Expose deploy token to CI/CD jobs as environment variable

- If a deploy token with a name 'gitlab-deploy-token' is exists for the
  project, CI_DEPLOY_USER and CI_DEPLOY_PASSWORD variables will be
expose

6 files changed, 80 insertions, 0 deletions

diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index b0c02cdeec7..2a652b01313 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -624,6 +624,7 @@ module Ci
         variables.append(key: "CI_PIPELINE_TRIGGERED", value: 'true') if trigger_request
         variables.append(key: "CI_JOB_MANUAL", value: 'true') if action?
         variables.concat(legacy_variables)
+        variables.concat(deploy_token_variables) if project.gitlab_deploy_token
       end
     end
 
@@ -654,6 +655,13 @@ module Ci
       end
     end
 
+    def deploy_token_variables
+      Gitlab::Ci::Variables::Collection.new.tap do |variables|
+        variables.append(key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN)
+        variables.append(key: 'CI_DEPLOY_PASSWORD', value: project.gitlab_deploy_token.token)
+      end
+    end
+
     def environment_url
       options&.dig(:environment, :url) || persisted_environment&.external_url
     end
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index 979e9232fda..191f07c527f 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -4,6 +4,7 @@ class DeployToken < ActiveRecord::Base
   add_authentication_token_field :token
 
   AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
+  GITLAB_DEPLOY_TOKEN = 'gitlab-deploy-token'.freeze
 
   default_value_for(:expires_at) { Forever.date }
 
diff --git a/app/models/project.rb b/app/models/project.rb
index cec1e705aa8..a594f2df662 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1879,6 +1879,11 @@ class Project < ActiveRecord::Base
     []
   end
 
+  def gitlab_deploy_token
+    @gitlab_deploy_token ||=
+      deploy_tokens.active.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN)
+  end
+
   private
 
   def storage
diff --git a/spec/factories/deploy_tokens.rb b/spec/factories/deploy_tokens.rb
index 5fea4a9d5a6..52ec588973a 100644
--- a/spec/factories/deploy_tokens.rb
+++ b/spec/factories/deploy_tokens.rb
@@ -10,5 +10,13 @@ FactoryBot.define do
     trait :revoked do
       revoked true
     end
+
+    trait :gitlab_deploy_token do
+      name DeployToken::GITLAB_DEPLOY_TOKEN
+    end
+
+    trait :expired do
+      expires_at { Date.today - 1.month }
+    end
   end
 end
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index fcdc31c8984..b68297bfabc 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -2035,6 +2035,37 @@ describe Ci::Build do
         expect(build).not_to be_persisted
       end
     end
+
+    context 'for deploy tokens' do
+      let(:deploy_token) { create(:deploy_token, :gitlab_deploy_token) }
+
+      let(:deploy_token_variables) do
+        [
+          { key: 'CI_DEPLOY_USER', value: DeployToken::GITLAB_DEPLOY_TOKEN, public: true },
+          { key: 'CI_DEPLOY_PASSWORD', value: deploy_token.token, public: true }
+        ]
+      end
+
+      context 'when gitlab-deploy-token exist' do
+        before do
+          project.deploy_tokens << deploy_token
+        end
+
+        it 'should include deploy token variables' do
+          deploy_token_variables.each do |deploy_token_variable|
+            is_expected.to include(deploy_token_variable)
+          end
+        end
+      end
+
+      context 'when gitlab-deploy-token does not exist' do
+        it 'should not include deploy token variables' do
+          deploy_token_variables.each do |deploy_token_variable|
+            is_expected.not_to include(deploy_token_variable)
+          end
+        end
+      end
+    end
   end
 
   describe '#scoped_variables' do
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 2675c2f52c1..86ad80106af 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -3585,4 +3585,31 @@ describe Project do
       it { is_expected.not_to be_valid }
     end
   end
+
+  describe '#gitlab_deploy_token' do
+    let(:project) { create(:project) }
+
+    subject { project.gitlab_deploy_token }
+
+    context 'when there is a gitlab deploy token associated' do
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
+
+      it { is_expected.to eq(deploy_token) }
+    end
+
+    context 'when there is no a gitlab deploy token associated' do
+      it { is_expected.to be_nil }
+    end
+
+    context 'when there is a gitlab deploy token associated but is has been revoked' do
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :revoked, projects: [project]) }
+      it { is_expected.to be_nil }
+    end
+
+    context 'when there is a gitlab deploy token associated but it has expired' do
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) }
+
+      it { is_expected.to be_nil }
+    end
+  end
 end