Merge "Rename allow-secrets to post-review" into feature/zuulv3
commit 6345e20e56
|
@ -184,19 +184,19 @@ success, the pipeline reports back to Gerrit with ``Verified`` vote of
|
|||
For more detail on the theory and operation of Zuul's
|
||||
dependent pipeline manager, see: :doc:`gating`.
|
||||
|
||||
.. attr:: allow-secrets
|
||||
.. attr:: post-review
|
||||
:default: false
|
||||
|
||||
This is a boolean which can be used to prevent jobs which use
|
||||
secrets in the untrusted security context from running in this
|
||||
pipeline. Some pipelines run on proposed changes and therefore
|
||||
execute code which has not yet been reviewed. In such a case,
|
||||
allowing a job to use a secret could result in that secret being
|
||||
exposed. The default is ``false``, meaning that in order to run
|
||||
jobs which use secrets in the untrusted security context, this
|
||||
must be explicitly enabled on each Pipeline where that is safe.
|
||||
This is a boolean which indicates that this pipeline executes
|
||||
code that has been reviewed. Some jobs perform actions which
|
||||
should not be permitted with unreviewed code. When this value
|
||||
is ``false`` those jobs will not be permitted to run in the
|
||||
pipeline. If a pipeline is designed only to be used after
|
||||
changes are reviewed or merged, set this value to ``true`` to
|
||||
permit such jobs.
|
||||
|
||||
For more information, see :ref:`secret`.
|
||||
For more information, see :ref:`secret` and
|
||||
:attr:`job.post-review`.
|
||||
|
||||
.. attr:: description
|
||||
|
||||
|
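Review bot: The new `post-review` description says only that "some jobs perform actions which should not be permitted with unreviewed code" and no longer names the concrete case the removed paragraph spelled out: jobs which use secrets in the untrusted security context. The default of ``false`` is what keeps those secrets away from unreviewed changes, so I would keep one sentence saying such jobs are among those blocked. An operator setting this to ``true`` should be able to see from this entry what is being permitted, without following the references.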
@ -895,16 +895,18 @@ Here is an example of two job definitions:
|
|||
it should be able to run this job, then it must be explicitly
|
||||
listed. By default, all projects may use the job.
|
||||
|
||||
.. attr:: untrusted-secrets
|
||||
.. attr:: post-review
|
||||
:default: false
|
||||
|
||||
A boolean value which indicates that this job should not be used
|
||||
in a pipeline where allow-secrets is ``false``. This is
|
||||
automatically set to ``true`` if this job is defined in a
|
||||
:term:`untrusted-project`. It may be explicitly set to obtain
|
||||
the same behavior for jobs defined in :term:`config projects
|
||||
<config-project>`. Once this is set to ``true`` anywhere in the
|
||||
inheritance hierarchy for a job, it will remain set for all
|
||||
child jobs and variants (it can not be set to ``false``).
|
||||
A boolean value which indicates whether this job may only be
|
||||
used in pipelines where :attr:`pipeline.post-review` is
|
||||
``true``. This is automatically set to ``true`` if this job is
|
||||
defined in a :term:`untrusted-project`. It may be explicitly
|
||||
set to obtain the same behavior for jobs defined in
|
||||
:term:`config projects <config-project>`. Once this is set to
|
||||
``true`` anywhere in the inheritance hierarchy for a job, it
|
||||
will remain set for all child jobs and variants (it can not be
|
||||
set to ``false``).
|
||||
|
||||
.. _project:
|
||||
|
||||
|
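Review bot: The sentence "This is automatically set to ``true`` if this job is defined in a :term:`untrusted-project`" is broader than what the JobParser hunk in this same change does. There the flag is set under `if secrets and not conf['_source_context'].trusted:`, that is, only for jobs from an untrusted context that also use secrets. Suggest "if this job uses secrets and is defined in an :term:`untrusted-project`" (also "an" rather than "a").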
@ -1078,12 +1080,19 @@ types of pipelines. However, because playbooks defined in an
|
|||
untrusted project are run in the :term:`untrusted execution context`
|
||||
where proposed changes are used in job execution, it is dangerous to
|
||||
allow those secrets to be used in pipelines which are used to execute
|
||||
proposed but unreviewed changes. By default, pipelines will refuse to
|
||||
run jobs which have playbooks that use secrets in the untrusted
|
||||
execution context to protect against someone proposing a change which
|
||||
exposes a secret. To permit this (for instance, in a pipeline which
|
||||
only runs after code review), the :attr:`pipeline.allow-secrets`
|
||||
attribute may be set.
|
||||
proposed but unreviewed changes. By default, pipelines are considered
|
||||
`pre-review` and will refuse to run jobs which have playbooks that use
|
||||
secrets in the untrusted execution context to protect against someone
|
||||
proposing a change which exposes a secret. To permit this (for
|
||||
instance, in a pipeline which only runs after code review), the
|
||||
:attr:`pipeline.post-review` attribute may be explicitly set to
|
||||
``true``.
|
||||
|
||||
In some cases, it may be desirable to prevent a job which is defined
|
||||
in a config project from running in a pre-review pipeline (e.g., a job
|
||||
used to publish an artifact). In these cases, the
|
||||
:attr:`job.post-review` attribute may be explicitly set to ``true`` to
|
||||
indicate the job should only run in post-review pipelines.
|
||||
|
||||
If a job with secrets is unsafe to be used by other projects, the
|
||||
`allowed-projects` job attribute can be used to restrict the projects
|
||||
|
|
|
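Review bot: `pre-review` in the added paragraph uses single backticks, which reStructuredText renders with the default role rather than as a literal; the values elsewhere in this change use double backticks (``true``, ``false``). The term is also introduced here without a definition. One clause saying that a pre-review pipeline is one where :attr:`pipeline.post-review` is left at ``false`` would tie it to the attribute.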
@ -1,7 +1,7 @@
|
|||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
allow-secrets: true
|
||||
post-review: true
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
|
|
|
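Review bot: `post-review: true` now sits on a pipeline named `check` that triggers on `patchset-created`, which by the documentation added in this change is the kind of pipeline that runs proposed but unreviewed code. Under the old name this read as a switch; under the new one it reads as a declaration that is not true. If the layout needs it in order to exercise post-review jobs, a YAML comment saying so would keep it from being copied as a pattern. The same applies to the identical hunks that follow.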
@ -1,7 +1,7 @@
|
|||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
allow-secrets: true
|
||||
post-review: true
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
allow-secrets: true
|
||||
post-review: true
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
allow-secrets: true
|
||||
post-review: true
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
allow-secrets: true
|
||||
post-review: true
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
|
||||
- job:
|
||||
name: project1-test
|
||||
untrusted-secrets: true
|
||||
post-review: true
|
||||
|
||||
- project:
|
||||
name: org/project1
|
||||
|
|
|
@ -461,16 +461,16 @@ class TestJob(BaseTestCase):
|
|||
})
|
||||
layout.addJob(untrusted_secrets_untrusted_child_job)
|
||||
|
||||
self.assertIsNone(trusted_secrets_job.untrusted_secrets)
|
||||
self.assertTrue(untrusted_secrets_job.untrusted_secrets)
|
||||
self.assertIsNone(trusted_secrets_job.post_review)
|
||||
self.assertTrue(untrusted_secrets_job.post_review)
|
||||
self.assertIsNone(
|
||||
trusted_secrets_trusted_child_job.untrusted_secrets)
|
||||
trusted_secrets_trusted_child_job.post_review)
|
||||
self.assertIsNone(
|
||||
trusted_secrets_untrusted_child_job.untrusted_secrets)
|
||||
trusted_secrets_untrusted_child_job.post_review)
|
||||
self.assertTrue(
|
||||
untrusted_secrets_trusted_child_job.untrusted_secrets)
|
||||
untrusted_secrets_trusted_child_job.post_review)
|
||||
self.assertTrue(
|
||||
untrusted_secrets_untrusted_child_job.untrusted_secrets)
|
||||
untrusted_secrets_untrusted_child_job.post_review)
|
||||
|
||||
self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].name,
|
||||
'trusted-secret')
|
||||
|
@ -697,15 +697,15 @@ class TestJob(BaseTestCase):
|
|||
"Project project2 is not allowed to run job job"):
|
||||
item.freezeJobGraph()
|
||||
|
||||
def test_job_pipeline_allow_secrets(self):
|
||||
self.pipeline.allow_secrets = False
|
||||
def test_job_pipeline_allow_untrusted_secrets(self):
|
||||
self.pipeline.post_review = False
|
||||
job = configloader.JobParser.fromYaml(self.tenant, self.layout, {
|
||||
'_source_context': self.context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'job',
|
||||
'parent': None,
|
||||
})
|
||||
job.untrusted_secrets = True
|
||||
job.post_review = True
|
||||
|
||||
self.layout.addJob(job)
|
||||
|
||||
|
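Review bot: The test is renamed to `test_job_pipeline_allow_untrusted_secrets`, which still describes the old attributes, while the body now sets only `post_review` on both the pipeline and the job. A name such as `test_job_pipeline_post_review` would match what is actually exercised.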
@ -730,7 +730,7 @@ class TestJob(BaseTestCase):
|
|||
item.current_build_set.layout = self.layout
|
||||
with testtools.ExpectedException(
|
||||
Exception,
|
||||
"Pipeline gate does not allow jobs with secrets"):
|
||||
"Pre-review pipeline gate does not allow post-review job"):
|
||||
item.freezeJobGraph()
|
||||
|
||||
|
||||
|
|
|
@ -2827,7 +2827,7 @@ class TestScheduler(ZuulTestCase):
|
|||
|
||||
self.assertHistory([])
|
||||
self.assertEqual(A.patchsets[0]['approvals'][0]['value'], "-1")
|
||||
self.assertIn('does not allow jobs with secrets',
|
||||
self.assertIn('does not allow post-review job',
|
||||
A.messages[0])
|
||||
|
||||
@simple_layout('layouts/tags.yaml')
|
||||
|
|
|
@ -369,7 +369,7 @@ class JobParser(object):
|
|||
'allowed-projects': to_list(str),
|
||||
'override-branch': str,
|
||||
'description': str,
|
||||
'untrusted-secrets': bool
|
||||
'post-review': bool
|
||||
}
|
||||
|
||||
return vs.Schema(job)
|
||||
|
@ -465,14 +465,14 @@ class JobParser(object):
|
|||
# through inheritance to ensure that we don't run this job in
|
||||
# an unsafe check pipeline.
|
||||
if secrets and not conf['_source_context'].trusted:
|
||||
job.untrusted_secrets = True
|
||||
job.post_review = True
|
||||
|
||||
if 'untrusted-secrets' in conf:
|
||||
if conf['untrusted-secrets']:
|
||||
job.untrusted_secrets = True
|
||||
if 'post-review' in conf:
|
||||
if conf['post-review']:
|
||||
job.post_review = True
|
||||
else:
|
||||
raise Exception("Once set, the untrusted_secrets "
|
||||
"attribute may not be unset")
|
||||
raise Exception("Once set, the post-review attribute "
|
||||
"may not be unset")
|
||||
|
||||
# Roles are part of the playbook context so we must establish
|
||||
# them earlier than playbooks.
|
||||
|
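Review bot: In the `if 'post-review' in conf:` block, as far as the visible lines show, the `else` branch raises "Once set, the post-review attribute may not be unset" for any explicit `post-review: false`, whether or not a parent or the secrets check ever set it. The documentation in this change lists ``false`` as the default, so a job that writes the default out explicitly gets a misleading error. Either raise only when `job.post_review` is already true at this point, or reword the message to say that ``false`` is not an accepted value.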
@ -836,7 +836,7 @@ class PipelineParser(object):
|
|||
'footer-message': str,
|
||||
'dequeue-on-new-patchset': bool,
|
||||
'ignore-dependencies': bool,
|
||||
'allow-secrets': bool,
|
||||
'post-review': bool,
|
||||
'disable-after-consecutive-failures':
|
||||
vs.All(int, vs.Range(min=1)),
|
||||
'window': window,
|
||||
|
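Review bot: `'allow-secrets'` is replaced outright in this schema, and `'untrusted-secrets'` likewise in the JobParser schema, with no alias for the old keys, so existing configuration that still uses the old names will no longer match. If that is intended on this branch, the commit message or release notes should tell operators to rename both keys, since the pipeline-side default of ``False`` means a missed rename shows up as jobs being refused.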
@ -886,7 +886,8 @@ class PipelineParser(object):
|
|||
'dequeue-on-new-patchset', True)
|
||||
pipeline.ignore_dependencies = conf.get(
|
||||
'ignore-dependencies', False)
|
||||
pipeline.allow_secrets = conf.get('allow-secrets', False)
|
||||
pipeline.post_review = conf.get(
|
||||
'post-review', False)
|
||||
|
||||
for conf_key, action in PipelineParser.reporter_actions.items():
|
||||
reporter_set = []
|
||||
|
|
|
@ -98,7 +98,7 @@ class Pipeline(object):
|
|||
self.success_message = None
|
||||
self.footer_message = None
|
||||
self.start_message = None
|
||||
self.allow_secrets = False
|
||||
self.post_review = False
|
||||
self.dequeue_on_new_patchset = True
|
||||
self.ignore_dependencies = False
|
||||
self.manager = None
|
||||
|
@ -801,7 +801,7 @@ class Job(object):
|
|||
required_projects={},
|
||||
allowed_projects=None,
|
||||
override_branch=None,
|
||||
untrusted_secrets=None,
|
||||
post_review=None,
|
||||
)
|
||||
|
||||
# These are generally internal attributes which are not
|
||||
|
@ -2322,9 +2322,9 @@ class Layout(object):
|
|||
change.project.name not in frozen_job.allowed_projects):
|
||||
raise Exception("Project %s is not allowed to run job %s" %
|
||||
(change.project.name, frozen_job.name))
|
||||
if ((not pipeline.allow_secrets) and frozen_job.untrusted_secrets):
|
||||
raise Exception("Pipeline %s does not allow jobs with "
|
||||
"secrets (job %s)" % (
|
||||
if ((not pipeline.post_review) and frozen_job.post_review):
|
||||
raise Exception("Pre-review pipeline %s does not allow "
|
||||
"post-review job %s" % (
|
||||
pipeline.name, frozen_job.name))
|
||||
job_graph.addJob(frozen_job)
|
||||
|
||||
|
|
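Review bot: The new message "Pre-review pipeline %s does not allow post-review job %s" no longer mentions secrets, yet per the JobParser hunk a job becomes post-review automatically when it uses secrets from an untrusted context. The scheduler test in this change shows this text being reported back on the change, so an author who never wrote `post-review` gets no hint why the job was refused. Consider adding the reason or a pointer to the documentation. The outer parentheses in the `if` condition are also redundant.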