Avoid leaking token data in CI logs

qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb

@@ -3,6 +3,8 @@
 module QA
   RSpec.describe 'Package', :orchestrated, :skip_live_env do
     describe 'Self-managed Container Registry' do
+      include Support::Helpers::MaskToken
+
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
           project.name = 'project-with-registry'
@@ -110,9 +112,9 @@ module QA
           let(:auth_token) do
             case authentication_token_type
             when :personal_access_token
-              "\"#{personal_access_token}\""
+              use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: project)
             when :project_deploy_token
-              "\"#{project_deploy_token.token}\""
+              use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
             when :ci_job_token
               '$CI_JOB_TOKEN'
             end

qa/qa/specs/features/browser_ui/5_package/package_registry/helm_registry_spec.rb

@@ -5,6 +5,7 @@ module QA
     describe 'Helm Registry' do
       using RSpec::Parameterized::TableSyntax
       include Runtime::Fixtures
+      include Support::Helpers::MaskToken
       include_context 'packages registry qa scenario'
 
       let(:package_name) { "gitlab_qa_helm-#{SecureRandom.hex(8)}" }
@@ -32,11 +33,13 @@ module QA
         let(:access_token) do
           case authentication_token_type
           when :personal_access_token
-            personal_access_token
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: package_project)
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: client_project)
           when :ci_job_token
             '${CI_JOB_TOKEN}'
           when :project_deploy_token
-            project_deploy_token.token
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: package_project)
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: client_project)
           end
         end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_instance_level_spec.rb

@@ -5,6 +5,7 @@ module QA
     describe 'npm instance level endpoint' do
       using RSpec::Parameterized::TableSyntax
       include Runtime::Fixtures
+      include Support::Helpers::MaskToken
 
       let!(:registry_scope) { Runtime::Namespace.sandbox_name }
       let!(:personal_access_token) do
@@ -78,11 +79,13 @@ module QA
         let(:auth_token) do
           case authentication_token_type
           when :personal_access_token
-            "\"#{personal_access_token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: project)
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: another_project)
           when :ci_job_token
             '${CI_JOB_TOKEN}'
           when :project_deploy_token
-            "\"#{project_deploy_token.token}\""
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: another_project)
           end
         end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/npm/npm_project_level_spec.rb

@@ -5,6 +5,7 @@ module QA
     describe 'npm project level endpoint' do
       using RSpec::Parameterized::TableSyntax
       include Runtime::Fixtures
+      include Support::Helpers::MaskToken
 
       let!(:registry_scope) { Runtime::Namespace.sandbox_name }
       let!(:personal_access_token) do
@@ -69,11 +70,11 @@ module QA
         let(:auth_token) do
           case authentication_token_type
           when :personal_access_token
-            "\"#{personal_access_token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token, project: project)
           when :ci_job_token
             '${CI_JOB_TOKEN}'
           when :project_deploy_token
-            "\"#{project_deploy_token.token}\""
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
           end
         end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb

@@ -5,6 +5,7 @@ module QA
     describe 'NuGet group level endpoint' do
       using RSpec::Parameterized::TableSyntax
       include Runtime::Fixtures
+      include Support::Helpers::MaskToken
 
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
@@ -61,6 +62,8 @@ module QA
       after do
         runner.remove_via_api!
         package.remove_via_api!
+        project.remove_via_api!
+        another_project.remove_via_api!
       end
 
       where(:case_name, :authentication_token_type, :token_name, :testcase) do
@@ -73,11 +76,13 @@ module QA
         let(:auth_token_password) do
           case authentication_token_type
           when :personal_access_token
-            "\"#{personal_access_token.token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token.token, project: project)
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token.token, project: another_project)
           when :ci_job_token
             '${CI_JOB_TOKEN}'
           when :group_deploy_token
-            "\"#{group_deploy_token.token}\""
+            use_ci_variable(name: 'GROUP_DEPLOY_TOKEN', value: group_deploy_token.token, project: project)
+            use_ci_variable(name: 'GROUP_DEPLOY_TOKEN', value: group_deploy_token.token, project: another_project)
           end
         end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb

@@ -3,6 +3,8 @@
 module QA
   RSpec.describe 'Package', :orchestrated, :packages, :object_storage do
     describe 'NuGet project level endpoint' do
+      include Support::Helpers::MaskToken
+
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
           project.name = 'nuget-package-project'
@@ -77,11 +79,11 @@ module QA
         let(:auth_token_password) do
           case authentication_token_type
           when :personal_access_token
-            "\"#{personal_access_token.token}\""
+            use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: personal_access_token.token, project: project)
           when :ci_job_token
             '${CI_JOB_TOKEN}'
           when :project_deploy_token
-            "\"#{project_deploy_token.token}\""
+            use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project)
           end
         end
 

qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb

@@ -4,6 +4,7 @@ module QA
   RSpec.describe 'Package', :orchestrated, :packages, :object_storage do
     describe 'PyPI Repository' do
       include Runtime::Fixtures
+      include Support::Helpers::MaskToken
 
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
@@ -30,7 +31,7 @@ module QA
       let(:uri) { URI.parse(Runtime::Scenario.gitlab_address) }
       let(:gitlab_address_with_port) { "#{uri.scheme}://#{uri.host}:#{uri.port}" }
       let(:gitlab_host_with_port) { "#{uri.host}:#{uri.port}" }
-      let(:personal_access_token) { Runtime::Env.personal_access_token }
+      let(:personal_access_token) { use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: Runtime::Env.personal_access_token, project: project) }
 
       before do
         Flow::Login.sign_in

qa/qa/support/helpers/mask_token.rb

+# frozen_string_literal: true
+
+module QA
+  module Support
+    module Helpers
+      module MaskToken
+        def use_ci_variable(name:, value:, project:)
+          Resource::CiVariable.fabricate_via_api! do |ci_variable|
+            ci_variable.project = project
+            ci_variable.key = name
+            ci_variable.value = value
+            ci_variable.protected = true
+          end
+          "$#{name}"
+        end
+      end
+    end
+  end
+end