Merge branch '340534-add-schedule-on-update' into 'master'

Create a DAST Profile schedule for existing profile See merge request gitlab-org/gitlab!70144

Merge branch '340534-add-schedule-on-update' into 'master'
Create a DAST Profile schedule for existing profile See merge request gitlab-org/gitlab!70144
913ca668 · Bob Van Landuyt · 0c859c53 · ba5ddcb8 · 913ca668 · 913ca668
Commit 913ca668 authored Sep 14, 2021 by Bob Van Landuyt
3 changed files
--- a/ee/app/services/app_sec/dast/profiles/audit/update_service.rb
+++ b/ee/app/services/app_sec/dast/profiles/audit/update_service.rb
@@ -9,7 +9,7 @@ module AppSec
            params[:new_params].each do |property, new_value|
              old_value = params[:old_params][property]

-              next if old_value == new_value
+              next if old_value.to_s == new_value.to_s

              ::Gitlab::Audit::Auditor.audit(
                name: 'dast_profile_update',

--- a/ee/app/services/app_sec/dast/profiles/update_service.rb
+++ b/ee/app/services/app_sec/dast/profiles/update_service.rb
@@ -9,14 +9,13 @@ module AppSec
        def execute
          return unauthorized unless allowed?
          return error('Profile parameter missing') unless dast_profile
-          return error('Dast Profile Schedule not found') if update_schedule? && !schedule

          build_auditors!

          ApplicationRecord.transaction do
            dast_profile.update!(dast_profile_params)

-            update_schedule if update_schedule?
+            update_or_create_schedule! if schedule_input_params
          end

          execute_auditors!
@@ -44,23 +43,31 @@ module AppSec

        private

-        attr_reader :auditors
+        attr_reader :auditors, :create_schedule_audit

        def allowed?
          container.licensed_feature_available?(:security_on_demand_scans) &&
            can?(current_user, :create_on_demand_dast_scan, container)
        end

-        def update_schedule?
-          schedule_input_params.present?
+        def update_or_create_schedule!
+          if schedule
+            schedule.update!(schedule_input_params)
+          else
+            ::Dast::ProfileSchedule.new(
+              dast_profile: dast_profile,
+              owner: current_user,
+              project: container
+            ).tap do |dast_schedule|
+              dast_schedule.update!(schedule_input_params)
            end

-        def update_schedule
-          schedule.update!(schedule_input_params)
+            @create_schedule_audit = true
+          end
        end

        def schedule
-          @schedule ||= dast_profile.dast_profile_schedule
+          dast_profile.dast_profile_schedule
        end

        def error(message, opts = {})
@@ -98,7 +105,7 @@ module AppSec
            })
          ]

-          if schedule_input_params
+          if schedule_input_params && schedule
            @auditors <<
              AppSec::Dast::ProfileSchedules::Audit::UpdateService.new(project: container, current_user: current_user, params: {
                dast_profile_schedule: schedule,
@@ -110,6 +117,16 @@ module AppSec

        def execute_auditors!
          auditors.map(&:execute)
+
+          if create_schedule_audit
+            ::Gitlab::Audit::Auditor.audit(
+              name: 'dast_profile_schedule_create',
+              author: current_user,
+              scope: container,
+              target: schedule,
+              message: 'Added DAST profile schedule'
+            )
+          end
        end

        def create_scan(dast_profile)

--- a/ee/spec/services/app_sec/dast/profiles/update_service_spec.rb
+++ b/ee/spec/services/app_sec/dast/profiles/update_service_spec.rb
@@ -92,11 +92,36 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
          end

          context 'when associated schedule is not present' do
-            it 'communicates failure for dast_profile_schedule' do
-              aggregate_failures do
+            before do
              expect(dast_profile.dast_profile_schedule).to be nil
-                expect(subject.status).to eq(:error)
-                expect(subject.message).to include('Dast Profile Schedule not found')
+            end
+
+            it 'creates a new schedule' do
+              aggregate_failures do
+                expect { subject }.to change { Dast::ProfileSchedule.count }.by(1)
+              end
+            end
+
+            it 'returns the success status' do
+              expect(subject.status).to eq(:success)
+            end
+
+            it 'audits the creation' do
+              schedule = subject.payload[:dast_profile_schedule]
+              audit_event = AuditEvent.find_by(target_id: schedule.id)
+
+              aggregate_failures do
+                expect(audit_event.author).to eq(user)
+                expect(audit_event.entity).to eq(project)
+                expect(audit_event.target_id).to eq(dast_profile.dast_profile_schedule.id)
+                expect(audit_event.target_type).to eq('Dast::ProfileSchedule')
+                expect(audit_event.details).to eq({
+                  author_name: user.name,
+                  custom_message: 'Added DAST profile schedule',
+                  target_id: schedule.id,
+                  target_type: 'Dast::ProfileSchedule',
+                  target_details: user.name
+                })
              end
            end
          end