Commit afbc66e3 authored by Marcos Rocha's avatar Marcos Rocha Committed by Bob Van Landuyt

Update scheduler owner when the owner is not valid

parent 179873ea
...@@ -51,6 +51,10 @@ class Dast::ProfileSchedule < ApplicationRecord ...@@ -51,6 +51,10 @@ class Dast::ProfileSchedule < ApplicationRecord
self.class.active_for_project(project_id) self.class.active_for_project(project_id)
end end
def owner_valid?
Ability.allowed?(owner, :create_on_demand_dast_scan, project)
end
private private
def deactivate! def deactivate!
......
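Review bot: `owner_valid?` is only as strong as its call sites — as far as this hunk shows it is evaluated when a profile is edited, so a schedule whose owner lost `:create_on_demand_dast_scan` in the meantime keeps running under the stale `user_id` until someone next updates the profile; the worker that fires the schedule (outside this commit) should make the same check before running a scan as `owner`. The method also deserves a comment, since the name reads like an ActiveRecord validation rather than an authorization check: `# True when the owner still holds the permission the scheduled scan executes under.` When the owner row has been deleted `owner` is nil and the call falls through to the anonymous policy, which I read as denying — a one-line model spec pinning that would keep the service's reassignment from silently depending on it. The enclosing class continues outside the hunk.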
...@@ -52,7 +52,9 @@ module AppSec ...@@ -52,7 +52,9 @@ module AppSec
def update_or_create_schedule! def update_or_create_schedule!
if schedule if schedule
schedule.update!(schedule_input_params) attributes = schedule_input_params
attributes = attributes.merge(user_id: current_user.id) unless schedule.owner_valid?
schedule.update!(attributes)
else else
::Dast::ProfileSchedule.new( ::Dast::ProfileSchedule.new(
dast_profile: dast_profile, dast_profile: dast_profile,
......
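Review bot: The reassignment on the `attributes.merge(user_id: current_user.id)` line silently changes the identity a scheduled scan executes as, and nothing in the hunk records the previous owner or the reason for the hand-over; the audit event exercised in the spec appears to cover the schedule update generically, so consider adding the old and new `user_id` to that audit payload or at least logging the transfer, with a why-comment on the line such as `# Re-home the schedule: the scan runs as its owner, who no longer holds the permission.` The branch also assumes `current_user` is itself allowed to own the schedule — the service presumably guards that earlier, outside the hunk, but if that guard ever moves this line would hand the schedule to an unauthorized user with no check, so a cheap local guard (`ServiceResponse.error` unless `Ability.allowed?(current_user, :create_on_demand_dast_scan, project)`) is worth considering. `update_or_create_schedule!` starts and ends outside the hunk.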
...@@ -9,6 +9,7 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -9,6 +9,7 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) } let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) } let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) }
let_it_be(:plan_limits) { create(:plan_limits, :default_plan) } let_it_be(:plan_limits) { create(:plan_limits, :default_plan) }
let_it_be(:scheduler_owner) { create(:user, name: 'Scheduler Owner') }
let(:default_params) do let(:default_params) do
{ {
...@@ -59,7 +60,7 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -59,7 +60,7 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
context 'when the user can run a DAST scan' do context 'when the user can run a DAST scan' do
before do before do
project.add_developer(user) project.add_users([user, scheduler_owner], :developer)
end end
it 'communicates success' do it 'communicates success' do
...@@ -127,24 +128,69 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do ...@@ -127,24 +128,69 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
end end
context 'when associated schedule is present' do context 'when associated schedule is present' do
before do let_it_be_with_reload(:dast_profile_schedule) { create(:dast_profile_schedule, project: project, dast_profile: dast_profile, owner: scheduler_owner) }
create(:dast_profile_schedule, dast_profile: dast_profile)
end
it 'updates the dast profile schedule' do it 'updates the dast profile schedule' do
updated_schedule = subject.payload[:dast_profile_schedule].reload subject
aggregate_failures do aggregate_failures do
expect(updated_schedule.active).to eq(params[:dast_profile_schedule][:active]) expect(dast_profile_schedule.active).to eq(params[:dast_profile_schedule][:active])
expect(updated_schedule.starts_at.to_i).to eq(params[:dast_profile_schedule][:starts_at].to_i) expect(dast_profile_schedule.starts_at.to_i).to eq(params[:dast_profile_schedule][:starts_at].to_i)
expect(updated_schedule.timezone).to eq(params[:dast_profile_schedule][:timezone]) expect(dast_profile_schedule.timezone).to eq(params[:dast_profile_schedule][:timezone])
expect(updated_schedule.cadence).to eq(params[:dast_profile_schedule][:cadence].stringify_keys) expect(dast_profile_schedule.cadence).to eq(params[:dast_profile_schedule][:cadence].stringify_keys)
end end
end end
it 'creates the audit event' do it 'creates the audit event' do
expect { subject }.to change { AuditEvent.where(target_id: dast_profile.dast_profile_schedule.id).count } expect { subject }.to change { AuditEvent.where(target_id: dast_profile.dast_profile_schedule.id).count }
end end
context 'when the owner is valid' do
it 'does not updates the schedule owner' do
subject
expect(dast_profile_schedule.user_id).to eq(scheduler_owner.id)
end
end
context 'when the owner was deleted' do
before do
scheduler_owner.destroy!
subject.payload[:dast_profile_schedule].reload
end
it 'updates the schedule owner' do
subject
expect(dast_profile_schedule.user_id).to eq(user.id)
end
end
context 'when the owner permission was downgraded' do
before do
project.add_guest(scheduler_owner)
end
it 'updates the schedule owner' do
subject
expect(dast_profile_schedule.user_id).to eq(user.id)
end
end
context 'when the owner was removed from the project' do
before do
stub_feature_flags(member_destroy_async_auth_refresh: false)
project.team.truncate
project.add_developer(user)
end
it 'updates the schedule owner' do
subject
expect(dast_profile_schedule.user_id).to eq(user.id)
end
end
end end
end end
......
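Review bot: In the 'when the owner was deleted' context the `before` block both destroys the owner and invokes `subject` (via `subject.payload[:dast_profile_schedule].reload`), so the `subject` call inside the example is a memoized no-op and the setup/exercise split is misleading; dropping that reload line keeps the three owner contexts symmetric. The assertions on `dast_profile_schedule.user_id` read the `let_it_be_with_reload` instance after the service wrote through whatever instance it loaded, so they rely on the association cache handing back the same object — `expect(dast_profile_schedule.reload.user_id).to eq(user.id)` makes the intent explicit. Coverage-wise deleted, downgraded and removed owners are exercised but a blocked or deactivated owner is not; since `Ability.allowed?` is the gate, a `scheduler_owner.block!` context (assuming the policy denies blocked users, as I expect) would close that gap cheaply.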