Merge branch 'mask-tokens-package-job-logs' into 'master'

Avoid leaking token data in CI logs See merge request gitlab-org/gitlab!83526

Merge branch 'mask-tokens-package-job-logs' into 'master'
Avoid leaking token data in CI logs See merge request gitlab-org/gitlab!83526
58d7b33a · Andrejs Cunskis · 1270174a · e3094dc6 · 58d7b33a · 58d7b33a
Commit 58d7b33a authored Apr 01, 2022 by Andrejs Cunskis
8 changed files
--- a/qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb
@@ -3,6 +3,8 @@
 module QA
  RSpec.describe 'Package', :orchestrated, :skip_live_env do
    describe 'Self-managed Container Registry' do
+      include Support::Helpers::MaskToken
      let(:project) do
        Resource::Project.fabricate_via_api! do |project|
          project.name = 'project-with-registry'
@@ -110,9 +112,9 @@ module QA
          let(:auth_token) do
            case authentication_token_type
            when :personal_access_token
-              "\"#{personal_access_token}\""
+              use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: project)
            when :project_deploy_token
-              "\"#{project_deploy_token.token}\""
+              use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
            when :ci_job_token
              '$CI_JOB_TOKEN'
            end

--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/helm_registry_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/helm_registry_spec.rb
@@ -5,6 +5,7 @@ module QA
    describe 'Helm Registry' do
      using RSpec::Parameterized::TableSyntax
      include Runtime::Fixtures
+      include Support::Helpers::MaskToken
      include_context 'packages registry qa scenario'
      let(:package_name) { "gitlab_qa_helm-#{SecureRandom.hex(8)}" }
@@ -32,11 +33,13 @@ module QA
        let(:access_token) do
          case authentication_token_type
          when :personal_access_token
-            personal_access_token
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: package_project)
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: client_project)
          when :ci_job_token
            '${CI_JOB_TOKEN}'
          when :project_deploy_token
-            project_deploy_token.token
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: package_project)
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: client_project)
          end
        end

--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_instance_level_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_instance_level_spec.rb
@@ -5,6 +5,7 @@ module QA
    describe 'npm instance level endpoint' do
      using RSpec::Parameterized::TableSyntax
      include Runtime::Fixtures
+      include Support::Helpers::MaskToken
      let!(:registry_scope) { Runtime::Namespace.sandbox_name }
      let!(:personal_access_token) do
@@ -78,11 +79,13 @@ module QA
        let(:auth_token) do
          case authentication_token_type
          when :personal_access_token
-            "\"#{personal_access_token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: project)
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: another_project)
          when :ci_job_token
            '${CI_JOB_TOKEN}'
          when :project_deploy_token
-            "\"#{project_deploy_token.token}\""
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: another_project)
          end
        end

--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_project_level_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_project_level_spec.rb
@@ -5,6 +5,7 @@ module QA
    describe 'npm project level endpoint' do
      using RSpec::Parameterized::TableSyntax
      include Runtime::Fixtures
+      include Support::Helpers::MaskToken
      let!(:registry_scope) { Runtime::Namespace.sandbox_name }
      let!(:personal_access_token) do
@@ -69,11 +70,11 @@ module QA
        let(:auth_token) do
          case authentication_token_type
          when :personal_access_token
-            "\"#{personal_access_token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: project)
          when :ci_job_token
            '${CI_JOB_TOKEN}'
          when :project_deploy_token
-            "\"#{project_deploy_token.token}\""
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
          end
        end

--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb
@@ -5,6 +5,7 @@ module QA
    describe 'NuGet group level endpoint' do
      using RSpec::Parameterized::TableSyntax
      include Runtime::Fixtures
+      include Support::Helpers::MaskToken
      let(:project) do
        Resource::Project.fabricate_via_api! do |project|
@@ -61,6 +62,8 @@ module QA
      after do
        runner.remove_via_api!
        package.remove_via_api!
+        project.remove_via_api!
+        another_project.remove_via_api!
      end
      where(:case_name, :authentication_token_type, :token_name, :testcase) do
@@ -73,11 +76,13 @@ module QA
        let(:auth_token_password) do
          case authentication_token_type
          when :personal_access_token
-            "\"#{personal_access_token.token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token.token, project: project)
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token.token, project: another_project)
          when :ci_job_token
            '${CI_JOB_TOKEN}'
          when :group_deploy_token
-            "\"#{group_deploy_token.token}\""
+            use_ci_variable(name: 'GROUP_DEPLOY_TOKEN', value: group_deploy_token.token, project: project)
+            use_ci_variable(name: 'GROUP_DEPLOY_TOKEN', value: group_deploy_token.token, project: another_project)
          end
        end

--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb
@@ -3,6 +3,8 @@
 module QA
  RSpec.describe 'Package', :orchestrated, :packages, :object_storage do
    describe 'NuGet project level endpoint' do
+      include Support::Helpers::MaskToken
      let(:project) do
        Resource::Project.fabricate_via_api! do |project|
          project.name = 'nuget-package-project'
@@ -77,11 +79,11 @@ module QA
        let(:auth_token_password) do
          case authentication_token_type
          when :personal_access_token
-            "\"#{personal_access_token.token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token.token, project: project)
          when :ci_job_token
            '${CI_JOB_TOKEN}'
          when :project_deploy_token
-            "\"#{project_deploy_token.token}\""
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
          end
        end

--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb
@@ -4,6 +4,7 @@ module QA
  RSpec.describe 'Package', :orchestrated, :packages, :object_storage do
    describe 'PyPI Repository' do
      include Runtime::Fixtures
+      include Support::Helpers::MaskToken
      let(:project) do
        Resource::Project.fabricate_via_api! do |project|
@@ -30,7 +31,7 @@ module QA
      let(:uri) { URI.parse(Runtime::Scenario.gitlab_address) }
      let(:gitlab_address_with_port) { "#{uri.scheme}://#{uri.host}:#{uri.port}" }
      let(:gitlab_host_with_port) { "#{uri.host}:#{uri.port}" }
-      let(:personal_access_token) { Runtime::Env.personal_access_token }
+      let(:personal_access_token) { use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: Runtime::Env.personal_access_token, project: project) }
      before do
        Flow::Login.sign_in

--- a/qa/qa/support/helpers/mask_token.rb
+++ b/qa/qa/support/helpers/mask_token.rb
+# frozen_string_literal: true
+module QA
+  module Support
+    module Helpers
+      module MaskToken
+        def use_ci_variable(name:, value:, project:)
+          Resource::CiVariable.fabricate_via_api! do |ci_variable|
+            ci_variable.project = project
+            ci_variable.key = name
+            ci_variable.value = value
+            ci_variable.protected = true
+          end
+          "$#{name}"
+        end
+      end
+    end
+  end
+end