spec/models/concerns/ci/has_variable_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Ci::HasVariable do
  subject { build(:ci_variable) }

  it { is_expected.to validate_presence_of(:key) }
  it { is_expected.to validate_length_of(:key).is_at_most(255) }
  it { is_expected.to allow_value('foo').for(:key) }
  it { is_expected.not_to allow_value('foo bar').for(:key) }
  it { is_expected.not_to allow_value('foo/bar').for(:key) }

  describe 'scopes' do
    describe '.by_key' do
      let!(:matching_variable) { create(:ci_variable, key: 'example') }
      let!(:non_matching_variable) { create(:ci_variable, key: 'other') }

      subject { Ci::Variable.by_key('example') }

      it { is_expected.to contain_exactly(matching_variable) }
    end
  end

  describe '#key=' do
    context 'when the new key is nil' do
      it 'strips leading and trailing whitespaces' do
        subject.key = nil

        expect(subject.key).to eq('')
      end
    end

    context 'when the new key has leadind and trailing whitespaces' do
      it 'strips leading and trailing whitespaces' do
        subject.key = ' my key '

        expect(subject.key).to eq('my key')
      end
    end
  end

  describe '#value' do
    before do
      subject.value = 'secret'
    end

    it 'stores the encrypted value' do
      expect(subject.encrypted_value).not_to be_nil
    end

    it 'stores an iv for value' do
      expect(subject.encrypted_value_iv).not_to be_nil
    end

    it 'stores a salt for value' do
      expect(subject.encrypted_value_salt).not_to be_nil
    end

    it 'fails to decrypt if iv is incorrect' do
      # attr_encrypted expects the IV to be 16 bytes and base64-encoded
      subject.encrypted_value_iv = [SecureRandom.hex(8)].pack('m')
      subject.instance_variable_set(:@value, nil)

      expect { subject.value }
        .to raise_error(OpenSSL::Cipher::CipherError, 'bad decrypt')
    end
  end

  describe '#to_runner_variable' do
    let_it_be(:ci_variable) { create(:ci_variable) }

    subject { ci_variable }

    it 'returns a hash for the runner' do
      expect(subject.to_runner_variable)
        .to include(key: subject.key, value: subject.value, public: false)
    end

    context 'with RequestStore enabled', :request_store do
      let(:expected) do
        {
          file: false,
          key: subject.key,
          value: subject.value,
          public: false,
          masked: false
        }
      end

      it 'decrypts once' do
        expect(OpenSSL::PKCS5).to receive(:pbkdf2_hmac).once.and_call_original

        2.times { expect(subject.reload.to_runner_variable).to eq(expected) }
      end

      it 'does not cache similar keys', :aggregate_failures do
        group_var = create(:ci_group_variable, key: subject.key, value: 'group')
        project_var = create(:ci_variable, key: subject.key, value: 'project')

        expect(subject.to_runner_variable).to include(key: subject.key, value: subject.value)
        expect(group_var.to_runner_variable).to include(key: subject.key, value: 'group')
        expect(project_var.to_runner_variable).to include(key: subject.key, value: 'project')
      end

      it 'does not cache unpersisted values' do
        new_variable = Ci::Variable.new(key: SecureRandom.hex, value: "12345")
        old_value = new_variable.to_runner_variable
        new_variable.value = '98765'

        expect(new_variable.to_runner_variable).not_to eq(old_value)
      end
    end
  end
end