.gitlab-ci.yml

variables:
  VAULT_SERVER_URL: https://tluav-lb.faradaysec.com
  VAULT_AUTH_ROLE: python-sast-readonly
  VAULT_AUTH_PATH: jwt


include:
  - local: .gitlab/ci/get-secrets.yml

stages:
  - SAST
  - pre_testing
  - testing
  - post_testing
  - publish

before_script:
  - apt-get update -qy
  - pip install pip -U

workflow:
  rules:
    - if: $CI_MERGE_REQUEST_ID
      when: never
    - when: always

.parse-secrets: &parse-secrets
- DEVSECOPS_WORKSPACE=$(cat $DEVSECOPS_WORKSPACE)
- FARADAY_PASSWORD=$(cat $FARADAY_PASSWORD)
- FARADAY_URL=$(cat $FARADAY_URL)
- FARADAY_USER=$(cat $FARADAY_USER)

.install_faraday_venv: &install_faraday_venv
- pip3 install virtualenv
- virtualenv -p python3 faraday_venv
- source faraday_venv/bin/activate
- pip3 install pytest pytest-xdist pytest-cov
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/faradaysec/faraday.git
- cd faraday
- pip3 install $PIP_FLAGS .
- pip uninstall faraday-plugins -y # we need to install fardaysec for marshmallow schemas, we remove plugins from pypi
- cd ..

.clone_reports: &clone_reports
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/faradaysec/support/report-collection.git
- cd report-collection
- (git branch -a | grep $CI_COMMIT_BRANCH) && export REPORT_REF=$CI_COMMIT_BRANCH || export REPORT_REF=master
- git checkout $REPORT_REF
- cd ..

bandit:
  stage: SAST
  image: python:3.11
  tags:
    - faradaytests
  extends:
    - .get-secrets
  script:
    - pip3 install virtualenv
    - virtualenv -p python3 faraday_venv
    - source faraday_venv/bin/activate
    - pip3 install bandit
    - mkdir /results
    - "bandit -r ${CI_PROJECT_DIR}/faraday-plugins -o /results/output.xml -f xml --skip B101,B104,B410,B405,B314,B320"
    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (cat /results/output.xml); fi
  after_script:
    - *parse-secrets
    - apt update && apt-get install lsb-release gpg wget -y
    - apt-get install software-properties-common -y
    - wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    - gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
    - echo "deb [ signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg ] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
    - apt update &&  apt install vault -y
    - setcap cap_ipc_lock= /usr/bin/vault
    - pip3 install faraday-cli
    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report /results/output.xml -w $DEVSECOPS_WORKSPACE --vuln-tag $CI_PROJECT_NAME --vuln-tag $CI_COMMIT_REF_NAME); else (echo 'no vulns detected' && exit 0); fi
  rules:
    - when: on_success

flake8:
    image: python:3.11
    stage: pre_testing
    before_script:
      - pip install flake8
      # Help flake8 to find the Python files without .py extension.
      - find . -name '*.py' >> files.txt
      - sort -u files.txt | tee files.processed
    script:
        - python -m flake8 --statistics --count $(cat files.processed) --verbose
    after_script:
        - wc -l files.processed

.test_base:
  stage: testing
  coverage: '/TOTAL\s+\d+\s+\d+\s+(\d+%)/'
  script:
    - *clone_reports
    - *install_faraday_venv
    - pip3 install $PIP_FLAGS .
    - pytest tests --capture=sys -v --cov=faraday_plugins --color=yes --disable-warnings $PYTEST_FLAGS

tests:
  extends: .test_base
  image: python:3.11

test_performance:
  extends: .test_base
  image: python:3.11
  stage: post_testing
  allow_failure: true
  variables:
    PYTEST_FLAGS: --performance
  rules:
    - if: '$CI_COMMIT_BRANCH == "dev"'
      when: on_success

publish_pypi:
  image: python:3.11
  stage: publish
  script:
    - apt-get update -qy
    - apt-get install twine -y
    - python setup.py sdist bdist_wheel
    - twine upload -u $PYPI_USER -p $PYPI_PASS dist/* --verbose
  rules:
    - if: '$CI_COMMIT_TAG'
      when: on_success