request gitlab-org/gitlab!69109

ee/spec/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb

@@ -10,22 +10,7 @@ RSpec.describe Mutations::SecurityPolicy::CommitScanExecutionPolicy do
     let_it_be(:policy_management_project) { create(:project, :repository, namespace: user.namespace) }
     let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
     let_it_be(:operation_mode) { Types::MutationOperationModeEnum.enum[:append] }
-    let_it_be(:policy_yaml) do
-      <<-EOS
-        name: Run DAST in every pipeline
-        type: scan_execution_policy
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-      EOS
-    end
+    let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
 
     subject { mutation.resolve(project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: operation_mode) }
 

ee/spec/graphql/resolvers/scan_execution_policy_resolver_spec.rb

@@ -11,17 +11,8 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
   let_it_be(:policy_last_updated_at) { Time.now }
   let_it_be(:user) { policy_management_project.owner }
 
-  let_it_be(:policy) do
-    {
-      name: 'Run DAST in every pipeline',
-      description: 'This policy enforces to run DAST for every pipeline within the project',
-      enabled: true,
-      rules: [{ type: 'pipeline', branches: %w[production] }],
-      actions: [
-        { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-      ]
-    }
-  end
+  let(:policy) { build(:scan_execution_policy, name: 'Run DAST in every pipeline') }
+  let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
 
   let(:repository) { instance_double(Repository, root_ref: 'master') }
 
@@ -33,7 +24,7 @@ RSpec.describe Resolvers::ScanExecutionPolicyResolver do
       commit.committed_date = policy_last_updated_at
       allow(policy_management_project).to receive(:repository).and_return(repository)
       allow(repository).to receive(:last_commit_for_path).and_return(commit)
-      allow(repository).to receive(:blob_data_at).and_return({ scan_execution_policy: [policy] }.to_yaml)
+      allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
     end
 
     context 'when feature is not licensed' do

ee/spec/graphql/types/dast_scanner_profile_type_spec.rb

@@ -73,43 +73,25 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
       let_it_be(:policies_project) { create(:project, :repository) }
       let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
 
-      let_it_be(:policy_yml) do
-        <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: #{dast_scanner_profile.name}
-          - scan: dast
-            site_profile: Site Profile 2
-            scanner_profile: Scanner Profile 2
-        - name: Run DAST in every pipeline 2
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 3
-            scanner_profile: Scanner Profile 3
-          - scan: dast
-            site_profile: Site Profile 4
-            scanner_profile: Scanner Profile 4
-        EOS
+      let(:policy1) do
+        build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: dast_scanner_profile.name },
+          { scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
+        ])
       end
 
+      let(:policy2) do
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
+          { scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
+        ])
+      end
+
+      let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
+
       before do
         create_list(:dast_scanner_profile, 30, project: project)
-        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
+        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
       end
 
       it 'only calls Gitaly twice when multiple profiles are present', :request_store do

ee/spec/graphql/types/dast_site_profile_type_spec.rb

@@ -138,43 +138,25 @@ RSpec.describe GitlabSchema.types['DastSiteProfile'] do
       let_it_be(:policies_project) { create(:project, :repository) }
       let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_project) }
 
-      let_it_be(:policy_yml) do
-        <<-EOS
-        scan_execution_policy:
-        - name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-          - scan: dast
-            site_profile: Site Profile 2
-            scanner_profile: Scanner Profile 2
-        - name: Run DAST in every pipeline 2
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "master"
-          actions:
-          - scan: dast
-            site_profile: Site Profile 3
-            scanner_profile: Scanner Profile 3
-          - scan: dast
-            site_profile: Site Profile 4
-            scanner_profile: Scanner Profile 4
-        EOS
+      let(:policy1) do
+        build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
+          { scan: 'dast', site_profile: 'Site Profile 2', scanner_profile: 'Scanner Profile 2' }
+        ])
       end
 
+      let(:policy2) do
+        build(:scan_execution_policy, name: 'Run DAST in every pipeline 2', rules: [{ type: 'pipeline', branches: %w[master] }], actions: [
+          { scan: 'dast', site_profile: 'Site Profile 3', scanner_profile: 'Scanner Profile 3' },
+          { scan: 'dast', site_profile: 'Site Profile 4', scanner_profile: 'Scanner Profile 4' }
+        ])
+      end
+
+      let(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy1, policy2]) }
+
       before do
         create_list(:dast_site_profile, 30, project: project)
-        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yml)
+        create_file_in_repo(policies_project, 'master', 'master', Security::OrchestrationPolicyConfiguration::POLICY_PATH, policy_yaml)
       end
 
       it 'only calls Gitaly twice when multiple profiles are present', :request_store do

ee/spec/lib/ee/gitlab/ci/config_spec.rb

@@ -45,30 +45,14 @@ RSpec.describe Gitlab::Ci::Config do
 
     let_it_be(:policies_repository) { create(:project, :repository) }
     let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
-
-    let_it_be(:policy_yml) do
-      <<-EOS
-      scan_execution_policy:
-       -  name: Run DAST in every pipeline
-          description: This policy enforces to run DAST for every pipeline within the project
-          enabled: true
-          rules:
-          - type: pipeline
-            branches:
-            - "production"
-          actions:
-          - scan: dast
-            site_profile: Site Profile
-            scanner_profile: Scanner Profile
-      EOS
-    end
+    let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [build(:scan_execution_policy)]) }
 
     subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }
 
     before do
       allow_next_instance_of(Repository) do |repository|
         # allow(repository).to receive(:ls_files).and_return(['.gitlab/security-policies/enforce-dast.yml'])
-        allow(repository).to receive(:blob_data_at).and_return(policy_yml)
+        allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
       end
     end
 

ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb

@@ -16,28 +16,18 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
 
   let_it_be(:policies_repository) { create(:project, :repository) }
   let_it_be(:security_orchestration_policy_configuration) { create(:security_orchestration_policy_configuration, project: project, security_policy_management_project: policies_repository) }
-
-  let_it_be(:policy_yml) do
-    <<-EOS
-    scan_execution_policy:
-      -  name: Run DAST in every pipeline
-         description: This policy enforces to run DAST for every pipeline within the project
-         enabled: true
-         rules:
-         - type: pipeline
-           branches:
-           - "production"
-         actions:
-         - scan: dast
-           site_profile: Site Profile
-           scanner_profile: Scanner Profile
-         - scan: secret_detection
-    EOS
+  let_it_be(:policy) do
+    build(:scan_execution_policy, actions: [
+    { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' },
+    { scan: 'secret_detection' }
+  ])
   end
 
+  let_it_be(:policy_yaml) { build(:scan_execution_policy_yaml, policies: [policy]) }
+
   before do
     allow_next_instance_of(Repository) do |repository|
-      allow(repository).to receive(:blob_data_at).and_return(policy_yml)
+      allow(repository).to receive(:blob_data_at).and_return(policy_yaml)
     end
   end
 
@@ -56,20 +46,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
   end
 
   shared_examples 'when policy is invalid' do
-    let_it_be(:policy_yml) do
-      <<-EOS
-      scan_execution_policy:
-        -  name: Run DAST in every pipeline
-           description: This policy enforces to run DAST for every pipeline within the project
-           enabled: true
-           rules:
-           - type: pipeline
-             branches: "production"
-           actions:
-           - scan: dast
-             site_profile: Site Profile
-             scanner_profile: Scanner Profile
-      EOS
+    let_it_be(:policy_yaml) do
+      build(:scan_execution_policy_yaml, policies:
+      [build(:scan_execution_policy, rules: [{ type: 'pipeline', branches: 'production' }])])
     end
 
     it 'does not modify the config', :aggregate_failures do

ee/spec/requests/api/graphql/mutations/security_policy/commit_scan_execution_policy_spec.rb

@@ -7,22 +7,7 @@ RSpec.describe 'Create scan execution policy for a project' do
 
   let_it_be(:current_user) { create(:user) }
   let_it_be(:project) { create(:project, :repository, namespace: current_user.namespace) }
-  let_it_be(:policy_yaml) do
-    <<-EOS
-        name: Run DAST in every pipeline
-        type: scan_execution_policy
-        description: This policy enforces to run DAST for every pipeline within the project
-        enabled: true
-        rules:
-        - type: pipeline
-          branches:
-          - "production"
-        actions:
-        - scan: dast
-          site_profile: Site Profile
-          scanner_profile: Scanner Profile
-    EOS
-  end
+  let_it_be(:policy_yaml) { build(:scan_execution_policy).merge(type: 'scan_execution_policy').to_yaml }
 
   def mutation
     variables = { project_path: project.full_path, policy_yaml: policy_yaml, operation_mode: 'APPEND' }

ee/spec/requests/projects/security/policies_controller_spec.rb

@@ -8,18 +8,7 @@ RSpec.describe Projects::Security::PoliciesController, type: :request do
   let_it_be(:project) { create(:project, :repository, namespace: owner.namespace) }
   let_it_be(:policy_management_project) { create(:project, :repository, namespace: owner.namespace) }
   let_it_be(:policy_configuration) { create(:security_orchestration_policy_configuration, security_policy_management_project: policy_management_project, project: project) }
-  let_it_be(:policy) do
-    {
-      name: 'Run DAST in every pipeline',
-      description: 'This policy enforces to run DAST for every pipeline within the project',
-      enabled: true,
-      rules: [{ type: 'pipeline', branches: %w[production] }],
-      actions: [
-        { scan: 'dast', site_profile: 'Site Profile', scanner_profile: 'Scanner Profile' }
-      ]
-    }
-  end
-
+  let_it_be(:policy) { build(:scan_execution_policy) }
   let_it_be(:type) { 'scan_execution_policy' }
   let_it_be(:index) { project_security_policies_url(project) }
   let_it_be(:edit) { edit_project_security_policy_url(project, id: policy[:name], type: type) }