Merge "Test zuul-client encrypt subcommand"

2020-12-03 13:37:01 +00:00 · 2020-12-03 13:37:01 +00:00 · 60587c79c2
parent 0691295078 aa103f6f27
commit 60587c79c2
1 changed files with 129 additions and 3 deletions
--- a/tests/zuul_client/test_zuulclient.py
+++ b/tests/zuul_client/test_zuulclient.py
@ -14,7 +14,10 @@

 import time
 import jwt
+import os
 import subprocess
+import tempfile
+import textwrap

 import zuul.web
 import zuul.rpcclient
@ -23,9 +26,7 @@ from tests.base import iterate_timeout
 from tests.unit.test_web import BaseTestWeb


-class TestZuulClient(BaseTestWeb):
-    config_file = 'zuul-admin-web.conf'
-
+class TestSmokeZuulClient(BaseTestWeb):
    def test_is_installed(self):
        """Test that the CLI is installed"""
        test_version = subprocess.check_output(
@ -33,6 +34,131 @@ class TestZuulClient(BaseTestWeb):
            stderr=subprocess.STDOUT)
        self.assertTrue(b'Zuul-client version:' in test_version)

+
+class TestZuulClientEncrypt(BaseTestWeb):
+    """Test using zuul-client to encrypt secrets"""
+    tenant_config_file = 'config/secrets/main.yaml'
+    config_file = 'zuul-admin-web.conf'
+    secret = {'password': 'zuul-client'}
+
+    def setUp(self):
+        super(TestZuulClientEncrypt, self).setUp()
+        self.executor_server.hold_jobs_in_build = False
+
+    def _getSecrets(self, job, pbtype):
+        secrets = []
+        build = self.getJobFromHistory(job)
+        for pb in build.parameters[pbtype]:
+            secrets.append(pb['secrets'])
+        return secrets
+
+    def test_encrypt(self):
+        """Test that we can use zuul-client to generate a project secret"""
+        p = subprocess.Popen(
+            ['zuul-client',
+             '--zuul-url', self.base_url,
+             'encrypt', '--tenant', 'tenant-one', '--project', 'org/project2',
+             '--secret-name', 'my_secret', '--field-name', 'password'],
+            stdout=subprocess.PIPE, stdin=subprocess.PIPE)
+        p.stdin.write(
+            str.encode(self.secret['password'])
+        )
+        output, error = p.communicate()
+        p.stdin.close()
+        self._test_encrypt(output, error)
+
+    def test_encrypt_outfile(self):
+        """Test that we can use zuul-client to generate a project secret to a
+        file"""
+        outfile = tempfile.NamedTemporaryFile(delete=False)
+        p = subprocess.Popen(
+            ['zuul-client',
+             '--zuul-url', self.base_url,
+             'encrypt', '--tenant', 'tenant-one', '--project', 'org/project2',
+             '--secret-name', 'my_secret', '--field-name', 'password',
+             '--outfile', outfile.name],
+            stdout=subprocess.PIPE, stdin=subprocess.PIPE)
+        p.stdin.write(
+            str.encode(self.secret['password'])
+        )
+        _, error = p.communicate()
+        p.stdin.close()
+        output = outfile.read()
+        self._test_encrypt(output, error)
+
+    def test_encrypt_infile(self):
+        """Test that we can use zuul-client to generate a project secret from
+        a file"""
+        infile = tempfile.NamedTemporaryFile(delete=False)
+        infile.write(
+            str.encode(self.secret['password'])
+        )
+        infile.close()
+        p = subprocess.Popen(
+            ['zuul-client',
+             '--zuul-url', self.base_url,
+             'encrypt', '--tenant', 'tenant-one', '--project', 'org/project2',
+             '--secret-name', 'my_secret', '--field-name', 'password',
+             '--infile', infile.name],
+            stdout=subprocess.PIPE)
+        output, error = p.communicate()
+        os.unlink(infile.name)
+        self._test_encrypt(output, error)
+
+    def _test_encrypt(self, output, error):
+        self.assertEqual(None, error, error)
+        self.assertTrue(b'- secret:' in output, output.decode())
+        new_repo_conf = output.decode()
+        new_repo_conf += textwrap.dedent(
+            """
+
+            - job:
+                parent: base
+                name: project2-secret
+                run: playbooks/secret.yaml
+                secrets:
+                  - my_secret
+
+            - project:
+                check:
+                  jobs:
+                    - project2-secret
+                gate:
+                  jobs:
+                    - noop
+            """
+        )
+        file_dict = {'zuul.yaml': new_repo_conf}
+        A = self.fake_gerrit.addFakeChange('org/project2', 'master',
+                                           'Add secret',
+                                           files=file_dict)
+        A.addApproval('Code-Review', 2)
+        self.fake_gerrit.addEvent(A.addApproval('Approved', 1))
+        self.waitUntilSettled()
+        self.assertEqual(A.data['status'], 'MERGED')
+        self.fake_gerrit.addEvent(A.getChangeMergedEvent())
+        self.waitUntilSettled()
+        # check that the secret is used from there on
+        B = self.fake_gerrit.addFakeChange('org/project2', 'master',
+                                           'test secret',
+                                           files={'newfile': 'xxx'})
+        self.fake_gerrit.addEvent(B.getPatchsetCreatedEvent(1))
+        self.waitUntilSettled()
+        self.assertEqual(B.reported, 1, "B should report success")
+        self.assertHistory([
+            dict(name='project2-secret', result='SUCCESS', changes='2,1'),
+        ])
+        secrets = self._getSecrets('project2-secret', 'playbooks')
+        self.assertEqual(
+            secrets,
+            [{'my_secret': self.secret}],
+            secrets)
+
+
+class TestZuulClientAdmin(BaseTestWeb):
+    """Test the admin commands of zuul-client"""
+    config_file = 'zuul-admin-web.conf'
+
    def test_autohold(self):
        """Test that autohold can be set with the Web client"""
        authz = {'iss': 'zuul_operator',