debian-mirror-gitlab/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml

stages:
    - build
    - test
    - deploy
    - fuzz

variables:
    FUZZAPI_PROFILE: Quick
    FUZZAPI_VERSION: latest
    FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml"
    FUZZAPI_TIMEOUT: 30
    FUZZAPI_REPORT: gl-api-fuzzing-report.xml
    #
    FUZZAPI_D_NETWORK: testing-net
    #
    # Wait up to 5 minutes for API Fuzzer and target url to become
    # available (non 500 response to HTTP(s))
    FUZZAPI_SERVICE_START_TIMEOUT: "300"
    #

apifuzzer_fuzz:
    stage: fuzz
    image: docker:19.03.12
    variables:
        DOCKER_DRIVER: overlay2
        DOCKER_TLS_CERTDIR: ""
        FUZZAPI_PROJECT: $CI_PROJECT_PATH
        FUZZAPI_API: http://apifuzzer:80
    allow_failure: true
    rules:
        - if: $API_FUZZING_DISABLED
          when: never
        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
              $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
          when: never
        - if: $FUZZAPI_HAR == null &&
              $FUZZAPI_OPENAPI == null &&
              $FUZZAPI_D_WORKER_IMAGE == null
          when: never
        - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
    services:
        - docker:19.03.12-dind
    script:
        #
        - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
        #
        - docker network create --driver bridge $FUZZAPI_D_NETWORK
        #
        # Run user provided pre-script
        - sh -c "$FUZZAPI_PRE_SCRIPT"
        #
        # Start peach testing engine container
        - |
            docker run -d \
            --name apifuzzer \
            --network $FUZZAPI_D_NETWORK \
            -e Proxy:Port=8000 \
            -e TZ=America/Los_Angeles \
            -e FUZZAPI_API=http://127.0.0.1:80 \
            -e FUZZAPI_PROJECT \
            -e FUZZAPI_PROFILE \
            -e FUZZAPI_CONFIG \
            -e FUZZAPI_REPORT \
            -e FUZZAPI_HAR \
            -e FUZZAPI_OPENAPI \
            -e FUZZAPI_TARGET_URL \
            -e FUZZAPI_OVERRIDES_FILE \
            -e FUZZAPI_OVERRIDES_ENV \
            -e FUZZAPI_OVERRIDES_CMD \
            -e FUZZAPI_OVERRIDES_INTERVAL \
            -e FUZZAPI_TIMEOUT \
            -e FUZZAPI_VERBOSE \
            -e FUZZAPI_SERVICE_START_TIMEOUT \
            -e FUZZAPI_HTTP_USERNAME \
            -e FUZZAPI_HTTP_PASSWORD \
            -e GITLAB_FEATURES \
            -v $CI_PROJECT_DIR:/app \
            -p 80:80 \
            -p 8000:8000 \
            -p 514:514 \
            --restart=no \
            registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${FUZZAPI_VERSION}-engine            
        #
        # Start target container
        - |
            if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \
                docker run -d \
                    --name target \
                    --network $FUZZAPI_D_NETWORK \
                    $FUZZAPI_D_TARGET_ENV \
                    $FUZZAPI_D_TARGET_PORTS \
                    $FUZZAPI_D_TARGET_VOLUME \
                    --restart=no \
                    $FUZZAPI_D_TARGET_IMAGE \
                ; fi            
        #
        # Start worker container
        - |
            if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
                echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \
                docker run \
                    --name worker \
                    --network $FUZZAPI_D_NETWORK \
                    -e FUZZAPI_API=http://apifuzzer:80 \
                    -e FUZZAPI_PROJECT \
                    -e FUZZAPI_PROFILE \
                    -e FUZZAPI_AUTOMATION_CMD \
                    -e FUZZAPI_CONFIG \
                    -e FUZZAPI_REPORT \
                    -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
                    $FUZZAPI_D_WORKER_ENV \
                    $FUZZAPI_D_WORKER_PORTS \
                    $FUZZAPI_D_WORKER_VOLUME \
                    --restart=no \
                    $FUZZAPI_D_WORKER_IMAGE \
                ; fi            
        #
        # Wait for testing to complete if api fuzzer is scanning
        - if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi
        #
        # Propagate exit code from api fuzzer (if any)
        - if [[ $(docker inspect apifuzzer --format='{{.State.ExitCode}}') != "0" ]]; then echo "API Fuzzing exited with an error. Logs are available as job artifacts."; docker logs apifuzzer; exit 1; fi
        #
        # Run user provided pre-script
        - sh -c "$FUZZAPI_POST_SCRIPT"
        #
    after_script:
        #
        # Shutdown all containers
        - echo "Stopping all containers"
        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi
        - docker stop apifuzzer
        #
        # Save docker logs
        - docker logs apifuzzer &> gl-api_fuzzing-logs.log
        - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
        - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi
        #
    artifacts:
        when: always
        paths:
            - ./gl-api_fuzzing*.log
            - ./gl-api_fuzzing*.zip
        reports:
            junit: $FUZZAPI_REPORT

# end