Merge "Don't override allowed-projects"
This commit is contained in:
commit
246f929c64
|
@ -0,0 +1,2 @@
|
|||
- hosts: all
|
||||
tasks: []
|
|
@ -0,0 +1,27 @@
|
|||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
success:
|
||||
gerrit:
|
||||
Verified: 1
|
||||
failure:
|
||||
gerrit:
|
||||
Verified: -1
|
||||
|
||||
- job:
|
||||
name: base
|
||||
run: playbooks/base.yaml
|
||||
parent: null
|
||||
|
||||
- job:
|
||||
name: restricted-job
|
||||
allowed-projects:
|
||||
- org/project1
|
||||
|
||||
- project:
|
||||
name: common-config
|
||||
check:
|
||||
jobs: []
|
|
@ -0,0 +1,10 @@
|
|||
- job:
|
||||
name: test-project1
|
||||
parent: restricted-job
|
||||
|
||||
- project:
|
||||
name: org/project1
|
||||
check:
|
||||
jobs:
|
||||
- test-project1
|
||||
- restricted-job
|
|
@ -0,0 +1,11 @@
|
|||
- job:
|
||||
name: test-project2
|
||||
parent: restricted-job
|
||||
allowed-projects:
|
||||
- org/project2
|
||||
|
||||
- project:
|
||||
name: org/project2
|
||||
check:
|
||||
jobs:
|
||||
- test-project2
|
|
@ -0,0 +1,5 @@
|
|||
- project:
|
||||
name: org/project3
|
||||
check:
|
||||
jobs:
|
||||
- restricted-job
|
|
@ -0,0 +1,10 @@
|
|||
- tenant:
|
||||
name: tenant-one
|
||||
source:
|
||||
gerrit:
|
||||
config-projects:
|
||||
- common-config
|
||||
untrusted-projects:
|
||||
- org/project1
|
||||
- org/project2
|
||||
- org/project3
|
|
@ -320,50 +320,6 @@ class TestJob(BaseTestCase):
|
|||
"to shadow job base in base_project"):
|
||||
layout.addJob(base2)
|
||||
|
||||
def test_job_allowed_projects(self):
|
||||
job = configloader.JobParser.fromYaml(self.tenant, self.layout, {
|
||||
'_source_context': self.context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'job',
|
||||
'parent': None,
|
||||
'allowed-projects': ['project'],
|
||||
})
|
||||
self.layout.addJob(job)
|
||||
|
||||
project2 = model.Project('project2', self.source)
|
||||
tpc2 = model.TenantProjectConfig(project2)
|
||||
self.tenant.addUntrustedProject(tpc2)
|
||||
context2 = model.SourceContext(project2, 'master',
|
||||
'test', True)
|
||||
|
||||
project_template_parser = configloader.ProjectTemplateParser(
|
||||
self.tenant, self.layout)
|
||||
project_parser = configloader.ProjectParser(
|
||||
self.tenant, self.layout, project_template_parser)
|
||||
project2_config = project_parser.fromYaml(
|
||||
[{
|
||||
'_source_context': context2,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'project2',
|
||||
'gate': {
|
||||
'jobs': [
|
||||
'job'
|
||||
]
|
||||
}
|
||||
}]
|
||||
)
|
||||
self.layout.addProjectConfig(project2_config)
|
||||
|
||||
change = model.Change(project2)
|
||||
# Test master
|
||||
change.branch = 'master'
|
||||
item = self.queue.enqueueChange(change)
|
||||
item.layout = self.layout
|
||||
with testtools.ExpectedException(
|
||||
Exception,
|
||||
"Project project2 is not allowed to run job job"):
|
||||
item.freezeJobGraph()
|
||||
|
||||
def test_job_pipeline_allow_untrusted_secrets(self):
|
||||
self.pipeline.post_review = False
|
||||
job = configloader.JobParser.fromYaml(self.tenant, self.layout, {
|
||||
|
|
|
@ -533,6 +533,36 @@ class TestBranchMismatch(ZuulTestCase):
|
|||
], ordered=False)
|
||||
|
||||
|
||||
class TestAllowedProjects(ZuulTestCase):
|
||||
tenant_config_file = 'config/allowed-projects/main.yaml'
|
||||
|
||||
def test_allowed_projects(self):
|
||||
A = self.fake_gerrit.addFakeChange('org/project1', 'master', 'A')
|
||||
self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
|
||||
self.waitUntilSettled()
|
||||
self.assertEqual(A.reported, 1)
|
||||
self.assertIn('Build succeeded', A.messages[0])
|
||||
|
||||
B = self.fake_gerrit.addFakeChange('org/project2', 'master', 'B')
|
||||
self.fake_gerrit.addEvent(B.getPatchsetCreatedEvent(1))
|
||||
self.waitUntilSettled()
|
||||
self.assertEqual(B.reported, 1)
|
||||
self.assertIn('Project org/project2 is not allowed '
|
||||
'to run job test-project2', B.messages[0])
|
||||
|
||||
C = self.fake_gerrit.addFakeChange('org/project3', 'master', 'C')
|
||||
self.fake_gerrit.addEvent(C.getPatchsetCreatedEvent(1))
|
||||
self.waitUntilSettled()
|
||||
self.assertEqual(C.reported, 1)
|
||||
self.assertIn('Project org/project3 is not allowed '
|
||||
'to run job restricted-job', C.messages[0])
|
||||
|
||||
self.assertHistory([
|
||||
dict(name='test-project1', result='SUCCESS', changes='1,1'),
|
||||
dict(name='restricted-job', result='SUCCESS', changes='1,1'),
|
||||
], ordered=False)
|
||||
|
||||
|
||||
class TestCentralJobs(ZuulTestCase):
|
||||
tenant_config_file = 'config/central-jobs/main.yaml'
|
||||
|
||||
|
|
|
@ -1060,7 +1060,8 @@ class Job(object):
|
|||
"from other projects."
|
||||
% (repr(self), this_origin))
|
||||
if k not in set(['pre_run', 'run', 'post_run', 'roles',
|
||||
'variables', 'required_projects']):
|
||||
'variables', 'required_projects',
|
||||
'allowed_projects']):
|
||||
# TODO(jeblair): determine if deepcopy is required
|
||||
setattr(self, k, copy.deepcopy(other._get(k)))
|
||||
|
||||
|
@ -1097,6 +1098,12 @@ class Job(object):
|
|||
self.updateVariables(other.variables)
|
||||
if other._get('required_projects') is not None:
|
||||
self.updateProjects(other.required_projects)
|
||||
if (other._get('allowed_projects') is not None and
|
||||
self._get('allowed_projects') is not None):
|
||||
self.allowed_projects = self.allowed_projects.intersection(
|
||||
other.allowed_projects)
|
||||
elif other._get('allowed_projects') is not None:
|
||||
self.allowed_projects = copy.deepcopy(other.allowed_projects)
|
||||
|
||||
for k in self.context_attributes:
|
||||
if (other._get(k) is not None and
|
||||
|
@ -2828,7 +2835,7 @@ class Layout(object):
|
|||
item.debug("No matching pipeline variants for {jobname}".
|
||||
format(jobname=jobname), indent=2)
|
||||
continue
|
||||
if (frozen_job.allowed_projects and
|
||||
if (frozen_job.allowed_projects is not None and
|
||||
change.project.name not in frozen_job.allowed_projects):
|
||||
raise Exception("Project %s is not allowed to run job %s" %
|
||||
(change.project.name, frozen_job.name))
|
||||
|
|
Loading…
Reference in New Issue