
DAST Site profile - add support for Authentication, Request headers & Excluded Urls - Backend

Summary

This is the second backend iteration of the DAST site profile form MVC. A basic form should already exist at this point; this iteration adds the Authentication section and the Request headers field.

Flow

  • user creates a new dast_site_profile:
    • secret variables are base64 encoded and stored in an associated table, dast_site_profile_secret_variables
    • non-secret variables are stored on dast_site_profile

  • user updates a dast_site_profile:
    • DastSiteProfiles::CreateService updates:
      • dast_site_profile
      • the corresponding dast_site_profile_secret_variables

  • user deletes a dast_site_profile:
    • DastSiteProfiles::CreateService deletes:
      • dast_site_profile
      • the corresponding dast_site_profile_secret_variables

  • user runs a new on-demand DAST scan:
    • Contextable fetches the associated dast_site_profile_secret_variables

  • DAST runs the new scan:
    • decodes the base64 encoded fields

Implementation Plan

  1. define the explicit relationship between CI pipeline model and DAST profile model.
  2. allow users to register auth secrets in DAST site profile.
  3. inject the auth secrets into job variables.
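The flow and plan above, as an added Ruby sketch that is not code from the GitLab project: the Struct names, the variable key names (`DAST_PASSWORD_BASE64`, `DAST_REQUEST_HEADERS_BASE64`), the sample input and the split of which fields are secret are all assumptions made for the example. It shows the three stages the flow describes: base64-encoding secrets into the separate table at create time, a Contextable-style step that injects them into job variables as masked values, and the decode on the scanner side. Base64 is an encoding, not encryption, so the confidentiality of the stored value rests on the table's access controls and on the variables being masked in job logs.

```ruby
require 'base64'

# Constructed stand-in for a dast_site_profile row: non-secret fields only.
# Keeping the username here (and not the password) is an assumption.
DastSiteProfile = Struct.new(
  :profile_name, :target_url, :auth_enabled, :auth_url, :auth_username,
  :auth_username_field, :auth_password_field, :excluded_urls,
  keyword_init: true
)

# Constructed stand-in for a dast_site_profile_secret_variables row.
# The value is stored base64-encoded, as the flow above describes.
SecretVariable = Struct.new(:key, :encoded_value, keyword_init: true) do
  def self.from_plain(key, plain)
    new(key: key, encoded_value: Base64.strict_encode64(plain))
  end
end

# Constructed sample input shaped like the dastSiteProfileCreate arguments.
SAMPLE_INPUT = {
  profile_name: 'staging-login', target_url: 'https://example.test',
  auth_enabled: true, auth_url: 'https://example.test/login',
  auth_username_field: 'user', auth_password_field: 'pass',
  auth_username: 'scanner', auth_password: 's3cret-pass!',
  excluded_urls: 'https://example.test/logout',
  request_headers: 'X-Scan-Token: abc123'
}.freeze

# Hypothetical create step: split the input across the two tables.
# Which fields are secret is an assumption here: the password and the
# request headers (which may carry tokens) go to the secret table.
def create_site_profile(input)
  profile = DastSiteProfile.new(
    profile_name: input[:profile_name], target_url: input[:target_url],
    auth_enabled: input[:auth_enabled], auth_url: input[:auth_url],
    auth_username: input[:auth_username],
    auth_username_field: input[:auth_username_field],
    auth_password_field: input[:auth_password_field],
    excluded_urls: input[:excluded_urls]
  )
  secrets = []
  if input[:auth_enabled]
    # Key names are hypothetical placeholders, not the project's own.
    secrets << SecretVariable.from_plain('DAST_PASSWORD_BASE64', input[:auth_password])
  end
  if input[:request_headers]
    secrets << SecretVariable.from_plain('DAST_REQUEST_HEADERS_BASE64', input[:request_headers])
  end
  [profile, secrets]
end

# GitLab only masks a CI variable that is a single line of at least 8
# characters drawn from the Base64 alphabet plus @ : . ~, so a strict
# base64 string always satisfies the rule. Checked here before injection.
def maskable?(value)
  value.length >= 8 && value.match?(%r{\A[A-Za-z0-9+/=@:.~]+\z})
end

# Hypothetical Contextable-style step: assemble the job variables for a scan.
# Secret values stay base64-encoded and are marked masked so the runner
# redacts them from job logs; non-secret profile fields are passed as-is.
def job_variables(profile, secrets)
  vars = [
    { key: 'DAST_WEBSITE', value: profile.target_url, masked: false },
    { key: 'DAST_AUTH_URL', value: profile.auth_url.to_s, masked: false },
    { key: 'DAST_USERNAME', value: profile.auth_username.to_s, masked: false }
  ]
  secrets.each do |s|
    raise ArgumentError, "#{s.key} is not maskable" unless maskable?(s.encoded_value)
    vars << { key: s.key, value: s.encoded_value, masked: true }
  end
  vars
end

# Scanner side: the analyzer decodes the base64 field before using it.
# Returns nil when the variable was not injected.
def decode_secret(vars, key)
  var = vars.find { |v| v[:key] == key }
  var && Base64.strict_decode64(var[:value])
end

if __FILE__ == $PROGRAM_NAME
  profile, secrets = create_site_profile(SAMPLE_INPUT)
  vars = job_variables(profile, secrets)
  vars.each { |v| puts "#{v[:key]}=#{v[:masked] ? '[MASKED]' : v[:value]}" }
  puts decode_secret(vars, 'DAST_PASSWORD_BASE64') == SAMPLE_INPUT[:auth_password]
end
```

Running the file prints the job variables as a runner log would show them, with the two secret entries replaced by `[MASKED]`, and confirms the scanner-side decode recovers the original password.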

Contract

--- proposal_iteration1.graphl
+++ proposal_iteration2.graphl
@@ -2,12 +2,26 @@ mutation dastSiteProfileCreate(
   $fullPath: ID!
   $profileName: String!
   $targetUrl: String
+  $authEnabled: Boolean!
+  $authUsername: String
+  $authUrl: String
+  $authUsernameField: String
+  $authPasswordField: String
+  $authPassword: String
+  $excludedUrls: String
+  $requestHeaders: String
 ) {
   dastSiteProfileCreate(
     input: {
       fullPath: $fullPath
       profileName: $profileName
       targetUrl: $targetUrl
+      auth: {
+       enabled: $authEnabled
+        url: $authUrl
+        usernameField: $authUsernameField
+        passwordField: $authPasswordField
+        username: $authUsername
+        password: $authPassword
+      }
+      excludedUrls: $excludedUrls
+      requestHeaders: $requestHeaders
     }
   ) {
     id
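Review bot: in the `auth` input only `enabled` is required (`$authEnabled: Boolean!`), so a request with `enabled: true` and none of `url`, `usernameField`, `passwordField`, `username` or `password` is valid under this contract; state here, or enforce in the `auth` input type, that those five fields are validated server-side whenever `enabled` is true, since this mutation is what carries the `password` value. Two smaller points: `excludedUrls: String` and `requestHeaders: String` are single strings, so either document the delimiter format or change them to `[String!]`; and `enabled: $authEnabled` is indented one space less than its sibling fields. The file header also reads `proposal_iteration2.graphl` where `.graphql` is presumably meant.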
Edited by Philip Cunningham