Commit 570e98d1 authored by Nick Thomas's avatar Nick Thomas

Merge branch '223195-validate-ci-secrets-foss' into 'master'

RUN AS-IF-FOSS: Move CI secrets json schema validation to FOSS

See merge request gitlab-org/gitlab!34990
parents 0ec2eff3 94262849
...@@ -19,6 +19,7 @@ module Ci ...@@ -19,6 +19,7 @@ module Ci
before_create :set_build_project before_create :set_build_project
validates :build, presence: true validates :build, presence: true
validates :secrets, json_schema: { filename: 'build_metadata_secrets' }
serialize :config_options, Serializers::JSON # rubocop:disable Cop/ActiveRecordSerialize serialize :config_options, Serializers::JSON # rubocop:disable Cop/ActiveRecordSerialize
serialize :config_variables, Serializers::JSON # rubocop:disable Cop/ActiveRecordSerialize serialize :config_variables, Serializers::JSON # rubocop:disable Cop/ActiveRecordSerialize
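Review bot: The new `validates :secrets, json_schema: { filename: 'build_metadata_secrets' }` is now the only FOSS-side guard on what lands in the `secrets` jsonb column, but nothing in the hunk records that intent or what happens for a record whose `secrets` is nil or an empty hash; the moved spec (the `describe 'validations'` hunk in build_metadata_spec.rb) only exercises a fully populated entry and one with an empty `vault`. I would add a why-comment above the line, `# Schema-validate secret references before persisting them to the jsonb column; see the build_metadata_secrets schema file`, and extend the spec with a case asserting the outcome for `metadata.secrets = {}` (and nil, if the column allows it) so the accepted baseline is pinned rather than implied. Whether nil is reachable depends on the column default, which is not visible here. The enclosing `module Ci` class body continues outside this hunk.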
...@@ -83,5 +84,3 @@ module Ci ...@@ -83,5 +84,3 @@ module Ci
end end
end end
end end
Ci::BuildMetadata.prepend_if_ee('EE::Ci::BuildMetadata')
# frozen_string_literal: true
module EE
module Ci
module BuildMetadata
extend ActiveSupport::Concern
prepended do
validates :secrets, json_schema: { filename: 'build_metadata_secrets' }
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe Ci::BuildMetadata do
describe 'validations' do
let(:metadata) { build(:ci_build).metadata }
context 'when attributes are valid' do
it 'returns no errors' do
metadata.secrets = {
DATABASE_PASSWORD: {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
}
}
}
expect(metadata).to be_valid
end
end
context 'when data is invalid' do
it 'returns errors' do
metadata.secrets = { DATABASE_PASSWORD: { vault: {} } }
aggregate_failures do
expect(metadata).to be_invalid
expect(metadata.errors.full_messages).to eq(["Secrets must be a valid json schema"])
end
end
end
end
end
...@@ -174,7 +174,7 @@ RSpec.describe 'Database schema' do ...@@ -174,7 +174,7 @@ RSpec.describe 'Database schema' do
IGNORED_JSONB_COLUMNS = { IGNORED_JSONB_COLUMNS = {
"ApplicationSetting" => %w[repository_storages_weighted], "ApplicationSetting" => %w[repository_storages_weighted],
"AlertManagement::Alert" => %w[payload], "AlertManagement::Alert" => %w[payload],
"Ci::BuildMetadata" => %w[config_options config_variables secrets], # secrets has an EE-only validator "Ci::BuildMetadata" => %w[config_options config_variables],
"Geo::Event" => %w[payload], "Geo::Event" => %w[payload],
"GeoNodeStatus" => %w[status], "GeoNodeStatus" => %w[status],
"Operations::FeatureFlagScope" => %w[strategies], "Operations::FeatureFlagScope" => %w[strategies],
......
...@@ -92,4 +92,33 @@ describe Ci::BuildMetadata do ...@@ -92,4 +92,33 @@ describe Ci::BuildMetadata do
end end
end end
end end
describe 'validations' do
context 'when attributes are valid' do
it 'returns no errors' do
metadata.secrets = {
DATABASE_PASSWORD: {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
}
}
}
expect(metadata).to be_valid
end
end
context 'when data is invalid' do
it 'returns errors' do
metadata.secrets = { DATABASE_PASSWORD: { vault: {} } }
aggregate_failures do
expect(metadata).to be_invalid
expect(metadata.errors.full_messages).to eq(["Secrets must be a valid json schema"])
end
end
end
end
end end