From 1c9f9310d05281e6dbde0e9bad66868fbc0c844b Mon Sep 17 00:00:00 2001
From: Hiro Asari
Date: Fri, 17 Mar 2017 10:09:05 -0400
Subject: [PATCH] Add secure_env_vars_removed to payload
travis-build will look at this information, and warn when PR comes from a fork and secure environment variables are not available.
---
 lib/travis/scheduler/serialize/worker.rb | 1 +
 lib/travis/scheduler/serialize/worker/job.rb | 9 +++++++
 .../scheduler/serialize/worker/job_spec.rb | 25 ++++++++++++++++++-
 .../travis/scheduler/serialize/worker_spec.rb | 3 +++
 4 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/lib/travis/scheduler/serialize/worker.rb b/lib/travis/scheduler/serialize/worker.rb
index 041ad916..c42bf760 100644
--- a/lib/travis/scheduler/serialize/worker.rb
+++ b/lib/travis/scheduler/serialize/worker.rb
@@ -51,6 +51,7 @@ def job_data
 pull_request: build.pull_request? ? build.pull_request_number : false,
 state: job.state.to_s,
 secure_env_enabled: job.secure_env?,
+ secure_env_vars_removed: job.secure_env_vars_removed?,
 debug_options: job.debug_options || {},
 queued_at: format_date(job.queued_at),
 allow_failure: job.allow_failure,
diff --git a/lib/travis/scheduler/serialize/worker/job.rb b/lib/travis/scheduler/serialize/worker/job.rb
index 63a4ce9c..e9963ddd 100644
--- a/lib/travis/scheduler/serialize/worker/job.rb
+++ b/lib/travis/scheduler/serialize/worker/job.rb
@@ -30,6 +30,15 @@ def same_repo_pull_request?
 request.same_repo_pull_request?
 end
+ def secure_env_vars_removed?
+ !secure_env? &&
+ [:env, :global_env].any? do |key|
+ config.has_key?(key) &&
+ config[key].respond_to?(:has_key?) &&
+ config[key].has_key?(:secure)
+ end
+ end
+
 def ssh_key
 config[:source_key]
 end
diff --git a/spec/travis/scheduler/serialize/worker/job_spec.rb b/spec/travis/scheduler/serialize/worker/job_spec.rb
index eebe911d..ea45dfb3 100644
--- a/spec/travis/scheduler/serialize/worker/job_spec.rb
+++ b/spec/travis/scheduler/serialize/worker/job_spec.rb
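Review bot: `secure_env_vars_removed?` in lib/travis/scheduler/serialize/worker/job.rb only recognises a hash-like `config[:env]` or `config[:global_env]` that carries `:secure` as a top-level key; any value that does not respond to `has_key?` makes the block return false. If either key can hold a list of entries (for example `[{ secure: "..." }, "FOO=bar"]`; not visible from this hunk, so worth confirming against real job configs), a fork pull request would have its secure variables withheld while the flag stays false, and travis-build would not show the warning this commit is meant to enable. The sketch below keeps the `!secure_env?` guard and the duck-typed `has_key?` test but also descends into list values through a small helper. A short comment on the method saying which config shapes are expected would help the next reader either way.

```ruby
def secure_env_vars_removed?
  return false if secure_env?
  [:env, :global_env].any? { |key| secure_entry?(config[key]) }
end

# true when value is hash-like with a :secure key, or a list containing such an entry
def secure_entry?(value)
  if value.respond_to?(:has_key?)
    value.has_key?(:secure)
  elsif value.respond_to?(:any?)
    value.any? { |entry| secure_entry?(entry) }
  else
    false
  end
end

# … unchanged: ssh_key …
```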
@@ -1,7 +1,8 @@
 describe Travis::Scheduler::Serialize::Worker::Job do
 let(:request) { Request.new }
 let(:build) { Build.new(request: request) }
- let(:job) { Job.new(source: build) }
+ let(:job) { Job.new(source: build, config: config) }
+ let(:config) { {} }
 subject { described_class.new(job) }
 describe 'env_vars' do
@@ -40,4 +41,26 @@
 end
 end
 end
+
+ describe '#secure_env_vars_removed?' do
+ describe 'with a push event' do
+ before { build.event_type = 'push' }
+ it { expect(subject.secure_env_vars_removed?).to eq(false) }
+ end
+
+ describe 'with a pull_request event' do
+ before { build.event_type = 'pull_request' }
+
+ describe 'from the same repository' do
+ before { request.stubs(:same_repo_pull_request?).returns(true) }
+ it { expect(subject.secure_env_vars_removed?).to eq(false) }
+ end
+
+ describe 'from a different repository' do
+ let(:config) { { env: { secure: "secret" } } }
+ before { request.stubs(:same_repo_pull_request?).returns(false) }
+ it { expect(subject.secure_env_vars_removed?).to eq(true) }
+ end
+ end
+ end
 end
diff --git a/spec/travis/scheduler/serialize/worker_spec.rb b/spec/travis/scheduler/serialize/worker_spec.rb
index 3e0e5b23..6e494189 100644
--- a/spec/travis/scheduler/serialize/worker_spec.rb
+++ b/spec/travis/scheduler/serialize/worker_spec.rb
@@ -60,6 +60,7 @@ def encrypted(value)
 pull_request: false,
 state: 'queued',
 secure_env_enabled: true,
+ secure_env_vars_removed: false,
 debug_options: {},
 queued_at: '2016-01-01T10:30:00Z',
 allow_failure: allow_failure
@@ -122,6 +123,7 @@ def encrypted(value)
 pull_request: false,
 state: 'queued',
 secure_env_enabled: true,
+ secure_env_vars_removed: false,
 debug_options: {},
 queued_at: '2016-01-01T10:30:00Z',
 allow_failure: false,
@@ -213,6 +215,7 @@ def encrypted(value)
 pull_request: 180,
 state: 'queued',
 secure_env_enabled: false,
+ secure_env_vars_removed: false,
 debug_options: {},
 queued_at: '2016-01-01T10:30:00Z',
 pull_request_head_branch: 'head_branch',
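Review bot: The two `eq(false)` examples under `#secure_env_vars_removed?` (push event and same-repository pull request) run with the default `let(:config) { {} }`, so they pass whether or not the `!secure_env?` guard is evaluated, because an empty config can never report removal. Giving those two contexts a config that does contain a secure entry, e.g. `let(:config) { { env: { secure: "secret" } } }`, would make them fail if the guard regressed. The `:global_env` branch and a fork pull request without any secure entry are also untested. The worker_spec.rb hunks have the same gap at payload level: all three expectations assert `secure_env_vars_removed: false`, including the `pull_request: 180` payload with `secure_env_enabled: false`, so the serialized `true` value is never checked.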