Move test_job_auth_inheritance to test_v3
Move this into configuration files so that we can test the functionality end-to-end rather than relying on internal APIs which are frequently changing. Change-Id: If1f75cf332732af31386e597b607e45253ecee1f
parent
c32a83538a
commit
df91ab36e1
@ -0,0 +1,2 @@
|
||||
- hosts: all
|
||||
tasks: []
|
2
tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets.yaml
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
- hosts: all
|
||||
tasks: []
|
@ -0,0 +1,2 @@
|
||||
- hosts: all
|
||||
tasks: []
|
103
tests/fixtures/config/secret-inheritance/git/common-config/zuul.yaml
vendored
Normal file
@ -0,0 +1,103 @@
|
||||
- pipeline:
|
||||
name: check
|
||||
manager: independent
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: patchset-created
|
||||
success:
|
||||
gerrit:
|
||||
Verified: 1
|
||||
failure:
|
||||
gerrit:
|
||||
Verified: -1
|
||||
|
||||
- pipeline:
|
||||
name: gate
|
||||
manager: dependent
|
||||
post-review: True
|
||||
trigger:
|
||||
gerrit:
|
||||
- event: comment-added
|
||||
approval:
|
||||
- Approved: 1
|
||||
success:
|
||||
gerrit:
|
||||
Verified: 2
|
||||
submit: true
|
||||
failure:
|
||||
gerrit:
|
||||
Verified: -2
|
||||
start:
|
||||
gerrit:
|
||||
Verified: 0
|
||||
precedence: high
|
||||
|
||||
- job:
|
||||
name: base
|
||||
parent: null
|
||||
|
||||
- job:
|
||||
name: trusted-secrets
|
||||
secrets:
|
||||
- trusted-secret
|
||||
|
||||
- job:
|
||||
name: trusted-secrets-trusted-child
|
||||
parent: trusted-secrets
|
||||
|
||||
- job:
|
||||
name: untrusted-secrets-trusted-child
|
||||
parent: untrusted-secrets
|
||||
|
||||
- project:
|
||||
name: common-config
|
||||
check:
|
||||
jobs:
|
||||
- trusted-secrets
|
||||
- trusted-secrets-trusted-child
|
||||
- trusted-secrets-untrusted-child
|
||||
gate:
|
||||
jobs:
|
||||
- untrusted-secrets
|
||||
- untrusted-secrets-trusted-child
|
||||
- untrusted-secrets-untrusted-child
|
||||
|
||||
- secret:
|
||||
name: trusted-secret
|
||||
data:
|
||||
username: test-username
|
||||
longpassword: !encrypted/pkcs1-oaep
|
||||
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
password: !encrypted/pkcs1-oaep |
|
||||
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
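Review bot: The `post-review: True` setting on the `gate` pipeline is what this fixture hinges on, but nothing in the file says so; `check` omits it, and the tests added in this commit expect jobs using `untrusted-secret` to run only from `gate`. I would add a comment above that line, for example `# Only pipeline allowed to run jobs that use secrets defined in untrusted projects.` A short header comment would also help, saying that the `*-trusted-child` jobs are defined in this config project and the `*-untrusted-child` jobs in org/project. The project stanza here references `trusted-secrets-untrusted-child`, `untrusted-secrets` and `untrusted-secrets-untrusted-child`, none of which is defined in this file, and without that note they read like typos.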
63
tests/fixtures/config/secret-inheritance/git/org_project/.zuul.yaml
vendored
Normal file
@ -0,0 +1,63 @@
|
||||
- job:
|
||||
name: untrusted-secrets
|
||||
secrets:
|
||||
- untrusted-secret
|
||||
|
||||
- job:
|
||||
name: trusted-secrets-untrusted-child
|
||||
parent: trusted-secrets
|
||||
|
||||
- job:
|
||||
name: untrusted-secrets-untrusted-child
|
||||
parent: untrusted-secrets
|
||||
|
||||
- project:
|
||||
name: org/project
|
||||
check:
|
||||
jobs:
|
||||
- trusted-secrets
|
||||
- trusted-secrets-trusted-child
|
||||
- trusted-secrets-untrusted-child
|
||||
- untrusted-secrets
|
||||
- untrusted-secrets-trusted-child
|
||||
- untrusted-secrets-untrusted-child
|
||||
|
||||
- secret:
|
||||
name: untrusted-secret
|
||||
data:
|
||||
username: test-username
|
||||
longpassword: !encrypted/pkcs1-oaep
|
||||
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
password: !encrypted/pkcs1-oaep |
|
||||
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
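Review bot: `untrusted-secret` carries the same `!encrypted/pkcs1-oaep` blocks, byte for byte, as `trusted-secret` in common-config/zuul.yaml, so both decrypt to the same values and the new tests compare each against an identical expected dict. The fixture therefore distinguishes the two secrets by name only, and a regression that delivered the other project's secret data under the expected name would still pass. Encrypting a distinct plaintext for this secret, and updating the expected dict in `_checkUntrustedSecrets` to match, would let the assertions tell the two apart. Identical ciphertext in both repositories also suggests the harness decrypts both projects' secrets with a single key; that is presumably deliberate for tests, but worth stating in a comment next to the secret.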
1
tests/fixtures/config/secret-inheritance/git/org_project/README
vendored
Normal file
@ -0,0 +1 @@
|
||||
test
|
@ -0,0 +1,2 @@
|
||||
- hosts: all
|
||||
tasks: []
|
@ -0,0 +1,2 @@
|
||||
- hosts: all
|
||||
tasks: []
|
2
tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets.yaml
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
- hosts: all
|
||||
tasks: []
|
8
tests/fixtures/config/secret-inheritance/main.yaml
vendored
Normal file
@ -0,0 +1,8 @@
|
||||
- tenant:
|
||||
name: tenant-one
|
||||
source:
|
||||
gerrit:
|
||||
config-projects:
|
||||
- common-config
|
||||
untrusted-projects:
|
||||
- org/project
|
@ -15,7 +15,6 @@
|
||||
|
||||
import os
|
||||
import random
|
||||
from unittest import skip
|
||||
|
||||
import fixtures
|
||||
import testtools
|
||||
@ -147,164 +146,6 @@ class TestJob(BaseTestCase):
|
||||
"Unable to modify final job"):
|
||||
job.applyVariant(bad_final)
|
||||
|
||||
@skip("This test relied on early-binding inheritance")
|
||||
def test_job_auth_inheritance(self):
|
||||
tenant = self.tenant
|
||||
layout = self.layout
|
||||
|
||||
conf = yaml.safe_load('''
|
||||
- secret:
|
||||
name: trusted-secret
|
||||
data:
|
||||
username: test-username
|
||||
longpassword: !encrypted/pkcs1-oaep
|
||||
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
password: !encrypted/pkcs1-oaep |
|
||||
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
|
||||
Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
|
||||
oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
|
||||
gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
|
||||
bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
|
||||
ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
|
||||
Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
|
||||
1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
|
||||
naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
|
||||
AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
|
||||
vIs=
|
||||
''')[0]['secret']
|
||||
|
||||
conf['_source_context'] = self.context
|
||||
conf['_start_mark'] = self.start_mark
|
||||
|
||||
trusted_secret = configloader.SecretParser.fromYaml(layout, conf)
|
||||
layout.addSecret(trusted_secret)
|
||||
|
||||
conf['name'] = 'untrusted-secret'
|
||||
conf['_source_context'] = self.untrusted_context
|
||||
|
||||
untrusted_secret = configloader.SecretParser.fromYaml(layout, conf)
|
||||
layout.addSecret(untrusted_secret)
|
||||
|
||||
base = configloader.JobParser.fromYaml(self.tenant, self.layout, {
|
||||
'_source_context': self.context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'base',
|
||||
'parent': None,
|
||||
'timeout': 30,
|
||||
})
|
||||
layout.addJob(base)
|
||||
|
||||
trusted_secrets_job = configloader.JobParser.fromYaml(
|
||||
tenant, layout, {
|
||||
'_source_context': self.context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'trusted-secrets',
|
||||
'parent': 'base',
|
||||
'timeout': 40,
|
||||
'secrets': [
|
||||
'trusted-secret',
|
||||
]
|
||||
})
|
||||
layout.addJob(trusted_secrets_job)
|
||||
untrusted_secrets_job = configloader.JobParser.fromYaml(
|
||||
tenant, layout, {
|
||||
'_source_context': self.untrusted_context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'untrusted-secrets',
|
||||
'parent': 'base',
|
||||
'timeout': 40,
|
||||
'secrets': [
|
||||
'untrusted-secret',
|
||||
]
|
||||
})
|
||||
layout.addJob(untrusted_secrets_job)
|
||||
trusted_secrets_trusted_child_job = configloader.JobParser.fromYaml(
|
||||
tenant, layout, {
|
||||
'_source_context': self.context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'trusted-secrets-trusted-child',
|
||||
'parent': 'trusted-secrets',
|
||||
})
|
||||
layout.addJob(trusted_secrets_trusted_child_job)
|
||||
trusted_secrets_untrusted_child_job = configloader.JobParser.fromYaml(
|
||||
tenant, layout, {
|
||||
'_source_context': self.untrusted_context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'trusted-secrets-untrusted-child',
|
||||
'parent': 'trusted-secrets',
|
||||
})
|
||||
layout.addJob(trusted_secrets_untrusted_child_job)
|
||||
untrusted_secrets_trusted_child_job = configloader.JobParser.fromYaml(
|
||||
tenant, layout, {
|
||||
'_source_context': self.context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'untrusted-secrets-trusted-child',
|
||||
'parent': 'untrusted-secrets',
|
||||
})
|
||||
layout.addJob(untrusted_secrets_trusted_child_job)
|
||||
untrusted_secrets_untrusted_child_job = \
|
||||
configloader.JobParser.fromYaml(
|
||||
tenant, layout, {
|
||||
'_source_context': self.untrusted_context,
|
||||
'_start_mark': self.start_mark,
|
||||
'name': 'untrusted-secrets-untrusted-child',
|
||||
'parent': 'untrusted-secrets',
|
||||
})
|
||||
layout.addJob(untrusted_secrets_untrusted_child_job)
|
||||
|
||||
self.assertIsNone(trusted_secrets_job.post_review)
|
||||
self.assertTrue(untrusted_secrets_job.post_review)
|
||||
self.assertIsNone(
|
||||
trusted_secrets_trusted_child_job.post_review)
|
||||
self.assertIsNone(
|
||||
trusted_secrets_untrusted_child_job.post_review)
|
||||
self.assertTrue(
|
||||
untrusted_secrets_trusted_child_job.post_review)
|
||||
self.assertTrue(
|
||||
untrusted_secrets_untrusted_child_job.post_review)
|
||||
|
||||
self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].name,
|
||||
'trusted-secret')
|
||||
self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].
|
||||
secret_data['longpassword'],
|
||||
'test-passwordtest-password')
|
||||
self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].
|
||||
secret_data['password'],
|
||||
'test-password')
|
||||
self.assertEqual(
|
||||
len(trusted_secrets_trusted_child_job.implied_run[0].secrets), 0)
|
||||
self.assertEqual(
|
||||
len(trusted_secrets_untrusted_child_job.implied_run[0].secrets), 0)
|
||||
|
||||
self.assertEqual(untrusted_secrets_job.implied_run[0].secrets[0].name,
|
||||
'untrusted-secret')
|
||||
self.assertEqual(
|
||||
len(untrusted_secrets_trusted_child_job.implied_run[0].secrets), 0)
|
||||
self.assertEqual(
|
||||
len(untrusted_secrets_untrusted_child_job.implied_run[0].secrets),
|
||||
0)
|
||||
|
||||
def test_job_inheritance_job_tree(self):
|
||||
tenant = model.Tenant('tenant')
|
||||
layout = model.Layout(tenant)
|
||||
|
@ -1947,6 +1947,122 @@ class TestBaseJobs(ZuulTestCase):
|
||||
self.assertHistory([])
|
||||
|
||||
|
||||
class TestSecretInheritance(ZuulTestCase):
|
||||
tenant_config_file = 'config/secret-inheritance/main.yaml'
|
||||
|
||||
def _getSecrets(self, job, pbtype):
|
||||
secrets = []
|
||||
build = self.getJobFromHistory(job)
|
||||
for pb in build.parameters[pbtype]:
|
||||
secrets.append(pb['secrets'])
|
||||
return secrets
|
||||
|
||||
def _checkTrustedSecrets(self):
|
||||
secret = {'longpassword': 'test-passwordtest-password',
|
||||
'password': 'test-password',
|
||||
'username': 'test-username'}
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets', 'playbooks'),
|
||||
[{'trusted-secret': secret}, {}])
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets', 'pre_playbooks'), [])
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets', 'post_playbooks'), [])
|
||||
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets-trusted-child',
|
||||
'playbooks'),
|
||||
[{}, {'trusted-secret': secret}, {}])
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets-trusted-child',
|
||||
'pre_playbooks'), [])
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets-trusted-child',
|
||||
'post_playbooks'), [])
|
||||
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets-untrusted-child',
|
||||
'playbooks'),
|
||||
[{}, {'trusted-secret': secret}, {}])
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets-untrusted-child',
|
||||
'pre_playbooks'), [])
|
||||
self.assertEqual(
|
||||
self._getSecrets('trusted-secrets-untrusted-child',
|
||||
'post_playbooks'), [])
|
||||
|
||||
def _checkUntrustedSecrets(self):
|
||||
secret = {'longpassword': 'test-passwordtest-password',
|
||||
'password': 'test-password',
|
||||
'username': 'test-username'}
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets', 'playbooks'),
|
||||
[{'untrusted-secret': secret}, {}])
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets', 'pre_playbooks'), [])
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets', 'post_playbooks'), [])
|
||||
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets-trusted-child',
|
||||
'playbooks'),
|
||||
[{}, {'untrusted-secret': secret}, {}])
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets-trusted-child',
|
||||
'pre_playbooks'), [])
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets-trusted-child',
|
||||
'post_playbooks'), [])
|
||||
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets-untrusted-child',
|
||||
'playbooks'),
|
||||
[{}, {'untrusted-secret': secret}, {}])
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets-untrusted-child',
|
||||
'pre_playbooks'), [])
|
||||
self.assertEqual(
|
||||
self._getSecrets('untrusted-secrets-untrusted-child',
|
||||
'post_playbooks'), [])
|
||||
|
||||
def test_trusted_secret_inheritance_check(self):
|
||||
A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
|
||||
self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
|
||||
self.waitUntilSettled()
|
||||
self.assertHistory([
|
||||
dict(name='trusted-secrets', result='SUCCESS', changes='1,1'),
|
||||
dict(name='trusted-secrets-trusted-child',
|
||||
result='SUCCESS', changes='1,1'),
|
||||
dict(name='trusted-secrets-untrusted-child',
|
||||
result='SUCCESS', changes='1,1'),
|
||||
], ordered=False)
|
||||
|
||||
self._checkTrustedSecrets()
|
||||
|
||||
def test_untrusted_secret_inheritance_gate(self):
|
||||
A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
|
||||
A.addApproval('Code-Review', 2)
|
||||
self.fake_gerrit.addEvent(A.addApproval('Approved', 1))
|
||||
self.waitUntilSettled()
|
||||
self.assertHistory([
|
||||
dict(name='untrusted-secrets', result='SUCCESS', changes='1,1'),
|
||||
dict(name='untrusted-secrets-trusted-child',
|
||||
result='SUCCESS', changes='1,1'),
|
||||
dict(name='untrusted-secrets-untrusted-child',
|
||||
result='SUCCESS', changes='1,1'),
|
||||
], ordered=False)
|
||||
|
||||
self._checkUntrustedSecrets()
|
||||
|
||||
def test_untrusted_secret_inheritance_check(self):
|
||||
A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A')
|
||||
self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
|
||||
self.waitUntilSettled()
|
||||
# This configuration tries to run untrusted secrets in an
|
||||
# non-post-review pipeline and should therefore run no jobs.
|
||||
self.assertHistory([])
|
||||
|
||||
|
||||
class TestSecretLeaks(AnsibleZuulTestCase):
|
||||
tenant_config_file = 'config/secret-leaks/main.yaml'
|
||||
|
||||
|
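Review bot: `test_untrusted_secret_inheritance_check` relies on `self.assertHistory([])` alone, and an empty history would also result if nothing was enqueued for some unrelated reason. The test therefore does not show that the jobs were refused because `check` is not a post-review pipeline. Assuming the refusal is reported back to the change, add an assertion on it, along the lines of `self.assertIn('<expected rejection text>', A.messages[0])`, with the text taken from what the scheduler actually reports. The comment above the assertion should read `# a non-post-review pipeline`. `_checkTrustedSecrets` and `_checkUntrustedSecrets` differ only in the job-name prefix and the secret name, so one helper taking those two strings would cover both; `TestSecretLeaks` continues past the end of this hunk.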