From 892dc6a095160ac2f84be3981c581079c2c406b3 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Wed, 22 Nov 2017 14:05:49 +0000
Subject: [PATCH] revoke-sudo: only revoke when zuul is sudoer

This change makes unittests jobs usable on read-only environment.

Change-Id: I36cfe7e5849687dbed510396a825dc0ec45542b3
---
 roles/revoke-sudo/tasks/main.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/revoke-sudo/tasks/main.yaml b/roles/revoke-sudo/tasks/main.yaml
index 477c3c873..bb4af9126 100644
--- a/roles/revoke-sudo/tasks/main.yaml
+++ b/roles/revoke-sudo/tasks/main.yaml
@@ -1,11 +1,18 @@
+- name: Check if zuul is sudoer
+ command: sudo -n true
+ failed_when: false
+ register: zuul_is_sudoer
+
 - name: Remove sudo access for zuul user.
 become: yes
 file:
 path: /etc/sudoers.d/zuul
 state: absent
+ when: zuul_is_sudoer.rc == 0

 - name: Prove that general sudo access is actually revoked.
 shell: '! sudo -n true'
 tags:
 # We really need shell above, skip warning
 - skip_ansible_lint
+ when: zuul_is_sudoer.rc == 0
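Review bot: The two `when: zuul_is_sudoer.rc == 0` guards make this role fail open: any non-zero exit from the new `sudo -n true` check, which `failed_when: false` accepts without distinction, now skips both the removal of `/etc/sudoers.d/zuul` and the proof task, and the play continues as if revocation had happened. A non-zero exit only shows that passwordless `sudo true` did not work at that moment; a sudoers entry limited to specific commands would presumably also produce it and would be left in place. Consider a comment above the check such as `# rc != 0 is treated as "zuul has no sudo"; command-restricted sudoers entries are not detected`, and making the skip visible in the job log rather than silent. The check only reads state, so `changed_when: false` belongs on it as well.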