Add header validation to DastSiteValidationWorker

Add ability to validate a DastSiteValidation using a header.

Add header validation to DastSiteValidationWorker
Add ability to validate a DastSiteValidation using a header.
d172a2b7 · Philip Cunningham · 93758584 · d172a2b7 · d172a2b7 · d172a2b7
Commit d172a2b7 authored Oct 05, 2020 by Philip Cunningham
5 changed files
--- a/ee/app/models/dast_site_validation.rb
+++ b/ee/app/models/dast_site_validation.rb
 # frozen_string_literal: true

 class DastSiteValidation < ApplicationRecord
+  HEADER = 'Gitlab-On-Demand-DAST'.freeze
+
  belongs_to :dast_site_token
  has_many :dast_sites

@@ -13,7 +15,7 @@ class DastSiteValidation < ApplicationRecord

  before_create :set_normalized_url_base

-  enum validation_strategy: { text_file: 0 }
+  enum validation_strategy: { text_file: 0, header: 1 }

  delegate :project, to: :dast_site_token, allow_nil: true


--- a/ee/app/services/dast_site_validations/validate_service.rb
+++ b/ee/app/services/dast_site_validations/validate_service.rb
@@ -38,11 +38,20 @@ module DastSiteValidations
    end

    def token_found?(response)
-      response.body.include?(dast_site_validation.dast_site_token.token)
+      token = dast_site_validation.dast_site_token.token
+
+      case dast_site_validation.validation_strategy
+      when 'text_file'
+        response.body.include?(token)
+      when 'header'
+        response.headers[DastSiteValidation::HEADER] == token
+      else
+        false
+      end
    end

    def validate!(response)
-      raise TokenNotFound.new('Could not find token in response body') unless token_found?(response)
+      raise TokenNotFound.new('Could not find token') unless token_found?(response)

      dast_site_validation.pass
    end

--- a/ee/changelogs/unreleased/support-header-validation-for-on-demand-dast-260341.yml
+++ b/ee/changelogs/unreleased/support-header-validation-for-on-demand-dast-260341.yml
+---
+title: Add header validation to DastSiteValidationWorker
+merge_request: 44314
+author:
+type: added
--- a/ee/spec/models/dast_site_validation_spec.rb
+++ b/ee/spec/models/dast_site_validation_spec.rb
@@ -51,7 +51,7 @@ RSpec.describe DastSiteValidation, type: :model do

  describe 'enums' do
    let(:validation_strategies) do
-      { text_file: 0 }
+      { text_file: 0, header: 1 }
    end

    it { is_expected.to define_enum_for(:validation_strategy).with_values(validation_strategies) }

--- a/ee/spec/services/dast_site_validations/validate_service_spec.rb
+++ b/ee/spec/services/dast_site_validations/validate_service_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'

 RSpec.describe DastSiteValidations::ValidateService do
  let(:dast_site_validation) { create(:dast_site_validation) }
+  let(:token) { dast_site_validation.dast_site_token.token }

  subject do
    described_class.new(
@@ -35,11 +36,7 @@ RSpec.describe DastSiteValidations::ValidateService do
      before do
        stub_licensed_features(security_on_demand_scans: true)
        stub_feature_flags(security_on_demand_scans_site_validation: true)
-        stub_request(:get, dast_site_validation.validation_url).to_return(body: response_body)
-      end
-
-      let(:response_body) do
-        dast_site_validation.dast_site_token.token
+        stub_request(:get, dast_site_validation.validation_url).to_return(body: token)
      end

      it 'validates the url before making an http request' do
@@ -47,13 +44,26 @@ RSpec.describe DastSiteValidations::ValidateService do

        aggregate_failures do
          expect(Gitlab::UrlBlocker).to receive(:validate!).and_return([uri, nil])
-          expect(Gitlab::HTTP).to receive(:get).with(uri).and_return(double('response', body: dast_site_validation.dast_site_token.token))
+          expect(Gitlab::HTTP).to receive(:get).with(uri).and_return(double('response', body: token))
+        end
+
+        subject
      end

+      context 'when validation has already been attempted' do
+        let_it_be(:dast_site_validation) { create(:dast_site_validation, state: :failed) }
+
+        it 'marks the validation as a retry' do
+          freeze_time do
            subject
+
+            expect(dast_site_validation.reload.validation_last_retried_at).to eq(Time.now.utc)
+          end
+        end
      end

-      context 'when the request body contains the token' do
+      shared_examples 'a validation' do
+        context 'when the token is found' do
          it 'calls dast_site_validation#start' do
            expect(dast_site_validation).to receive(:start)

@@ -73,7 +83,9 @@ RSpec.describe DastSiteValidations::ValidateService do
          end

          context 'when validation has already started' do
-          let(:dast_site_validation) { create(:dast_site_validation, state: :inprogress) }
+            before do
+              dast_site_validation.update_column(:state, :inprogress)
+            end

            it 'does not call dast_site_validation#pass' do
              expect(dast_site_validation).not_to receive(:start)
@@ -83,7 +95,9 @@ RSpec.describe DastSiteValidations::ValidateService do
          end

          context 'when validation is already complete' do
-          let(:dast_site_validation) { create(:dast_site_validation, state: :passed) }
+            before do
+              dast_site_validation.update_column(:state, :passed)
+            end

            it 'does not re-validate' do
              expect(Gitlab::HTTP).not_to receive(:get)
@@ -93,8 +107,8 @@ RSpec.describe DastSiteValidations::ValidateService do
          end
        end

-      context 'when the request body does not contain the token' do
-        let(:response_body) do
+        context 'when the token is not found' do
+          let(:token) do
            SecureRandom.hex
          end

@@ -102,17 +116,28 @@ RSpec.describe DastSiteValidations::ValidateService do
            expect { subject }.to raise_error(DastSiteValidations::ValidateService::TokenNotFound)
          end
        end
+      end

-      context 'when validation has already been attempted' do
-        let_it_be(:dast_site_validation) { create(:dast_site_validation, state: :failed) }
+      context 'when validation_strategy=text_file' do
+        let(:dast_site_validation) { create(:dast_site_validation, validation_strategy: :text_file) }

-        it 'marks the validation as a retry' do
-          freeze_time do
-            subject
+        before do
+          stub_request(:get, dast_site_validation.validation_url).to_return(body: token)
+        end

-            expect(dast_site_validation.reload.validation_last_retried_at).to eq(Time.now.utc)
+        it_behaves_like 'a validation'
      end
+
+      context 'when validation_strategy=header' do
+        let(:dast_site_validation) { create(:dast_site_validation, validation_strategy: :header) }
+
+        before do
+          headers = { DastSiteValidation::HEADER => token }
+
+          stub_request(:get, dast_site_validation.validation_url).to_return(headers: headers)
        end
+
+        it_behaves_like 'a validation'
      end
    end
  end