Merge branch 'philipcunningham-fix-dast-site-token-generation-362992' into 'master'

Align DAST Site Token URL validation See merge request !88246

Merge branch 'philipcunningham-fix-dast-site-token-generation-362992' into 'master'
23bd9b37 · Alex Pooley · 166145bb · 40ae54ee · 23bd9b37 · 23bd9b37
Commit 23bd9b37 authored 2 years ago by Alex Pooley
--- a/ee/app/models/concerns/app_sec/dast/url_addressable.rb
+++ b/ee/app/models/concerns/app_sec/dast/url_addressable.rb
+# frozen_string_literal: true
+
+module AppSec
+  module Dast
+    module UrlAddressable
+      extend ::ActiveSupport::Concern
+
+      included do
+        validates :url, addressable_url: true
+      end
+    end
+  end
+end
--- a/ee/app/models/dast_site.rb
+++ b/ee/app/models/dast_site.rb
 # frozen_string_literal: true

 class DastSite < ApplicationRecord
+  include AppSec::Dast::UrlAddressable
+
  belongs_to :project
  belongs_to :dast_site_validation
  has_many :dast_site_profiles

  validates :url, length: { maximum: 255 }, uniqueness: { scope: :project_id }
-  validates :url, addressable_url: true

  validates :project_id, presence: true
  validate :dast_site_validation_project_id_fk

--- a/ee/app/models/dast_site_token.rb
+++ b/ee/app/models/dast_site_token.rb
 # frozen_string_literal: true

 class DastSiteToken < ApplicationRecord
+  include AppSec::Dast::UrlAddressable
+
  belongs_to :project

  validates :project_id, presence: true
  validates :token, length: { maximum: 255 }, presence: true, uniqueness: true
-  validates :url, length: { maximum: 255 }, presence: true, public_url: true, uniqueness: { scope: :project_id }
+  validates :url, length: { maximum: 255 }, uniqueness: { scope: :project_id }, presence: true

  def dast_site
    @dast_site ||= DastSite.find_by(project_id: project.id, url: url)

--- a/ee/spec/models/dast_site_spec.rb
+++ b/ee/spec/models/dast_site_spec.rb
@@ -19,6 +19,8 @@
    it { is_expected.to validate_uniqueness_of(:url).scoped_to(:project_id) }
    it { is_expected.to validate_presence_of(:project_id) }

+    it_behaves_like 'dast url addressable'
+
    context 'when the project_id and dast_site_token.project_id do not match' do
      let(:project) { create(:project) }
      let(:dast_site_validation) { create(:dast_site_validation) }
@@ -32,17 +34,6 @@
        end
      end
    end
-
-    context 'when the url is not public' do
-      let_it_be(:message) { 'Url is blocked: Requests to localhost are not allowed' }
-
-      subject { build(:dast_site, project: project, url: 'http://127.0.0.1') }
-
-      it 'is is valid', :aggregate_failures do
-        expect(subject).to be_valid
-        expect(subject.errors.full_messages).not_to include(message)
-      end
-    end
  end

  describe 'callbacks' do

--- a/ee/spec/models/dast_site_token_spec.rb
+++ b/ee/spec/models/dast_site_token_spec.rb
@@ -19,16 +19,7 @@
    it { is_expected.to validate_uniqueness_of(:token) }
    it { is_expected.to validate_uniqueness_of(:url).scoped_to(:project_id) }

-    context 'when the url is not public' do
-      subject { build(:dast_site_token, url: 'http://127.0.0.1') }
-
-      it 'is not valid' do
-        aggregate_failures do
-          expect(subject.valid?).to eq(false)
-          expect(subject.errors.full_messages).to include('Url is blocked: Requests to localhost are not allowed')
-        end
-      end
-    end
+    it_behaves_like 'dast url addressable'
  end

  describe '#dast_site' do

--- a/ee/spec/support/shared_examples/models/concerns/app_sec/dast/url_addressable_shared_examples.rb
+++ b/ee/spec/support/shared_examples/models/concerns/app_sec/dast/url_addressable_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'dast url addressable' do
+  it 'includes UrlAddressable' do
+    expect(described_class).to include(AppSec::Dast::UrlAddressable)
+  end
+
+  context 'when the url is not public' do
+    before do
+      subject.url = 'http://127.0.0.1'
+    end
+
+    it 'is valid', :aggregate_failures do
+      expect(subject).to be_valid
+    end
+  end
+end