Expose deploy token to CI/CD jobs as environment variable

- If a deploy token with a name 'gitlab-deploy-token' is exists for the project, CI_DEPLOY_USER and CI_DEPLOY_PASSWORD variables will be expose

Expose deploy token to CI/CD jobs as environment variable
- If a deploy token with a name 'gitlab-deploy-token' is exists for the project, CI_DEPLOY_USER and CI_DEPLOY_PASSWORD variables will be expose
0903456a · Mayra Cabrera · 3c3cab8b · 0903456a · 0903456a · 0903456a
Commit 0903456a authored Apr 16, 2018 by Mayra Cabrera
6 changed files
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -624,6 +624,7 @@ module Ci
        variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request
        variables.append(key: "CI_JOB_MANUAL", value: 'true') if action?
        variables.concat(legacy_variables)
+        variables.concat(deploy_token_variables) if project.gitlab_deploy_token
      end
    end

@@ -654,6 +655,13 @@ module Ci
      end
    end

+    def deploy_token_variables
+      Gitlab::Ci::Variables::Collection.new.tap do |variables|
+        variables.append(key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN)
+        variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token)
+      end
+    end
+
    def environment_url
      options&.dig(:environment, :url) || persisted_environment&.external_url
    end

--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -4,6 +4,7 @@ class DeployToken < ActiveRecord::Base
  add_authentication_token_field :token

  AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
+  GITLAB_DEPLOY_TOKEN = 'gitlab-deploy-token'.freeze

  default_value_for(:expires_at) { Forever.date }


--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1879,6 +1879,11 @@ class Project < ActiveRecord::Base
    []
  end

+  def gitlab_deploy_token
+    @gitlab_deploy_token ||=
+      deploy_tokens.active.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN)
+  end
+
  private

  def storage

--- a/spec/factories/deploy_tokens.rb
+++ b/spec/factories/deploy_tokens.rb
@@ -10,5 +10,13 @@ FactoryBot.define do
    trait :revoked do
      revoked true
    end
+
+    trait :gitlab_deploy_token do
+      name DeployToken::GITLAB_DEPLOY_TOKEN
+    end
+
+    trait :expired do
+      expires_at { Date.today - 1.month }
+    end
  end
 end
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -2035,6 +2035,37 @@ describe Ci::Build do
        expect(build).not_to be_persisted
      end
    end
+
+    context 'for deploy tokens' do
+      let(:deploy_token) { create(:deploy_token, :gitlab_deploy_token) }
+
+      let(:deploy_token_variables) do
+        [
+          { key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN, public: true },
+          { key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true }
+        ]
+      end
+
+      context 'when gitlab-deploy-token exist' do
+        before do
+          project.deploy_tokens << deploy_token
+        end
+
+        it 'should include deploy token variables' do
+          deploy_token_variables.each do |deploy_token_variable|
+            is_expected.to include(deploy_token_variable)
+          end
+        end
+      end
+
+      context 'when gitlab-deploy-token does not exist' do
+        it 'should not include deploy token variables' do
+          deploy_token_variables.each do |deploy_token_variable|
+            is_expected.not_to include(deploy_token_variable)
+          end
+        end
+      end
+    end
  end

  describe '#scoped_variables' do

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -3585,4 +3585,31 @@ describe Project do
      it { is_expected.not_to be_valid }
    end
  end
+
+  describe '#gitlab_deploy_token' do
+    let(:project) { create(:project) }
+
+    subject { project.gitlab_deploy_token }
+
+    context 'when there is a gitlab deploy token associated' do
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
+
+      it { is_expected.to eq(deploy_token) }
+    end
+
+    context 'when there is no a gitlab deploy token associated' do
+      it { is_expected.to be_nil }
+    end
+
+    context 'when there is a gitlab deploy token associated but is has been revoked' do
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :revoked, projects: [project]) }
+      it { is_expected.to be_nil }
+    end
+
+    context 'when there is a gitlab deploy token associated but it has expired' do
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) }
+
+      it { is_expected.to be_nil }
+    end
+  end
 end