authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 18:44:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 18:44:42 +0300
commit4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch)
tree5423a1c7516cffe36384133ade12572cf709398d /spec/lib/security
parente570267f2f6b326480d284e0164a6464ba4081bc (diff)
Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42
Diffstat (limited to 'spec/lib/security')
-rw-r--r--spec/lib/security/ci_configuration/sast_build_action_spec.rb (renamed from spec/lib/security/ci_configuration/sast_build_actions_spec.rb)89
-rw-r--r--spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb159
2 files changed, 208 insertions, 40 deletions
diff --git a/spec/lib/security/ci_configuration/sast_build_actions_spec.rb b/spec/lib/security/ci_configuration/sast_build_action_spec.rb
index c8f9430eff9..6a1ea68fdd6 100644
--- a/spec/lib/security/ci_configuration/sast_build_actions_spec.rb
+++ b/spec/lib/security/ci_configuration/sast_build_action_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Security::CiConfiguration::SastBuildActions do
+RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:default_sast_values) do
{ 'global' =>
[
@@ -85,8 +85,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_two_includes)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_two_includes)
end
end
@@ -96,12 +96,12 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_two_includes)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_two_includes)
end
it 'reports defaults have been overwritten' do
- expect(result.first[:default_values_overwritten]).to eq(true)
+ expect(result[:default_values_overwritten]).to eq(true)
end
end
end
@@ -112,8 +112,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_all_params)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_all_params)
end
end
@@ -124,11 +124,11 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
end
it 'reports defaults have not been overwritten' do
- expect(result.first[:default_values_overwritten]).to eq(false)
+ expect(result[:default_values_overwritten]).to eq(false)
end
context 'analyzer section' do
@@ -137,7 +137,7 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params_with_analyzer_info, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
end
context 'analyzers are disabled' do
@@ -146,9 +146,9 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params_with_analyzer_info, gitlab_ci_content).generate }
it 'writes SAST_EXCLUDED_ANALYZERS' do
- stub_const('Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
+ stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
end
end
@@ -158,9 +158,9 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params_with_all_analyzers_enabled, gitlab_ci_content).generate }
it 'does not write SAST_DEFAULT_ANALYZERS or SAST_EXCLUDED_ANALYZERS' do
- stub_const('Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
+ stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
end
end
end
@@ -186,8 +186,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_updated_stage)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_updated_stage)
end
end
@@ -197,8 +197,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_variable_section_added)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_variable_section_added)
end
end
@@ -208,8 +208,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_sast_section_added)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_sast_section_added)
end
end
@@ -219,8 +219,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:action]).to eq('update')
- expect(result.first[:content]).to eq(sast_yaml_sast_variables_section_added)
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(sast_yaml_sast_variables_section_added)
end
end
@@ -289,7 +289,7 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_with_no_variables_set)
+ expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
end
end
@@ -297,7 +297,7 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
it 'generates the correct YML' do
- expect(result.first[:content]).to eq(sast_yaml_all_params)
+ expect(result[:content]).to eq(sast_yaml_all_params)
end
end
end
@@ -308,22 +308,22 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
before do
- allow_next_instance_of(described_class) do |sast_build_actions|
- allow(sast_build_actions).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
+ allow_next_instance_of(described_class) do |sast_build_action|
+ allow(sast_build_action).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
end
end
it 'generates the correct YML' do
- expect(result.first[:content]).to eq(auto_devops_with_custom_stage)
+ expect(result[:content]).to eq(auto_devops_with_custom_stage)
end
end
end
- describe 'Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS' do
- subject(:variable) {Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS}
+ describe 'Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS' do
+ subject(:variable) {Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS}
it 'is sorted alphabetically' do
- sorted_variable = Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS
+ sorted_variable = Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS
.split(',')
.map(&:strip)
.sort
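Review bot: `sorted_variable` in the 'is sorted alphabetically' example re-reads the constant that `subject(:variable)` already exposes, so the renamed constant path now appears three times in this describe block; `sorted_variable = variable.split(',').map(&:strip).sort` keeps a single reference and makes the example track the subject. The new `subject(:variable) {Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS}` line also lacks the spaces inside the braces that the other `subject(:result) { ... }` lines in this file use. The example's assertion lies outside the hunk.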
@@ -342,7 +342,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_with_no_variables_set_but_analyzers
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
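Review bot: The two-line customization header added to `sast_yaml_with_no_variables_set_but_analyzers` is repeated verbatim in the eight following hunks (`sast_yaml_with_no_variables_set`, `sast_yaml_all_params`, `auto_devops_with_custom_stage`, `sast_yaml_two_includes`, `sast_yaml_variable_section_added`, `sast_yaml_sast_section_added`, `sast_yaml_sast_variables_section_added`, `sast_yaml_updated_stage`), so the next change to a documentation link will again touch nine heredocs. A single helper that returns the five header comment lines, prepended to each fixture body, would keep the expected header in one place and make a drifted fixture visible as one diff instead of nine. Each of these heredoc helpers continues past its hunk.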
@@ -360,7 +361,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_with_no_variables_set
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -375,7 +377,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_all_params
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -396,7 +399,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def auto_devops_with_custom_stage
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -430,7 +434,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_two_includes
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -453,7 +458,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_variable_section_added
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -474,7 +480,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_sast_section_added
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -496,7 +503,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_sast_variables_section_added
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
@@ -518,7 +526,8 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
def sast_yaml_updated_stage
<<-CI_YML.strip_heredoc
# You can override the included template(s) by including variable overrides
- # See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
stages:
diff --git a/spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb b/spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb
new file mode 100644
index 00000000000..31854fcf3a7
--- /dev/null
+++ b/spec/lib/security/ci_configuration/secret_detection_build_action_spec.rb
@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Security::CiConfiguration::SecretDetectionBuildAction do
+ subject(:result) { described_class.new(auto_devops_enabled, gitlab_ci_content).generate }
+
+ let(:params) { {} }
+
+ context 'with existing .gitlab-ci.yml' do
+ let(:auto_devops_enabled) { false }
+
+ context 'secret_detection has not been included' do
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ stages:
+ - test
+ - security
+ variables:
+ RANDOM: make sure this persists
+ include:
+ - template: existing.yml
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ CI_YML
+ end
+
+ context 'template includes are an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test security),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => [{ "template" => "existing.yml" }] }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+
+ context 'template include is not an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test security),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => { "template" => "existing.yml" } }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+ end
+
+ context 'secret_detection has been included' do
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ stages:
+ - test
+ variables:
+ RANDOM: make sure this persists
+ include:
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ CI_YML
+ end
+
+ context 'secret_detection template include are an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => [{ "template" => "Security/Secret-Detection.gitlab-ci.yml" }] }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+
+ context 'secret_detection template include is not an array' do
+ let(:gitlab_ci_content) do
+ { "stages" => %w(test),
+ "variables" => { "RANDOM" => "make sure this persists" },
+ "include" => { "template" => "Security/Secret-Detection.gitlab-ci.yml" } }
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('update')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+ end
+ end
+
+ context 'with no .gitlab-ci.yml' do
+ let(:gitlab_ci_content) { nil }
+
+ context 'autodevops disabled' do
+ let(:auto_devops_enabled) { false }
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ include:
+ - template: Security/Secret-Detection.gitlab-ci.yml
+ CI_YML
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('create')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+
+ context 'with autodevops enabled' do
+ let(:auto_devops_enabled) { true }
+ let(:expected_yml) do
+ <<-CI_YML.strip_heredoc
+ # You can override the included template(s) by including variable overrides
+ # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+ # Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+ # Note that environment variables can be set in several places
+ # See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
+ include:
+ - template: Auto-DevOps.gitlab-ci.yml
+ CI_YML
+ end
+
+ before do
+ allow_next_instance_of(described_class) do |secret_detection_build_actions|
+ allow(secret_detection_build_actions).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
+ end
+ end
+
+ it 'generates the correct YML' do
+ expect(result[:action]).to eq('create')
+ expect(result[:content]).to eq(expected_yml)
+ end
+ end
+ end
+
+ # stubbing this method allows this spec file to use fast_spec_helper
+ def fast_auto_devops_stages
+ auto_devops_template = YAML.safe_load( File.read('lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml') )
+ auto_devops_template['stages']
+ end
+end
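Review bot: The comment above `fast_auto_devops_stages` says the stub lets this file use `fast_spec_helper`, but the file requires `spec_helper` on its third line, so either the comment is stale or the heavier helper is loaded unnecessarily; `# stubbing auto_devops_stages keeps each example from re-parsing the Auto-DevOps template` describes what the code visibly does. `let(:params) { {} }` is never referenced — the subject passes only `auto_devops_enabled` and `gitlab_ci_content` — and can be dropped. The block parameter `secret_detection_build_actions` in the autodevops `before` is plural while the same commit renames the SAST counterpart to the singular `sast_build_action`. The `include` fixtures cover an Array and a Hash; if the builder also accepts the string form of `include` that GitLab CI allows, that shape is untested here.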