Merge branch '223195-validate-ci-secrets-foss' into 'master'

RUN AS-IF-FOSS: Move CI secrets json schema validation to FOSS See merge request gitlab-org/gitlab!34990

Merge branch '223195-validate-ci-secrets-foss' into 'master'
RUN AS-IF-FOSS: Move CI secrets json schema validation to FOSS See merge request gitlab-org/gitlab!34990
570e98d1 · Nick Thomas · 0ec2eff3 · 94262849 · 570e98d1 · 0ec2eff3
Commit 570e98d1 authored Jun 22, 2020 by Nick Thomas
5 changed files
--- a/app/models/ci/build_metadata.rb
+++ b/app/models/ci/build_metadata.rb
@@ -19,6 +19,7 @@ module Ci
    before_create :set_build_project
    validates :build, presence: true
+    validates :secrets, json_schema: { filename: 'build_metadata_secrets' }
    serialize :config_options, Serializers::JSON # rubocop:disable Cop/ActiveRecordSerialize
    serialize :config_variables, Serializers::JSON # rubocop:disable Cop/ActiveRecordSerialize
@@ -83,5 +84,3 @@ module Ci
    end
  end
 end
-Ci::BuildMetadata.prepend_if_ee('EE::Ci::BuildMetadata')
--- a/ee/app/models/ee/ci/build_metadata.rb
+++ b/ee/app/models/ee/ci/build_metadata.rb
-# frozen_string_literal: true
-module EE
-  module Ci
-    module BuildMetadata
-      extend ActiveSupport::Concern
-      prepended do
-        validates :secrets, json_schema: { filename: 'build_metadata_secrets' }
-      end
-    end
-  end
-end
--- a/ee/spec/models/ci/build_metadata_spec.rb
+++ b/ee/spec/models/ci/build_metadata_spec.rb
-# frozen_string_literal: true
-require 'spec_helper'
-describe Ci::BuildMetadata do
-  describe 'validations' do
-    let(:metadata) { build(:ci_build).metadata }
-    context 'when attributes are valid' do
-      it 'returns no errors' do
-        metadata.secrets = {
-          DATABASE_PASSWORD: {
-            vault: {
-              engine: { name: 'kv-v2', path: 'kv-v2' },
-              path: 'production/db',
-              field: 'password'
-            }
-          }
-        }
-        expect(metadata).to be_valid
-      end
-    end
-    context 'when data is invalid' do
-      it 'returns errors' do
-        metadata.secrets = { DATABASE_PASSWORD: { vault: {} } }
-        aggregate_failures do
-          expect(metadata).to be_invalid
-          expect(metadata.errors.full_messages).to eq(["Secrets must be a valid json schema"])
-        end
-      end
-    end
-  end
-end
--- a/spec/db/schema_spec.rb
+++ b/spec/db/schema_spec.rb
@@ -174,7 +174,7 @@ RSpec.describe 'Database schema' do
  IGNORED_JSONB_COLUMNS = {
    "ApplicationSetting" => %w[repository_storages_weighted],
    "AlertManagement::Alert" => %w[payload],
-    "Ci::BuildMetadata" => %w[config_options config_variables secrets], # secrets has an EE-only validator
+    "Ci::BuildMetadata" => %w[config_options config_variables],
    "Geo::Event" => %w[payload],
    "GeoNodeStatus" => %w[status],
    "Operations::FeatureFlagScope" => %w[strategies],

--- a/spec/models/ci/build_metadata_spec.rb
+++ b/spec/models/ci/build_metadata_spec.rb
@@ -92,4 +92,33 @@ describe Ci::BuildMetadata do
      end
    end
  end
+  describe 'validations' do
+    context 'when attributes are valid' do
+      it 'returns no errors' do
+        metadata.secrets = {
+          DATABASE_PASSWORD: {
+            vault: {
+              engine: { name: 'kv-v2', path: 'kv-v2' },
+              path: 'production/db',
+              field: 'password'
+            }
+          }
+        }
+        expect(metadata).to be_valid
+      end
+    end
+    context 'when data is invalid' do
+      it 'returns errors' do
+        metadata.secrets = { DATABASE_PASSWORD: { vault: {} } }
+        aggregate_failures do
+          expect(metadata).to be_invalid
+          expect(metadata.errors.full_messages).to eq(["Secrets must be a valid json schema"])
+        end
+      end
+    end
+  end
 end