PyPI - gitlabcis - Versions diffs - 1.3.2__py3-none-any.whl - Mend

gitlabcis 1.3.2__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (218) hide show

gitlabcis/tests/unit/benchmarks/artifacts_4/access_to_artifacts_4_2_test.py ADDED Viewed

@@ -0,0 +1,131 @@
+# -----------------------------------------------------------------------------
+from unittest.mock import Mock
+import pytest  # noqa: F401
+from conftest import run
+from gitlab.exceptions import GitlabHttpError
+from gitlabcis.benchmarks.artifacts_4 import access_to_artifacts_4_2
+# -----------------------------------------------------------------------------
+def test_limit_certifying_artifacts(glEntity, glObject):
+    test = access_to_artifacts_4_2.limit_certifying_artifacts
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_limit_artifact_uploaders(glEntity, glObject):
+    test = access_to_artifacts_4_2.limit_artifact_uploaders
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=30),
+        Mock(access_level=20),
+        Mock(access_level=10),
+        Mock(access_level=10)
+    ]
+    run(glEntity, glObject, test, True)
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=30),
+        Mock(access_level=20)
+    ]
+    run(glEntity, glObject, test, False)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_require_mfa_to_package_registry(glEntity, glObject):
+    test = access_to_artifacts_4_2.require_mfa_to_package_registry
+    glObject.settings.get.return_value = Mock(
+        require_two_factor_authentication=True)
+    run(glEntity, glObject, test, True)
+    glObject.settings.get.return_value = Mock(
+        require_two_factor_authentication=False)
+    run(glEntity, glObject, test, False)
+    glObject.settings.get.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glObject.settings.get.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_external_auth_server(glEntity, glObject):
+    test = access_to_artifacts_4_2.external_auth_server
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_restrict_anonymous_access(glEntity, glObject):
+    test = access_to_artifacts_4_2.restrict_anonymous_access
+    glObject.settings.get.return_value = Mock(
+        default_project_visibility='public')
+    run(glEntity, glObject, test, False)
+    glObject.settings.get.return_value = Mock(
+        default_project_visibility='not-public')
+    run(glEntity, glObject, test, True)
+    glObject.settings.get.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glObject.settings.get.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_minimum_package_registry_admins(glEntity, glObject):
+    test = access_to_artifacts_4_2.minimum_package_registry_admins
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10)
+    ]
+    run(glEntity, glObject, test, True)
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=20)
+    ]
+    run(glEntity, glObject, test, False)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None

gitlabcis/tests/unit/benchmarks/artifacts_4/origin_traceability_4_4_test.py ADDED Viewed

@@ -0,0 +1,15 @@
+# -----------------------------------------------------------------------------
+import pytest  # noqa: F401
+from conftest import run
+from gitlabcis.benchmarks.artifacts_4 import origin_traceability_4_4
+# -----------------------------------------------------------------------------
+def test_artifact_origin_info(glEntity, glObject):
+    test = origin_traceability_4_4.artifact_origin_info
+    run(glEntity, glObject, test, None)

gitlabcis/tests/unit/benchmarks/artifacts_4/package_registries_4_3_test.py ADDED Viewed

@@ -0,0 +1,102 @@
+# -----------------------------------------------------------------------------
+from unittest.mock import Mock
+import pytest  # noqa: F401
+from conftest import run
+from gitlab.exceptions import GitlabHttpError
+from gitlabcis.benchmarks.artifacts_4 import package_registries_4_3
+# -----------------------------------------------------------------------------
+def test_validate_signed_artifacts_on_upload(glEntity, glObject):
+    test = package_registries_4_3.validate_signed_artifacts_on_upload
+    glEntity.commits.list.return_value = [Mock(id='1'), Mock(id='2')]
+    glEntity.commits.get.return_value = Mock(status='verified')
+    run(glEntity, glObject, test, True)
+    glEntity.commits.get.return_value = Mock(status=None)
+    run(glEntity, glObject, test, False)
+    glEntity.commits.get.side_effect = [
+        Mock(status='verified'), Mock(status='unverified')]
+    run(glEntity, glObject, test, False)
+    glEntity.commits.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.commits.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_all_artifact_versions_signed(glEntity, glObject):
+    test = package_registries_4_3.all_artifact_versions_signed
+    glEntity.commits.list.return_value = [Mock(id='1'), Mock(id='2')]
+    glEntity.commits.get.return_value = Mock(status=None)
+    run(glEntity, glObject, test, False)
+    glEntity.commits.get.return_value = Mock(status='verified')
+    run(glEntity, glObject, test, True)
+    glEntity.commits.get.return_value = Mock(status='unverified')
+    run(glEntity, glObject, test, False)
+    glEntity.commits.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.commits.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_audit_package_registry_config(glEntity, glObject):
+    test = package_registries_4_3.audit_package_registry_config
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_secure_repo_webhooks(glEntity, glObject):
+    test = package_registries_4_3.secure_repo_webhooks
+    secHookSSLVerify = Mock(url='https://example.com',
+                            enable_ssl_verification=True)
+    secHookNoSSLVerify = Mock(url='https://example.com',
+                              enable_ssl_verification=False)
+    unsecureHook = Mock(url='http://example.com',
+                        enable_ssl_verification=False)
+    glEntity.hooks.list.return_value = []
+    run(glEntity, glObject, test, True)
+    glEntity.hooks.list.return_value = [
+         secHookSSLVerify]
+    run(glEntity, glObject, test, True)
+    glEntity.hooks.list.return_value = [
+         secHookNoSSLVerify]
+    run(glEntity, glObject, test, False)
+    glEntity.hooks.list.return_value = [
+         unsecureHook]
+    run(glEntity, glObject, test, False)
+    glEntity.hooks.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.hooks.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None

gitlabcis/tests/unit/benchmarks/artifacts_4/verification_4_1_test.py ADDED Viewed

@@ -0,0 +1,78 @@
+# -----------------------------------------------------------------------------
+from unittest.mock import Mock, patch
+import pytest  # noqa: F401
+from conftest import run
+from gitlabcis.benchmarks.artifacts_4 import verification_4_1
+# -----------------------------------------------------------------------------
+@patch('zipfile.ZipFile')
+def test_sign_artifacts_in_build_pipeline(mock_zipfile, glEntity, glObject):
+    from gitlab.exceptions import GitlabHttpError
+    test = verification_4_1.sign_artifacts_in_build_pipeline
+    glEntity.pipelines.list.return_value = []
+    run(glEntity, glObject, test, False)
+    mockPipeline = Mock()
+    mockJob = Mock()
+    mockJob.stage = 'test'
+    mockPipeline.jobs.list.return_value = [mockJob]
+    glEntity.pipelines.list.return_value = [mockPipeline]
+    run(glEntity, glObject, test, False)
+    mockJob.stage = 'build'
+    mockJob.id = 1
+    mockPipeline.jobs.list.return_value = [mockJob]
+    glEntity.pipelines.list.return_value = [mockPipeline]
+    glEntity.jobs.get.return_value.artifacts.return_value = b'fake_artifact'
+    mock_zipfile.return_value.__enter__.return_value.namelist.return_value \
+        = ['file1.txt', 'file2.txt']
+    run(glEntity, glObject, test, False)
+    mockPipeline = Mock()
+    mockJob = Mock()
+    mockJob.stage = 'build'
+    mockJob.id = 1
+    mockPipeline.jobs.list.return_value = [mockJob]
+    glEntity.pipelines.list.return_value = [mockPipeline]
+    glEntity.jobs.get.return_value.artifacts.return_value = b'fake_artifact'
+    mock_zipfile.return_value.__enter__.return_value.namelist.return_value \
+        = ['file1.txt', 'file1.sig', 'file2.txt', 'file2.sig']
+    run(glEntity, glObject, test, True)
+    glEntity.pipelines.list.side_effect \
+        = GitlabHttpError('', response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.pipelines.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None  # noqa: E501
+# -----------------------------------------------------------------------------
+def test_encrypt_artifacts_before_distribution(glEntity, glObject):
+    test = verification_4_1.encrypt_artifacts_before_distribution
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_only_authorized_platforms_can_decrypt_artifacts(glEntity, glObject):
+    test = verification_4_1.only_authorized_platforms_can_decrypt_artifacts
+    run(glEntity, glObject, test, None)

gitlabcis/tests/unit/benchmarks/build_pipelines_2/build_environment_2_1_test.py ADDED Viewed

@@ -0,0 +1,239 @@
+# -----------------------------------------------------------------------------
+from unittest.mock import Mock, patch
+import pytest  # noqa: F401
+from conftest import run
+from gitlab.exceptions import GitlabHttpError
+from gitlabcis.benchmarks.build_pipelines_2 import build_environment_2_1
+# -----------------------------------------------------------------------------
+def test_single_responsibility_pipeline(glEntity, glObject):
+    test = build_environment_2_1.single_responsibility_pipeline
+    def setup_pipeline_jobs(*job_stages):
+        mock_pipeline = Mock()
+        mock_pipeline.jobs.list.return_value = [
+            Mock(stage=stage) for stage in job_stages]
+        glEntity.pipelines.list.return_value = [mock_pipeline]
+    glEntity.pipelines.list.return_value = []
+    run(glEntity, glObject, test, True)
+    setup_pipeline_jobs('test')
+    run(glEntity, glObject, test, None)
+    setup_pipeline_jobs('build')
+    run(glEntity, glObject, test, True)
+    setup_pipeline_jobs('build', 'build')
+    run(glEntity, glObject, test, False)
+    glEntity.pipelines.list.side_effect = GitlabHttpError(response_code=401)
+    run(glEntity, glObject, test, None)
+    glEntity.pipelines.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_immutable_pipeline_infrastructure(glEntity, glObject):
+    test = build_environment_2_1.immutable_pipeline_infrastructure
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_build_logging(glEntity, glObject):
+    test = build_environment_2_1.build_logging
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+@patch('gitlabcis.utils.ci.getConfig')
+def test_build_automation(mockGetConfig, glEntity, glObject):
+    test = build_environment_2_1.build_automation
+    mockGetConfig.return_value = {'gitlab-ci.yml': 'content'}
+    run(glEntity, glObject, test, True)
+    mockGetConfig.return_value = {None: 'No CI file found'}
+    run(glEntity, glObject, test, None)
+    mockGetConfig.return_value = {False: 'Invalid CI file'}
+    run(glEntity, glObject, test, False)
+    mockGetConfig.side_effect = GitlabHttpError('Error', response_code=401)
+    run(glEntity, glObject, test, None)
+    mockGetConfig.side_effect = GitlabHttpError('Error', response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_limit_build_access(glEntity, glObject):
+    test = build_environment_2_1.limit_build_access
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=20),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10)
+    ]
+    run(glEntity, glObject, test, True)
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=30),
+        Mock(access_level=20)
+    ]
+    run(glEntity, glObject, test, False)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_authenticate_build_access(glEntity, glObject):
+    test = build_environment_2_1.authenticate_build_access
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=20),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10)
+    ]
+    run(glEntity, glObject, test, True)
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=30),
+        Mock(access_level=20)
+    ]
+    run(glEntity, glObject, test, False)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_limit_build_secrets_scope(glEntity, glObject):
+    test = build_environment_2_1.limit_build_secrets_scope
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_vuln_scanning(glEntity, glObject):
+    test = build_environment_2_1.vuln_scanning
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_disable_build_tools_default_passwords(glEntity, glObject):
+    test = build_environment_2_1.disable_build_tools_default_passwords
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_secure_build_env_webhooks(glEntity, glObject):
+    test = build_environment_2_1.secure_build_env_webhooks
+    secHookSSLVerify = Mock(url='https://example.com',
+                            enable_ssl_verification=True)
+    secHookNoSSLVerify = Mock(url='https://example.com',
+                              enable_ssl_verification=False)
+    unsecureHook = Mock(url='http://example.com',
+                        enable_ssl_verification=False)
+    glEntity.hooks.list.return_value = []
+    run(glEntity, glObject, test, True)
+    glEntity.hooks.list.return_value = [
+         secHookSSLVerify]
+    run(glEntity, glObject, test, True)
+    glEntity.hooks.list.return_value = [
+         secHookNoSSLVerify]
+    run(glEntity, glObject, test, False)
+    glEntity.hooks.list.return_value = [
+         unsecureHook]
+    run(glEntity, glObject, test, False)
+    glEntity.hooks.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.hooks.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_build_env_admins(glEntity, glObject):
+    test = build_environment_2_1.build_env_admins
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=20),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10),
+        Mock(access_level=10)
+    ]
+    run(glEntity, glObject, test, True)
+    glEntity.members.list.return_value = [
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=40),
+        Mock(access_level=30),
+        Mock(access_level=20)
+    ]
+    run(glEntity, glObject, test, False)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=403)
+    run(glEntity, glObject, test, None)
+    glEntity.members.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None

gitlabcis/tests/unit/benchmarks/build_pipelines_2/build_worker_2_2_test.py ADDED Viewed

@@ -0,0 +1,105 @@
+# -----------------------------------------------------------------------------
+from unittest.mock import Mock, patch
+import pytest  # noqa: F401
+from conftest import run
+from gitlab.exceptions import GitlabHttpError
+from gitlabcis.benchmarks.build_pipelines_2 import build_worker_2_2
+# -----------------------------------------------------------------------------
+def test_single_use_workers(glEntity, glObject):
+    test = build_worker_2_2.single_use_workers
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_pass_worker_envs_and_commands(glEntity, glObject):
+    test = build_worker_2_2.pass_worker_envs_and_commands
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_segregate_worker_duties(glEntity, glObject):
+    test = build_worker_2_2.segregate_worker_duties
+    glEntity.runners.list.return_value = [Mock(is_shared=False)]
+    run(glEntity, glObject, test, True)
+    glEntity.runners.list.return_value = [Mock(is_shared=True)]
+    run(glEntity, glObject, test, False)
+    glEntity.runners.list.side_effect = GitlabHttpError(response_code=401)
+    run(glEntity, glObject, test, None)
+    glEntity.runners.list.side_effect = GitlabHttpError(response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_restrict_worker_connectivity(glEntity, glObject):
+    test = build_worker_2_2.restrict_worker_connectivity
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_worker_runtime_security(glEntity, glObject):
+    test = build_worker_2_2.worker_runtime_security
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+def test_build_worker_vuln_scanning(glEntity, glObject):
+    test = build_worker_2_2.build_worker_vuln_scanning
+    run(glEntity, glObject, test, None)
+# -----------------------------------------------------------------------------
+@patch('gitlabcis.utils.ci.getConfig')
+def test_store_worker_config(mockGetConfig, glEntity, glObject):
+    test = build_worker_2_2.store_worker_config
+    mockGetConfig.return_value = {'gitlab-ci.yml': 'content'}
+    run(glEntity, glObject, test, True)
+    mockGetConfig.return_value = {None: 'No CI file found'}
+    run(glEntity, glObject, test, None)
+    mockGetConfig.return_value = {False: 'Invalid CI file'}
+    run(glEntity, glObject, test, False)
+    mockGetConfig.side_effect = GitlabHttpError('Error', response_code=401)
+    run(glEntity, glObject, test, None)
+    mockGetConfig.side_effect = GitlabHttpError('Error', response_code=418)
+    assert test(glEntity, glObject) is None
+# -----------------------------------------------------------------------------
+def test_monitor_worker_resource_consumption(glEntity, glObject):
+    test = build_worker_2_2.monitor_worker_resource_consumption
+    run(glEntity, glObject, test, None)