Add untrusted-projects ansible test

We want to properly flex our bubblewrap implementation, this job does
so.

Change-Id: I6647d71434a8d8f6621d3fd34883683ef149775a
Signed-off-by: Paul Belanger <pabelanger@redhat.com>

tests/fixtures/config/ansible/git/common-config/playbooks/hello-post.yaml

@@ -0,0 +1,12 @@
+- hosts: all
+  tasks:
+    - name: Register hello-world.txt file.
+      stat:
+        path: "{{zuul.executor.log_root}}/hello-world.txt"
+      register: st
+
+    - name: Assert hello-world.txt file.
+      assert:
+        that:
+          - st.stat.exists
+          - st.stat.isreg

tests/fixtures/config/ansible/git/common-config/zuul.yaml

@@ -72,3 +72,7 @@
     nodes:
       - name: ubuntu-xenial
         image: ubuntu-xenial
+
+- job:
+    name: hello
+    post-run: hello-post

tests/fixtures/config/ansible/git/org_project/.zuul.yaml

@@ -2,6 +2,10 @@
     parent: python27
     name: faillocal
 
+- job:
+    parent: hello
+    name: hello-world
+
 - project:
     name: org/project
     check:
@@ -10,3 +14,4 @@
         - faillocal
         - check-vars
         - timeout
+        - hello-world

tests/fixtures/config/ansible/git/org_project/playbooks/hello-world.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  tasks:
+    - copy:
+        content: "hello world"
+        dest: "{{zuul.executor.log_root}}/hello-world.txt"

tests/unit/test_v3.py

@@ -344,6 +344,8 @@ class TestAnsible(AnsibleZuulTestCase):
         self.assertEqual(build.result, 'FAILURE')
         build = self.getJobFromHistory('check-vars')
         self.assertEqual(build.result, 'SUCCESS')
+        build = self.getJobFromHistory('hello-world')
+        self.assertEqual(build.result, 'SUCCESS')
         build = self.getJobFromHistory('python27')
         self.assertEqual(build.result, 'SUCCESS')
         flag_path = os.path.join(self.test_root, build.uuid + '.flag')

zuul/ansible/action/copy.py

@@ -25,6 +25,6 @@ class ActionModule(copy.ActionModule):
         source = self._task.args.get('src', None)
         remote_src = self._task.args.get('remote_src', False)
 
-        if not remote_src and not paths._is_safe_path(source):
+        if not remote_src and source and not paths._is_safe_path(source):
             return paths._fail_dict(source)
         return super(ActionModule, self).run(tmp, task_vars)

zuul/driver/bubblewrap/__init__.py

@@ -22,6 +22,8 @@ import pwd
 import subprocess
 import sys
 
+from six.moves import shlex_quote
+
 from zuul.driver import (Driver, WrapperInterface)
 
 
@@ -141,6 +143,9 @@ class BubblewrapDriver(Driver, WrapperInterface):
         kwargs['user_home'] = passwd.pw_dir
         command = [x.format(**kwargs) for x in bwrap_command]
 
+        self.log.debug("Bubblewrap command: %s",
+                       " ".join(shlex_quote(c) for c in command))
+
         wrapped_popen = WrappedPopen(command, passwd_r, group_r)
 
         return wrapped_popen