Add tests and also pass protected vars to protected tags

app/models/ci/build.rb

@@ -186,7 +186,9 @@ module Ci
       variables += yaml_variables
       variables += user_variables
       variables += project.secret_variables
-      variables += project.protected_variables if ProtectedBranch.protected?(project, ref)
+      variables += project.protected_variables if
+        ProtectedBranch.protected?(project, ref) ||
+          ProtectedTag.protected?(project, ref)
       variables += trigger_request.user_variables if trigger_request
       variables
     end

spec/factories/ci/variables.rb

@@ -3,6 +3,10 @@ FactoryGirl.define do
     sequence(:key) { |n| "VARIABLE_#{n}" }
     value 'VARIABLE_VALUE'
 
+    trait(:protected) do
+      protected true
+    end
+
     project factory: :empty_project
   end
 end

spec/models/ci/build_spec.rb

@@ -1215,16 +1215,49 @@ describe Ci::Build, :models do
       it { is_expected.to include(tag_variable) }
     end
 
-    context 'when secure variable is defined' do
-      let(:secure_variable) do
+    context 'when secret variable is defined' do
+      let(:secret_variable) do
         { key: 'SECRET_KEY', value: 'secret_value', public: false }
       end
 
       before do
-        build.project.variables << Ci::Variable.new(key: 'SECRET_KEY', value: 'secret_value')
+        create(:ci_variable,
+               secret_variable.slice(:key, :value).merge(project: project))
       end
 
-      it { is_expected.to include(secure_variable) }
+      it { is_expected.to include(secret_variable) }
+    end
+
+    context 'when protected variable is defined' do
+      let(:protected_variable) do
+        { key: 'PROTECTED_KEY', value: 'protected_value', public: false }
+      end
+
+      before do
+        create(:ci_variable,
+               :protected,
+               protected_variable.slice(:key, :value).merge(project: project))
+      end
+
+      context 'when the branch is protected' do
+        before do
+          create(:protected_branch, project: build.project, name: build.ref)
+        end
+
+        it { is_expected.to include(protected_variable) }
+      end
+
+      context 'when the tag is protected' do
+        before do
+          create(:protected_tag, project: build.project, name: build.ref)
+        end
+
+        it { is_expected.to include(protected_variable) }
+      end
+
+      context 'when the ref is not protected' do
+        it { is_expected.not_to include(protected_variable) }
+      end
     end
 
     context 'when build is for triggers' do

spec/models/project_spec.rb

@@ -1710,6 +1710,36 @@ describe Project, models: true do
     end
   end
 
+  describe 'variables' do
+    let(:project) { create(:empty_project) }
+
+    let!(:secret_variable) do
+      create(:ci_variable, value: 'secret', project: project)
+    end
+
+    let!(:protected_variable) do
+      create(:ci_variable, :protected, value: 'protected', project: project)
+    end
+
+    describe '#secret_variables' do
+      it 'contains only the secret variables' do
+        expect(project.secret_variables).to eq(
+          [{ key: secret_variable.key,
+             value: secret_variable.value,
+             public: false } ])
+      end
+    end
+
+    describe '#protected_variables' do
+      it 'contains only the protected variables' do
+        expect(project.protected_variables).to eq(
+          [{ key: protected_variable.key,
+             value: protected_variable.value,
+             public: false } ])
+      end
+    end
+  end
+
   describe '#update_project_statistics' do
     let(:project) { create(:empty_project) }