Commit 4ee9ac14 authored by Kerri Miller's avatar Kerri Miller

Merge branch 'use-ref-instead-of-sha-in-pipeline-config-for-variables-2nd-take' into 'master'

Use ref instead of sha for CI config variables

See merge request gitlab-org/gitlab!67540
parents fe886732 6ac6db77
...@@ -68,9 +68,9 @@ module Security ...@@ -68,9 +68,9 @@ module Security
scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT) scan_execution_policy.select { |config| config[:enabled] }.first(POLICY_LIMIT)
end end
def on_demand_scan_actions(branch) def on_demand_scan_actions(ref)
active_policies active_policies
.select { |policy| applicable_for_branch?(policy, branch) } .select { |policy| applicable_for_ref?(policy, ref) }
.flat_map { |policy| policy[:actions] } .flat_map { |policy| policy[:actions] }
.select { |action| action[:scan].in?(ON_DEMAND_SCANS) } .select { |action| action[:scan].in?(ON_DEMAND_SCANS) }
end end
...@@ -142,9 +142,13 @@ module Security ...@@ -142,9 +142,13 @@ module Security
end end
end end
def applicable_for_branch?(policy, ref) def applicable_for_ref?(policy, ref)
return false unless Gitlab::Git.branch_ref?(ref)
branch_name = Gitlab::Git.ref_name(ref)
policy[:rules].any? do |rule| policy[:rules].any? do |rule|
rule[:type] == RULE_TYPES[:pipeline] && rule[:branches].any? { |branch| RefMatcher.new(branch).matches?(ref) } rule[:type] == RULE_TYPES[:pipeline] && rule[:branches].any? { |branch| RefMatcher.new(branch).matches?(branch_name) }
end end
end end
end end
......
...@@ -25,7 +25,7 @@ module EE ...@@ -25,7 +25,7 @@ module EE
end end
def process_security_orchestration_policy_includes(config) def process_security_orchestration_policy_includes(config)
::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, ref, source).perform ::Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor.new(config, context.project, source_ref_path, source).perform
end end
end end
end end
......
...@@ -40,7 +40,7 @@ RSpec.describe Gitlab::Ci::Config do ...@@ -40,7 +40,7 @@ RSpec.describe Gitlab::Ci::Config do
describe 'with security orchestration policy' do describe 'with security orchestration policy' do
let(:source) { 'push' } let(:source) { 'push' }
let_it_be(:ref) { 'master' } let_it_be(:ref) { 'refs/heads/master' }
let_it_be_with_refind(:project) { create(:project, :repository) } let_it_be_with_refind(:project) { create(:project, :repository) }
let_it_be(:policies_repository) { create(:project, :repository) } let_it_be(:policies_repository) { create(:project, :repository) }
...@@ -63,7 +63,7 @@ RSpec.describe Gitlab::Ci::Config do ...@@ -63,7 +63,7 @@ RSpec.describe Gitlab::Ci::Config do
EOS EOS
end end
subject(:config) { described_class.new(ci_yml, ref: ref, project: project, source: source) } subject(:config) { described_class.new(ci_yml, source_ref_path: ref, project: project, source: source) }
before do before do
allow_next_instance_of(Repository) do |repository| allow_next_instance_of(Repository) do |repository|
...@@ -105,7 +105,7 @@ RSpec.describe Gitlab::Ci::Config do ...@@ -105,7 +105,7 @@ RSpec.describe Gitlab::Ci::Config do
end end
context 'when policy is not applicable on branch from the pipeline' do context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'production' } let_it_be(:ref) { 'refs/heads/production' }
context 'when DAST profiles are not found' do context 'when DAST profiles are not found' do
it 'adds a job with error message' do it 'adds a job with error message' do
......
...@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
let_it_be(:config) { { image: 'ruby:3.0.1' } } let_it_be(:config) { { image: 'ruby:3.0.1' } }
let(:ref) { 'master' } let(:ref) { 'refs/heads/master' }
let(:source) { 'pipeline' } let(:source) { 'pipeline' }
let_it_be_with_refind(:project) { create(:project, :repository) } let_it_be_with_refind(:project) { create(:project, :repository) }
...@@ -103,8 +103,16 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -103,8 +103,16 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
end end
end end
context 'when ref is a tag' do
let_it_be(:ref) { 'refs/tags/v1.1.0' }
it 'does not modify the config' do
expect(subject).to eq(config)
end
end
context 'when policy is not applicable on branch from the pipeline' do context 'when policy is not applicable on branch from the pipeline' do
let_it_be(:ref) { 'production' } let_it_be(:ref) { 'refs/heads/production' }
context 'when DAST profiles are not found' do context 'when DAST profiles are not found' do
it 'does not modify the config' do it 'does not modify the config' do
......
...@@ -427,7 +427,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -427,7 +427,7 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
end end
subject(:on_demand_scan_actions) do subject(:on_demand_scan_actions) do
security_orchestration_policy_configuration.on_demand_scan_actions('release/123') security_orchestration_policy_configuration.on_demand_scan_actions(ref)
end end
before do before do
...@@ -435,11 +435,21 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do ...@@ -435,11 +435,21 @@ RSpec.describe Security::OrchestrationPolicyConfiguration do
allow(repository).to receive(:blob_data_at).with(default_branch, Security::OrchestrationPolicyConfiguration::POLICY_PATH).and_return(policy_yaml) allow(repository).to receive(:blob_data_at).with(default_branch, Security::OrchestrationPolicyConfiguration::POLICY_PATH).and_return(policy_yaml)
end end
context 'when ref is branch' do
let(:ref) { 'refs/heads/release/123' }
it 'returns only actions for on-demand scans applicable for branch' do it 'returns only actions for on-demand scans applicable for branch' do
expect(on_demand_scan_actions).to eq(expected_actions) expect(on_demand_scan_actions).to eq(expected_actions)
end end
end end
context 'when ref is a tag' do
let(:ref) { 'refs/tags/v1.0.0' }
it { is_expected.to be_empty }
end
end
describe '#active_policy_names_with_dast_site_profile' do describe '#active_policy_names_with_dast_site_profile' do
let(:policy_yaml) do let(:policy_yaml) do
<<-EOS <<-EOS
......
...@@ -17,13 +17,13 @@ module Gitlab ...@@ -17,13 +17,13 @@ module Gitlab
Config::Yaml::Tags::TagError Config::Yaml::Tags::TagError
].freeze ].freeze
attr_reader :root, :context, :ref, :source attr_reader :root, :context, :source_ref_path, :source
def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, ref: nil, source: nil) def initialize(config, project: nil, sha: nil, user: nil, parent_pipeline: nil, source_ref_path: nil, source: nil)
@context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline) @context = build_context(project: project, sha: sha, user: user, parent_pipeline: parent_pipeline, ref: source_ref_path)
@context.set_deadline(TIMEOUT_SECONDS) @context.set_deadline(TIMEOUT_SECONDS)
@ref = ref @source_ref_path = source_ref_path
@source = source @source = source
@config = expand_config(config) @config = expand_config(config)
...@@ -108,13 +108,13 @@ module Gitlab ...@@ -108,13 +108,13 @@ module Gitlab
end end
end end
def build_context(project:, sha:, user:, parent_pipeline:) def build_context(project:, sha:, user:, parent_pipeline:, ref:)
Config::External::Context.new( Config::External::Context.new(
project: project, project: project,
sha: sha || find_sha(project), sha: sha || find_sha(project),
user: user, user: user,
parent_pipeline: parent_pipeline, parent_pipeline: parent_pipeline,
variables: build_variables(project: project, ref: sha)) variables: build_variables(project: project, ref: ref))
end end
def build_variables(project:, ref:) def build_variables(project:, ref:)
......
...@@ -14,7 +14,7 @@ module Gitlab ...@@ -14,7 +14,7 @@ module Gitlab
result = ::Gitlab::Ci::YamlProcessor.new( result = ::Gitlab::Ci::YamlProcessor.new(
@command.config_content, { @command.config_content, {
project: project, project: project,
ref: @pipeline.ref, source_ref_path: @pipeline.source_ref_path,
sha: @pipeline.sha, sha: @pipeline.sha,
source: @pipeline.source, source: @pipeline.source,
user: current_user, user: current_user,
......
...@@ -107,7 +107,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Populate do ...@@ -107,7 +107,6 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Populate do
context 'when ref is protected' do context 'when ref is protected' do
before do before do
allow(project).to receive(:protected_for?).with('master').and_return(true) allow(project).to receive(:protected_for?).with('master').and_return(true)
allow(project).to receive(:protected_for?).with('b83d6e391c22777fca1ed3012fce84f633d7fed0').and_return(true)
allow(project).to receive(:protected_for?).with('refs/heads/master').and_return(true) allow(project).to receive(:protected_for?).with('refs/heads/master').and_return(true)
dependencies.map(&:perform!) dependencies.map(&:perform!)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment