
API fuzz - configuration screen with code snippet - implementation issue

Problem

This is the first implementation issue for the design outlined in #297541 (closed).

Solution

This process will generate an MR adding the following information to a user's .gitlab-ci.yml.

include:
  - template: API-Fuzzing.gitlab-ci.yml

variables:
  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_HAR: test-api-recording.har
  FUZZAPI_OPENAPI: test-api-specification.json
  FUZZAPI_TARGET_URL: http://test-deployment/
  FUZZAPI_HTTP_USERNAME: testuser
  FUZZAPI_HTTP_PASSWORD: $TEST_API_PASSWORD

Either the FUZZAPI_HAR or the FUZZAPI_OPENAPI variable will be filled out.

Implementation Plan

  • Add Enable button to the configuration page frontend
  • Add form for user to input values for their MR
  • Generate MR with values from user

Frontend

  • #299125 (closed) Create the new configuration page and link to it from the Security & Compliance > Configuration page.
  • #299126 (closed) Create the form.
  • #299127 (closed) Implement save.
  • #322621 (closed) Wire up the backend and frontend.

Backend

  • Add fields for populating the dropdowns in the configuration form !52710 (merged)
  • Add links to the HAML
  • Add mutation for generating the snippet

API details

Configuration form page data

The configuration form page data will be fetched using HAML and GraphQL:

Links will be passed to the frontend via HAML:

Other data will be passed via GraphQL in the following format:

query {
  project(fullPath: "my-namespace/my-project") {
    apiFuzzingCiConfiguration {  # a new ApiFuzzingCiConfiguration type
      scanModes  # array of all values for the ApiFuzzingScanMode enum
      scanProfiles {  # array of a new ApiFuzzingScanProfile type
        name  # STRING
        description  # STRING
        yaml  # STRING (a string parseable into YAML)
      }
    }
  }
}

ApiFuzzingScanMode will be an enum with the values OPENAPI and HAR.

Configuration MR mutation

The action for creating an MR with the fuzzing configuration changes will be implemented as a GraphQL mutation with the following structure:

mutation {
  apiFuzzingCiConfigurationCreate(input: ApiFuzzingCiConfigurationCreateInput) {
    configurationYaml  # STRING that can be parsed into YAML
    errors
    gitlabCiYamlEditPath  # STRING
  }
}

Where ApiFuzzingCiConfigurationCreateInput has the structure:

{
  projectPath
  target  # GraphQL::String
  scanMode  # ApiFuzzingScanMode (the enum defined above)
  apiSpecificationFile  # GraphQL::String
  authUsername  # GraphQL::String, optional
  authPassword  # GraphQL::String, optional
  scanProfile  # FuzzingScanProfile, optional
}
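The snippet in the Solution section and the mutation input above together describe one transformation: take the form values, emit only one of FUZZAPI_HAR / FUZZAPI_OPENAPI depending on the scan mode, and reference the password as a CI variable rather than writing a secret into the MR. The following Ruby is an added illustration of that transformation, not GitLab's own implementation. The method names, the input hash keys (snake_case versions of the mutation input fields), and the rule that authPassword must be a `$NAME` CI variable reference are assumptions made for this example; the issue does not specify how the form validates the password field.

```ruby
require 'yaml'

# Mirrors the ApiFuzzingScanMode enum described in the issue.
SCAN_MODES = %w[OPENAPI HAR].freeze

# Assumed rule: the password value is a reference to a CI/CD variable
# (e.g. "$TEST_API_PASSWORD"), so no secret is committed in the MR.
CI_VARIABLE_REF = /\A\$[A-Za-z_][A-Za-z0-9_]*\z/.freeze

# Hypothetical builder: turns the mutation input (keys mirror
# ApiFuzzingCiConfigurationCreateInput) into the `variables:` block.
def build_fuzzing_variables(input)
  mode = input.fetch(:scan_mode)
  raise ArgumentError, "unknown scan mode #{mode.inspect}" unless SCAN_MODES.include?(mode)

  vars = {}
  vars['FUZZAPI_PROFILE'] = input[:scan_profile] if input[:scan_profile]

  # Exactly one of the two file variables is emitted, chosen by scan mode.
  file_var = mode == 'HAR' ? 'FUZZAPI_HAR' : 'FUZZAPI_OPENAPI'
  vars[file_var] = input.fetch(:api_specification_file)
  vars['FUZZAPI_TARGET_URL'] = input.fetch(:target)

  if input[:auth_username]
    password = input.fetch(:auth_password)
    unless password.match?(CI_VARIABLE_REF)
      raise ArgumentError, 'auth_password must reference a CI variable, e.g. $TEST_API_PASSWORD'
    end
    vars['FUZZAPI_HTTP_USERNAME'] = input[:auth_username]
    vars['FUZZAPI_HTTP_PASSWORD'] = password
  end
  vars
end

# Hypothetical merge step: adds the template include and the fuzzing
# variables to an existing .gitlab-ci.yml without dropping what is there.
def merge_fuzzing_config(existing_yaml, input)
  config = existing_yaml.to_s.strip.empty? ? {} : YAML.safe_load(existing_yaml)
  config = {} unless config.is_a?(Hash)

  # `include:` may be absent, a single entry, or a list; normalise to a list.
  inc = config['include']
  includes = inc.is_a?(Array) ? inc.dup : (inc.nil? ? [] : [inc])
  template = { 'template' => 'API-Fuzzing.gitlab-ci.yml' }
  includes << template unless includes.include?(template)
  config['include'] = includes

  existing_vars = config['variables'].is_a?(Hash) ? config['variables'] : {}
  config['variables'] = existing_vars.merge(build_fuzzing_variables(input))
  config.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input matching the values in the issue's snippet.
  sample = {
    scan_mode: 'HAR',
    target: 'http://test-deployment/',
    api_specification_file: 'test-api-recording.har',
    auth_username: 'testuser',
    auth_password: '$TEST_API_PASSWORD',
    scan_profile: 'Quick-10'
  }
  puts merge_fuzzing_config("stages:\n  - test\nvariables:\n  FOO: bar\n", sample)
end
```

The merge re-serialises the whole file, so any comments in the user's existing `.gitlab-ci.yml` would be lost; a production implementation would patch the file textually instead, as the SAST configuration flow referenced below does.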

Technical Design Pattern

SAST has implemented a similar feature. The code pattern should be reused and abstracted as necessary. The UX is visible by going to Security & Compliance > Configuration > Static Application Security Testing (SAST) > Configure.
