Merge "Rename allow-secrets to post-review" into feature/zuulv3

doc/source/user/config.rst

@@ -184,19 +184,19 @@ success, the pipeline reports back to Gerrit with ``Verified`` vote of
          For more detail on the theory and operation of Zuul's
          dependent pipeline manager, see: :doc:`gating`.
 
-   .. attr:: allow-secrets
+   .. attr:: post-review
       :default: false
 
-      This is a boolean which can be used to prevent jobs which use
-      secrets in the untrusted security context from running in this
-      pipeline.  Some pipelines run on proposed changes and therefore
-      execute code which has not yet been reviewed.  In such a case,
-      allowing a job to use a secret could result in that secret being
-      exposed.  The default is ``false``, meaning that in order to run
-      jobs which use secrets in the untrusted security context, this
-      must be explicitly enabled on each Pipeline where that is safe.
+      This is a boolean which indicates that this pipeline executes
+      code that has been reviewed.  Some jobs perform actions which
+      should not be permitted with unreviewed code.  When this value
+      is ``false`` those jobs will not be permitted to run in the
+      pipeline.  If a pipeline is designed only to be used after
+      changes are reviewed or merged, set this value to ``true`` to
+      permit such jobs.
 
-      For more information, see :ref:`secret`.
+      For more information, see :ref:`secret` and
+      :attr:`job.post-review`.
 
    .. attr:: description
 
@@ -895,16 +895,18 @@ Here is an example of two job definitions:
       it should be able to run this job, then it must be explicitly
       listed.  By default, all projects may use the job.
 
-   .. attr:: untrusted-secrets
+   .. attr:: post-review
+      :default: false
 
-      A boolean value which indicates that this job should not be used
-      in a pipeline where allow-secrets is ``false``.  This is
-      automatically set to ``true`` if this job is defined in a
-      :term:`untrusted-project`.  It may be explicitly set to obtain
-      the same behavior for jobs defined in :term:`config projects
-      <config-project>`.  Once this is set to ``true`` anywhere in the
-      inheritance hierarchy for a job, it will remain set for all
-      child jobs and variants (it can not be set to ``false``).
+      A boolean value which indicates whether this job may only be
+      used in pipelines where :attr:`pipeline.post-review` is
+      ``true``.  This is automatically set to ``true`` if this job is
+      defined in a :term:`untrusted-project`.  It may be explicitly
+      set to obtain the same behavior for jobs defined in
+      :term:`config projects <config-project>`.  Once this is set to
+      ``true`` anywhere in the inheritance hierarchy for a job, it
+      will remain set for all child jobs and variants (it can not be
+      set to ``false``).
 
 .. _project:
 
@@ -1078,12 +1080,19 @@ types of pipelines.  However, because playbooks defined in an
 untrusted project are run in the :term:`untrusted execution context`
 where proposed changes are used in job execution, it is dangerous to
 allow those secrets to be used in pipelines which are used to execute
-proposed but unreviewed changes.  By default, pipelines will refuse to
-run jobs which have playbooks that use secrets in the untrusted
-execution context to protect against someone proposing a change which
-exposes a secret.  To permit this (for instance, in a pipeline which
-only runs after code review), the :attr:`pipeline.allow-secrets`
-attribute may be set.
+proposed but unreviewed changes.  By default, pipelines are considered
+`pre-review` and will refuse to run jobs which have playbooks that use
+secrets in the untrusted execution context to protect against someone
+proposing a change which exposes a secret.  To permit this (for
+instance, in a pipeline which only runs after code review), the
+:attr:`pipeline.post-review` attribute may be explicitly set to
+``true``.
+
+In some cases, it may be desirable to prevent a job which is defined
+in a config project from running in a pre-review pipeline (e.g., a job
+used to publish an artifact).  In these cases, the
+:attr:`job.post-review` attribute may be explicitly set to ``true`` to
+indicate the job should only run in post-review pipelines.
 
 If a job with secrets is unsafe to be used by other projects, the
 `allowed-projects` job attribute can be used to restrict the projects

tests/fixtures/config/ansible/git/common-config/zuul.yaml

@@ -1,7 +1,7 @@
 - pipeline:
     name: check
     manager: independent
-    allow-secrets: true
+    post-review: true
     trigger:
       gerrit:
         - event: patchset-created

tests/fixtures/config/data-return/git/common-config/zuul.yaml

@@ -1,7 +1,7 @@
 - pipeline:
     name: check
     manager: independent
-    allow-secrets: true
+    post-review: true
     trigger:
       gerrit:
         - event: patchset-created

tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml

@@ -1,7 +1,7 @@
 - pipeline:
     name: check
     manager: independent
-    allow-secrets: true
+    post-review: true
     trigger:
       gerrit:
         - event: patchset-created

tests/fixtures/config/inventory/git/common-config/zuul.yaml

@@ -1,7 +1,7 @@
 - pipeline:
     name: check
     manager: independent
-    allow-secrets: true
+    post-review: true
     trigger:
       gerrit:
         - event: patchset-created

tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml

@@ -1,7 +1,7 @@
 - pipeline:
     name: check
     manager: independent
-    allow-secrets: true
+    post-review: true
     trigger:
       gerrit:
         - event: patchset-created

tests/fixtures/layouts/untrusted-secrets.yaml

@@ -17,7 +17,7 @@
 
 - job:
     name: project1-test
-    untrusted-secrets: true
+    post-review: true
 
 - project:
     name: org/project1

tests/unit/test_model.py

@@ -461,16 +461,16 @@ class TestJob(BaseTestCase):
                 })
         layout.addJob(untrusted_secrets_untrusted_child_job)
 
-        self.assertIsNone(trusted_secrets_job.untrusted_secrets)
-        self.assertTrue(untrusted_secrets_job.untrusted_secrets)
+        self.assertIsNone(trusted_secrets_job.post_review)
+        self.assertTrue(untrusted_secrets_job.post_review)
         self.assertIsNone(
-            trusted_secrets_trusted_child_job.untrusted_secrets)
+            trusted_secrets_trusted_child_job.post_review)
         self.assertIsNone(
-            trusted_secrets_untrusted_child_job.untrusted_secrets)
+            trusted_secrets_untrusted_child_job.post_review)
         self.assertTrue(
-            untrusted_secrets_trusted_child_job.untrusted_secrets)
+            untrusted_secrets_trusted_child_job.post_review)
         self.assertTrue(
-            untrusted_secrets_untrusted_child_job.untrusted_secrets)
+            untrusted_secrets_untrusted_child_job.post_review)
 
         self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].name,
                          'trusted-secret')
@@ -697,15 +697,15 @@ class TestJob(BaseTestCase):
                 "Project project2 is not allowed to run job job"):
             item.freezeJobGraph()
 
-    def test_job_pipeline_allow_secrets(self):
-        self.pipeline.allow_secrets = False
+    def test_job_pipeline_allow_untrusted_secrets(self):
+        self.pipeline.post_review = False
         job = configloader.JobParser.fromYaml(self.tenant, self.layout, {
             '_source_context': self.context,
             '_start_mark': self.start_mark,
             'name': 'job',
             'parent': None,
         })
-        job.untrusted_secrets = True
+        job.post_review = True
 
         self.layout.addJob(job)
 
@@ -730,7 +730,7 @@ class TestJob(BaseTestCase):
         item.current_build_set.layout = self.layout
         with testtools.ExpectedException(
                 Exception,
-                "Pipeline gate does not allow jobs with secrets"):
+                "Pre-review pipeline gate does not allow post-review job"):
             item.freezeJobGraph()
 
 

tests/unit/test_scheduler.py

@@ -2827,7 +2827,7 @@ class TestScheduler(ZuulTestCase):
 
         self.assertHistory([])
         self.assertEqual(A.patchsets[0]['approvals'][0]['value'], "-1")
-        self.assertIn('does not allow jobs with secrets',
+        self.assertIn('does not allow post-review job',
                       A.messages[0])
 
     @simple_layout('layouts/tags.yaml')

zuul/configloader.py

@@ -369,7 +369,7 @@ class JobParser(object):
                'allowed-projects': to_list(str),
                'override-branch': str,
                'description': str,
-               'untrusted-secrets': bool
+               'post-review': bool
                }
 
         return vs.Schema(job)
@@ -465,14 +465,14 @@ class JobParser(object):
         # through inheritance to ensure that we don't run this job in
         # an unsafe check pipeline.
         if secrets and not conf['_source_context'].trusted:
-            job.untrusted_secrets = True
+            job.post_review = True
 
-        if 'untrusted-secrets' in conf:
-            if conf['untrusted-secrets']:
-                job.untrusted_secrets = True
+        if 'post-review' in conf:
+            if conf['post-review']:
+                job.post_review = True
             else:
-                raise Exception("Once set, the untrusted_secrets "
-                                "attribute may not be unset")
+                raise Exception("Once set, the post-review attribute "
+                                "may not be unset")
 
         # Roles are part of the playbook context so we must establish
         # them earlier than playbooks.
@@ -836,7 +836,7 @@ class PipelineParser(object):
                     'footer-message': str,
                     'dequeue-on-new-patchset': bool,
                     'ignore-dependencies': bool,
-                    'allow-secrets': bool,
+                    'post-review': bool,
                     'disable-after-consecutive-failures':
                         vs.All(int, vs.Range(min=1)),
                     'window': window,
@@ -886,7 +886,8 @@ class PipelineParser(object):
             'dequeue-on-new-patchset', True)
         pipeline.ignore_dependencies = conf.get(
             'ignore-dependencies', False)
-        pipeline.allow_secrets = conf.get('allow-secrets', False)
+        pipeline.post_review = conf.get(
+            'post-review', False)
 
         for conf_key, action in PipelineParser.reporter_actions.items():
             reporter_set = []

zuul/model.py

@@ -98,7 +98,7 @@ class Pipeline(object):
         self.success_message = None
         self.footer_message = None
         self.start_message = None
-        self.allow_secrets = False
+        self.post_review = False
         self.dequeue_on_new_patchset = True
         self.ignore_dependencies = False
         self.manager = None
@@ -801,7 +801,7 @@ class Job(object):
             required_projects={},
             allowed_projects=None,
             override_branch=None,
-            untrusted_secrets=None,
+            post_review=None,
         )
 
         # These are generally internal attributes which are not
@@ -2322,9 +2322,9 @@ class Layout(object):
                 change.project.name not in frozen_job.allowed_projects):
                 raise Exception("Project %s is not allowed to run job %s" %
                                 (change.project.name, frozen_job.name))
-            if ((not pipeline.allow_secrets) and frozen_job.untrusted_secrets):
-                raise Exception("Pipeline %s does not allow jobs with "
-                                "secrets (job %s)" % (
+            if ((not pipeline.post_review) and frozen_job.post_review):
+                raise Exception("Pre-review pipeline %s does not allow "
+                                "post-review job %s" % (
                                     pipeline.name, frozen_job.name))
             job_graph.addJob(frozen_job)