spec/lib/tasks/security_rake_spec.rb (182 lines of code) (raw):
# frozen_string_literal: true
require 'rake_helper'
describe 'security tasks', :rake do
# Every example runs with the shared status reporting a regular
# (non-critical) patch release.
before do
  allow(ReleaseTools::SharedStatus).to receive_messages(critical_patch_release?: false)
end

# Tasks in the security namespace run the force_security task, which alters
# global state. Clear the SECURITY variable so that state does not leak into
# examples that run afterwards.
# NOTE(review): the variable is deleted unconditionally, so a value that was
# already set before this file ran is not restored.
after do
  ENV.delete('SECURITY')
end
describe 'sync_git_tags', task: 'security:sync_git_tags' do
  # The task receives one space-separated string and is expected to hand the
  # service an array with one entry per tag.
  it 'syncs git tags' do
    sync_service = instance_double(ReleaseTools::Security::SyncGitRemotesService, execute: true)

    expect(ReleaseTools::Security::SyncGitRemotesService)
      .to receive(:new)
      .with(['1.0', '2.0', 'v3.1'])
      .and_return(sync_service)

    task.invoke('1.0 2.0 v3.1')
  end
end
describe 'prepare:review_security_fixes', task: 'security:prepare:review_security_fixes' do
  # Only the instantiation of the verifier is asserted; `execute` is stubbed
  # on the double but no expectation is set on it.
  it 'verifies the fixes included in the patch release' do
    fixes_verifier = instance_double(ReleaseTools::Security::Prepare::FixesVerifier, execute: true)

    expect(ReleaseTools::Security::Prepare::FixesVerifier)
      .to receive(:new)
      .and_return(fixes_verifier)

    task.invoke
  end
end
describe 'prepare:appsec_issue', task: 'security:prepare:appsec_issue' do
  # NOTE(review): the constructor arguments are not constrained, so this
  # example does not check which issue the creator is asked to build.
  it 'creates the AppSec task issue' do
    issue_creator = instance_double(ReleaseTools::Security::Prepare::IssueCreator, execute: true)

    expect(ReleaseTools::Security::Prepare::IssueCreator)
      .to receive(:new)
      .and_return(issue_creator)

    task.invoke
  end
end
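describe 'prepare:comms_issue', task: 'security:prepare:comms_issue' do
  # The example description previously read 'creates the AppSec task issue',
  # copied from the appsec_issue example; it now names the task under test.
  #
  # NOTE(review): the expectation does not constrain the arguments passed to
  # IssueCreator.new, so it cannot tell this task apart from
  # security:prepare:appsec_issue. Pin the arguments with `.with(...)` once
  # the constructor signature is confirmed against the rake task.
  it 'creates the comms task issue' do
    issue_creator = instance_double(ReleaseTools::Security::Prepare::IssueCreator, execute: true)

    expect(ReleaseTools::Security::Prepare::IssueCreator)
      .to receive(:new)
      .and_return(issue_creator)

    task.invoke
  end
end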
describe 'publish:generate_dynamic_pipeline', task: 'security:publish:generate_dynamic_pipeline' do
  let(:versions) { ['1.0.1', '1.1.1', '1.2.3'] }
  let(:generated_jobs) { "dummy:output" }
  let(:coordinator) { instance_double(ReleaseTools::PatchRelease::Coordinator) }
  let(:publish_jobs) { instance_double(ReleaseTools::Security::Publish::DynamicPipeline) }

  before do
    # The coordinator supplies the versions the pipeline is built for.
    allow(ReleaseTools::PatchRelease::Coordinator).to receive(:new).and_return(coordinator)
    allow(coordinator).to receive_messages(versions: versions)

    allow(ReleaseTools::Security::Publish::DynamicPipeline)
      .to receive(:new)
      .with(versions)
      .and_return(publish_jobs)

    # File.write is stubbed so the example never touches the filesystem.
    allow(File).to receive(:write)
  end

  it 'correctly processes and writes a dynamic pipeline to a file' do
    expect(ReleaseTools::Security::Publish::DynamicPipeline)
      .to receive(:new)
      .with(versions)
      .and_return(publish_jobs)
    expect(publish_jobs).to receive(:generate).and_return(generated_jobs)

    # Whatever `generate` returned must be written out unchanged.
    expect(File).to receive(:write).with('dynamic-gitlab-ci.yml', generated_jobs)

    task.invoke
  end
end
describe 'publish:move_blog_post', task: 'security:publish:move_blog_post' do
  # The service is replaced by a verifying double; only its instantiation by
  # the task is asserted.
  it 'moves the blog post to the handbook canonical repo' do
    mover = instance_double(ReleaseTools::Security::Publish::MoveBlogPost, execute: true)

    expect(ReleaseTools::Security::Publish::MoveBlogPost)
      .to receive(:new)
      .and_return(mover)

    task.invoke
  end
end
describe 'publish:deploy_blog_post', task: 'security:publish:deploy_blog_post' do
  # The service is replaced by a verifying double; only its instantiation by
  # the task is asserted.
  it 'publishes the patch release blog post' do
    deployer = instance_double(ReleaseTools::Security::Publish::DeployBlogPost, execute: true)

    expect(ReleaseTools::Security::Publish::DeployBlogPost)
      .to receive(:new)
      .and_return(deployer)

    task.invoke
  end
end
describe 'finalize:enable_security_target_processor', task: 'security:finalize:enable_security_target_processor' do
  # NOTE(review): no arguments are pinned on `new`, so this example shows the
  # toggle service is built but not which state the task asks it to set.
  it 'enables the security target processor' do
    toggle = instance_double(ReleaseTools::Security::Finalize::ToggleSecurityTargetProcessor, execute: true)

    expect(ReleaseTools::Security::Finalize::ToggleSecurityTargetProcessor)
      .to receive(:new)
      .and_return(toggle)

    task.invoke
  end
end
describe 'process_security_target_issues', task: 'security:process_security_target_issues' do
  # The processor is replaced by a verifying double; only its instantiation
  # by the task is asserted.
  it 'runs the processor' do
    processor = instance_double(ReleaseTools::Security::TargetIssuesProcessor, execute: true)

    expect(ReleaseTools::Security::TargetIssuesProcessor)
      .to receive(:new)
      .and_return(processor)

    task.invoke
  end
end
describe 'finalize:create_release_status_metric', task: 'security:finalize:create_release_status_metric' do
  # The metric must be built with `status: :open`; any other keyword value
  # fails the argument match.
  it 'creates a new patch release status metric with open status' do
    status_metric = instance_double(ReleaseTools::Metrics::PatchReleaseStatus, execute: true)

    expect(ReleaseTools::Metrics::PatchReleaseStatus)
      .to receive(:new)
      .with(status: :open)
      .and_return(status_metric)

    task.invoke
  end
end
describe 'tag:generate_dynamic_pipeline', task: 'security:tag:generate_dynamic_pipeline' do
  let(:versions) { ['1.0.1', '1.1.1', '1.2.3'] }
  let(:generated_jobs) { "dummy:output" }
  let(:coordinator) { instance_double(ReleaseTools::PatchRelease::Coordinator) }
  let(:tag_jobs) { instance_double(ReleaseTools::Security::Tag::DynamicPipeline) }

  before do
    # The coordinator supplies the versions the pipeline is built for.
    allow(ReleaseTools::PatchRelease::Coordinator).to receive(:new).and_return(coordinator)
    allow(coordinator).to receive_messages(versions: versions)

    allow(ReleaseTools::Security::Tag::DynamicPipeline)
      .to receive(:new)
      .with(versions)
      .and_return(tag_jobs)

    # File.write is stubbed so the example never touches the filesystem.
    allow(File).to receive(:write)
  end

  it 'correctly processes and writes a dynamic pipeline to a file' do
    expect(ReleaseTools::Security::Tag::DynamicPipeline)
      .to receive(:new)
      .with(versions)
      .and_return(tag_jobs)
    expect(tag_jobs).to receive(:generate).and_return(generated_jobs)

    # The tag pipeline goes to its own file name, distinct from the publish one.
    expect(File).to receive(:write).with('dynamic-tag-gitlab-ci.yml', generated_jobs)

    task.invoke
  end
end
describe 'tag:check_omnibus_packages_tagging', task: 'security:tag:check_omnibus_packages_tagging' do
  let(:versions) { ['13.0.1', '13.1.1', '13.2.1'] }
  let(:coordinator) { instance_double(ReleaseTools::PatchRelease::Coordinator) }
  let(:tagging_service) { instance_double(ReleaseTools::Services::OmnibusPackages::Tagging) }

  before do
    allow(coordinator).to receive_messages(versions: versions)
    allow(ReleaseTools::PatchRelease::Coordinator).to receive(:new).and_return(coordinator)

    # Every call to `new` yields the same double, so calls made for different
    # versions are all counted on one object.
    allow(ReleaseTools::Services::OmnibusPackages::Tagging).to receive(:new).and_return(tagging_service)
    allow(tagging_service).to receive(:execute).and_return(true)
  end

  # One `execute` call is expected per version supplied by the coordinator.
  it 'executes ReleaseTools::Services::OmnibusPackages::Tagging 3 times' do
    expect(tagging_service).to receive(:execute).exactly(versions.size).times

    task.invoke
  end
end
describe 'verify:check_omnibus_packages_publishing', task: 'security:verify:check_omnibus_packages_publishing' do
  let(:versions) { ['13.0.1', '13.1.1', '13.2.1'] }
  let(:coordinator) { instance_double(ReleaseTools::PatchRelease::Coordinator) }
  let(:publishing_service) { instance_double(ReleaseTools::Services::OmnibusPackages::Publishing) }

  before do
    allow(coordinator).to receive_messages(versions: versions)
    allow(ReleaseTools::PatchRelease::Coordinator).to receive(:new).and_return(coordinator)

    # Every call to `new` yields the same double, so calls made for different
    # versions are all counted on one object.
    allow(ReleaseTools::Services::OmnibusPackages::Publishing).to receive(:new).and_return(publishing_service)
    allow(publishing_service).to receive(:execute).and_return(true)
  end

  # One `execute` call is expected per version supplied by the coordinator.
  it 'executes ReleaseTools::Services::OmnibusPackages::Publishing 3 times' do
    expect(publishing_service).to receive(:execute).exactly(versions.size).times

    task.invoke
  end
end
describe 'verify:check_docker_tags', task: 'security:verify:check_docker_tags' do
  let(:versions) { ['13.0.1', '13.1.1', '13.2.1'] }
  let(:coordinator) { instance_double(ReleaseTools::PatchRelease::Coordinator) }
  let(:verifier) { instance_double(ReleaseTools::DockerHub::Verifier) }

  before do
    allow(coordinator).to receive_messages(versions: versions)
    allow(ReleaseTools::PatchRelease::Coordinator).to receive(:new).and_return(coordinator)

    # Every call to `new` yields the same double, so calls made for different
    # versions are all counted on one object.
    allow(ReleaseTools::DockerHub::Verifier).to receive(:new).and_return(verifier)
    allow(verifier).to receive(:execute).and_return(true)
  end

  # One `execute` call is expected per version supplied by the coordinator.
  it 'executes ReleaseTools::DockerHub::Verifier 3 times' do
    expect(verifier).to receive(:execute).exactly(versions.size).times

    task.invoke
  end
end
describe 'disable_security_target_processor:verify_managed_version_projects', task: 'security:disable_security_target_processor:verify_managed_version_projects' do
  # The notification service is replaced by a verifying double; only its
  # instantiation by the task is asserted.
  it 'runs the notification service' do
    notifier = instance_double(ReleaseTools::Security::ManagedVersioningNotificationService, execute: true)

    expect(ReleaseTools::Security::ManagedVersioningNotificationService)
      .to receive(:new)
      .and_return(notifier)

    task.invoke
  end
end
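describe 'update_paths:generate_dynamic_pipeline', task: 'security:update_paths:generate_dynamic_pipeline' do
  let(:versions) { ['1.2.1', '1.1.1', '1.0.3'] }
  # The pipeline is expected to be built from this single version, which is
  # also the first entry of `versions`.
  let(:latest_version) { '1.2.1' }
  # Non-nil stand-in for the generated YAML. With `generate` stubbed to return
  # nil, the File.write expectation below would only ever match a nil payload
  # and could not show that the generated content reaches the file.
  let(:generated_jobs) { "dummy:output" }
  let(:dynamic_pipeline) { instance_double(ReleaseTools::UpdatePaths::DynamicPipeline) }
  let(:coordinator) { instance_double(ReleaseTools::PatchRelease::Coordinator) }

  before do
    allow(ReleaseTools::UpdatePaths::DynamicPipeline).to receive(:new).with(latest_version).and_return(dynamic_pipeline)
    allow(dynamic_pipeline).to receive(:generate).and_return(generated_jobs)
    # File.write is stubbed so the examples never touch the filesystem.
    allow(File).to receive(:write)
    allow(ReleaseTools::PatchRelease::Coordinator).to receive(:new).and_return(coordinator)
    allow(coordinator).to receive(:versions).and_return(versions)
  end

  it 'calls generate method on the ReleaseTools::UpdatePaths::DynamicPipeline instance' do
    expect(ReleaseTools::UpdatePaths::DynamicPipeline).to receive(:new).with(latest_version).and_return(dynamic_pipeline)
    expect(dynamic_pipeline).to receive(:generate)

    task.invoke
  end

  it 'writes the generated YAML content to dynamic-gitlab-ci.yml' do
    # Assert on the sentinel returned by `generate` rather than calling the
    # double from the spec itself.
    expect(File).to receive(:write).with('dynamic-gitlab-ci.yml', generated_jobs)

    task.invoke
  end
end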
end