Commit 800ee75a authored by Mayra Cabrera's avatar Mayra Cabrera

Ensure deploy tokens variables are not available in the context of only/except

parent 0dd6d25c
...@@ -27,6 +27,7 @@ module Ci ...@@ -27,6 +27,7 @@ module Ci
has_one :metadata, class_name: 'Ci::BuildMetadata' has_one :metadata, class_name: 'Ci::BuildMetadata'
delegate :timeout, to: :metadata, prefix: true, allow_nil: true delegate :timeout, to: :metadata, prefix: true, allow_nil: true
delegate :gitlab_deploy_token, to: :project
## ##
# The "environment" field for builds is a String, and is the unexpanded name! # The "environment" field for builds is a String, and is the unexpanded name!
...@@ -604,6 +605,8 @@ module Ci ...@@ -604,6 +605,8 @@ module Ci
.append(key: 'CI_REGISTRY_USER', value: CI_REGISTRY_USER) .append(key: 'CI_REGISTRY_USER', value: CI_REGISTRY_USER)
.append(key: 'CI_REGISTRY_PASSWORD', value: token, public: false) .append(key: 'CI_REGISTRY_PASSWORD', value: token, public: false)
.append(key: 'CI_REPOSITORY_URL', value: repo_url, public: false) .append(key: 'CI_REPOSITORY_URL', value: repo_url, public: false)
variables.concat(deploy_token_variables) if gitlab_deploy_token
end end
end end
...@@ -624,7 +627,6 @@ module Ci ...@@ -624,7 +627,6 @@ module Ci
variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request
variables.append(key: "CI_JOB_MANUAL", value: 'true') if action? variables.append(key: "CI_JOB_MANUAL", value: 'true') if action?
variables.concat(legacy_variables) variables.concat(legacy_variables)
variables.concat(deploy_token_variables) if project.gitlab_deploy_token
end end
end end
...@@ -657,8 +659,8 @@ module Ci ...@@ -657,8 +659,8 @@ module Ci
def deploy_token_variables def deploy_token_variables
Gitlab::Ci::Variables::Collection.new.tap do |variables| Gitlab::Ci::Variables::Collection.new.tap do |variables|
variables.append(key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN_NAME) variables.append(key: 'CI_DEPLOY_USER', value: gitlab_deploy_token.name)
variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token) variables.append(key: 'CI_DEPLOY_PASSWORD', value: gitlab_deploy_token.token)
end end
end end
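Review bot: `CI_DEPLOY_PASSWORD` is appended in `deploy_token_variables` without `public: false`, while the block it is now concatenated into marks the neighbouring credentials (`CI_REGISTRY_PASSWORD`, `CI_REPOSITORY_URL`) that way, and the spec's expected hash pins `public: true` for the token. Anything that keys off that flag will presumably treat the deploy token as non-secret, so the line should read `variables.append(key: 'CI_DEPLOY_PASSWORD', value: gitlab_deploy_token.token, public: false)`, with the spec expectation updated to match. A one-line comment above the moved `concat`, such as `# deploy token credentials must not be visible to only/except evaluation`, would record why it lives in this block. The methods around these hunks start and end outside what is shown, so the exact consumers of `public` cannot be confirmed from here.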
......
...@@ -260,6 +260,8 @@ are unsupported in environment name context: ...@@ -260,6 +260,8 @@ are unsupported in environment name context:
- `CI_REGISTRY_PASSWORD` - `CI_REGISTRY_PASSWORD`
- `CI_REPOSITORY_URL` - `CI_REPOSITORY_URL`
- `CI_ENVIRONMENT_URL` - `CI_ENVIRONMENT_URL`
- `CI_DEPLOY_USER`
- `CI_DEPLOY_PASSWORD`
GitLab Runner exposes various [environment variables][variables] when a job runs, GitLab Runner exposes various [environment variables][variables] when a job runs,
and as such, you can use them as environment names. Let's add another job in and as such, you can use them as environment names. Let's add another job in
......
...@@ -548,6 +548,8 @@ You can find a full list of unsupported variables below: ...@@ -548,6 +548,8 @@ You can find a full list of unsupported variables below:
- `CI_REGISTRY_PASSWORD` - `CI_REGISTRY_PASSWORD`
- `CI_REPOSITORY_URL` - `CI_REPOSITORY_URL`
- `CI_ENVIRONMENT_URL` - `CI_ENVIRONMENT_URL`
- `CI_DEPLOY_USER`
- `CI_DEPLOY_PASSWORD`
These variables are also not supported in a contex of a These variables are also not supported in a contex of a
[dynamic environment name][dynamic-environments]. [dynamic environment name][dynamic-environments].
......
...@@ -2041,7 +2041,7 @@ describe Ci::Build do ...@@ -2041,7 +2041,7 @@ describe Ci::Build do
let(:deploy_token_variables) do let(:deploy_token_variables) do
[ [
{ key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, public: true }, { key: 'CI_DEPLOY_USER', value: deploy_token.name, public: true },
{ key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true } { key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true }
] ]
end end
...@@ -2058,9 +2058,8 @@ describe Ci::Build do ...@@ -2058,9 +2058,8 @@ describe Ci::Build do
context 'when gitlab-deploy-token does not exist' do context 'when gitlab-deploy-token does not exist' do
it 'should not include deploy token variables' do it 'should not include deploy token variables' do
%w(CI_DEPLOY_USER CI_DEPLOY_PASSWORD).each do |deploy_token_key| expect(subject.find { |v| v[:key] == 'CI_DEPLOY_USER'}).to be_nil
expect(subject.find { |v| v[:key] == deploy_token_key}).to be_nil expect(subject.find { |v| v[:key] == 'CI_DEPLOY_PASSWORD'}).to be_nil
end
end end
end end
end end
...@@ -2112,7 +2111,9 @@ describe Ci::Build do ...@@ -2112,7 +2111,9 @@ describe Ci::Build do
CI_REGISTRY_USER CI_REGISTRY_USER
CI_REGISTRY_PASSWORD CI_REGISTRY_PASSWORD
CI_REPOSITORY_URL CI_REPOSITORY_URL
CI_ENVIRONMENT_URL] CI_ENVIRONMENT_URL
CI_DEPLOY_USER
CI_DEPLOY_PASSWORD]
build.scoped_variables.map { |env| env[:key] }.tap do |names| build.scoped_variables.map { |env| env[:key] }.tap do |names|
expect(names).not_to include(*keys) expect(names).not_to include(*keys)
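Review bot: Adding `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD` to the excluded-keys list only tests the fix if the build's project actually has a gitlab deploy token, and the setup for this example lies outside the hunk. Without one, `expect(names).not_to include(*keys)` passes for those two keys wherever `deploy_token_variables` is concatenated, so a regression would go unnoticed. If the surrounding context does not already create one, add `let!(:deploy_token) { create(:deploy_token, name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, projects: [project]) }` to this example group.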
......
...@@ -3612,7 +3612,7 @@ describe Project do ...@@ -3612,7 +3612,7 @@ describe Project do
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
context 'when there is a gitlab deploy token associated with a different name' do context 'when there is a deploy token associated with a different name' do
let!(:deploy_token) { create(:deploy_token, projects: [project]) } let!(:deploy_token) { create(:deploy_token, projects: [project]) }
it { is_expected.to be_nil } it { is_expected.to be_nil }
......