author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:44:42 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:44:42 +0300 |
commit | 4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch) | |
tree | 5423a1c7516cffe36384133ade12572cf709398d /spec/lib/security | |
parent | e570267f2f6b326480d284e0164a6464ba4081bc (diff) |
Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42
Diffstat (limited to 'spec/lib/security')
-rw-r--r-- | spec/lib/security/ci_configuration/sast_build_action_spec.rb (renamed from spec/lib/security/ci_configuration/sast_build_actions_spec.rb) | 89 | ||||
-rw-r--r-- | spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb | 159 |
2 files changed, 208 insertions, 40 deletions
diff --git a/spec/lib/security/ci_configuration/sast_build_actions_spec.rb b/spec/lib/security/ci_configuration/sast_build_action_spec.rb
index c8f9430eff9..6a1ea68fdd6 100644
--- a/spec/lib/security/ci_configuration/sast_build_actions_spec.rb
+++ b/spec/lib/security/ci_configuration/sast_build_action_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe Security::CiConfiguration::SastBuildActions do
+RSpec.describe Security::CiConfiguration::SastBuildAction do
 let(:default_sast_values) do
 { 'global' => [
@@ -85,8 +85,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_two_includes)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_two_includes)
 end
 end
@@ -96,12 +96,12 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_two_includes)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_two_includes)
 end
 it 'reports defaults have been overwritten' do
- expect(result.first[:default_values_overwritten]).to eq(true)
+ expect(result[:default_values_overwritten]).to eq(true)
 end
 end
 end
@@ -112,8 +112,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_all_params)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_all_params)
 end
 end
@@ -124,11 +124,11 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
 end
 it 'reports defaults have not been overwritten' do
- expect(result.first[:default_values_overwritten]).to eq(false)
+ expect(result[:default_values_overwritten]).to eq(false)
 end
 context 'analyzer section' do
@@ -137,7 +137,7 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params_with_analyzer_info, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
 end
 context 'analyzers are disabled' do
@@ -146,9 +146,9 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params_with_analyzer_info, gitlab_ci_content).generate }
 it 'writes SAST_EXCLUDED_ANALYZERS' do
- stub_const('Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
+ stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
 end
 end
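Review bot: The `stub_const` call at the end of this hunk (and the one in the @@ -158 hunk) spells out the full class path as a string literal, which is exactly the text this rename had to chase through the file; `stub_const("#{described_class}::SAST_DEFAULT_ANALYZERS", 'bandit, brakeman, flawfinder')` keeps the override tied to the class under test without repeating its name. The same applies to the `describe`/`subject(:variable)` pair in the @@ -308 hunk, where `subject(:variable) { described_class::SAST_DEFAULT_ANALYZERS }` would also fix the missing spaces inside the braces. Because `result` is a lazy subject, the stub is still installed before `generate` runs, so the ordering inside the example is sound. The enclosing `context` block starts outside this hunk.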
@@ -158,9 +158,9 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params_with_all_analyzers_enabled, gitlab_ci_content).generate }
 it 'does not write SAST_DEFAULT_ANALYZERS or SAST_EXCLUDED_ANALYZERS' do
- stub_const('Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
+ stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
 end
 end
 end
@@ -186,8 +186,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_updated_stage)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_updated_stage)
 end
 end
@@ -197,8 +197,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_variable_section_added)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_variable_section_added)
 end
 end
@@ -208,8 +208,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_sast_section_added)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_sast_section_added)
 end
 end
@@ -219,8 +219,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_sast_variables_section_added)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_sast_variables_section_added)
 end
 end
@@ -289,7 +289,7 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
 end
 end
@@ -297,7 +297,7 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_all_params)
+ expect(result[:content]).to eq(sast_yaml_all_params)
 end
 end
 end
@@ -308,22 +308,22 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 before do
- allow_next_instance_of(described_class) do |sast_build_actions|
- allow(sast_build_actions).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
+ allow_next_instance_of(described_class) do |sast_build_action|
+ allow(sast_build_action).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
 end
 end
 it 'generates the correct YML' do
- expect(result.first[:content]).to eq(auto_devops_with_custom_stage)
+ expect(result[:content]).to eq(auto_devops_with_custom_stage)
 end
 end
 end
- describe 'Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS' do
- subject(:variable) {Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS}
+ describe 'Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS' do
+ subject(:variable) {Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS}
 it 'is sorted alphabetically' do
- sorted_variable = Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS
+ sorted_variable = Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS
 .split(',')
 .map(&:strip)
 .sort
@@ -342,7 +342,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_with_no_variables_set_but_analyzers
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -360,7 +361,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_with_no_variables_set
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -375,7 +377,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_all_params
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -396,7 +399,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def auto_devops_with_custom_stage
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -430,7 +434,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_two_includes
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -453,7 +458,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_variable_section_added
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -474,7 +480,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_sast_section_added
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -496,7 +503,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_sast_variables_section_added
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
@@ -518,7 +526,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
 def sast_yaml_updated_stage
 <<-CI_YML.strip_heredoc
 # You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
 stages:
diff --git a/spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb b/spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb
new file mode 100644
index 00000000000..31854fcf3a7
--- /dev/null
+++ b/spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb
@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction do
+ subject(:result) { described_class.new(auto_devops_enabled, gitlab_ci_content).generate }
+
+ let(:params) { {} }
+
+ context 'with existing .gitlab-ci.yml' do
+ let(:auto_devops_enabled) { false }
+
+ context 'secret_detection has not been included' do
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ stages:
+ - test
+ - security
+ variables:
+ RANDOM: make sure this persists
+ include:
+ - template: existing.yml
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ CI_YML
+ end
+
+ context 'template includes are an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test security),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => [{ "template" => "existing.yml" }] }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+
+ context 'template include is not an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test security),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => { "template" => "existing.yml" } }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+ end
+
+ context 'secret_detection has been included' do
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ stages:
+ - test
+ variables:
+ RANDOM: make sure this persists
+ include:
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ CI_YML
+ end
+
+ context 'secret_detection template include are an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => [{ "template" => "Security/Secret-Detection.gitlab-ci.yml" }] }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+
+ context 'secret_detection template include is not an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => { "template" => "Security/Secret-Detection.gitlab-ci.yml" } }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+ end
+ end
+
+ context 'with no .gitlab-ci.yml' do
+ let(:gitlab_ci_content) { nil }
+
+ context 'autodevops disabled' do
+ let(:auto_devops_enabled) { false }
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ include:
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ CI_YML
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('create')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+
+ context 'with autodevops enabled' do
+ let(:auto_devops_enabled) { true }
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ include:
+ - template: Auto-DevOps.gitlab-ci.yml
+ CI_YML
+ end
+
+ before do
+ allow_next_instance_of(described_class) do |secret_detection_build_actions|
+ allow(secret_detection_build_actions).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
+ end
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('create')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+ end
+
+ # stubbing this method allows this spec file to use fast_spec_helper
+ def fast_auto_devops_stages
+ auto_devops_template = YAML.safe_load( File.read('lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml') )
+ auto_devops_template['stages']
+ end
+end |
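Review bot: `let(:params) { {} }` near the top of the new spec is never referenced — `described_class.new(auto_devops_enabled, gitlab_ci_content)` takes only two arguments — so it should be removed rather than left suggesting that a params hash is exercised somewhere. The block parameter in the `before` of the 'with autodevops enabled' context is the plural `secret_detection_build_actions`, while the sibling SAST spec is renamed in this same commit to the singular `sast_build_action`; `|secret_detection_build_action|` keeps the two files consistent. `fast_auto_devops_stages` looks like a copy of a helper the SAST spec already calls (its definition is outside this diff); if that is the case, a shared spec support module would avoid maintaining it twice. The helper parses the checked-in template with `YAML.safe_load`, which is the right loader to keep even for trusted repository files.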