
DAST Site validation - Model Layer

What does this MR do?

This merge request adds two new models (dast_site_tokens and dast_site_validations) and adds an association to dast_sites as part of the ongoing work on on-demand DAST scans.

A dast_site_token is created when a user wants to validate their site. It will be used in combination with a dast_site_validation to validate that a user can run a scan against a site. This validation should not be considered a security control but, instead, a means of ensuring users don't accidentally run an active scan against the wrong environment.

For more information, please see the linked issue.

Note(s)

I have deliberately chosen not to split this up into several merge requests because there are 5 other issues that are blocked by these changes. Having the changes in a single, atomic change will reduce the coordination burden when working on these issues. If the size of the merge request is too burdensome for review, I can split things up. Please let me know.

Related Issue(s)

#245208 (closed)

db

Growth Context

  • New feature
  • Less than 100 dast_site_profiles on gitlab.com at time of writing
  • Worst case is that we'll have as many dast_site_validations and dast_site_tokens as dast_site_profiles

Migration

% rake db:migrate:up VERSION=20200907021256 && rake db:migrate:up VERSION=20200907062101 && rake db:migrate:up VERSION=20200908033805 && rake db:migrate:down VERSION=20200908033805 && rake db:migrate:down VERSION=20200907062101 && rake db:migrate:down VERSION=20200907021256
== 20200907021256 CreateDastSiteTokens: migrating =============================
-- table_exists?(:dast_site_tokens)
   -> 0.0005s
-- create_table(:dast_site_tokens)
   -> 0.0078s
-- transaction_open?()
   -> 0.0000s
-- execute("ALTER TABLE dast_site_tokens\nADD CONSTRAINT check_02a6bf20a7\nCHECK ( char_length(token) <= 255 )\nNOT VALID;\n")
   -> 0.0004s
-- execute("ALTER TABLE dast_site_tokens VALIDATE CONSTRAINT check_02a6bf20a7;")
   -> 0.0005s
-- transaction_open?()
   -> 0.0000s
-- execute("ALTER TABLE dast_site_tokens\nADD CONSTRAINT check_69ab8622a6\nCHECK ( char_length(url) <= 255 )\nNOT VALID;\n")
   -> 0.0003s
-- execute("ALTER TABLE dast_site_tokens VALIDATE CONSTRAINT check_69ab8622a6;")
   -> 0.0004s
== 20200907021256 CreateDastSiteTokens: migrated (0.0179s) ====================

== 20200907062101 CreateDastSiteValidations: migrating ========================
-- table_exists?(:dast_site_validations)
   -> 0.0006s
-- create_table(:dast_site_validations)
   -> 0.0068s
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:dast_site_validations, :url_base, {:algorithm=>:concurrently})
   -> 0.0026s
-- add_index(:dast_site_validations, :url_base, {:algorithm=>:concurrently})
   -> 0.0028s
-- transaction_open?()
   -> 0.0000s
-- execute("ALTER TABLE dast_site_validations\nADD CONSTRAINT check_cd3b538210\nCHECK ( char_length(url_base) <= 255 )\nNOT VALID;\n")
   -> 0.0006s
-- execute("ALTER TABLE dast_site_validations VALIDATE CONSTRAINT check_cd3b538210;")
   -> 0.0005s
-- transaction_open?()
   -> 0.0000s
-- execute("ALTER TABLE dast_site_validations\nADD CONSTRAINT check_13b34efe4b\nCHECK ( char_length(url_path) <= 255 )\nNOT VALID;\n")
   -> 0.0004s
-- execute("ALTER TABLE dast_site_validations VALIDATE CONSTRAINT check_13b34efe4b;")
   -> 0.0005s
== 20200907062101 CreateDastSiteValidations: migrated (0.0254s) ===============

== 20200908033805 AddDastSiteValidationIdToDastSite: migrating ================
-- column_exists?(:dast_sites, :dast_site_validation_id)
   -> 0.0026s
-- add_column(:dast_sites, :dast_site_validation_id, :bigint)
   -> 0.0007s
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:dast_sites, :dast_site_validation_id, {:name=>"index_dast_sites_on_dast_site_validation_id", :algorithm=>:concurrently})
   -> 0.0020s
-- add_index(:dast_sites, :dast_site_validation_id, {:name=>"index_dast_sites_on_dast_site_validation_id", :algorithm=>:concurrently})
   -> 0.0024s
-- transaction_open?()
   -> 0.0000s
-- foreign_keys(:dast_sites)
   -> 0.0026s
-- execute("ALTER TABLE dast_sites\nADD CONSTRAINT fk_0a57f2271b\nFOREIGN KEY (dast_site_validation_id)\nREFERENCES dast_site_validations (id)\nON DELETE SET NULL\nNOT VALID;\n")
   -> 0.0009s
-- execute("ALTER TABLE dast_sites VALIDATE CONSTRAINT fk_0a57f2271b;")
   -> 0.0010s
== 20200908033805 AddDastSiteValidationIdToDastSite: migrated (0.0173s) =======

== 20200908033805 AddDastSiteValidationIdToDastSite: reverting ================
-- foreign_keys(:dast_sites)
   -> 0.0035s
-- remove_foreign_key(:dast_sites, :dast_site_validations)
   -> 0.0035s
-- transaction_open?()
   -> 0.0000s
-- indexes(:dast_sites)
   -> 0.0032s
-- remove_index(:dast_sites, {:algorithm=>:concurrently, :name=>"index_dast_sites_on_dast_site_validation_id"})
   -> 0.0017s
-- remove_column(:dast_sites, :dast_site_validation_id)
   -> 0.0004s
== 20200908033805 AddDastSiteValidationIdToDastSite: reverted (0.0167s) =======

== 20200907062101 CreateDastSiteValidations: reverting ========================
-- drop_table(:dast_site_validations)
   -> 0.0019s
== 20200907062101 CreateDastSiteValidations: reverted (0.0070s) ===============

== 20200907021256 CreateDastSiteTokens: reverting =============================
-- drop_table(:dast_site_tokens)
   -> 0.0021s
== 20200907021256 CreateDastSiteTokens: reverted (0.0066s) ====================
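As an added illustration (not code from this MR or from GitLab), the following plain Ruby models the relationships described above and in the migration output: a random token tied to the site URL the user wants to validate, a validation row split into url_base and url_path, the 255-character limits from the CHECK constraints enforced before a row is inserted, and the nullable dast_sites.dast_site_validation_id reference with its ON DELETE SET NULL behaviour. Token generation with SecureRandom, the rule for splitting a URL into base and path, and every struct, function and sample value here are assumptions; the MR does not specify how GitLab implements any of them.

```ruby
require 'securerandom'
require 'uri'

# Limit enforced by the CHECK (char_length(col) <= 255) constraints in the
# CreateDastSiteTokens and CreateDastSiteValidations migrations.
MAX_LENGTH = 255

# Mirrors dast_site_tokens (token, url). Generating the token with
# SecureRandom is an assumption; the MR does not say how GitLab does it.
DastSiteToken = Struct.new(:token, :url, keyword_init: true) do
  def self.build(url:)
    new(token: SecureRandom.hex(32), url: url)
  end
end

# Mirrors dast_site_validations (url_base, url_path). url_base is the column
# the migration indexes, so lookups by site origin stay cheap.
DastSiteValidation = Struct.new(:url_base, :url_path, keyword_init: true)

# Mirrors dast_sites.dast_site_validation_id: a nullable bigint, so a site
# can exist before it has ever been validated.
DastSite = Struct.new(:url, :dast_site_validation_id, keyword_init: true)

# Assumed split: scheme://host[:port] becomes url_base, the rest url_path.
# Only the column names support this; the MR does not define the rule.
def split_url(url)
  uri = URI.parse(url)
  raise ArgumentError, "scheme and host required: #{url}" unless uri.scheme && uri.host

  base = "#{uri.scheme}://#{uri.host}"
  base += ":#{uri.port}" unless uri.port == uri.default_port
  path = uri.path.empty? ? '/' : uri.path
  [base, path]
end

# Applies the same rule as the database CHECK constraints before the row is
# written, so an oversized value fails as a clear ArgumentError in the
# application instead of a constraint violation from PostgreSQL.
def check_lengths!(record)
  record.each_pair do |column, value|
    next if value.nil? || value.length <= MAX_LENGTH

    raise ArgumentError, "#{column} exceeds #{MAX_LENGTH} characters (#{value.length})"
  end
  record
end

# Builds the validation row that pairs with a token: the token's URL is
# split into url_base / url_path and both parts are length-checked.
def build_validation(token)
  base, path = split_url(token.url)
  check_lengths!(DastSiteValidation.new(url_base: base, url_path: path))
end

# Models the ON DELETE SET NULL foreign key added in
# AddDastSiteValidationIdToDastSite: deleting a validation must leave the
# sites in place and only clear their reference to it.
def delete_validation(sites, validation_id)
  sites.each do |site|
    site.dast_site_validation_id = nil if site.dast_site_validation_id == validation_id
  end
end

if __FILE__ == $PROGRAM_NAME
  token = DastSiteToken.build(url: 'https://example.com:8443/app/') # constructed sample
  validation = build_validation(token)
  puts "token=#{token.token[0, 8]}... base=#{validation.url_base} path=#{validation.url_path}"
end
```

The structs stand in for ActiveRecord models only so the example runs without a database; the point is that the length checks and the set-null behaviour the migrations establish are cheap to mirror in application code, where failures are easier to report to the user than a raw constraint error.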

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Philip Cunningham
