API fuzz - configuration screen with MR -implementation-issue

Problem

This is the first implementation issue for the design outlined #239065 (closed)

Solution

Solution

This process will generate an MR adding the following information to a user's gitlab-ci.yml.

include:
  - template: API-Fuzzing.gitlab-ci.yml

variables:
  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_HAR: test-api-recording.har
  FUZZAPI_OPENAPI: test-api-specification.json
  FUZZAPI_TARGET_URL: http://test-deployment/
  FUZZAPI_HTTP_USERNAME: testuser
  FUZZAPI_HTTP_PASSWORD: $TEST_API_PASSWORD

Either the FUZZAPI_HAR or the FUZZAPI_OPENAPI variable will be filled out.

Implementation Plan

  • Add Enable button to the configuration page frontend
  • Add form for user to input values for their MR
  • Generate MR with values from user

frontend

Issue Description
#299125 (closed) Create the new configuration page and link to it from the Security & Compliance > Configuration page.
#299126 (closed) Create the form.
#299127 (closed) Implement save.

API details

Configuration form page data

The configuration form page data will be fetched using HAML and GraphQL:

Links will be passed to the frontend via HAML:

Other data will be passed via GraphQL in the following format:

query {
  project(fullPath: "my-namespace/my-project") {
    fuzzingCiConfiguration {  # a new FuzzingCiConfiguration type
      scanModes  # array of all values for the FuzzingScanMode enum
      scanProfiles  # array of all values for the FuzzingScanProfileName enum
    }
  }
}

Once a scan profile has been chosen from the dropdown, its data can be fetched with:

query {
  project(fullPath: "my-namespace/my-project") {
    fuzzingScanProfile(name: !FuzzingScanProfileName) {
      name  # STRING
      description  # STRING
      snippet  # STRING (a string parseable into YAML)
    }
  }
}

FuzzingScanMode will be an enum with the values OPENAPI and HAR.
FuzzingScanProfileName will be an enum with the values QUICK, QUICK_10, MEDIUM_20, MEDIUM_50, and LONG_100.

Configuration MR mutation

The action for creating an MR with the fuzzing configuration changes will be implemented as a GraphQL mutation with the following structure:

mutation {
  configureFuzzing(configuration: FuzzingCiConfigurationInput) {
    status  # GraphQL::STRING
    successPath  # GraphQL::STRING
  }
}

Where FuzzingCiConfigurationInput has the structure:

{
  projectPath
  target  # GraphQL::String
  scanMode  # FuzzingScanMode
  apiSpecificationFile  # GraphQL::STRING
  authUsername  # GraphQL::STRING, optional
  authPassword  # GraphQL::STRING, optional
  scanProfile  # FuzzingScanProfile, optional
}

Technical Design Pattern

SAST has implemented a similar feature. The code pattern should be reused and abstracted as necessary. The UX is visible by going to Security & Compliance > Configuration > Static Application Security Testing (SAST) > Configure

Edited by Camellia X Yang