Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3'

Filter out sensitive fields from the project services API

See merge request gitlab/gitlabhq!2281

(cherry picked from commit 476f2576444632f2a9a61b4cead9c1077f2c81d7)

2bcbbda0 Filter out sensitive fields from the project services API

3 files changed, 38 insertions, 8 deletions

diff --git a/spec/models/service_spec.rb b/spec/models/service_spec.rb
index ab6678cab38..15c1e57c9e4 100644
--- a/spec/models/service_spec.rb
+++ b/spec/models/service_spec.rb
@@ -255,6 +255,7 @@ describe Service do
     end
   end
 
+<<<<<<< HEAD
   describe "#deprecated?" do
     let(:project) { create(:project, :repository) }
 
@@ -278,6 +279,39 @@ describe Service do
 
     it 'returns service template' do
       expect(KubernetesService.find_by_template).to eq(kubernetes_service)
+=======
+  describe '#api_field_names' do
+    let(:fake_service) do
+      Class.new(Service) do
+        def fields
+          [
+            { name: 'token' },
+            { name: 'api_token' },
+            { name: 'key' },
+            { name: 'api_key' },
+            { name: 'password' },
+            { name: 'password_field' },
+            { name: 'safe_field' }
+          ]
+        end
+      end
+    end
+
+    let(:service) do
+      fake_service.new(properties: [
+        { token: 'token-value' },
+        { api_token: 'api_token-value' },
+        { key: 'key-value' },
+        { api_key: 'api_key-value' },
+        { password: 'password-value' },
+        { password_field: 'password_field-value' },
+        { safe_field: 'safe_field-value' }
+      ])
+    end
+
+    it 'filters out sensitive fields' do
+      expect(service.api_field_names).to eq(['safe_field'])
+>>>>>>> Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3'
     end
   end
 end
diff --git a/spec/requests/api/services_spec.rb b/spec/requests/api/services_spec.rb
index 26d56c04862..236f8d7faf5 100644
--- a/spec/requests/api/services_spec.rb
+++ b/spec/requests/api/services_spec.rb
@@ -83,14 +83,14 @@ describe API::Services do
         get api("/projects/#{project.id}/services/#{dashed_service}", admin)
 
         expect(response).to have_gitlab_http_status(200)
-        expect(json_response['properties'].keys.map(&:to_sym)).to match_array(service_attrs_list.map)
+        expect(json_response['properties'].keys).to match_array(service_instance.api_field_names)
       end
 
       it "returns properties of service #{service} other than passwords when authenticated as project owner" do
         get api("/projects/#{project.id}/services/#{dashed_service}", user)
 
         expect(response).to have_gitlab_http_status(200)
-        expect(json_response['properties'].keys.map(&:to_sym)).to match_array(service_attrs_list_without_passwords)
+        expect(json_response['properties'].keys).to match_array(service_instance.api_field_names)
       end
 
       it "returns error when authenticated but not a project owner" do
diff --git a/spec/support/services_shared_context.rb b/spec/support/services_shared_context.rb
index 3f1fd169b72..23f9b46ae0c 100644
--- a/spec/support/services_shared_context.rb
+++ b/spec/support/services_shared_context.rb
@@ -3,13 +3,9 @@ Service.available_services_names.each do |service|
     let(:dashed_service) { service.dasherize }
     let(:service_method) { "#{service}_service".to_sym }
     let(:service_klass) { "#{service}_service".classify.constantize }
-    let(:service_fields) { service_klass.new.fields }
+    let(:service_instance) { service_klass.new }
+    let(:service_fields) { service_instance.fields }
     let(:service_attrs_list) { service_fields.inject([]) {|arr, hash| arr << hash[:name].to_sym } }
-    let(:service_attrs_list_without_passwords) do
-      service_fields
-        .select { |field| field[:type] != 'password' }
-        .map { |field| field[:name].to_sym}
-    end
     let(:service_attrs) do
       service_attrs_list.inject({}) do |hash, k|
         if k =~ /^(token*|.*_token|.*_key)/