diff --git a/tests/unit/test_v3.py b/tests/unit/test_v3.py
index 56a80181ab..252f103c9e 100644
--- a/tests/unit/test_v3.py
+++ b/tests/unit/test_v3.py
@@ -4581,6 +4581,35 @@ class TestSecretPassToParent(ZuulTestCase):
 ])
 self.assertIn('does not allow post-review', B.messages[0])
 
+ def test_secret_pass_to_parent_missing(self):
+ in_repo_conf = textwrap.dedent(
+ """
+ - job:
+ name: parent-job-without-secret
+ pre-run: playbooks/pre.yaml
+ run: playbooks/run.yaml
+ post-run: playbooks/post.yaml
+
+ - job:
+ name: test-job
+ parent: trusted-parent-job-without-secret
+ secrets:
+ - name: my_secret
+ secret: missing-secret
+ pass-to-parent: true
+
+ - project:
+ check:
+ jobs:
+ - test-job
+ """)
+ file_dict = {'zuul.yaml': in_repo_conf}
+ A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A',
+ files=file_dict)
+ self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
+ self.waitUntilSettled()
+ self.assertIn('Secret missing-secret not found', A.messages[0])
+
 def test_secret_override(self):
 # Test that secrets passed to parents don't override existing
 # secrets.
diff --git a/zuul/model.py b/zuul/model.py
index d19040bc7a..a272371fc5 100644
--- a/zuul/model.py
+++ b/zuul/model.py
@@ -1607,6 +1607,8 @@ class Job(ConfigObject):
 decrypted_secrets = []
 for secret_use in secrets_for_parents:
 secret = layout.secrets.get(secret_use.name)
+ if secret is None:
+ raise Exception("Secret %s not found" % (secret_use.name,))
 decrypted_secret = secret.decrypt(
 other.source_context.project.private_secrets_key)
 decrypted_secret.name = secret_use.alias
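Review bot: The in-repo config in `test_secret_pass_to_parent_missing` defines `parent-job-without-secret`, but `test-job` names `trusted-parent-job-without-secret` as its parent, so the first job definition looks unused here. The parent presumably comes from a fixture outside this hunk. Either drop the unused job or say why it is kept, so a reader does not mistake it for the parent under test. The neighbouring `test_secret_override` opens with a comment stating its intent; the new test would benefit from one too, for example `# Test that a pass-to-parent secret that does not exist is reported on the change.`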
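Review bot: The new guard before `secret.decrypt(` raises a bare `Exception`, which callers can only handle by catching everything. If this module has a configuration-error type (none is visible in the hunk), that would be the better fit. The message also omits which job referenced the secret; assuming `other` is the job being applied and has a `name`, `raise Exception("Secret %s not found for job %s" % (secret_use.name, other.name))` would locate the problem and still satisfy the new test's substring assertion. The test reads this text from the change's messages, so it is reported back to the change author; it should keep carrying only the secret's name, as it does now. The enclosing method starts and ends outside the hunk.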