API fuzz - configuration screen with MR - implementation issue
Problem
This is the first implementation issue for the design outlined in #239065 (closed).
Solution
- Figma file: https://www.figma.com/file/T3GLY9ygaPgywEuoIfOvvD/API-Fuzzing-Configuration?node-id=1%3A29
- Video walkthrough: https://youtu.be/ocDuphwBM6
Solution
- Figma file: https://www.figma.com/file/T3GLY9ygaPgywEuoIfOvvD/API-Fuzzing-Configuration?node-id=461%3A1
- Video walkthrough: https://www.loom.com/share/d857009ce5fc4bc5ab6a0a16dc875a6d
This process will generate an MR adding the following information to a user's `.gitlab-ci.yml`:

```yaml
include:
  - template: API-Fuzzing.gitlab-ci.yml

variables:
  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_HAR: test-api-recording.har
  FUZZAPI_OPENAPI: test-api-specification.json
  FUZZAPI_TARGET_URL: http://test-deployment/
  FUZZAPI_HTTP_USERNAME: testuser
  FUZZAPI_HTTP_PASSWORD: $TEST_API_PASSWORD
```

Either the `FUZZAPI_HAR` or the `FUZZAPI_OPENAPI` variable will be filled out, not both.
Implementation Plan
- Add Enable button to the configuration page frontend
- Add form for user to input values for their MR
- Generate MR with values from user
Frontend

Issue | Description
---|---
#299125 (closed) | Create the new configuration page and link to it from the Security & Compliance > Configuration page.
#299126 (closed) | Create the form.
#299127 (closed) | Implement save.
API details
Configuration form page data
The configuration form page data will be fetched using HAML and GraphQL:
Links will be passed to the frontend via HAML:
- A link to API fuzzing authentication documentation.
- A link to CI variables documentation.
- A link to the project's CI settings.
Other data will be passed via GraphQL in the following format:

```graphql
query {
  project(fullPath: "my-namespace/my-project") {
    fuzzingCiConfiguration { # a new FuzzingCiConfiguration type
      scanModes # array of all values for the FuzzingScanMode enum
      scanProfiles # array of all values for the FuzzingScanProfileName enum
    }
  }
}
```
Once a scan profile has been chosen from the dropdown, its data can be fetched with:

```graphql
query {
  project(fullPath: "my-namespace/my-project") {
    fuzzingScanProfile(name: FuzzingScanProfileName!) { # non-null enum argument
      name # STRING
      description # STRING
      snippet # STRING (a string parseable into YAML)
    }
  }
}
```

`FuzzingScanMode` will be an enum with the values `OPENAPI` and `HAR`.

`FuzzingScanProfileName` will be an enum with the values `QUICK`, `QUICK_10`, `MEDIUM_20`, `MEDIUM_50`, and `LONG_100`.
Configuration MR mutation
The action for creating an MR with the fuzzing configuration changes will be implemented as a GraphQL mutation with the following structure:

```graphql
mutation {
  configureFuzzing(configuration: FuzzingCiConfigurationInput) {
    status # GraphQL::STRING
    successPath # GraphQL::STRING
  }
}
```

Where `FuzzingCiConfigurationInput` has the structure:

```graphql
{
  projectPath
  target # GraphQL::STRING
  scanMode # FuzzingScanMode
  apiSpecificationFile # GraphQL::STRING
  authUsername # GraphQL::STRING, optional
  authPassword # GraphQL::STRING, optional
  scanProfile # FuzzingScanProfile, optional
}
```
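The following is an added example, not GitLab's own code, showing how the `configureFuzzing` mutation input above could be turned into the `include` and `variables` block the MR adds to `.gitlab-ci.yml`. It assumes a snake_case hash mirroring `FuzzingCiConfigurationInput`, fills only the spec variable matching `scanMode` (`FUZZAPI_OPENAPI` or `FUZZAPI_HAR`), and, as a design choice not stated on the page, rejects an `authPassword` that is not a CI variable reference such as `$TEST_API_PASSWORD`, so a plaintext credential never lands in the MR.

```ruby
require 'yaml'

# Builds the API-Fuzzing CI snippet from a FuzzingCiConfigurationInput-shaped
# hash (constructed example; assumed key names mirror the GraphQL input).
class FuzzingCiConfigBuilder
  TEMPLATE = 'API-Fuzzing.gitlab-ci.yml'.freeze
  SPEC_VARIABLE = { 'OPENAPI' => 'FUZZAPI_OPENAPI', 'HAR' => 'FUZZAPI_HAR' }.freeze
  VARIABLE_REF = /\A\$[A-Za-z_][A-Za-z0-9_]*\z/.freeze # e.g. $TEST_API_PASSWORD

  # Returns the `variables` hash for the chosen scan mode; only one of
  # FUZZAPI_HAR / FUZZAPI_OPENAPI is set, matching the page's "either/or" rule.
  def self.variables_for(input)
    spec_key = SPEC_VARIABLE.fetch(input[:scan_mode]) do
      raise ArgumentError, "unknown scan mode: #{input[:scan_mode].inspect}"
    end

    vars = {}
    vars['FUZZAPI_PROFILE'] = input[:scan_profile] if input[:scan_profile]
    vars[spec_key] = input[:api_specification_file]
    vars['FUZZAPI_TARGET_URL'] = input[:target]

    if input[:auth_username] || input[:auth_password]
      password = input[:auth_password].to_s
      # Assumed hardening: accept only a CI variable reference, never a literal.
      unless password.match?(VARIABLE_REF)
        raise ArgumentError, 'auth_password must reference a CI variable, e.g. $TEST_API_PASSWORD'
      end
      vars['FUZZAPI_HTTP_USERNAME'] = input[:auth_username]
      vars['FUZZAPI_HTTP_PASSWORD'] = password
    end
    vars
  end

  # Merges the template include and variables into an existing parsed
  # .gitlab-ci.yml hash without duplicating an include that is already there.
  def self.merge_into(existing, input)
    config = existing.dup
    includes = config['include']
    includes = includes.is_a?(Array) ? includes.dup : [includes].compact
    unless includes.any? { |i| i.is_a?(Hash) && i['template'] == TEMPLATE }
      includes << { 'template' => TEMPLATE }
    end
    config['include'] = includes
    config['variables'] = (config['variables'] || {}).merge(variables_for(input))
    config
  end

  # Renders the merged configuration as the YAML text the MR would commit.
  def self.to_yaml(existing, input)
    merge_into(existing, input).to_yaml
  end
end
```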
Technical Design Pattern
SAST has implemented a similar feature. Its code pattern should be reused and abstracted as necessary. The UX is visible by going to Security & Compliance > Configuration > Static Application Security Testing (SAST) > Configure.