1 files changed, 146 insertions, 0 deletions

diff --git a/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
new file mode 100644
index 00000000000..e87f0f28d01
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml
@@ -0,0 +1,146 @@
+stages:
+    - build
+    - test
+    - deploy
+    - fuzz
+
+variables:
+    FUZZAPI_PROFILE: Quick
+    FUZZAPI_VERSION: latest
+    FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml"
+    FUZZAPI_TIMEOUT: 30
+    FUZZAPI_REPORT: gl-api-fuzzing-report.xml
+    #
+    FUZZAPI_D_NETWORK: testing-net
+    #
+    # Wait up to 5 minutes for API Fuzzer and target url to become
+    # available (non 500 response to HTTP(s))
+    FUZZAPI_SERVICE_START_TIMEOUT: "300"
+    #
+
+apifuzzer_fuzz:
+    stage: fuzz
+    image: docker:19.03.12
+    variables:
+        DOCKER_DRIVER: overlay2
+        DOCKER_TLS_CERTDIR: ""
+        FUZZAPI_PROJECT: $CI_PROJECT_PATH
+        FUZZAPI_API: http://apifuzzer:80
+    allow_failure: true
+    rules:
+        - if: $API_FUZZING_DISABLED
+          when: never
+        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
+              $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
+          when: never
+        - if: $FUZZAPI_HAR == null &&
+              $FUZZAPI_OPENAPI == null &&
+              $FUZZAPI_D_WORKER_IMAGE == null
+          when: never
+        - if: $FUZZAPI_D_WORKER_IMAGE == null &&
+              $FUZZAPI_TARGET_URL == null
+          when: never
+        - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
+    services:
+        - docker:19.03.12-dind
+    script:
+        #
+        - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+        #
+        - docker network create --driver bridge $FUZZAPI_D_NETWORK
+        #
+        # Run user provided pre-script
+        - sh -c "$FUZZAPI_PRE_SCRIPT"
+        #
+        # Start peach testing engine container
+        - |
+            docker run -d \
+            --name apifuzzer \
+            --network $FUZZAPI_D_NETWORK \
+            -e Proxy:Port=8000 \
+            -e TZ=America/Los_Angeles \
+            -e FUZZAPI_API=http://127.0.0.1:80 \
+            -e FUZZAPI_PROJECT \
+            -e FUZZAPI_PROFILE \
+            -e FUZZAPI_CONFIG \
+            -e FUZZAPI_REPORT \
+            -e FUZZAPI_HAR \
+            -e FUZZAPI_OPENAPI \
+            -e FUZZAPI_TARGET_URL \
+            -e FUZZAPI_OVERRIDES_FILE \
+            -e FUZZAPI_OVERRIDES_ENV \
+            -e FUZZAPI_OVERRIDES_CMD \
+            -e FUZZAPI_OVERRIDES_INTERVAL \
+            -e FUZZAPI_TIMEOUT \
+            -e FUZZAPI_VERBOSE \
+            -e FUZZAPI_SERVICE_START_TIMEOUT \
+            -e GITLAB_FEATURES \
+            -v $CI_PROJECT_DIR:/app \
+            -p 80:80 \
+            -p 8000:8000 \
+            -p 514:514 \
+            --restart=no \
+            registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src:${FUZZAPI_VERSION}-engine
+        #
+        # Start target container
+        - |
+            if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \
+                docker run -d \
+                    --name target \
+                    --network $FUZZAPI_D_NETWORK \
+                    $FUZZAPI_D_TARGET_ENV \
+                    $FUZZAPI_D_TARGET_PORTS \
+                    $FUZZAPI_D_TARGET_VOLUME \
+                    --restart=no \
+                    $FUZZAPI_D_TARGET_IMAGE \
+                ; fi
+        #
+        # Start worker container
+        - |
+            if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
+                echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \
+                docker run \
+                    --name worker \
+                    --network $FUZZAPI_D_NETWORK \
+                    -e FUZZAPI_API=http://apifuzzer:80 \
+                    -e FUZZAPI_PROJECT \
+                    -e FUZZAPI_PROFILE \
+                    -e FUZZAPI_AUTOMATION_CMD \
+                    -e FUZZAPI_CONFIG \
+                    -e FUZZAPI_REPORT \
+                    -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
+                    $FUZZAPI_D_WORKER_ENV \
+                    $FUZZAPI_D_WORKER_PORTS \
+                    $FUZZAPI_D_WORKER_VOLUME \
+                    --restart=no \
+                    $FUZZAPI_D_WORKER_IMAGE \
+                ; fi
+        #
+        # Wait for testing to complete if api fuzzer is scanning
+        - if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi
+        #
+        # Run user provided pre-script
+        - sh -c "$FUZZAPI_POST_SCRIPT"
+        #
+    after_script:
+        #
+        # Shutdown all containers
+        - echo "Stopping all containers"
+        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
+        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi
+        - docker stop apifuzzer
+        #
+        # Save docker logs
+        - docker logs apifuzzer &> gl-api_fuzzing-logs.log
+        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
+        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi
+        #
+    artifacts:
+        when: always
+        paths:
+            - ./gl-api_fuzzing*.log
+            - ./gl-api_fuzzing*.zip
+        reports:
+            junit: $FUZZAPI_REPORT
+
+# end