.gitlab-ci.yml

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/pipeline/#customization
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
stages:
- lint
- test
- fuzz

variables:
  DJANGO_APPLICATION_ENVIRONMENT: test
  ACCOUNT_VERIFICATION: true
  SWAGGER_BASE_URL: http://localhost:8000
  POSTGRES_HOST: postgresql
  POSTGRES_PORT: 5432
  POSTGRES_DB: valorem
  POSTGRES_USER: valorem
  POSTGRES_PASSWORD: valorem
  POETRY_NO_INTERACTION: 1
  POETRY_VIRTUALENVS_CREATE: 'false'
  POETRY_CACHE_DIR: "/var/cache/pypoetry"
  POETRY_HOME: "/usr/local"

  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_OPENAPI: http://localhost:8000/swagger/?format=openapi
  FUZZAPI_TARGET_URL: http://localhost:8000
  FUZZAPI_OVERRIDES_FILE: api-fuzzing-overrides.json

  ## Fuzz template variables
  # Setting this variable affects all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  #
  FUZZAPI_VERSION: "5"
  FUZZAPI_IMAGE_SUFFIX: ""
  FUZZAPI_IMAGE: api-security


api_lint:
  rules:
    - changes:
        - api/**/*
    - when: never
  stage: lint
  image: python:3.12
  script:
  - cd api
  - pip install poetry
  - poetry install --with test
  - ruff check

api_test:
  rules:
    - changes:
        - api/**/*
      when: never
    - if: '$CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "develop"'
  stage: test
  image: python:3.12
  services:
  - name: postgres:16.0-alpine
    alias: postgresql
    variables:
      POSTGRES_DB: "$POSTGRES_DB"
      POSTGRES_USER: "$POSTGRES_USER"
      POSTGRES_PASSWORD: "$POSTGRES_PASSWORD"
  script:
  - cd api
  - python -m pip install --upgrade pip
  - pip install poetry
  - poetry install --with test
  - apt-get update && apt-get install -y postgresql-client
  - until pg_isready -h postgres -p 5432; do sleep 2; done
  - python manage.py migrate
  - pytest --junitxml=report.xml --cov-report term-missing --cov
  artifacts:
    reports:
      junit: api/report.xml
    paths:
      - api/report.xml
    when: always
    expire_in: 2 week


api_fuzz:
    stage: fuzz
    image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX
    services:
    - name: postgres:16.0-alpine
      alias: postgresql
      variables:
        POSTGRES_DB: "$POSTGRES_DB"
        POSTGRES_USER: "$POSTGRES_USER"
        POSTGRES_PASSWORD: "$POSTGRES_PASSWORD"
    allow_failure: true
    rules:
        - changes:
            - api/**/*
          when: never
        - if: $API_FUZZING_DISABLED == 'true' || $API_FUZZING_DISABLED == '1'
          when: never
        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == 'true'  &&
                $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
          when: never
        - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH == '1'  &&
                $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
          when: never
        - if: $CI_COMMIT_BRANCH &&
              $CI_GITLAB_FIPS_MODE == "true"
          variables:
              FUZZAPI_IMAGE_SUFFIX: "-fips"
        - if: $CI_COMMIT_BRANCH
        - if: '$CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "develop"'
    script:
        - cd api
        # Set up a Python virtual environment
        - python3 -m venv venv
        - source venv/bin/activate
        # Set up Python 3.12 environment
        - pip install --upgrade pip
        - pip install poetry
        - sudo -E poetry install --with test
        # Run the server
        - sudo -E apk update && sudo apk add --no-cache postgresql-client
        - until pg_isready -h postgres -p 5432; do sleep 2; done
        - sudo -E poetry run python3 manage.py migrate
        - sudo -E poetry run python3 manage.py runserver localhost:8000 &
        - sleep 5
        # Get authentication token
        - sudo -E poetry run python3 get_test_token.py 
        # Run the fuzzing analyzer
        - /peach/analyzer-fuzz-api
        - chown gitlab:nogroup gl-*
        - chmod 644 gl-*
        - ls -la
    artifacts:
        access: 'developer'
        when: always
        paths:
            - api/gl-assets
            - api/gl-api-fuzzing-report.json
            - api/gl-*.log
        reports:
            api_fuzzing: api/gl-api-fuzzing-report.json


sast:
  stage: test
  rules:
    - changes:
        - api/**/*
      when: never

secret_detection:
  variables:
    SECRETS_ANALYZER_VERSION: "4.5"

include:
- template: Security/SAST.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- template: Jobs/Secret-Detection.gitlab-ci.yml
# - template: Jobs/Code-Quality.gitlab-ci.yml