From dc698d47f94a251de2c45abecacdd3ee6c3874a3 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Fri, 14 Jul 2017 12:08:00 -0500
Subject: [PATCH] Fail early if people attempt to add zuul vars or secrets

We can block this in config loading before jobs start. Leave the other validation as well to prevent jobs from passing variables as part of the return process.

Change-Id: I071a1fcd6037ab0dca78d83ff69b77907d0ccae6
---
 zuul/configloader.py | 4 ++++
 zuul/executor/server.py | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/zuul/configloader.py b/zuul/configloader.py
index c9250245eb..f175bab8d6 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -460,6 +460,8 @@ class JobParser(object):
                 else:
                     secret_name = secret_config['name']
                     secret = layout.secrets[secret_config['secret']]
+                if secret_name == 'zuul':
+                    raise Exception("Secrets named 'zuul' are not allowed.")
                 if secret.source_context != job.source_context:
                     raise Exception(
                         "Unable to use secret %s. Secrets must be "
@@ -574,6 +576,8 @@ class JobParser(object):
 
         variables = conf.get('vars', None)
         if variables:
+            if 'zuul' in variables:
+                raise Exception("Variables named 'zuul' are not allowed.")
             job.updateVariables(variables)
 
         allowed_projects = conf.get('allowed-projects', None)
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 8f4cc1d443..cb139c63ee 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -1275,6 +1275,8 @@ class AnsibleJob(object):
         secrets = playbook['secrets']
         if secrets:
             if 'zuul' in secrets:
+                # We block this in configloader, but block it here too to make
+                # sure that a job doesn't pass secrets named zuul.
                 raise Exception("Defining secrets named 'zuul' is not allowed")
             jobdir_playbook.secrets_content = yaml.safe_dump(
                 secrets, default_flow_style=False)
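Review bot: The new `if secret_name == 'zuul'` guard checks the name the secret is exposed under in the playbook, not the secret definition's own name (`secret_config['secret']`), and nothing in the hunk records why 'zuul' is reserved, so a reader has to go to the executor to learn that `zuul` is the namespace of the variables it injects. I'd add `# 'zuul' is reserved for the executor-provided zuul.* vars; check the exposed name, not the secret's own name, since that is what lands in the playbook.` above the check. The `if` branch that also assigns `secret_name` starts before the hunk, so I am inferring that the guard covers both branches only because it sits after the `else` body. The enclosing method starts and ends outside the hunk.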
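Review bot: `if 'zuul' in variables` only tests the top-level key of the job's `vars` mapping, and its message ("Variables named 'zuul' are not allowed.") differs from the executor's wording for the same rule ("Defining vars named 'zuul' is not allowed"), so users get two phrasings of one restriction depending on where it trips. I'd align the text and state the intent: `# 'zuul' is reserved for data the executor injects; the executor repeats this check.` If the schema permits `vars` to be something other than a dict (not visible here), `in` would test element membership rather than keys, which is worth confirming. The enclosing method starts and ends outside the hunk.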
@@ -1379,6 +1381,8 @@ class AnsibleJob(object):
         # TODO(mordred) Hack to work around running things with python3
         all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
         if 'zuul' in all_vars:
+            # We block this in configloader, but block it here too to make
+            # sure that a job doesn't pass variables named zuul.
             raise Exception("Defining vars named 'zuul' is not allowed")
         all_vars['zuul'] = args['zuul'].copy()
         all_vars['zuul']['executor'] = dict(
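Review bot: The added comment says this check duplicates configloader's, but the more useful thing to record is why it has to stay: the executor is the component that actually writes `all_vars` into the job, so it should not assume its input was validated upstream, and the assignment `all_vars['zuul'] = args['zuul'].copy()` two lines below would otherwise silently overwrite a job-supplied `zuul` instead of rejecting it. I'd replace the two comment lines with `# Also rejected in configloader, but the executor must not rely on upstream validation: fail loudly here rather than silently clobbering a job-supplied 'zuul' below.` Separately, `.copy()` is shallow, so any nested values under `args['zuul']` remain shared with the caller; that is harmless for the `executor` key added here but worth knowing if nested entries are ever mutated. The enclosing method starts and ends outside the hunk.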