Fail early if people attempt to add zuul vars or secrets
We can block this in config loading before jobs start. Leave the other validation as well to prevent jobs from passing variables as part of the return process. Change-Id: I071a1fcd6037ab0dca78d83ff69b77907d0ccae6
parent
1ae9fb313a
commit
dc698d47f9
|
@ -460,6 +460,8 @@ class JobParser(object):
|
|||
else:
|
||||
secret_name = secret_config['name']
|
||||
secret = layout.secrets[secret_config['secret']]
|
||||
if secret_name == 'zuul':
|
||||
raise Exception("Secrets named 'zuul' are not allowed.")
|
||||
if secret.source_context != job.source_context:
|
||||
raise Exception(
|
||||
"Unable to use secret %s. Secrets must be "
|
||||
|
@ -574,6 +576,8 @@ class JobParser(object):
|
|||
|
||||
variables = conf.get('vars', None)
|
||||
if variables:
|
||||
if 'zuul' in variables:
|
||||
raise Exception("Variables named 'zuul' are not allowed.")
|
||||
job.updateVariables(variables)
|
||||
|
||||
allowed_projects = conf.get('allowed-projects', None)
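Review bot: The new `if secret_name == 'zuul':` check in the first hunk is rendered directly under the `else:` branch, after `secret = layout.secrets[secret_config['secret']]`. The page has lost indentation and the matching `if` lies outside the hunk, so it cannot be confirmed that the check also covers the other branch that assigns `secret_name`. If it is nested inside the `else:`, it should be dedented so that every form of a `secrets` entry is rejected at config load. This check and `if 'zuul' in variables:` in the second hunk both raise a bare `Exception` whose message does not say which job is at fault. Naming the job in the message, with a comment such as `# 'zuul' is reserved for the variables Zuul itself supplies to the job`, would make the rejection easier to trace.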
|
||||
|
|
|
@ -1275,6 +1275,8 @@ class AnsibleJob(object):
|
|||
secrets = playbook['secrets']
|
||||
if secrets:
|
||||
if 'zuul' in secrets:
|
||||
# We block this in configloader, but block it here too to make
|
||||
# sure that a job doesn't pass secrets named zuul.
|
||||
raise Exception("Defining secrets named 'zuul' is not allowed")
|
||||
jobdir_playbook.secrets_content = yaml.safe_dump(
|
||||
secrets, default_flow_style=False)
|
||||
|
@ -1379,6 +1381,8 @@ class AnsibleJob(object):
|
|||
# TODO(mordred) Hack to work around running things with python3
|
||||
all_vars['ansible_python_interpreter'] = '/usr/bin/python2'
|
||||
if 'zuul' in all_vars:
|
||||
# We block this in configloader, but block it here too to make
|
||||
# sure that a job doesn't pass variables named zuul.
|
||||
raise Exception("Defining vars named 'zuul' is not allowed")
|
||||
all_vars['zuul'] = args['zuul'].copy()
|
||||
all_vars['zuul']['executor'] = dict(
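Review bot: The two executor-side guards (`if 'zuul' in secrets:` and `if 'zuul' in all_vars:`) report the same condition as the config-loader checks but with different wording ("Defining secrets named 'zuul' is not allowed" versus "Secrets named 'zuul' are not allowed."). Neither message identifies the playbook or job, which makes a rejected run harder to find in executor logs. Since these are the backstop for values that arrive after config loading, use one shared wording and include the job or playbook identity in the message. The comment above `all_vars['zuul'] = args['zuul'].copy()` could also say why the key is protected, e.g. `# 'zuul' must only ever hold the values the executor sets from args['zuul']`. No test changes are visible on this page; if none exist, each guard should get a case asserting the raise, since nothing else in these hunks would catch its removal. Both enclosing methods start and end outside the hunks.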
|
||||
|
|