1 files changed, 23 insertions, 2 deletions

diff --git a/spec/requests/api/ci/variables_spec.rb b/spec/requests/api/ci/variables_spec.rb
index 74ed8c1551d..cafb841995d 100644
--- a/spec/requests/api/ci/variables_spec.rb
+++ b/spec/requests/api/ci/variables_spec.rb
@@ -46,6 +46,7 @@ RSpec.describe API::Ci::Variables do
         expect(json_response['value']).to eq(variable.value)
         expect(json_response['protected']).to eq(variable.protected?)
         expect(json_response['masked']).to eq(variable.masked?)
+        expect(json_response['raw']).to eq(variable.raw?)
         expect(json_response['variable_type']).to eq('env_var')
       end
 
@@ -115,7 +116,7 @@ RSpec.describe API::Ci::Variables do
     context 'authorized user with proper permissions' do
       it 'creates variable' do
         expect do
-          post api("/projects/#{project.id}/variables", user), params: { key: 'TEST_VARIABLE_2', value: 'PROTECTED_VALUE_2', protected: true, masked: true }
+          post api("/projects/#{project.id}/variables", user), params: { key: 'TEST_VARIABLE_2', value: 'PROTECTED_VALUE_2', protected: true, masked: true, raw: true }
         end.to change { project.variables.count }.by(1)
 
         expect(response).to have_gitlab_http_status(:created)
@@ -123,12 +124,22 @@ RSpec.describe API::Ci::Variables do
         expect(json_response['value']).to eq('PROTECTED_VALUE_2')
         expect(json_response['protected']).to be_truthy
         expect(json_response['masked']).to be_truthy
+        expect(json_response['raw']).to be_truthy
         expect(json_response['variable_type']).to eq('env_var')
       end
 
+      it 'masks the new value when logging' do
+        masked_params = { 'key' => 'VAR_KEY', 'value' => '[FILTERED]', 'protected' => 'true', 'masked' => 'true' }
+
+        expect(::API::API::LOGGER).to receive(:info).with(include(params: include(masked_params)))
+
+        post api("/projects/#{project.id}/variables", user),
+          params: { key: 'VAR_KEY', value: 'SENSITIVE', protected: true, masked: true }
+      end
+
       it 'creates variable with optional attributes' do
         expect do
-          post api("/projects/#{project.id}/variables", user), params: { variable_type: 'file',  key: 'TEST_VARIABLE_2', value: 'VALUE_2' }
+          post api("/projects/#{project.id}/variables", user), params: { variable_type: 'file', key: 'TEST_VARIABLE_2', value: 'VALUE_2' }
         end.to change { project.variables.count }.by(1)
 
         expect(response).to have_gitlab_http_status(:created)
@@ -136,6 +147,7 @@ RSpec.describe API::Ci::Variables do
         expect(json_response['value']).to eq('VALUE_2')
         expect(json_response['protected']).to be_falsey
         expect(json_response['masked']).to be_falsey
+        expect(json_response['raw']).to be_falsey
         expect(json_response['variable_type']).to eq('file')
       end
 
@@ -206,6 +218,15 @@ RSpec.describe API::Ci::Variables do
         expect(updated_variable.variable_type).to eq('file')
       end
 
+      it 'masks the new value when logging' do
+        masked_params = { 'value' => '[FILTERED]', 'protected' => 'true' }
+
+        expect(::API::API::LOGGER).to receive(:info).with(include(params: include(masked_params)))
+
+        put api("/projects/#{project.id}/variables/#{variable.key}", user),
+          params: { value: 'SENSITIVE', protected: true }
+      end
+
       it 'responds with 404 Not Found if requesting non-existing variable' do
         put api("/projects/#{project.id}/variables/non_existing_variable", user)