Merge branch 'fix/gb/remove-rails-ci-secrets-masking' into 'master'

Increment trace mutation metric when CI/CD secrets are masked

Closes #241189

See merge request gitlab-org/gitlab!40408

app/models/ci/build.rb

@@ -871,13 +871,17 @@ module Ci
       options.dig(:release)&.any?
     end
 
-    def hide_secrets(trace)
+    def hide_secrets(data, metrics = ::Gitlab::Ci::Trace::Metrics.new)
       return unless trace
 
-      trace = trace.dup
+      data.dup.tap do |trace|
         Gitlab::Ci::MaskSecret.mask!(trace, project.runners_token) if project
         Gitlab::Ci::MaskSecret.mask!(trace, token) if token
-      trace
+
+        if trace != data
+          metrics.increment_trace_operation(operation: :mutated)
+        end
+      end
     end
 
     def serializable_hash(options = {})

lib/gitlab/ci/trace/metrics.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    class Trace
+      class Metrics
+        extend Gitlab::Utils::StrongMemoize
+
+        OPERATIONS = [:mutated].freeze
+
+        def increment_trace_operation(operation: :unknown)
+          unless OPERATIONS.include?(operation)
+            raise ArgumentError, 'unknown trace operation'
+          end
+
+          self.class.trace_operations.increment(operation: operation)
+        end
+
+        def self.trace_operations
+          strong_memoize(:trace_operations) do
+            name = :gitlab_ci_trace_operations_total
+            comment = 'Total amount of different operations on a build trace'
+
+            Gitlab::Metrics.counter(name, comment)
+          end
+        end
+      end
+    end
+  end
+end

spec/models/ci/build_spec.rb

@@ -1052,18 +1052,53 @@ RSpec.describe Ci::Build do
   end
 
   describe '#hide_secrets' do
+    let(:metrics) { spy('metrics') }
     let(:subject) { build.hide_secrets(data) }
 
     context 'hide runners token' do
       let(:data) { "new #{project.runners_token} data"}
 
       it { is_expected.to match(/^new x+ data$/) }
+
+      it 'increments trace mutation metric' do
+        build.hide_secrets(data, metrics)
+
+        expect(metrics)
+          .to have_received(:increment_trace_operation)
+          .with(operation: :mutated)
+      end
     end
 
     context 'hide build token' do
       let(:data) { "new #{build.token} data"}
 
       it { is_expected.to match(/^new x+ data$/) }
+
+      it 'increments trace mutation metric' do
+        build.hide_secrets(data, metrics)
+
+        expect(metrics)
+          .to have_received(:increment_trace_operation)
+          .with(operation: :mutated)
+      end
+    end
+
+    context 'when build does not include secrets' do
+      let(:data) { 'my build log' }
+
+      it 'does not mutate trace' do
+        trace = build.hide_secrets(data)
+
+        expect(trace).to eq data
+      end
+
+      it 'does not increment trace mutation metric' do
+        build.hide_secrets(data, metrics)
+
+        expect(metrics)
+          .not_to have_received(:increment_trace_operation)
+          .with(operation: :mutated)
+      end
     end
   end