Commit ba5ddcb8 authored by Aditya Tiwari's avatar Aditya Tiwari Committed by Bob Van Landuyt

Create a DAST Profile schedule for existing profile

parent 98a4386b
......@@ -9,7 +9,7 @@ module AppSec
params[:new_params].each do |property, new_value|
old_value = params[:old_params][property]
next if old_value == new_value
next if old_value.to_s == new_value.to_s
::Gitlab::Audit::Auditor.audit(
name: 'dast_profile_update',
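Review bot: The `to_s` comparison on the new `next if` line (assuming it is the added side) makes `nil` and `""`, or `false` and `"false"`, compare equal, so a property moving between such values emits no `dast_profile_update` audit event. If the intent is only to tolerate string-form submissions for non-string attributes, that deserves a comment so the audit gap is a known one, e.g. `# compare as strings: submitted params may carry string forms of non-string attributes; nil and "" count as unchanged`. The enclosing `each` block and its method begin before this hunk.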
......@@ -9,14 +9,13 @@ module AppSec
def execute
return unauthorized unless allowed?
return error('Profile parameter missing') unless dast_profile
return error('Dast Profile Schedule not found') if update_schedule? && !schedule
build_auditors!
ApplicationRecord.transaction do
dast_profile.update!(dast_profile_params)
update_schedule if update_schedule?
update_or_create_schedule! if schedule_input_params
end
execute_auditors!
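Review bot: `update_or_create_schedule! if schedule_input_params` guards on truthiness, whereas the removed `update_schedule?` used `.present?`; an empty hash is truthy in Ruby, so `{}` would now reach `update_or_create_schedule!` and attempt to create or update a `Dast::ProfileSchedule` with no attributes where it was previously a no-op. Unless `schedule_input_params` can never be empty — its definition is outside this hunk — keep the predicate: `update_or_create_schedule! if schedule_input_params.present?`. The `if schedule_input_params && schedule` guard added in `build_auditors!` further down this file uses the same truthiness check and should be kept consistent with whichever form is chosen. `execute` continues past the end of this hunk.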
......@@ -44,23 +43,31 @@ module AppSec
private
attr_reader :auditors
attr_reader :auditors, :create_schedule_audit
def allowed?
container.licensed_feature_available?(:security_on_demand_scans) &&
can?(current_user, :create_on_demand_dast_scan, container)
end
def update_schedule?
schedule_input_params.present?
end
def update_or_create_schedule!
if schedule
schedule.update!(schedule_input_params)
else
::Dast::ProfileSchedule.new(
dast_profile: dast_profile,
owner: current_user,
project: container
).tap do |dast_schedule|
dast_schedule.update!(schedule_input_params)
end
def update_schedule
schedule.update!(schedule_input_params)
@create_schedule_audit = true
end
end
def schedule
@schedule ||= dast_profile.dast_profile_schedule
dast_profile.dast_profile_schedule
end
def error(message, opts = {})
......@@ -98,7 +105,7 @@ module AppSec
})
]
if schedule_input_params
if schedule_input_params && schedule
@auditors <<
AppSec::Dast::ProfileSchedules::Audit::UpdateService.new(project: container, current_user: current_user, params: {
dast_profile_schedule: schedule,
......@@ -110,6 +117,16 @@ module AppSec
def execute_auditors!
auditors.map(&:execute)
if create_schedule_audit
::Gitlab::Audit::Auditor.audit(
name: 'dast_profile_schedule_create',
author: current_user,
scope: container,
target: schedule,
message: 'Added DAST profile schedule'
)
end
end
def create_scan(dast_profile)
......@@ -92,11 +92,36 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
end
context 'when associated schedule is not present' do
it 'communicates failure for dast_profile_schedule' do
before do
expect(dast_profile.dast_profile_schedule).to be nil
end
it 'creates a new schedule' do
aggregate_failures do
expect { subject }.to change { Dast::ProfileSchedule.count }.by(1)
end
end
it 'returns the success status' do
expect(subject.status).to eq(:success)
end
it 'audits the creation' do
schedule = subject.payload[:dast_profile_schedule]
audit_event = AuditEvent.find_by(target_id: schedule.id)
aggregate_failures do
expect(dast_profile.dast_profile_schedule).to be nil
expect(subject.status).to eq(:error)
expect(subject.message).to include('Dast Profile Schedule not found')
expect(audit_event.author).to eq(user)
expect(audit_event.entity).to eq(project)
expect(audit_event.target_id).to eq(dast_profile.dast_profile_schedule.id)
expect(audit_event.target_type).to eq('Dast::ProfileSchedule')
expect(audit_event.details).to eq({
author_name: user.name,
custom_message: 'Added DAST profile schedule',
target_id: schedule.id,
target_type: 'Dast::ProfileSchedule',
target_details: user.name
})
end
end
end
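Review bot: `aggregate_failures` wrapping a single expectation in `it 'creates a new schedule'` adds nothing; the example reads better as `it 'creates a new schedule' do` / `expect { subject }.to change { Dast::ProfileSchedule.count }.by(1)` / `end`. The `before` block checks a precondition with `expect`, which RSpec reports as a setup error rather than a failing example; if that guarantee matters, a dedicated example (or a `raise` with a message) makes the failure clearer. The surrounding `describe` block and its `let` definitions are outside this hunk.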