zuul
/
zuul-jobs
Code Issues Proposed changes

Disable base role testing that runs code on localhost 

The workspace setup role requires local code execution on the executor.
This is not allowed from an untrusted context so we disable it.

The previous assertions about the zuul-cloner setup depend on the
workspace setup running successfully. Disable those extra assertions.

subunit fetching role assertions grepped the html file for validity on
localhost. Disable this as well.

Change-Id: I7449749f50b6e4a34c4615b00836a7148e01c768
This commit is contained in:
Clark Boylan 2020-07-22 13:23:19 -07:00
parent 919fe2e8a7
commit 44d2187e7f
3 changed files with 66 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
test-playbooks/base-roles/base.yaml
View File

@ -6,7 +6,8 @@
# Note: set-zuul-log-path-fact is tested by emit-job-header.yaml
- import_playbook: emit-job-header.yaml
- import_playbook: ensure-output-dirs.yaml
- import_playbook: prepare-workspace-git.yaml
# This runs local code so cannot be tested in this way.
# - import_playbook: prepare-workspace-git.yaml
- import_playbook: configure-mirrors.yaml
- import_playbook: fetch-zuul-cloner.yaml
- import_playbook: validate-host.yaml

65
test-playbooks/base-roles/fetch-subunit-output.yaml
View File

@ -68,21 +68,25 @@
- local_html_test_results is not changed
- local_html_test_results is succeeded
# Disabled as we cannot run shell on localhost outside of a
# trusted context.
# only one subunit file; the failed result should be hidden
- name: Check the content of the HTML file
delegate_to: localhost
shell: |
GLOBAL_RESULT=1
zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
{{ zuul.executor.log_root }}/testr_results.html
T1=$?
zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
{{ zuul.executor.log_root }}/testr_results.html
T2=$?
if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
GLOBAL_RESULT=0
fi
exit $GLOBAL_RESULT
# - name: Check the content of the HTML file
# delegate_to: localhost
# shell: |
# GLOBAL_RESULT=1
# zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
# {{ zuul.executor.log_root }}/testr_results.html
# T1=$?
# zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
# {{ zuul.executor.log_root }}/testr_results.html
# T2=$?
# if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
# GLOBAL_RESULT=0
# fi
# exit $GLOBAL_RESULT
- name: nooping task because yamllint complains about the comment above
debug: {}
# The following test(s) require(s) the previous playbook
- name: Run the fetch-subunit-output role with multiple subunits
@ -113,18 +117,21 @@
- local_subunit_file is succeeded
- local_html_test_results is not changed
- local_html_test_results is succeeded
- name: Check the content of the HTML file
delegate_to: localhost
shell: |
GLOBAL_RESULT=1
zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
{{ zuul.executor.log_root }}/testr_results.html
T1=$?
zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
{{ zuul.executor.log_root }}/testr_results.html
T2=$?
if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
GLOBAL_RESULT=0
fi
exit $GLOBAL_RESULT
# Disabled as we cannot run shell on localhost outside of a
# trusted context.
# - name: Check the content of the HTML file
# delegate_to: localhost
# shell: |
# GLOBAL_RESULT=1
# zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
# {{ zuul.executor.log_root }}/testr_results.html
# T1=$?
# zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
# {{ zuul.executor.log_root }}/testr_results.html
# T2=$?
# if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
# GLOBAL_RESULT=0
# fi
# exit $GLOBAL_RESULT
- name: nooping task because yamllint complains about the comment above
debug: {}

53
test-playbooks/base-roles/fetch-zuul-cloner.yaml
View File

@ -25,29 +25,32 @@
- cloner.stat.exists
- cloner.stat.mode == "0755"
- name: Zuul clone something in required-projects
shell:
executable: /bin/bash
cmd: |
CLONEMAP=`mktemp`
function cleanup {
rm -f $CLONEMAP
}
trap cleanup EXIT
cat > $CLONEMAP << EOF
clonemap:
- name: opendev/base-jobs
dest: {{ ansible_user_dir }}
EOF
/usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
--cache-dir /opt/git https://opendev.org \
opendev/base-jobs
register: clone_with_required
# Disabled as this depends on running workspace setup which requires
# being able to run code on the executor from an untrusted context and
# this is not allowed.
# - name: Zuul clone something in required-projects
# shell:
# executable: /bin/bash
# cmd: |
# CLONEMAP=`mktemp`
# function cleanup {
# rm -f $CLONEMAP
# }
# trap cleanup EXIT
# cat > $CLONEMAP << EOF
# clonemap:
# - name: opendev/base-jobs
# dest: {{ ansible_user_dir }}
# EOF
# /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
# --cache-dir /opt/git https://opendev.org \
# opendev/base-jobs
# register: clone_with_required
- name: Check if repository was cloned
stat:
path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
register: with_required_stat
# - name: Check if repository was cloned
# stat:
# path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
# register: with_required_stat
- name: Zuul clone something not in required-projects
shell:
@ -77,8 +80,8 @@
- name: Validate zuul-cloner shim results
assert:
that:
- clone_with_required is succeeded
- clone_with_required is changed
- with_required_stat.stat.exists
# - clone_with_required is succeeded
# - clone_with_required is changed
# - with_required_stat.stat.exists
- clone_without_required is failed
- not without_required_stat.stat.exists