Commit 913ca668 authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch '340534-add-schedule-on-update' into 'master'

Create a DAST Profile schedule for existing profile

See merge request gitlab-org/gitlab!70144
parents 0c859c53 ba5ddcb8
...@@ -9,7 +9,7 @@ module AppSec ...@@ -9,7 +9,7 @@ module AppSec
params[:new_params].each do |property, new_value| params[:new_params].each do |property, new_value|
old_value = params[:old_params][property] old_value = params[:old_params][property]
next if old_value == new_value next if old_value.to_s == new_value.to_s
::Gitlab::Audit::Auditor.audit( ::Gitlab::Audit::Auditor.audit(
name: 'dast_profile_update', name: 'dast_profile_update',
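Review bot: Comparing `old_value.to_s == new_value.to_s` on the `next if` line widens the set of changes that produce no audit event: a change from nil to `''`, or from `1` to `'1'`, now passes silently, while Hash-valued properties with symbol vs string keys still register as a change. If the intent is to tolerate the submitted value arriving as a string while the stored one is typed, normalise deliberately — cast `new_value` with the model's attribute type, or restrict the stringified comparison to known scalar fields — rather than flattening every type difference. At minimum add a comment such as `# incoming params are strings; compare stringified to avoid spurious audit events` so the nil/'' collapse reads as intended and not as an audit gap. The enclosing method starts before the hunk and the file header is not shown here.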
......
...@@ -9,14 +9,13 @@ module AppSec ...@@ -9,14 +9,13 @@ module AppSec
def execute def execute
return unauthorized unless allowed? return unauthorized unless allowed?
return error('Profile parameter missing') unless dast_profile return error('Profile parameter missing') unless dast_profile
return error('Dast Profile Schedule not found') if update_schedule? && !schedule
build_auditors! build_auditors!
ApplicationRecord.transaction do ApplicationRecord.transaction do
dast_profile.update!(dast_profile_params) dast_profile.update!(dast_profile_params)
update_schedule if update_schedule? update_or_create_schedule! if schedule_input_params
end end
execute_auditors! execute_auditors!
...@@ -44,23 +43,31 @@ module AppSec ...@@ -44,23 +43,31 @@ module AppSec
private private
attr_reader :auditors attr_reader :auditors, :create_schedule_audit
def allowed? def allowed?
container.licensed_feature_available?(:security_on_demand_scans) && container.licensed_feature_available?(:security_on_demand_scans) &&
can?(current_user, :create_on_demand_dast_scan, container) can?(current_user, :create_on_demand_dast_scan, container)
end end
def update_schedule? def update_or_create_schedule!
schedule_input_params.present? if schedule
schedule.update!(schedule_input_params)
else
::Dast::ProfileSchedule.new(
dast_profile: dast_profile,
owner: current_user,
project: container
).tap do |dast_schedule|
dast_schedule.update!(schedule_input_params)
end end
def update_schedule @create_schedule_audit = true
schedule.update!(schedule_input_params) end
end end
def schedule def schedule
@schedule ||= dast_profile.dast_profile_schedule dast_profile.dast_profile_schedule
end end
def error(message, opts = {}) def error(message, opts = {})
...@@ -98,7 +105,7 @@ module AppSec ...@@ -98,7 +105,7 @@ module AppSec
}) })
] ]
if schedule_input_params if schedule_input_params && schedule
@auditors << @auditors <<
AppSec::Dast::ProfileSchedules::Audit::UpdateService.new(project: container, current_user: current_user, params: { AppSec::Dast::ProfileSchedules::Audit::UpdateService.new(project: container, current_user: current_user, params: {
dast_profile_schedule: schedule, dast_profile_schedule: schedule,
...@@ -110,6 +117,16 @@ module AppSec ...@@ -110,6 +117,16 @@ module AppSec
def execute_auditors! def execute_auditors!
auditors.map(&:execute) auditors.map(&:execute)
if create_schedule_audit
::Gitlab::Audit::Auditor.audit(
name: 'dast_profile_schedule_create',
author: current_user,
scope: container,
target: schedule,
message: 'Added DAST profile schedule'
)
end
end end
def create_scan(dast_profile) def create_scan(dast_profile)
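Review bot: In `update_or_create_schedule!` the service-controlled attributes are set by `.new(...)` and `schedule_input_params` is applied afterwards via `update!`, so if that hash can carry `owner`, `project` or `dast_profile` keys (it is built outside this hunk, so I cannot tell), the caller's values would override `current_user` and `container`. Reversing the precedence removes the question regardless of how the params are filtered: `::Dast::ProfileSchedule.create!(schedule_input_params.merge(dast_profile: dast_profile, owner: current_user, project: container))`, with `@create_schedule_audit = true` kept after it. Separately, the creation audit's `target: schedule` now relies on `dast_profile.dast_profile_schedule` (no longer memoized) returning the record built during `execute`; that appears to work through the belongs_to inverse, but a comment on `schedule` such as `# not memoized: must reflect a schedule created during execute` would document why the `||=` was dropped.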
......
...@@ -92,11 +92,36 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -92,11 +92,36 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
end end
context 'when associated schedule is not present' do context 'when associated schedule is not present' do
it 'communicates failure for dast_profile_schedule' do before do
aggregate_failures do
expect(dast_profile.dast_profile_schedule).to be nil expect(dast_profile.dast_profile_schedule).to be nil
expect(subject.status).to eq(:error) end
expect(subject.message).to include('Dast Profile Schedule not found')
it 'creates a new schedule' do
aggregate_failures do
expect { subject }.to change { Dast::ProfileSchedule.count }.by(1)
end
end
it 'returns the success status' do
expect(subject.status).to eq(:success)
end
it 'audits the creation' do
schedule = subject.payload[:dast_profile_schedule]
audit_event = AuditEvent.find_by(target_id: schedule.id)
aggregate_failures do
expect(audit_event.author).to eq(user)
expect(audit_event.entity).to eq(project)
expect(audit_event.target_id).to eq(dast_profile.dast_profile_schedule.id)
expect(audit_event.target_type).to eq('Dast::ProfileSchedule')
expect(audit_event.details).to eq({
author_name: user.name,
custom_message: 'Added DAST profile schedule',
target_id: schedule.id,
target_type: 'Dast::ProfileSchedule',
target_details: user.name
})
end end
end end
end end
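Review bot: `it 'creates a new schedule'` only asserts that the count changed; none of the new examples checks that the created record is bound to the acting user and to the project the service authorised against, which is the security-relevant part of this change. Add an assertion on the payload the spec already reads at `subject.payload[:dast_profile_schedule]`, e.g. `expect(subject.payload[:dast_profile_schedule]).to have_attributes(owner: user, project: project, dast_profile: dast_profile)`. The `aggregate_failures` wrapper around a single `expect { subject }.to change` adds nothing and can be dropped.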
......