Commit 4ee9ac14 authored by Kerri Miller's avatar Kerri Miller

Merge branch 'use-ref-instead-of-sha-in-pipeline-config-for-variables-2nd-take' into 'master'

Use ref instead of sha for CI config variables

See merge request gitlab-org/gitlab!67540
parents fe886732 6ac6db77
......@@ -68,9 +68,9 @@ module Security
scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT)
end
def on_demand_scan_actions(branch)
def on_demand_scan_actions(ref)
active_policies
.select { |policy| applicable_for_branch?(policy, branch) }
.select { |policy| applicable_for_ref?(policy, ref) }
.flat_map { |policy| policy[:actions] }
.select { |action| action[:scan].in?(ON_DEMAND_SCANS) }
end
......@@ -142,9 +142,13 @@ module Security
end
end
def applicable_for_branch?(policy, ref)
def applicable_for_ref?(policy, ref)
return false unless Gitlab::Git.branch_ref?(ref)
branch_name = Gitlab::Git.ref_name(ref)
policy[:rules].any? do |rule|
rule[:type] == RULE_TYPES[:pipeline] && rule[:branches].any? { |branch| RefMatcher.new(branch).matches?(ref) }
rule[:type] == RULE_TYPES[:pipeline] && rule[:branches].any? { |branch| RefMatcher.new(branch).matches?(branch_name) }
end
end
end
......
......@@ -25,7 +25,7 @@ module EE
end
def process_security_orchestration_policy_includes(config)
::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref, source).perform
::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, source_ref_path, source).perform
end
end
end
......
......@@ -40,7 +40,7 @@ RSpec.describe Gitlab::Ci::Config do
describe 'with security orchestration policy' do
let(:source) { 'push' }
let_it_be(:ref) { 'master' }
let_it_be(:ref) { 'refs/heads/master' }
let_it_be_with_refind(:project) { create(:project, :repository) }
let_it_be(:policies_repository) { create(:project, :repository) }
......@@ -63,7 +63,7 @@ RSpec.describe Gitlab::Ci::Config do
EOS
end
subject(:config) { described_class.new(ci_yml, ref: ref, project: project, source: source) }
subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }
before do
allow_next_instance_of(Repository) do |repository|
......@@ -105,7 +105,7 @@ RSpec.describe Gitlab::Ci::Config do
end
context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'production' }
let_it_be(:ref) { 'refs/heads/production' }
context 'when DAST profiles are not found' do
it 'adds a job with error message' do
......
......@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
let_it_be(:config) { { image: 'ruby:3.0.1' } }
let(:ref) { 'master' }
let(:ref) { 'refs/heads/master' }
let(:source) { 'pipeline' }
let_it_be_with_refind(:project) { create(:project, :repository) }
......@@ -103,8 +103,16 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
end
end
context 'when ref is a tag' do
let_it_be(:ref) { 'refs/tags/v1.1.0' }
it 'does not modify the config' do
expect(subject).to eq(config)
end
end
context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'production' }
let_it_be(:ref) { 'refs/heads/production' }
context 'when DAST profiles are not found' do
it 'does not modify the config' do
......
......@@ -427,7 +427,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end
subject(:on_demand_scan_actions) do
security_orchestration_policy_configuration.on_demand_scan_actions('release/123')
security_orchestration_policy_configuration.on_demand_scan_actions(ref)
end
before do
......@@ -435,8 +435,18 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
allow(repository).to receive(:blob_data_at).with(default_branch, Security::OrchestrationPolicyConfiguration::POLICY_PATH).and_return(policy_yaml)
end
it 'returns only actions for on-demand scans applicable for branch' do
expect(on_demand_scan_actions).to eq(expected_actions)
context 'when ref is branch' do
let(:ref) { 'refs/heads/release/123' }
it 'returns only actions for on-demand scans applicable for branch' do
expect(on_demand_scan_actions).to eq(expected_actions)
end
end
context 'when ref is a tag' do
let(:ref) { 'refs/tags/v1.0.0' }
it { is_expected.to be_empty }
end
end
......
......@@ -17,13 +17,13 @@ module Gitlab
Config::Yaml::Tags::TagError
].freeze
attr_reader :root, :context, :ref, :source
attr_reader :root, :context, :source_ref_path, :source
def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil)
@context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, source_ref_path: nil, source: nil)
@context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline, ref: source_ref_path)
@context.set_deadline(TIMEOUT_SECONDS)
@ref = ref
@source_ref_path = source_ref_path
@source = source
@config = expand_config(config)
......@@ -108,13 +108,13 @@ module Gitlab
end
end
def build_context(project:, sha:, user:, parent_pipeline:)
def build_context(project:, sha:, user:, parent_pipeline:, ref:)
Config::External::Context.new(
project: project,
sha: sha || find_sha(project),
user: user,
parent_pipeline: parent_pipeline,
variables: build_variables(project: project, ref: sha))
variables: build_variables(project: project, ref: ref))
end
def build_variables(project:, ref:)
......
......@@ -14,7 +14,7 @@ module Gitlab
result = ::Gitlab::Ci::YamlProcessor.new(
@command.config_content, {
project: project,
ref: @pipeline.ref,
source_ref_path: @pipeline.source_ref_path,
sha: @pipeline.sha,
source: @pipeline.source,
user: current_user,
......
......@@ -107,7 +107,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Populate do
context 'when ref is protected' do
before do
allow(project).to receive(:protected_for?).with('master').and_return(true)
allow(project).to receive(:protected_for?).with('b83d6e391c22777fca1ed3012fce84f633d7fed0').and_return(true)
allow(project).to receive(:protected_for?).with('refs/heads/master').and_return(true)
dependencies.map(&:perform!)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment