diff --git a/ee/app/models/dast_site_profile.rb b/ee/app/models/dast_site_profile.rb
index 57008aec8978b6067a076986d367886f0f1b2bce..506bb8488125b3f948c9ad5f6f1ad48bec5dc2af 100644
--- a/ee/app/models/dast_site_profile.rb
+++ b/ee/app/models/dast_site_profile.rb
@@ -32,10 +32,15 @@ class DastSiteProfile < ApplicationRecord
 
   enum target_type: { website: 0, api: 1 }
 
-  enum scan_method: { site: 0, openapi: 1, har: 2, postman: 3 }, _prefix: true
+  enum scan_method: { site: 0, openapi: 1, har: 2, postman: 3, graphql: 4 }, _prefix: true
 
   delegate :dast_site_validation, to: :dast_site, allow_nil: true
 
+  SCAN_METHOD_VARIABLE_MAP = { openapi: 'DAST_API_OPENAPI',
+                               har: 'DAST_API_HAR',
+                               postman: 'DAST_API_POSTMAN_COLLECTION',
+                               graphql: 'DAST_API_GRAPHQL' }.with_indifferent_access.freeze
+
   sanitizes! :name, :scan_file_path
 
   before_save :ensure_scan_method, :ensure_scan_file_path
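Review bot: `SCAN_METHOD_VARIABLE_MAP` has no comment saying that `site` is deliberately left out, so the constant alone does not tell a reader that only API scan methods map to a CI variable. It also has to be kept in step with the `scan_method` enum a few lines above: a method added to the enum but not to the map resolves to `nil` at the lookup in `dast_api_config`. I would add `# CI variable that carries the API specification for each API scan method; :site has none and is intentionally absent.` above the constant.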
@@ -178,13 +183,7 @@ def dast_api_config(url)
 
       dast_api_config.append(key: 'DAST_API_EXCLUDE_URLS', value: excluded_urls.join(',')) unless excluded_urls.empty?
 
-      if scan_method_openapi?
-        dast_api_config.append(key: 'DAST_API_OPENAPI', value: api_specification)
-      elsif scan_method_har?
-        dast_api_config.append(key: 'DAST_API_HAR', value: api_specification)
-      elsif scan_method_postman?
-        dast_api_config.append(key: 'DAST_API_POSTMAN_COLLECTION', value: api_specification)
-      end
+      dast_api_config.append(key: SCAN_METHOD_VARIABLE_MAP[scan_method], value: api_specification)
     end
   end
 
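Review bot: The append on the added line is unconditional, whereas the removed `if/elsif` chain appended nothing when the scan method was not openapi, har or postman. `SCAN_METHOD_VARIABLE_MAP` has no `site` entry, so for such a profile (or a nil `scan_method`) the lookup returns `nil` and a variable with `key: nil` is added to the scan configuration. Whether an API profile can reach this line in that state depends on `ensure_scan_method` and on the start of `dast_api_config`, both outside the hunk. If it can, the scan job receives a malformed variable and no specification instead of a clear failure. Either keep the old no-op with `variable = SCAN_METHOD_VARIABLE_MAP[scan_method]` and `dast_api_config.append(key: variable, value: api_specification) if variable`, or use `SCAN_METHOD_VARIABLE_MAP.fetch(scan_method)` so an unmapped method raises.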
diff --git a/ee/spec/models/dast_site_profile_spec.rb b/ee/spec/models/dast_site_profile_spec.rb
index c097cdfcd816cd6c8cd2800b5642ffa70ccaeddb..d718367cb669c8736b2b790510498c1ff6383d84 100644
--- a/ee/spec/models/dast_site_profile_spec.rb
+++ b/ee/spec/models/dast_site_profile_spec.rb
@@ -181,7 +181,7 @@
     end
 
     let(:scan_methods) do
-      { site: 0, openapi: 1, har: 2, postman: 3 }
+      { site: 0, openapi: 1, har: 2, postman: 3, graphql: 4 }
     end
 
     it { is_expected.to define_enum_for(:target_type).with_values(**target_types) }
@@ -369,7 +369,7 @@
           let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
           let(:scan_method) { :openapi }
 
-          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_HAR DAST_API_POSTMAN_COLLECTION] }
+          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_HAR DAST_API_POSTMAN_COLLECTION DAST_API_GRAPHQL] }
 
           let(:included) do
             [
@@ -401,7 +401,7 @@
           let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
           let(:scan_method) { :har }
 
-          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_POSTMAN_COLLECTION] }
+          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_POSTMAN_COLLECTION DAST_API_GRAPHQL] }
 
           let(:included) do
             [
@@ -433,7 +433,7 @@
           let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
           let(:scan_method) { :postman }
 
-          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_HAR] }
+          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_HAR DAST_API_GRAPHQL] }
 
           let(:included) do
             [
@@ -459,6 +459,38 @@
             it_behaves_like 'an api target'
           end
         end
+
+        context 'when scan_method is graphql' do
+          let(:targeting_api) { 'graphql' }
+          let(:scan_file_path) { "http://test-deployment/#{targeting_api}" }
+          let(:scan_method) { :graphql }
+
+          let(:excluded) { %w[DAST_WEBSITE DAST_EXCLUDE_URLS DAST_API_OPENAPI DAST_API_HAR DAST_API_POSTMAN_COLLECTION] }
+
+          let(:included) do
+            [
+              { key: 'DAST_API_GRAPHQL', value: scan_file_path, public: true },
+              { key: 'DAST_API_EXCLUDE_URLS', value: excluded_urls, public: true }
+            ]
+          end
+
+          it_behaves_like 'an api target'
+
+          it_behaves_like 'an api target when dast_api_scanner is disabled'
+
+          context 'when scan_file_path is blank' do
+            let(:scan_file_path) { nil }
+
+            let(:included) do
+              [
+                { key: 'DAST_API_GRAPHQL', value: subject.dast_site.url, public: true },
+                { key: 'DAST_API_EXCLUDE_URLS', value: excluded_urls, public: true }
+              ]
+            end
+
+            it_behaves_like 'an api target'
+          end
+        end
       end
 
       context 'when auth is disabled' do
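Review bot: The new `graphql` context covers only the mapped case. Nothing in the visible specs exercises an API target whose `scan_method` has no entry in `SCAN_METHOD_VARIABLE_MAP`, for example `:site`. Since the model now looks the variable name up instead of branching, a context asserting that no variable with a nil key is emitted would pin that behaviour, assuming such a record can be built past the `before_save` callbacks. The enclosing `describe` block starts and ends outside the hunk.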