Use ref instead of sha for CI config variables

6ac6db77 · Hordur Freyr Yngvason · Kerri Miller · 4f4b77d3 · 6ac6db77 · 6ac6db77
Commit 6ac6db77 authored Aug 11, 2021 by Hordur Freyr Yngvason Committed by Kerri Miller Aug 11, 2021
8 changed files
--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -68,9 +68,9 @@ module Security
      scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT)
    end

-    def on_demand_scan_actions(branch)
+    def on_demand_scan_actions(ref)
      active_policies
-        .select { |policy| applicable_for_branch?(policy, branch) }
+        .select { |policy| applicable_for_ref?(policy, ref) }
        .flat_map { |policy| policy[:actions] }
        .select { |action| action[:scan].in?(ON_DEMAND_SCANS) }
    end
@@ -142,9 +142,13 @@ module Security
      end
    end

-    def applicable_for_branch?(policy, ref)
+    def applicable_for_ref?(policy, ref)
+      return false unless Gitlab::Git.branch_ref?(ref)
+
+      branch_name = Gitlab::Git.ref_name(ref)
+
      policy[:rules].any? do |rule|
-        rule[:type] == RULE_TYPES[:pipeline] && rule[:branches].any? { |branch| RefMatcher.new(branch).matches?(ref) }
+        rule[:type] == RULE_TYPES[:pipeline] && rule[:branches].any? { |branch| RefMatcher.new(branch).matches?(branch_name) }
      end
    end
  end

--- a/ee/lib/ee/gitlab/ci/config_ee.rb
+++ b/ee/lib/ee/gitlab/ci/config_ee.rb
@@ -25,7 +25,7 @@ module EE
        end

        def process_security_orchestration_policy_includes(config)
-          ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref, source).perform
+          ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, source_ref_path, source).perform
        end
      end
    end

--- a/ee/spec/lib/ee/gitlab/ci/config_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/config_spec.rb
@@ -40,7 +40,7 @@ RSpec.describe Gitlab::Ci::Config do
  describe 'with security orchestration policy' do
    let(:source) { 'push' }

-    let_it_be(:ref) { 'master' }
+    let_it_be(:ref) { 'refs/heads/master' }
    let_it_be_with_refind(:project) { create(:project, :repository) }

    let_it_be(:policies_repository) { create(:project, :repository) }
@@ -63,7 +63,7 @@ RSpec.describe Gitlab::Ci::Config do
      EOS
    end

-    subject(:config) { described_class.new(ci_yml, ref: ref, project: project, source: source) }
+    subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }

    before do
      allow_next_instance_of(Repository) do |repository|
@@ -105,7 +105,7 @@ RSpec.describe Gitlab::Ci::Config do
        end

        context 'when policy is not applicable on branch from the pipeline' do
-          let_it_be(:ref) { 'production' }
+          let_it_be(:ref) { 'refs/heads/production' }

          context 'when DAST profiles are not found' do
            it 'adds a job with error message' do

--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do

  let_it_be(:config) { { image: 'ruby:3.0.1' } }

-  let(:ref) { 'master' }
+  let(:ref) { 'refs/heads/master' }
  let(:source) { 'pipeline' }

  let_it_be_with_refind(:project) { create(:project, :repository) }
@@ -103,8 +103,16 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
        end
      end

+      context 'when ref is a tag' do
+        let_it_be(:ref) { 'refs/tags/v1.1.0' }
+
+        it 'does not modify the config' do
+          expect(subject).to eq(config)
+        end
+      end
+
      context 'when policy is not applicable on branch from the pipeline' do
-        let_it_be(:ref) { 'production' }
+        let_it_be(:ref) { 'refs/heads/production' }

        context 'when DAST profiles are not found' do
          it 'does not modify the config' do

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -427,7 +427,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
    end

    subject(:on_demand_scan_actions) do
-      security_orchestration_policy_configuration.on_demand_scan_actions('release/123')
+      security_orchestration_policy_configuration.on_demand_scan_actions(ref)
    end

    before do
@@ -435,8 +435,18 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
      allow(repository).to receive(:blob_data_at).with(default_branch, Security::OrchestrationPolicyConfiguration::POLICY_PATH).and_return(policy_yaml)
    end

-    it 'returns only actions for on-demand scans applicable for branch' do
-      expect(on_demand_scan_actions).to eq(expected_actions)
+    context 'when ref is branch' do
+      let(:ref) { 'refs/heads/release/123' }
+
+      it 'returns only actions for on-demand scans applicable for branch' do
+        expect(on_demand_scan_actions).to eq(expected_actions)
+      end
+    end
+
+    context 'when ref is a tag' do
+      let(:ref) { 'refs/tags/v1.0.0' }
+
+      it { is_expected.to be_empty }
    end
  end


--- a/lib/gitlab/ci/config.rb
+++ b/lib/gitlab/ci/config.rb
@@ -17,13 +17,13 @@ module Gitlab
        Config::Yaml::Tags::TagError
      ].freeze

-      attr_reader :root, :context, :ref, :source
+      attr_reader :root, :context, :source_ref_path, :source

-      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil)
-        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline)
+      def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, source_ref_path: nil, source: nil)
+        @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline, ref: source_ref_path)
        @context.set_deadline(TIMEOUT_SECONDS)

-        @ref = ref
+        @source_ref_path = source_ref_path
        @source = source

        @config = expand_config(config)
@@ -108,13 +108,13 @@ module Gitlab
        end
      end

-      def build_context(project:, sha:, user:, parent_pipeline:)
+      def build_context(project:, sha:, user:, parent_pipeline:, ref:)
        Config::External::Context.new(
          project: project,
          sha: sha || find_sha(project),
          user: user,
          parent_pipeline: parent_pipeline,
-          variables: build_variables(project: project, ref: sha))
+          variables: build_variables(project: project, ref: ref))
      end

      def build_variables(project:, ref:)

--- a/lib/gitlab/ci/pipeline/chain/config/process.rb
+++ b/lib/gitlab/ci/pipeline/chain/config/process.rb
@@ -14,7 +14,7 @@ module Gitlab
              result = ::Gitlab::Ci::YamlProcessor.new(
                @command.config_content, {
                  project: project,
-                  ref: @pipeline.ref,
+                  source_ref_path: @pipeline.source_ref_path,
                  sha: @pipeline.sha,
                  source: @pipeline.source,
                  user: current_user,

--- a/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/chain/populate_spec.rb
@@ -107,7 +107,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Populate do
    context 'when ref is protected' do
      before do
        allow(project).to receive(:protected_for?).with('master').and_return(true)
-        allow(project).to receive(:protected_for?).with('b83d6e391c22777fca1ed3012fce84f633d7fed0').and_return(true)
        allow(project).to receive(:protected_for?).with('refs/heads/master').and_return(true)

        dependencies.map(&:perform!)