Commit 0903456a authored by Mayra Cabrera's avatar Mayra Cabrera

Expose deploy token to CI/CD jobs as environment variable

- If a deploy token with a name 'gitlab-deploy-token' is exists for the
  project, CI_DEPLOY_USER and CI_DEPLOY_PASSWORD variables will be
expose
parent 3c3cab8b
...@@ -624,6 +624,7 @@ module Ci ...@@ -624,6 +624,7 @@ module Ci
variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request
variables.append(key: "CI_JOB_MANUAL", value: 'true') if action? variables.append(key: "CI_JOB_MANUAL", value: 'true') if action?
variables.concat(legacy_variables) variables.concat(legacy_variables)
variables.concat(deploy_token_variables) if project.gitlab_deploy_token
end end
end end
...@@ -654,6 +655,13 @@ module Ci ...@@ -654,6 +655,13 @@ module Ci
end end
end end
def deploy_token_variables
Gitlab::Ci::Variables::Collection.new.tap do |variables|
variables.append(key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN)
variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token)
end
end
def environment_url def environment_url
options&.dig(:environment, :url) || persisted_environment&.external_url options&.dig(:environment, :url) || persisted_environment&.external_url
end end
......
...@@ -4,6 +4,7 @@ class DeployToken < ActiveRecord::Base ...@@ -4,6 +4,7 @@ class DeployToken < ActiveRecord::Base
add_authentication_token_field :token add_authentication_token_field :token
AVAILABLE_SCOPES = %i(read_repository read_registry).freeze AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
GITLAB_DEPLOY_TOKEN = 'gitlab-deploy-token'.freeze
default_value_for(:expires_at) { Forever.date } default_value_for(:expires_at) { Forever.date }
......
...@@ -1879,6 +1879,11 @@ class Project < ActiveRecord::Base ...@@ -1879,6 +1879,11 @@ class Project < ActiveRecord::Base
[] []
end end
def gitlab_deploy_token
@gitlab_deploy_token ||=
deploy_tokens.active.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN)
end
private private
def storage def storage
......
...@@ -10,5 +10,13 @@ FactoryBot.define do ...@@ -10,5 +10,13 @@ FactoryBot.define do
trait :revoked do trait :revoked do
revoked true revoked true
end end
trait :gitlab_deploy_token do
name DeployToken::GITLAB_DEPLOY_TOKEN
end
trait :expired do
expires_at { Date.today - 1.month }
end
end end
end end
...@@ -2035,6 +2035,37 @@ describe Ci::Build do ...@@ -2035,6 +2035,37 @@ describe Ci::Build do
expect(build).not_to be_persisted expect(build).not_to be_persisted
end end
end end
context 'for deploy tokens' do
let(:deploy_token) { create(:deploy_token, :gitlab_deploy_token) }
let(:deploy_token_variables) do
[
{ key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN, public: true },
{ key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true }
]
end
context 'when gitlab-deploy-token exist' do
before do
project.deploy_tokens << deploy_token
end
it 'should include deploy token variables' do
deploy_token_variables.each do |deploy_token_variable|
is_expected.to include(deploy_token_variable)
end
end
end
context 'when gitlab-deploy-token does not exist' do
it 'should not include deploy token variables' do
deploy_token_variables.each do |deploy_token_variable|
is_expected.not_to include(deploy_token_variable)
end
end
end
end
end end
describe '#scoped_variables' do describe '#scoped_variables' do
......
...@@ -3585,4 +3585,31 @@ describe Project do ...@@ -3585,4 +3585,31 @@ describe Project do
it { is_expected.not_to be_valid } it { is_expected.not_to be_valid }
end end
end end
describe '#gitlab_deploy_token' do
let(:project) { create(:project) }
subject { project.gitlab_deploy_token }
context 'when there is a gitlab deploy token associated' do
let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
it { is_expected.to eq(deploy_token) }
end
context 'when there is no a gitlab deploy token associated' do
it { is_expected.to be_nil }
end
context 'when there is a gitlab deploy token associated but is has been revoked' do
let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :revoked, projects: [project]) }
it { is_expected.to be_nil }
end
context 'when there is a gitlab deploy token associated but it has expired' do
let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) }
it { is_expected.to be_nil }
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment