Fail early if people attempt to add zuul vars or secrets

We can block this in config loading before jobs start. Leave the other
validation in place as well, to prevent jobs from passing such variables as
part of the return process.

Change-Id: I071a1fcd6037ab0dca78d83ff69b77907d0ccae6
Monty Taylor 5 years ago
parent 1ae9fb313a
commit dc698d47f9

@ -460,6 +460,8 @@ class JobParser(object):
secret_name = secret_config['name']
secret = layout.secrets[secret_config['secret']]
if secret_name == 'zuul':
raise Exception("Secrets named 'zuul' are not allowed.")
if secret.source_context != job.source_context:
raise Exception(
"Unable to use secret %s. Secrets must be "
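Review bot: The new error on the line after `if secret_name == 'zuul':` names neither the job nor the source context, whereas the adjacent "Unable to use secret %s" error does; with many jobs in a tenant the operator has to search for the offending definition. Since `job` is already in scope here (it is dereferenced as `job.source_context` two lines later), the message could carry the same context, e.g. `raise Exception("Secrets named 'zuul' are not allowed (job %s)." % job.name)`, assuming the job object exposes a name attribute at this point. The same applies to the vars check added in the second JobParser hunk (`"Variables named 'zuul' are not allowed."`). The enclosing method begins before this hunk and the final `raise Exception(` continues past its end.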
@ -574,6 +576,8 @@ class JobParser(object):
variables = conf.get('vars', None)
if variables:
if 'zuul' in variables:
raise Exception("Variables named 'zuul' are not allowed.")
allowed_projects = conf.get('allowed-projects', None)

@ -1275,6 +1275,8 @@ class AnsibleJob(object):
secrets = playbook['secrets']
if secrets:
if 'zuul' in secrets:
# We block this in configloader, but block it here too to make
# sure that a job doesn't pass secrets named zuul.
raise Exception("Defining secrets named 'zuul' is not allowed")
jobdir_playbook.secrets_content = yaml.safe_dump(
secrets, default_flow_style=False)
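Review bot: The comment above the new `raise` says the check duplicates the configloader one but not what the reservation protects, which is what a future maintainer tempted to remove the "redundant" executor check needs to know. Suggest extending it to state the reason, e.g. `# 'zuul' is the namespace the executor itself populates for playbooks; a job-supplied secret under that name could shadow executor-provided data, so reject it here even though configloader already does (untrusted content may reach the executor by other paths).` The four messages introduced by this commit also differ in wording ("Secrets named 'zuul' are not allowed.", "Defining secrets named 'zuul' is not allowed", and the two vars variants), which makes grepping executor and scheduler logs for the same condition harder; one phrasing for all four sites would help. The enclosing method starts before this hunk.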
@ -1379,6 +1381,8 @@ class AnsibleJob(object):
# TODO(mordred) Hack to work around running things with python3
all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
if 'zuul' in all_vars:
# We block this in configloader, but block it here too to make
# sure that a job doesn't pass variables named zuul.
raise Exception("Defining vars named 'zuul' is not allowed")
all_vars['zuul'] = args['zuul'].copy()
all_vars['zuul']['executor'] = dict(
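Review bot: The line right after the new check, `all_vars['zuul'] = args['zuul'].copy()`, unconditionally overwrites the `zuul` key, so without this guard a job-supplied `zuul` variable would have been silently discarded rather than honoured; the comment should say that this is the point of raising. Suggest replacing the two-line comment with `# 'zuul' is reserved: it is replaced below with executor-provided data, so fail loudly instead of silently dropping a job-supplied value (configloader also rejects it).` Whether `all_vars` at this point already contains every job-supplied source of variables is not visible in the hunk and would be worth confirming so the check is not bypassed by a later merge. The enclosing method begins before this hunk and the `dict(` call continues past its end.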