Skip to content

G
gitlab-ce
Commit f51afbf1 authored by Avielle Wolfe's avatar Avielle Wolfe Committed by Avielle Wolfe
Browse files
Options

Move group specific tests back to group spec 

Access to these endpoints is controlled by the
Group::Security::ApplicationController, so these specs
shouldn't be shared.
parent 567bfb5e
Hide whitespace changes
Inline Side-by-side
Showing with 222 additions and 278 deletions
ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb
View file @ f51afbf1
......@@ -3,5 +3,50 @@
require 'spec_helper'
describe Groups::Security::VulnerabilitiesController do
let(:group) { create(:group) }
let(:user) { create(:user) }
it_behaves_like ::EE::VulnerabilitiesActions
before do
sign_in(user)
end
describe 'access for all actions' do
context 'when security dashboard feature is disabled' do
it 'returns 404' do
stub_licensed_features(security_dashboard: false)
get :index, params: { group_id: group }, format: :json
expect(response).to have_gitlab_http_status(404)
end
end
context 'when security dashboard feature is enabled' do
before do
stub_licensed_features(security_dashboard: true)
end
context 'when user has guest access' do
it 'denies access' do
group.add_guest(user)
get :index, params: { group_id: group }, format: :json
expect(response).to have_gitlab_http_status(403)
end
end
context 'when user has developer access' do
it 'grants access' do
group.add_developer(user)
get :index, params: { group_id: group }, format: :json
expect(response).to have_gitlab_http_status(200)
end
end
end
end
end
ee/spec/support/shared_examples/controllers/concerns/ee/vulnerabilities_actions_shared_examples.rb
View file @ f51afbf1
......@@ -14,357 +14,256 @@ shared_examples ::EE::VulnerabilitiesActions do
let(:projects) { [project_dev, project_guest, project_other] }
before do
group.add_developer(user)
sign_in(user)
stub_licensed_features(security_dashboard: true)
end
describe 'GET index.json' do
subject { get :index, params: { group_id: group }, format: :json }
context 'when security dashboard feature is disabled' do
context 'when no page request' do
before do
stub_licensed_features(security_dashboard: false)
projects.each do |project|
create_vulnerabilities(1, project)
end
end
it 'returns 404' do
it 'returns a list of vulnerabilities' do
subject
expect(response).to have_gitlab_http_status(404)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 2
expect(response).to match_response_schema('vulnerabilities/occurrence_list', dir: 'ee')
end
end
context 'when security dashboard feature is enabled' do
context 'when page requested' do
before do
stub_licensed_features(security_dashboard: true)
end
context 'when user has guest access' do
before do
group.add_guest(user)
end
it 'returns 403' do
subject
expect(response).to have_gitlab_http_status(403)
projects.each do |project|
create_vulnerabilities(11, project)
end
end
context 'when user has developer access' do
before do
group.add_developer(user)
end
context 'when no page request' do
before do
projects.each do |project|
create_vulnerabilities(1, project)
end
end
it "returns a list of vulnerabilities" do
subject
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 2
expect(response).to match_response_schema('vulnerabilities/occurrence_list', dir: 'ee')
end
end
context 'when page requested' do
before do
projects.each do |project|
create_vulnerabilities(11, project)
end
end
it "returns a list of vulnerabilities" do
get :index, params: { group_id: group, page: 2 }, format: :json
it 'returns a list of vulnerabilities for the requested page' do
get :index, params: { group_id: group, page: 2 }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 2
end
end
context 'with vulnerability feedback' do
it "avoids N+1 queries", :with_request_store do
create_vulnerabilities(2, project_dev, with_feedback: true)
control_count = ActiveRecord::QueryRecorder.new { get_index }
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 2
end
end
create_vulnerabilities(2, project_guest, with_feedback: true)
context 'with vulnerability feedback' do
it "avoids N+1 queries", :with_request_store do
create_vulnerabilities(2, project_dev, with_feedback: true)
expect { get_index }.not_to exceed_all_query_limit(control_count)
end
control_count = ActiveRecord::QueryRecorder.new { get_index }
private
create_vulnerabilities(2, project_guest, with_feedback: true)
def get_index
get :index, params: { group_id: group }, format: :json
end
end
expect { get_index }.not_to exceed_all_query_limit(control_count)
end
context 'with multiple report types' do
before do
projects.each do |project|
create_vulnerabilities(2, project_guest, { report_type: :sast })
create_vulnerabilities(1, project_dev, { report_type: :dependency_scanning })
end
end
it "returns a list of vulnerabilities for all report types without filter" do
subject
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 3
expect(json_response.map { |v| v['report_type'] }.uniq).to contain_exactly('sast', 'dependency_scanning')
expect(response).to match_response_schema('vulnerabilities/occurrence_list', dir: 'ee')
end
it "returns a list of vulnerabilities for sast only if filter is enabled" do
get :index, params: { group_id: group, report_type: ['sast'] }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 2
expect(json_response.map { |v| v['report_type'] }.uniq).to contain_exactly('sast')
expect(response).to match_response_schema('vulnerabilities/occurrence_list', dir: 'ee')
end
it "returns a list of vulnerabilities of all types with multi filter" do
get :index, params: { group_id: group, report_type: %w[sast dependency_scanning] }, format: :json
expect(json_response.length).to eq 3
expect(json_response.map { |v| v['report_type'] }.uniq).to contain_exactly('sast', 'dependency_scanning')
end
end
private
def create_vulnerabilities(count, project, options = {})
report_type = options[:report_type] || :sast
pipeline = create(:ci_pipeline, :success, project: project)
vulnerabilities = create_list(:vulnerabilities_occurrence, count, report_type: report_type, pipelines: [pipeline], project: project)
return vulnerabilities unless options[:with_feedback]
vulnerabilities.each do |occurrence|
create(:vulnerability_feedback, report_type, :dismissal,
pipeline: pipeline,
project: project_dev,
project_fingerprint: occurrence.project_fingerprint)
create(:vulnerability_feedback, report_type, :issue,
pipeline: pipeline,
issue: create(:issue, project: project),
project: project_dev,
project_fingerprint: occurrence.project_fingerprint)
end
end
def get_index
get :index, params: { group_id: group }, format: :json
end
end
end
describe 'GET summary.json' do
subject { get :summary, params: { group_id: group }, format: :json }
context 'when security dashboard feature is disabled' do
context 'with multiple report types' do
before do
stub_licensed_features(security_dashboard: false)
projects.each do |project|
create_vulnerabilities(2, project_guest, { report_type: :sast })
create_vulnerabilities(1, project_dev, { report_type: :dependency_scanning })
end
end
it 'returns 404' do
it "returns a list of vulnerabilities for all report types without filter" do
subject
expect(response).to have_gitlab_http_status(404)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 3
expect(json_response.map { |v| v['report_type'] }.uniq).to contain_exactly('sast', 'dependency_scanning')
expect(response).to match_response_schema('vulnerabilities/occurrence_list', dir: 'ee')
end
end
context 'when security dashboard feature is enabled' do
before do
stub_licensed_features(security_dashboard: true)
it "returns a list of vulnerabilities for sast only if filter is enabled" do
get :index, params: { group_id: group, report_type: ['sast'] }, format: :json
pipeline = create(:ci_pipeline, :success, project: project_dev)
create_list(:vulnerabilities_occurrence, 3,
pipelines: [pipeline], project: project_dev, report_type: :sast, severity: :high)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :dependency_scanning, severity: :low)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Array)
expect(json_response.length).to eq 2
expect(json_response.map { |v| v['report_type'] }.uniq).to contain_exactly('sast')
expect(response).to match_response_schema('vulnerabilities/occurrence_list', dir: 'ee')
end
create_list(:vulnerabilities_occurrence, 2,
pipelines: [pipeline], project: project_guest, report_type: :dependency_scanning, severity: :low)
it "returns a list of vulnerabilities of all types with multi filter" do
get :index, params: { group_id: group, report_type: %w[sast dependency_scanning] }, format: :json
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_guest, report_type: :dast, severity: :medium)
expect(json_response.length).to eq 3
expect(json_response.map { |v| v['report_type'] }.uniq).to contain_exactly('sast', 'dependency_scanning')
end
end
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_other, report_type: :dast, severity: :low)
def create_vulnerabilities(count, project, options = {})
report_type = options[:report_type] || :sast
pipeline = create(:ci_pipeline, :success, project: project)
vulnerabilities = create_list(:vulnerabilities_occurrence, count, report_type: report_type, pipelines: [pipeline], project: project)
return vulnerabilities unless options[:with_feedback]
vulnerabilities.each do |occurrence|
create(:vulnerability_feedback, report_type, :dismissal,
pipeline: pipeline,
project: project_dev,
project_fingerprint: occurrence.project_fingerprint)
create(:vulnerability_feedback, report_type, :issue,
pipeline: pipeline,
issue: create(:issue, project: project),
project: project_dev,
project_fingerprint: occurrence.project_fingerprint)
end
end
end
context 'when user has guest access' do
before do
group.add_guest(user)
end
describe 'GET summary.json' do
subject { get :summary, params: { group_id: group }, format: :json }
it 'returns 403' do
subject
before do
pipeline = create(:ci_pipeline, :success, project: project_dev)
expect(response).to have_gitlab_http_status(403)
end
end
create_list(:vulnerabilities_occurrence, 3,
pipelines: [pipeline], project: project_dev, report_type: :sast, severity: :high)
context 'when user has developer access' do
before do
group.add_developer(user)
end
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :dependency_scanning, severity: :low)
it 'returns vulnerabilities counts for all report types' do
subject
create_list(:vulnerabilities_occurrence, 2,
pipelines: [pipeline], project: project_guest, report_type: :dependency_scanning, severity: :low)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['high']).to eq(3)
expect(json_response['low']).to eq(4)
expect(json_response['medium']).to eq(1)
expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
end
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_guest, report_type: :dast, severity: :medium)
context 'with enabled filters' do
it 'returns counts for filtered vulnerabilities' do
get :summary, params: { group_id: group, report_type: %w[sast dast], severity: %[high low] }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['high']).to eq(3)
expect(json_response['low']).to eq(1)
expect(json_response['medium']).to eq(1)
expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
end
end
end
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_other, report_type: :dast, severity: :low)
end
end
describe 'GET history.json' do
subject { get :history, params: { group_id: group }, format: :json }
it 'returns vulnerabilities counts for all report types' do
subject
context 'when security dashboard feature is disabled' do
before do
stub_licensed_features(security_dashboard: false)
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['high']).to eq(3)
expect(json_response['low']).to eq(4)
expect(json_response['medium']).to eq(1)
expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
end
it 'returns 404' do
subject
context 'with enabled filters' do
it 'returns counts for filtered vulnerabilities' do
get :summary, params: { group_id: group, report_type: %w[sast dast], severity: %[high low] }, format: :json
expect(response).to have_gitlab_http_status(404)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['high']).to eq(3)
expect(json_response['low']).to eq(1)
expect(json_response['medium']).to eq(1)
expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
end
end
end
context 'when security dashboard feature is enabled' do
before do
stub_licensed_features(security_dashboard: true)
describe 'GET history.json' do
subject { get :history, params: { group_id: group }, format: :json }
travel_to(Time.zone.parse('2018-11-10')) do
pipeline_1 = create(:ci_pipeline, :success, project: project_dev)
pipeline_2 = create(:ci_pipeline, :success, project: project_dev)
before do
travel_to(Time.zone.parse('2018-11-10')) do
pipeline_1 = create(:ci_pipeline, :success, project: project_dev)
pipeline_2 = create(:ci_pipeline, :success, project: project_dev)
create_list(:vulnerabilities_occurrence, 2,
pipelines: [pipeline_1], project: project_dev, report_type: :sast, severity: :high)
create_list(:vulnerabilities_occurrence, 2,
pipelines: [pipeline_1], project: project_dev, report_type: :sast, severity: :high)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline_1], project: project_dev, report_type: :dependency_scanning, severity: :low)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline_1], project: project_dev, report_type: :dependency_scanning, severity: :low)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline_1, pipeline_2], project: project_dev, report_type: :sast, severity: :critical)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline_1, pipeline_2], project: project_dev, report_type: :sast, severity: :critical)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline_1, pipeline_2], project: project_dev, report_type: :dependency_scanning, severity: :low)
end
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline_1, pipeline_2], project: project_dev, report_type: :dependency_scanning, severity: :low)
end
travel_to(Time.zone.parse('2018-11-12')) do
pipeline = create(:ci_pipeline, :success, project: project_dev)
travel_to(Time.zone.parse('2018-11-12')) do
pipeline = create(:ci_pipeline, :success, project: project_dev)
create_list(:vulnerabilities_occurrence, 2,
pipelines: [pipeline], project: project_dev, report_type: :dependency_scanning, severity: :low)
create_list(:vulnerabilities_occurrence, 2,
pipelines: [pipeline], project: project_dev, report_type: :dependency_scanning, severity: :low)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :dast, severity: :medium)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :dast, severity: :medium)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :dast, severity: :low)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :dast, severity: :low)
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :container_scanning, severity: :high)
end
create_list(:vulnerabilities_occurrence, 1,
pipelines: [pipeline], project: project_dev, report_type: :container_scanning, severity: :high)
end
end
context 'when user has guest access' do
before do
group.add_guest(user)
end
it 'returns 403' do
subject
expect(response).to have_gitlab_http_status(403)
end
it 'returns vulnerability history within last 90 days' do
travel_to(Time.zone.parse('2019-02-10')) do
subject
end
context 'when user has developer access' do
before do
group.add_developer(user)
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
it 'returns vulnerability history within last 90 days' do
travel_to(Time.zone.parse('2019-02-10')) do
subject
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
it 'returns empty history if there are no vulnerabilities within last 90 days' do
travel_to(Time.zone.parse('2019-02-13')) do
subject
end
it 'returns empty history if there are no vulnerabilities within last 90 days' do
travel_to(Time.zone.parse('2019-02-13')) do
subject
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response).to eq({
"undefined" => {},
"info" => {},
"unknown" => {},
"low" => {},
"medium" => {},
"high" => {},
"critical" => {},
"total" => {}
})
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response).to eq({
"undefined" => {},
"info" => {},
"unknown" => {},
"low" => {},
"medium" => {},
"high" => {},
"critical" => {},
"total" => {}
})
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
it 'returns filtered history if filters are enabled' do
travel_to(Time.zone.parse('2019-02-10')) do
get :history, params: { group_id: group, report_type: %w[dependency_scanning sast dast container_scanning] }, format: :json
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
it 'returns filtered history if filters are enabled' do
travel_to(Time.zone.parse('2019-02-10')) do
get :history, params: { group_id: group, report_type: %w[dependency_scanning sast dast container_scanning] }, format: :json
end
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash)
expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7