Merge branch '10078-dependency-list-api-basic' into 'master'

Add basic dependencies endpoint See merge request gitlab-org/gitlab-ee!14612

Merge branch '10078-dependency-list-api-basic' into 'master'
Add basic dependencies endpoint See merge request gitlab-org/gitlab-ee!14612
f97ae34f · Mayra Cabrera · 875f6552 · a855ea95 · f97ae34f · f97ae34f
Commit f97ae34f authored Jul 15, 2019 by Mayra Cabrera
6 changed files
--- a/ee/changelogs/unreleased/10078-dependency-list-api-basic.yml
+++ b/ee/changelogs/unreleased/10078-dependency-list-api-basic.yml
+---
+title: Add dependency list public endpoint
+merge_request: 14612
+author:
+type: added
--- a/ee/lib/api/dependencies.rb
+++ b/ee/lib/api/dependencies.rb
+# frozen_string_literal: true
+
+module API
+  class Dependencies < Grape::API
+    helpers do
+      def dependencies_by(params)
+        pipeline = user_project.all_pipelines.latest_successful_for(user_project.default_branch)
+
+        return [] unless pipeline
+
+        ::Security::DependencyListService.new(pipeline: pipeline, params: params).execute
+      end
+    end
+
+    before do
+      authenticate!
+    end
+
+    params do
+      requires :id, type: String, desc: 'The ID of a project'
+    end
+
+    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      desc 'Get a list of project dependencies' do
+        success ::EE::API::Entities::Dependency
+      end
+
+      params do
+        optional :package_manager,
+                 type: Array[String],
+                 desc: "Returns dependencies belonging to specified package managers: #{::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES.join(', ')}.",
+                 values: ::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES
+      end
+
+      get ':id/dependencies' do
+        authorize! :read_dependencies, user_project
+
+        dependencies = dependencies_by(declared_params.merge(project: user_project))
+
+        present dependencies, with: ::EE::API::Entities::Dependency
+      end
+    end
+  end
+end
--- a/ee/lib/ee/api/endpoints.rb
+++ b/ee/lib/ee/api/endpoints.rb
@@ -32,6 +32,7 @@ module EE
        mount ::API::Vulnerabilities
        mount ::API::MergeRequestApprovals
        mount ::API::ProjectAliases
+        mount ::API::Dependencies

        version 'v3', using: :path do
          # Although the following endpoints are kept behind V3 namespace,

--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -706,6 +706,13 @@ module EE
      class ProjectAlias < Grape::Entity
        expose :id, :project_id, :name
      end
+
+      class Dependency < Grape::Entity
+        expose :name, :version, :package_manager, :dependency_file_path
+        expose :dependency_file_path do |dependency|
+          dependency[:location][:path]
+        end
+      end
    end
  end
 end
--- a/ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json
+++ b/ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json
+{
+  "type": "array",
+  "items": {
+    "type": "object",
+    "required": [
+      "name",
+      "version",
+      "package_manager",
+      "dependency_file_path"
+    ],
+    "properties": {
+      "name": {
+        "type": "string"
+      },
+      "package_manager": {
+        "type": "string"
+      },
+      "version": {
+        "type": "string"
+      },
+      "dependency_file_path": {
+        "type": "string"
+      }
+    }
+  }
+}
--- a/ee/spec/requests/api/dependencies_spec.rb
+++ b/ee/spec/requests/api/dependencies_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Dependencies do
+  set(:project) { create(:project, :public) }
+  set(:user) { create(:user) }
+
+  describe "GET /projects/:id/dependencies" do
+    let(:request) { get api("/projects/#{project.id}/dependencies", user), params: params }
+    let(:params) { {} }
+
+    before do
+      stub_licensed_features(dependency_list: true, security_dashboard: true)
+    end
+
+    context 'with an authorized user with proper permissions' do
+      before do
+        create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
+        request
+      end
+
+      it 'returns all dependencies' do
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('public_api/v4/dependencies', dir: 'ee')
+
+        expect(json_response.length).to eq(21)
+      end
+
+      context 'with filter options' do
+        let(:params) { { package_manager: 'yarn' } }
+
+        it 'returns yarn dependencies' do
+          expect(json_response.length).to eq(19)
+        end
+
+        context 'with wrong key' do
+          let(:params) { { package_manager: %w(nray yarn) } }
+
+          it 'returns error message' do
+            expect(json_response['error']).to eq('package_manager does not have a valid value')
+          end
+        end
+      end
+    end
+
+    context 'with authorized user without read permissions' do
+      let(:project) { create(:project, :private) }
+
+      before do
+        project.add_guest(user)
+        request
+      end
+
+      it 'responds with 403 Forbidden' do
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+
+    context 'with no project access' do
+      let(:project) { create(:project, :private) }
+
+      before do
+        request
+      end
+
+      it 'responds with 404 Not Found' do
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+end