Resolve "Mask the existing variables"

686ffdc2 · Matija Čupić · Kamil Trzciński · 380fa883 · 686ffdc2 · 686ffdc2
Commit 686ffdc2 authored Mar 07, 2019 by Matija Čupić Committed by Kamil Trzciński Mar 07, 2019
10 changed files
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -426,11 +426,11 @@ module Ci
          .concat(pipeline.persisted_variables)
          .append(key: 'CI_JOB_ID', value: id.to_s)
          .append(key: 'CI_JOB_URL', value: Gitlab::Routing.url_helpers.project_job_url(project, self))
-          .append(key: 'CI_JOB_TOKEN', value: token.to_s, public: false)
+          .append(key: 'CI_JOB_TOKEN', value: token.to_s, public: false, masked: true)
          .append(key: 'CI_BUILD_ID', value: id.to_s)
-          .append(key: 'CI_BUILD_TOKEN', value: token.to_s, public: false)
+          .append(key: 'CI_BUILD_TOKEN', value: token.to_s, public: false, masked: true)
          .append(key: 'CI_REGISTRY_USER', value: CI_REGISTRY_USER)
-          .append(key: 'CI_REGISTRY_PASSWORD', value: token.to_s, public: false)
+          .append(key: 'CI_REGISTRY_PASSWORD', value: token.to_s, public: false, masked: true)
          .append(key: 'CI_REPOSITORY_URL', value: repo_url.to_s, public: false)
          .concat(deploy_token_variables)
      end
@@ -454,7 +454,7 @@ module Ci
        break variables unless gitlab_deploy_token
        variables.append(key: 'CI_DEPLOY_USER', value: gitlab_deploy_token.username)
-        variables.append(key: 'CI_DEPLOY_PASSWORD', value: gitlab_deploy_token.token, public: false)
+        variables.append(key: 'CI_DEPLOY_PASSWORD', value: gitlab_deploy_token.token, public: false, masked: true)
      end
    end

--- a/app/models/clusters/kubernetes_namespace.rb
+++ b/app/models/clusters/kubernetes_namespace.rb
@@ -37,7 +37,7 @@ module Clusters
        variables
          .append(key: 'KUBE_SERVICE_ACCOUNT', value: service_account_name.to_s)
          .append(key: 'KUBE_NAMESPACE', value: namespace.to_s)
-          .append(key: 'KUBE_TOKEN', value: service_account_token.to_s, public: false)
+          .append(key: 'KUBE_TOKEN', value: service_account_token.to_s, public: false, masked: true)
          .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true)
      end
    end

--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -95,7 +95,7 @@ module Clusters
            # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433
            variables
              .append(key: 'KUBE_URL', value: api_url)
-              .append(key: 'KUBE_TOKEN', value: token, public: false)
+              .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
              .append(key: 'KUBE_NAMESPACE', value: actual_namespace)
              .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true)
          end

--- a/app/models/project_services/kubernetes_service.rb
+++ b/app/models/project_services/kubernetes_service.rb
@@ -113,7 +113,7 @@ class KubernetesService < DeploymentService
    Gitlab::Ci::Variables::Collection.new.tap do |variables|
      variables
        .append(key: 'KUBE_URL', value: api_url)
-        .append(key: 'KUBE_TOKEN', value: token, public: false)
+        .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
        .append(key: 'KUBE_NAMESPACE', value: actual_namespace)
        .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true)

--- a/changelogs/unreleased/58010-mask-the-existing-variables.yml
+++ b/changelogs/unreleased/58010-mask-the-existing-variables.yml
+---
+title: Mask all TOKEN and PASSWORD CI variables.
+merge_request: 25868
+author:
+type: changed
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -2118,11 +2118,11 @@ describe Ci::Build do
          { key: 'CI_PIPELINE_URL', value: project.web_url + "/pipelines/#{pipeline.id}", public: true, masked: false },
          { key: 'CI_JOB_ID', value: build.id.to_s, public: true, masked: false },
          { key: 'CI_JOB_URL', value: project.web_url + "/-/jobs/#{build.id}", public: true, masked: false },
-          { key: 'CI_JOB_TOKEN', value: 'my-token', public: false, masked: false },
+          { key: 'CI_JOB_TOKEN', value: 'my-token', public: false, masked: true },
          { key: 'CI_BUILD_ID', value: build.id.to_s, public: true, masked: false },
-          { key: 'CI_BUILD_TOKEN', value: 'my-token', public: false, masked: false },
+          { key: 'CI_BUILD_TOKEN', value: 'my-token', public: false, masked: true },
          { key: 'CI_REGISTRY_USER', value: 'gitlab-ci-token', public: true, masked: false },
-          { key: 'CI_REGISTRY_PASSWORD', value: 'my-token', public: false, masked: false },
+          { key: 'CI_REGISTRY_PASSWORD', value: 'my-token', public: false, masked: true },
          { key: 'CI_REPOSITORY_URL', value: build.repo_url, public: false, masked: false },
          { key: 'CI', value: 'true', public: true, masked: false },
          { key: 'GITLAB_CI', value: 'true', public: true, masked: false },
@@ -2652,7 +2652,7 @@ describe Ci::Build do
      let(:deploy_token_variables) do
        [
          { key: 'CI_DEPLOY_USER', value: deploy_token.username, public: true, masked: false },
-          { key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: false, masked: false }
+          { key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: false, masked: true }
        ]
      end

--- a/spec/models/clusters/kubernetes_namespace_spec.rb
+++ b/spec/models/clusters/kubernetes_namespace_spec.rb
@@ -115,7 +115,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
      expect(kubernetes_namespace.predefined_variables).to include(
        { key: 'KUBE_SERVICE_ACCOUNT', value: kubernetes_namespace.service_account_name, public: true },
        { key: 'KUBE_NAMESPACE', value: kubernetes_namespace.namespace, public: true },
-        { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false },
+        { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false, masked: true },
        { key: 'KUBECONFIG', value: kubeconfig, public: false, file: true }
      )
    end

--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -269,7 +269,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      it 'sets KUBE_TOKEN' do
        expect(subject).to include(
-          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false }
+          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
        )
      end
    end
@@ -281,7 +281,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      it 'sets KUBE_TOKEN' do
        expect(subject).to include(
-          { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false }
+          { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false, masked: true }
        )
      end
    end
@@ -297,7 +297,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      it 'sets KUBE_TOKEN' do
        expect(subject).to include(
-          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false }
+          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
        )
      end
    end
@@ -309,7 +309,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      it 'sets KUBE_TOKEN' do
        expect(subject).to include(
-          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false }
+          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
        )
      end
    end
@@ -338,7 +338,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
        it 'sets KUBE_TOKEN' do
          expect(subject).to include(
-            { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false }
+            { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false, masked: true }
          )
        end
      end

--- a/spec/models/project_services/kubernetes_service_spec.rb
+++ b/spec/models/project_services/kubernetes_service_spec.rb
@@ -276,7 +276,7 @@ describe KubernetesService, :use_clean_rails_memory_store_caching do
      it 'sets the variables' do
        expect(subject.predefined_variables(project: project)).to include(
          { key: 'KUBE_URL', value: 'https://kube.domain.com', public: true },
-          { key: 'KUBE_TOKEN', value: 'token', public: false },
+          { key: 'KUBE_TOKEN', value: 'token', public: false, masked: true },
          { key: 'KUBE_NAMESPACE', value: namespace, public: true },
          { key: 'KUBECONFIG', value: kubeconfig, public: false, file: true },
          { key: 'KUBE_CA_PEM', value: 'CA PEM DATA', public: true },

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2607,7 +2607,7 @@ describe Project do
      shared_examples 'same behavior between KubernetesService and Platform::Kubernetes' do
        it 'returns variables from this service' do
          expect(project.deployment_variables).to include(
-            { key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false }
+            { key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
          )
        end
      end
@@ -2632,7 +2632,7 @@ describe Project do
        it 'should return token from kubernetes namespace' do
          expect(project.deployment_variables).to include(
-            { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false }
+            { key: 'KUBE_TOKEN', value: kubernetes_namespace.service_account_token, public: false, masked: true }
          )
        end
      end