Make Variable key not secret43316-controller-parameters-handling-sensitive-information-should-use-a-more-specific-name

12 files changed, 21 insertions, 24 deletions

diff --git a/app/assets/javascripts/ci_variable_list/ci_variable_list.js b/app/assets/javascripts/ci_variable_list/ci_variable_list.js
index c0bfe615478..e177a3bfdc7 100644
--- a/app/assets/javascripts/ci_variable_list/ci_variable_list.js
+++ b/app/assets/javascripts/ci_variable_list/ci_variable_list.js
@@ -29,7 +29,7 @@ export default class VariableList {
         selector: '.js-ci-variable-input-id',
         default: '',
       },
-      secret_key: {
+      key: {
         selector: '.js-ci-variable-input-key',
         default: '',
       },
@@ -174,7 +174,7 @@ export default class VariableList {
   }
 
   toggleEnableRow(isEnabled = true) {
-    this.$container.find(this.inputMap.secret_key.selector).attr('disabled', !isEnabled);
+    this.$container.find(this.inputMap.key.selector).attr('disabled', !isEnabled);
     this.$container.find('.js-row-remove-button').attr('disabled', !isEnabled);
   }
 
diff --git a/app/controllers/groups/variables_controller.rb b/app/controllers/groups/variables_controller.rb
index 91e394c8ce8..6142e75b4c1 100644
--- a/app/controllers/groups/variables_controller.rb
+++ b/app/controllers/groups/variables_controller.rb
@@ -39,7 +39,7 @@ module Groups
     end
 
     def variable_params_attributes
-      %i[id secret_key secret_value protected _destroy]
+      %i[id key secret_value protected _destroy]
     end
 
     def authorize_admin_build!
diff --git a/app/controllers/projects/pipeline_schedules_controller.rb b/app/controllers/projects/pipeline_schedules_controller.rb
index 6c087dfb71e..fa258f3d9af 100644
--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -92,7 +92,7 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
   def schedule_params
     params.require(:schedule)
       .permit(:description, :cron, :cron_timezone, :ref, :active,
-        variables_attributes: [:id, :secret_key, :secret_value, :_destroy] )
+        variables_attributes: [:id, :key, :secret_value, :_destroy] )
   end
 
   def authorize_play_pipeline_schedule!
diff --git a/app/controllers/projects/variables_controller.rb b/app/controllers/projects/variables_controller.rb
index ffe93522ca6..517d0b026c2 100644
--- a/app/controllers/projects/variables_controller.rb
+++ b/app/controllers/projects/variables_controller.rb
@@ -36,6 +36,6 @@ class Projects::VariablesController < Projects::ApplicationController
   end
 
   def variable_params_attributes
-    %i[id secret_key secret_value protected _destroy]
+    %i[id key secret_value protected _destroy]
   end
 end
diff --git a/app/models/ci/group_variable.rb b/app/models/ci/group_variable.rb
index 65399557289..62d768cc6cf 100644
--- a/app/models/ci/group_variable.rb
+++ b/app/models/ci/group_variable.rb
@@ -6,7 +6,6 @@ module Ci
 
     belongs_to :group
 
-    alias_attribute :secret_key, :key
     alias_attribute :secret_value, :value
 
     validates :key, uniqueness: {
diff --git a/app/models/ci/pipeline_schedule_variable.rb b/app/models/ci/pipeline_schedule_variable.rb
index 2e30612a88e..03df4e3e638 100644
--- a/app/models/ci/pipeline_schedule_variable.rb
+++ b/app/models/ci/pipeline_schedule_variable.rb
@@ -5,7 +5,6 @@ module Ci
 
     belongs_to :pipeline_schedule
 
-    alias_attribute :secret_key, :key
     alias_attribute :secret_value, :value
 
     validates :key, uniqueness: { scope: :pipeline_schedule_id }
diff --git a/app/models/ci/variable.rb b/app/models/ci/variable.rb
index bcad55f115f..452cb910bca 100644
--- a/app/models/ci/variable.rb
+++ b/app/models/ci/variable.rb
@@ -6,7 +6,6 @@ module Ci
 
     belongs_to :project
 
-    alias_attribute :secret_key, :key
     alias_attribute :secret_value, :value
 
     validates :key, uniqueness: {
diff --git a/app/views/ci/variables/_variable_row.html.haml b/app/views/ci/variables/_variable_row.html.haml
index e72e48385da..5d4229c80af 100644
--- a/app/views/ci/variables/_variable_row.html.haml
+++ b/app/views/ci/variables/_variable_row.html.haml
@@ -9,7 +9,7 @@
 
 - id_input_name = "#{form_field}[variables_attributes][][id]"
 - destroy_input_name = "#{form_field}[variables_attributes][][_destroy]"
-- key_input_name = "#{form_field}[variables_attributes][][secret_key]"
+- key_input_name = "#{form_field}[variables_attributes][][key]"
 - value_input_name = "#{form_field}[variables_attributes][][secret_value]"
 - protected_input_name = "#{form_field}[variables_attributes][][protected]"
 
diff --git a/spec/controllers/projects/pipeline_schedules_controller_spec.rb b/spec/controllers/projects/pipeline_schedules_controller_spec.rb
index 11d0c41fe76..3506305f755 100644
--- a/spec/controllers/projects/pipeline_schedules_controller_spec.rb
+++ b/spec/controllers/projects/pipeline_schedules_controller_spec.rb
@@ -80,7 +80,7 @@ describe Projects::PipelineSchedulesController do
       context 'when variables_attributes has one variable' do
         let(:schedule) do
           basic_param.merge({
-            variables_attributes: [{ secret_key: 'AAA', secret_value: 'AAA123' }]
+            variables_attributes: [{ key: 'AAA', secret_value: 'AAA123' }]
           })
         end
 
@@ -101,8 +101,8 @@ describe Projects::PipelineSchedulesController do
       context 'when variables_attributes has two variables and duplicated' do
         let(:schedule) do
           basic_param.merge({
-            variables_attributes: [{ secret_key: 'AAA', secret_value: 'AAA123' },
-                                   { secret_key: 'AAA', secret_value: 'BBB123' }]
+            variables_attributes: [{ key: 'AAA', secret_value: 'AAA123' },
+                                   { key: 'AAA', secret_value: 'BBB123' }]
           })
         end
 
@@ -153,7 +153,7 @@ describe Projects::PipelineSchedulesController do
         context 'when params include one variable' do
           let(:schedule) do
             basic_param.merge({
-              variables_attributes: [{ secret_key: 'AAA', secret_value: 'AAA123' }]
+              variables_attributes: [{ key: 'AAA', secret_value: 'AAA123' }]
             })
           end
 
@@ -170,8 +170,8 @@ describe Projects::PipelineSchedulesController do
         context 'when params include two duplicated variables' do
           let(:schedule) do
             basic_param.merge({
-              variables_attributes: [{ secret_key: 'AAA', secret_value: 'AAA123' },
-                                     { secret_key: 'AAA', secret_value: 'BBB123' }]
+              variables_attributes: [{ key: 'AAA', secret_value: 'AAA123' },
+                                     { key: 'AAA', secret_value: 'BBB123' }]
             })
           end
 
@@ -196,7 +196,7 @@ describe Projects::PipelineSchedulesController do
         context 'when adds a new variable' do
           let(:schedule) do
             basic_param.merge({
-              variables_attributes: [{ secret_key: 'AAA', secret_value: 'AAA123' }]
+              variables_attributes: [{ key: 'AAA', secret_value: 'AAA123' }]
             })
           end
 
@@ -211,7 +211,7 @@ describe Projects::PipelineSchedulesController do
         context 'when adds a new duplicated variable' do
           let(:schedule) do
             basic_param.merge({
-              variables_attributes: [{ secret_key: 'CCC', secret_value: 'AAA123' }]
+              variables_attributes: [{ key: 'CCC', secret_value: 'AAA123' }]
             })
           end
 
@@ -254,7 +254,7 @@ describe Projects::PipelineSchedulesController do
           let(:schedule) do
             basic_param.merge({
               variables_attributes: [{ id: pipeline_schedule_variable.id, _destroy: true },
-                                     { secret_key: 'CCC', secret_value: 'CCC123' }]
+                                     { key: 'CCC', secret_value: 'CCC123' }]
             })
           end
 
diff --git a/spec/features/projects/pipeline_schedules_spec.rb b/spec/features/projects/pipeline_schedules_spec.rb
index 0c9aa2d1497..065d00d51d4 100644
--- a/spec/features/projects/pipeline_schedules_spec.rb
+++ b/spec/features/projects/pipeline_schedules_spec.rb
@@ -159,9 +159,9 @@ feature 'Pipeline Schedules', :js do
         visit_pipelines_schedules
         click_link 'New schedule'
         fill_in_schedule_form
-        all('[name="schedule[variables_attributes][][secret_key]"]')[0].set('AAA')
+        all('[name="schedule[variables_attributes][][key]"]')[0].set('AAA')
         all('[name="schedule[variables_attributes][][secret_value]"]')[0].set('AAA123')
-        all('[name="schedule[variables_attributes][][secret_key]"]')[1].set('BBB')
+        all('[name="schedule[variables_attributes][][key]"]')[1].set('BBB')
         all('[name="schedule[variables_attributes][][secret_value]"]')[1].set('BBB123')
         save_pipeline_schedule
       end
diff --git a/spec/javascripts/ci_variable_list/native_form_variable_list_spec.js b/spec/javascripts/ci_variable_list/native_form_variable_list_spec.js
index d3bcbdd92c1..94a0c999d66 100644
--- a/spec/javascripts/ci_variable_list/native_form_variable_list_spec.js
+++ b/spec/javascripts/ci_variable_list/native_form_variable_list_spec.js
@@ -19,7 +19,7 @@ describe('NativeFormVariableList', () => {
   describe('onFormSubmit', () => {
     it('should clear out the `name` attribute on the inputs for the last empty row on form submission (avoid BE validation)', () => {
       const $row = $wrapper.find('.js-row');
-      expect($row.find('.js-ci-variable-input-key').attr('name')).toBe('schedule[variables_attributes][][secret_key]');
+      expect($row.find('.js-ci-variable-input-key').attr('name')).toBe('schedule[variables_attributes][][key]');
       expect($row.find('.js-ci-variable-input-value').attr('name')).toBe('schedule[variables_attributes][][secret_value]');
 
       $wrapper.closest('form').trigger('trigger-submit');
diff --git a/spec/support/shared_examples/controllers/variables_shared_examples.rb b/spec/support/shared_examples/controllers/variables_shared_examples.rb
index 7c7e345f715..b615a8f54cf 100644
--- a/spec/support/shared_examples/controllers/variables_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/variables_shared_examples.rb
@@ -15,12 +15,12 @@ end
 shared_examples 'PATCH #update updates variables' do
   let(:variable_attributes) do
     { id: variable.id,
-      secret_key: variable.key,
+      key: variable.key,
       secret_value: variable.value,
       protected: variable.protected?.to_s }
   end
   let(:new_variable_attributes) do
-    { secret_key: 'new_key',
+    { key: 'new_key',
       secret_value: 'dummy_value',
       protected: 'false' }
   end
@@ -29,7 +29,7 @@ shared_examples 'PATCH #update updates variables' do
     let(:variables_attributes) do
       [
         variable_attributes.merge(secret_value: 'other_value'),
-        new_variable_attributes.merge(secret_key: '...?')
+        new_variable_attributes.merge(key: '...?')
       ]
     end