From 1c88c9da7a4cc49f442cd8a333a07e5598fc2d79 Mon Sep 17 00:00:00 2001 From: Paul Gascou-Vaillancourt <pgascouvaillancourt@gitlab.com> Date: Tue, 26 Jan 2021 03:42:15 +0000 Subject: [PATCH] Create API fuzzing configuration page Adds the basic boilerplate for the new API fuzzing configuration page --- .../api_fuzzing_configuration_controller.rb | 17 +++++ .../security/configuration_controller.rb | 1 + ee/app/helpers/ee/projects_helper.rb | 2 + .../security/configuration_presenter.rb | 3 +- .../api_fuzzing_configuration/show.html.haml | 5 ++ .../api_fuzzing_configuration_ui.yml | 8 ++ ee/config/routes/project.rb | 1 + ...i_fuzzing_configuration_controller_spec.rb | 73 +++++++++++++++++++ ee/spec/helpers/projects_helper_spec.rb | 2 + .../security/configuration_presenter_spec.rb | 12 ++- locale/gitlab.pot | 3 + 11 files changed, 119 insertions(+), 8 deletions(-) create mode 100644 ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb create mode 100644 ee/app/views/projects/security/api_fuzzing_configuration/show.html.haml create mode 100644 ee/config/feature_flags/development/api_fuzzing_configuration_ui.yml create mode 100644 ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
diff --git a/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb b/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
new file mode 100644
index 0000000000000..e25c05bbdbab6
--- /dev/null
+++ b/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Projects
+ module Security
+ class ApiFuzzingConfigurationController < Projects::ApplicationController
+ include SecurityDashboardsPermissions
+
+ alias_method :vulnerable, :project
+
+ feature_category :fuzz_testing
+
+ def show
+ not_found unless Feature.enabled?(:api_fuzzing_configuration_ui, @project, default_enabled: :yaml)
+ end
+ end
+ end
+end
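Review bot: `alias_method :vulnerable, :project` is what lets the included `SecurityDashboardsPermissions` concern authorize this page, but nothing in the new file says so; a comment such as `# SecurityDashboardsPermissions authorizes against #vulnerable; for this project-level page that is the project itself` would stop a later reader from removing it as dead code. In `show`, `Feature.enabled?(:api_fuzzing_configuration_ui, @project, ...)` reads the ivar where the sibling `ConfigurationController` touched by this commit passes `project`; both presumably resolve to the same object, but using the `project` accessor keeps the two controllers consistent. The flag check runs only after whatever before_action the concern installs, so unauthorized users get their 403 regardless of flag state; if that ordering is intentional, a one-line comment above `not_found` would make it explicit.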
diff --git a/ee/app/controllers/projects/security/configuration_controller.rb b/ee/app/controllers/projects/security/configuration_controller.rb
index c0df5df217104..b916a3e50dea0 100644
--- a/ee/app/controllers/projects/security/configuration_controller.rb
+++ b/ee/app/controllers/projects/security/configuration_controller.rb
@@ -10,6 +10,7 @@ class ConfigurationController < Projects::ApplicationController
 before_action only: [:show] do
 push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
 push_frontend_feature_flag(:sast_configuration_ui, project, default_enabled: true)
+ push_frontend_feature_flag(:api_fuzzing_configuration_ui, project, default_enabled: :yaml)
 end
 before_action only: [:auto_fix] do
diff --git a/ee/app/helpers/ee/projects_helper.rb b/ee/app/helpers/ee/projects_helper.rb
index afed700131579..274f16523b927 100644
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -162,6 +162,7 @@ def sidebar_security_paths
 %w[
 projects/security/configuration#show
 projects/security/sast_configuration#show
+ projects/security/api_fuzzing_configuration#show
 projects/security/vulnerabilities#show
 projects/security/vulnerability_report#index
 projects/security/dashboard#index
@@ -200,6 +201,7 @@ def sidebar_security_configuration_paths
 %w[
 projects/security/configuration#show
 projects/security/sast_configuration#show
+ projects/security/api_fuzzing_configuration#show
 projects/security/dast_profiles#show
 projects/security/dast_site_profiles#new
 projects/security/dast_site_profiles#edit
diff --git a/ee/app/presenters/projects/security/configuration_presenter.rb b/ee/app/presenters/projects/security/configuration_presenter.rb
index eccd873e189fd..5b3c0c16785ac 100644
--- a/ee/app/presenters/projects/security/configuration_presenter.rb
+++ b/ee/app/presenters/projects/security/configuration_presenter.rb
@@ -183,7 +183,8 @@ def project_settings
 def configuration_path(type)
 {
 sast: project_security_configuration_sast_path(project),
- dast_profiles: project_security_configuration_dast_profiles_path(project)
+ dast_profiles: project_security_configuration_dast_profiles_path(project),
+ api_fuzzing: ::Feature.enabled?(:api_fuzzing_configuration_ui, project, default_enabled: :yaml) ? project_security_configuration_api_fuzzing_path(project) : nil
 }[type]
 end
 end
diff --git a/ee/app/views/projects/security/api_fuzzing_configuration/show.html.haml b/ee/app/views/projects/security/api_fuzzing_configuration/show.html.haml
new file mode 100644
index 0000000000000..a92c186168be2
--- /dev/null
+++ b/ee/app/views/projects/security/api_fuzzing_configuration/show.html.haml
@@ -0,0 +1,5 @@
+- add_to_breadcrumbs _("Security Configuration"), project_security_configuration_path(@project)
+- breadcrumb_title _("API Fuzzing Configuration")
+- page_title _("API Fuzzing Configuration")
+
+%h1= "API fuzzing configuration"
diff --git a/ee/config/feature_flags/development/api_fuzzing_configuration_ui.yml b/ee/config/feature_flags/development/api_fuzzing_configuration_ui.yml
new file mode 100644
index 0000000000000..ad15a26b93f3c
--- /dev/null
+++ b/ee/config/feature_flags/development/api_fuzzing_configuration_ui.yml
@@ -0,0 +1,8 @@
+---
+name: api_fuzzing_configuration_ui
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/51940
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/299234
+milestone: '13.9'
+type: development
+group: group::fuzz testing
+default_enabled: false
diff --git a/ee/config/routes/project.rb b/ee/config/routes/project.rb
index 4da2046b00824..9efc0d55f1d25 100644
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
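Review bot: The hash literal in `configuration_path` now evaluates all three route helpers and the `::Feature.enabled?` lookup on every call even though only the `type` entry is returned, and the new `api_fuzzing:` line packs a feature-flag check, a route helper and a ternary into one long line. A `case type` with one `when` per scanner evaluates only the path that was asked for and gives the flag check its own line, while still returning `nil` for unknown types. The spec-side helper of the same name rewritten in ee/spec/presenters/projects/security/configuration_presenter_spec.rb (a later hunk of this commit) returns the api_fuzzing path unconditionally, so unless an example elsewhere in that spec disables the flag, the `nil` branch added here appears to have no coverage.
```ruby
def configuration_path(type)
  case type
  when :sast
    project_security_configuration_sast_path(project)
  when :dast_profiles
    project_security_configuration_dast_profiles_path(project)
  when :api_fuzzing
    # nil while the flag is off; the controller answers 404 in that state
    project_security_configuration_api_fuzzing_path(project) if ::Feature.enabled?(:api_fuzzing_configuration_ui, project, default_enabled: :yaml)
  end
end
```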
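Review bot: The heading `%h1= "API fuzzing configuration"` in show.html.haml is a raw string while the breadcrumb and page title two lines above go through `_()`, so it will never be translated; since this commit also adds the `API Fuzzing Configuration` msgid to locale/gitlab.pot, reuse it with `%h1= _("API Fuzzing Configuration")`. If the heading is a placeholder to be replaced by a frontend mount point, a `-# TODO` comment saying so would make that intent visible to the next reader.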
@@ -67,6 +67,7 @@
 post :auto_fix, on: :collection
 resource :corpus_management, only: [:show], controller: :corpus_management
 resource :sast, only: [:show, :create], controller: :sast_configuration
+ resource :api_fuzzing, only: :show, controller: :api_fuzzing_configuration
 resource :dast_profiles, only: [:show] do
 resources :dast_site_profiles, only: [:new, :edit]
 resources :dast_scanner_profiles, only: [:new, :edit]
diff --git a/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb b/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
new file mode 100644
index 0000000000000..2ea82e028ff13
--- /dev/null
+++ b/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
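Review bot: The new `resource :api_fuzzing, only: :show, controller: :api_fuzzing_configuration` line passes a bare symbol to `only:` where the neighbouring `resource :corpus_management`, `resource :sast` and `resource :dast_profiles` lines all use arrays; writing it as `resource :api_fuzzing, only: [:show], controller: :api_fuzzing_configuration` keeps the block uniform. Routing behaviour is identical either way, so this is purely a consistency nit.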
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::Security::ApiFuzzingConfigurationController do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, namespace: group) }
+ let_it_be(:developer) { create(:user) }
+ let_it_be(:guest) { create(:user) }
+
+ before_all do
+ group.add_developer(developer)
+ group.add_guest(guest)
+ end
+
+ describe 'GET #show' do
+ subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
+
+ render_views
+
+ it_behaves_like SecurityDashboardsPermissions do
+ let(:vulnerable) { project }
+ let(:security_dashboard_action) { request }
+ end
+
+ context 'with authorized user' do
+ before do
+ stub_licensed_features(security_dashboard: true)
+
+ sign_in(developer)
+ end
+
+ it 'renders the show template' do
+ request
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template(:show)
+ end
+
+ it 'renders the side navigation with the correct submenu set as active' do
+ request
+
+ expect(response.body).to have_active_sub_navigation('Configuration')
+ end
+
+ context 'with feature flag disabled' do
+ before do
+ stub_feature_flags(api_fuzzing_configuration_ui: false)
+ end
+
+ it 'returns a 404 for an HTML request' do
+ request
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+
+ context 'with unauthorized user' do
+ before do
+ stub_licensed_features(security_dashboard: true)
+
+ sign_in(guest)
+ end
+
+ it 'returns a 403' do
+ request
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+ end
+end
diff --git a/ee/spec/helpers/projects_helper_spec.rb b/ee/spec/helpers/projects_helper_spec.rb
index 5fca91caf7e54..53771168ecc06 100644
--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
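Review bot: `stub_licensed_features(security_dashboard: true)` is repeated in both the 'with authorized user' and 'with unauthorized user' `before` blocks; hoisting it into one `before` under `describe 'GET #show'` and leaving only the `sign_in` call in each context removes the duplication (if the `SecurityDashboardsPermissions` shared examples need the licence left unset, scope the hoisted block to those two contexts instead). The flag-disabled example lives only under the developer context, which matches the controller — the 404 is reachable only after authorization — but the example name 'returns a 404 for an HTML request' implies a JSON counterpart that does not exist; either add that example or drop the qualifier.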
@@ -204,6 +204,7 @@
 %w[
 projects/security/configuration#show
 projects/security/sast_configuration#show
+ projects/security/api_fuzzing_configuration#show
 projects/security/vulnerabilities#show
 projects/security/vulnerability_report#index
 projects/security/dashboard#index
@@ -248,6 +249,7 @@
 %w[
 projects/security/configuration#show
 projects/security/sast_configuration#show
+ projects/security/api_fuzzing_configuration#show
 projects/security/dast_profiles#show
 projects/security/dast_site_profiles#new
 projects/security/dast_site_profiles#edit
diff --git a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
index 5d51976778dbe..2444b9a3cfab2 100644
--- a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
@@ -274,13 +274,11 @@ def security_scan(type, configured:, auto_dev_ops_enabled: false)
 end
 def configuration_path(type)
- if type === :dast_profiles
- project_security_configuration_dast_profiles_path(project)
- elsif type === :sast
- project_security_configuration_sast_path(project)
- else
- nil
- end
+ {
+ dast_profiles: project_security_configuration_dast_profiles_path(project),
+ sast: project_security_configuration_sast_path(project),
+ api_fuzzing: project_security_configuration_api_fuzzing_path(project)
+ }[type]
 end
 def scan_status(type, configured, auto_dev_ops_enabled)
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index fd23f9b9cfef9..3ed2267acaafb 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -1361,6 +1361,9 @@ msgstr ""
 msgid "API Fuzzing"
 msgstr ""
+msgid "API Fuzzing Configuration"
+msgstr ""
+
 msgid "API Help"
 msgstr ""
-- GitLab