From 96956d47ef94dd69537105dfe67e3c5e74f3a1e6 Mon Sep 17 00:00:00 2001
From: Lin Jen-Shin <godfat@godfat.org>
Date: Wed, 24 May 2017 16:18:05 +0000
Subject: Backend implementation for protected variables

---
 app/models/ci/build.rb                                 |  1 +
 app/models/project.rb                                  | 18 +++++++++++++++---
 .../20170524161101_add_protected_to_ci_variables.rb    | 15 +++++++++++++++
 db/schema.rb                                           |  3 ++-
 4 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 db/migrate/20170524161101_add_protected_to_ci_variables.rb

diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index 760ec8e5919..0dfc192bc7d 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -186,6 +186,7 @@ module Ci
       variables += yaml_variables
       variables += user_variables
       variables += project.secret_variables
+      variables += project.protected_variables if ProtectedBranch.protected?(project, ref)
       variables += trigger_request.user_variables if trigger_request
       variables
     end
diff --git a/app/models/project.rb b/app/models/project.rb
index cfca0dcd2f2..90586825f3f 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1257,9 +1257,15 @@ class Project < ActiveRecord::Base
   end
 
   def secret_variables
-    variables.map do |variable|
-      { key: variable.key, value: variable.value, public: false }
-    end
+    filtered_variables = variables.to_a.reject(&:protected?)
+
+    build_variables(filtered_variables)
+  end
+
+  def protected_variables
+    filtered_variables = variables.to_a.select(&:protected?)
+
+    build_variables(filtered_variables)
   end
 
   def deployment_variables
@@ -1412,4 +1418,10 @@ class Project < ActiveRecord::Base
 
     raise ex
   end
+
+  def build_variables(filtered_variables)
+    filtered_variables.map do |variable|
+      { key: variable.key, value: variable.value, public: false }
+    end
+  end
 end
diff --git a/db/migrate/20170524161101_add_protected_to_ci_variables.rb b/db/migrate/20170524161101_add_protected_to_ci_variables.rb
new file mode 100644
index 00000000000..99d4861e889
--- /dev/null
+++ b/db/migrate/20170524161101_add_protected_to_ci_variables.rb
@@ -0,0 +1,15 @@
+class AddProtectedToCiVariables < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:ci_variables, :protected, :boolean, default: false)
+  end
+
+  def down
+    remove_column(:ci_variables, :protected)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 84e25427d7f..60a95408ac2 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20170521184006) do
+ActiveRecord::Schema.define(version: 20170524161101) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -355,6 +355,7 @@ ActiveRecord::Schema.define(version: 20170521184006) do
     t.string "encrypted_value_salt"
     t.string "encrypted_value_iv"
     t.integer "project_id", null: false
+    t.boolean "protected", default: false
   end
 
   add_index "ci_variables", ["project_id"], name: "index_ci_variables_on_project_id", using: :btree
-- 
cgit v1.2.1