Merge pull request #15 from rapid7/DF-4077

New regions, user agent, scan-config changes
rapid7 · May 10, 2021 · 780a24e · 780a24e
2 parents a45bf1f + 47c2f55
commit 780a24e
Show file tree

Hide file tree

Showing 7 changed files with 143 additions and 31 deletions.
diff --git a/extension.spec.yaml b/extension.spec.yaml
@@ -3,7 +3,7 @@ products: [insightappsec]
 name: insightappsec_bamboo_plugin
 title: Atlassian Bamboo Plugin
 description: Integrate InsightAppSec application security scans into Atlassian Bamboo build and release pipelines
-version: 1.1.0
+version: 1.1.1
 vendor: rapid7
 status: []
 support: rapid7

diff --git a/help.md b/help.md
@@ -73,6 +73,7 @@ If the scan gating doesn't appear to occur as expected, confirm that the vulnera
 
 # Version History
 
+* 1.1.1 - Add new regions to InsightAppSec Region dropdown. Use search endpoint to retrieve scan-configs.
 * 1.1.0 - Support for Atlassian Bamboo 7.0.X, Implements RuntimeDataProvider to assist with pre-fetch of API Key for tasks run on remote agents
 * 1.0.0 - Initial integration
 

diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.rapid7.ias.bamboo</groupId>
     <artifactId>insightappsec-bamboo-plugin</artifactId>
-    <version>1.1.0</version>
+    <version>1.1.1</version>
     <scm>
         <url>https://github.com/rapid7/insightappsec-bamboo-plugin</url>
         <connection>scm:git:git@github.com:rapid7/insightappsec-bamboo-plugin.git</connection>
@@ -23,8 +23,8 @@
     <packaging>atlassian-plugin</packaging>
 
     <properties>
-        <bamboo.version>7.0.4</bamboo.version>
-        <bamboo.data.version>7.0.4</bamboo.data.version>
+        <bamboo.version>7.1.1</bamboo.version>
+        <bamboo.data.version>7.1.1</bamboo.data.version>
         <amps.version>6.3.21</amps.version>
         <plugin.testrunner.version>1.2.3</plugin.testrunner.version>
         <atlassian.spring.scanner.version>1.2.13</atlassian.spring.scanner.version>
@@ -38,6 +38,7 @@
         <okhttp-version>2.7.5</okhttp-version>
         <gson-version>2.8.1</gson-version>
         <gson-fire-version>1.8.0</gson-fire-version>
+        <mockito-core.version>2.8.9</mockito-core.version>
     </properties>
 
     <dependencies>
@@ -76,6 +77,13 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito-core.version}</version>
+            <scope>test</scope>
+        </dependency>
+
         <!-- WIRED TEST RUNNER DEPENDENCIES -->
         <dependency>
             <groupId>com.atlassian.plugins</groupId>

diff --git a/src/main/java/com/rapid7/ias/bamboo/impl/IasConstants.java b/src/main/java/com/rapid7/ias/bamboo/impl/IasConstants.java
@@ -22,7 +22,7 @@ public interface IasConstants {
     String VULN_QUERY_ENFORCEMENT     = "vulnQueryEnforcement";
     String VULN_QUERY                 = "vulnQuery";
 
-    List<String> REGION_OPTIONS_LIST = Arrays.asList("US","EU","AU","CA","AP","OTHER");
+    List<String> REGION_OPTIONS_LIST = Arrays.asList("US","US2","US3","EU","AU","CA","AP","OTHER");
 
     List<String> ADVANCE_ON_OPTIONS_LIST = Arrays.asList(
             "SUBMITTED",

diff --git a/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecHelper.java b/src/main/java/com/rapid7/ias/bamboo/impl/InsightAppSecHelper.java
@@ -8,6 +8,7 @@
 import com.rapid7.ias.client.ApiResponse;
 import com.rapid7.ias.bamboo.util.UtilityLogger;
 import com.rapid7.ias.client.model.*;
+import com.squareup.okhttp.Call;
 
 import java.io.FileWriter;
 import java.io.IOException;
@@ -18,6 +19,10 @@
 import java.util.regex.Pattern;
 
 public class InsightAppSecHelper {
+
+    private String USER_AGENT = "r7:insightappsec-bamboo/1.1.1";
+    private String SCAN_CONFIG_QUERY = "scanconfig.app.id='%1$s' && scanconfig.name='%2$s'";
+
     private UtilityLogger logger;
 
     public ScansApi scansApi;
@@ -33,6 +38,7 @@ public InsightAppSecHelper(String region, String apiKey, UtilityLogger logger) {
         ApiClient client = new ApiClient();
         client.setBasePath("https://" + region + ".api.insight.rapid7.com/ias/v1");
         client.addDefaultHeader("X-Api-Key", apiKey);
+        client.setUserAgent(USER_AGENT);
 
         scansApi = new ScansApi(client);
         scanConfigsApi = new ScanConfigsApi(client);
@@ -119,37 +125,30 @@ public Map<String,String> scanStatus(String scanId) throws InsightAppSecExceptio
     }
 
     public ResourceScanConfig getScanConfiguration(String scanConfigName, UUID appId) throws InsightAppSecException {
-        Integer index = 0;
-        Integer size = 1000;
-        Boolean cont = true;
+        SearchRequest scanConfigSearch = new SearchRequest();
+        scanConfigSearch.type(SearchRequest.TypeEnum.SCAN_CONFIG);
+        scanConfigSearch.setQuery(String.format(SCAN_CONFIG_QUERY, appId.toString(), scanConfigName));
 
-        while(cont) {
-            try {
-                PageScanConfig scanConfigs = scanConfigsApi.getScanConfigs(index, size, null);
+        try {
+            Call searchApiCall = searchApi.performSearchCall(scanConfigSearch, 0, 50, null, null, null);
+            ApiResponse<PageScanConfig> response = searchApi.getApiClient().execute(searchApiCall, PageScanConfig.class);
 
-                List<ResourceScanConfig> listScanConfigs = scanConfigs.getData();
-                for (ResourceScanConfig scanConfig : listScanConfigs) {
-                    if (scanConfig.getName().equals(scanConfigName) && scanConfig.getApp().getId().equals(appId)) {
-                        return scanConfig;
-                    }
-                }
+            PageScanConfig resultsPage = response.getData();
+            List<ResourceScanConfig> results = resultsPage.getData();
 
-                // Check if more pages exist
-                if((index + 1) >= scanConfigs.getMetadata().getTotalPages()) {
-                    cont = false;
-                }
-            } catch (com.rapid7.ias.client.ApiException iase) {
-                logger.error("InsightAppSec Scan Config Exception: " + iase.getResponseBody() + " (" + iase.getCode() + ")");
-                handleException(iase);
-
-                return null;
-            } catch (Exception e) {
-                logger.error("Exception when calling ScanConfigsApi#getScanConfigs: " + e.toString());
+            if(results == null || results.size() != 1) {
+                logger.error("Number of application's scan configs with name " + scanConfigName + " should be 1.");
                 return null;
             }
 
-            // Increment for next page
-            index++;
+            return results.get(0);
+        }
+        catch (ApiException iase) {
+            logger.error("InsightAppSec Scan Config Exception: " + iase.getResponseBody() + " (" + iase.getCode() + ")");
+            handleException(iase);
+        }
+        catch (Exception e) {
+            logger.error("Exception when calling ScanConfigsApi#getScanConfigs: " + e.toString());
         }
 
         return null;

diff --git a/src/main/resources/atlassian-plugin-marketing.xml b/src/main/resources/atlassian-plugin-marketing.xml
@@ -1,7 +1,7 @@
 <atlassian-plugin-marketing>
     <!--Describe names and versions of compatible applications -->
     <compatibility>
-        <product name="bamboo" min="6.3" max="7.0.4"/>
+        <product name="bamboo" min="6.3" max="7.1.1"/>
     </compatibility>
     <!-- Describe your add-on logo and banner. The banner is only displayed in the UPM. -->
     <logo image="images/rapid7-icon.png"/>

diff --git a/src/test/java/ut/com/rapid7/ias/bamboo/InsightAppSecHelperUnitTest.java b/src/test/java/ut/com/rapid7/ias/bamboo/InsightAppSecHelperUnitTest.java
@@ -0,0 +1,104 @@
+package ut.com.rapid7.ias.bamboo;
+
+import com.rapid7.ias.bamboo.impl.InsightAppSecHelper;
+import com.rapid7.ias.bamboo.util.UtilityLogger;
+import com.rapid7.ias.client.ApiClient;
+import com.rapid7.ias.client.ApiResponse;
+import com.rapid7.ias.client.api.SearchApi;
+import com.rapid7.ias.client.model.PageScanConfig;
+import com.rapid7.ias.client.model.RequiredIdResource;
+import com.rapid7.ias.client.model.ResourceScanConfig;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class InsightAppSecHelperUnitTest {
+
+    @Mock
+    UtilityLogger logger;
+
+    @InjectMocks
+    private InsightAppSecHelper insightAppSecHelper;
+
+    @Test
+    public void testGetScanConfiguration() throws Exception {
+        //Call mockCall = mock(Call.class);
+        ApiClient apiClient = mock(ApiClient.class);
+        ApiResponse response = mock(ApiResponse.class);
+        SearchApi searchApi = mock(SearchApi.class);
+
+        insightAppSecHelper.searchApi = searchApi;
+
+        //when(searchApi.performSearchCall(any(SearchRequest.class), anyInt(), anyInt(), any(), any(), any())).thenReturn(mockCall);
+        when(searchApi.getApiClient()).thenReturn(apiClient);
+        when(apiClient.execute(any(), any())).thenReturn(response);
+        when(response.getData()).thenReturn(getPageScanConfig(1));
+
+        ResourceScanConfig result = insightAppSecHelper.getScanConfiguration("my-scan-config", UUID.randomUUID());
+
+        assertNotNull(result);
+        assertNotNull(result.getApp());
+    }
+
+    @Test
+    public void testGetScanConfigurationError() throws Exception {
+        //Call mockCall = mock(Call.class);
+        ApiClient apiClient = mock(ApiClient.class);
+        ApiResponse response = mock(ApiResponse.class);
+        SearchApi searchApi = mock(SearchApi.class);
+
+        insightAppSecHelper.searchApi = searchApi;
+
+        //when(searchApi.performSearchCall(any(SearchRequest.class), anyInt(), anyInt(), any(), any(), any())).thenReturn(mockCall);
+        when(searchApi.getApiClient()).thenReturn(apiClient);
+        when(apiClient.execute(any(), any())).thenReturn(response);
+        when(response.getData()).thenReturn(getPageScanConfig(0));
+
+        ResourceScanConfig result = insightAppSecHelper.getScanConfiguration("my-scan-config", UUID.randomUUID());
+        assertNull(result);
+
+        when(response.getData()).thenReturn(getPageScanConfig(5));
+
+        result = insightAppSecHelper.getScanConfiguration("my-scan-config", UUID.randomUUID());
+        assertNull(result);
+    }
+
+    // TEST HELPERS
+
+    public PageScanConfig getPageScanConfig(int size) {
+        List<ResourceScanConfig> data = new ArrayList<>(size);
+
+        for(int i = 0; i < size; i++) {
+            data.add(getResourceScanConfig());
+        }
+
+        PageScanConfig pageScanConfig = new PageScanConfig();
+        pageScanConfig.setData(data);
+
+        return pageScanConfig;
+    }
+
+    public ResourceScanConfig getResourceScanConfig(){
+        UUID id = UUID.randomUUID();
+        RequiredIdResource app = new RequiredIdResource();
+        app.id(id);
+
+        ResourceScanConfig resourceScanConfig = new ResourceScanConfig();
+        resourceScanConfig.setApp(app);
+
+        return resourceScanConfig;
+    }
+}