Merge "Rename allow-secrets to post-review" into feature/zuulv3
diff --git a/doc/source/user/config.rst b/doc/source/user/config.rst
index 4898e17..7ff7106 100644
--- a/doc/source/user/config.rst
+++ b/doc/source/user/config.rst
@@ -184,19 +184,19 @@
For more detail on the theory and operation of Zuul's
dependent pipeline manager, see: :doc:`gating`.
- .. attr:: allow-secrets
+ .. attr:: post-review
:default: false
- This is a boolean which can be used to prevent jobs which use
- secrets in the untrusted security context from running in this
- pipeline. Some pipelines run on proposed changes and therefore
- execute code which has not yet been reviewed. In such a case,
- allowing a job to use a secret could result in that secret being
- exposed. The default is ``false``, meaning that in order to run
- jobs which use secrets in the untrusted security context, this
- must be explicitly enabled on each Pipeline where that is safe.
+ This is a boolean which indicates that this pipeline executes
+ code that has been reviewed. Some jobs perform actions which
+ should not be permitted with unreviewed code. When this value
+ is ``false`` those jobs will not be permitted to run in the
+ pipeline. If a pipeline is designed only to be used after
+ changes are reviewed or merged, set this value to ``true`` to
+ permit such jobs.
- For more information, see :ref:`secret`.
+ For more information, see :ref:`secret` and
+ :attr:`job.post-review`.
.. attr:: description
@@ -895,16 +895,18 @@
it should be able to run this job, then it must be explicitly
listed. By default, all projects may use the job.
- .. attr:: untrusted-secrets
+ .. attr:: post-review
+ :default: false
- A boolean value which indicates that this job should not be used
- in a pipeline where allow-secrets is ``false``. This is
- automatically set to ``true`` if this job is defined in a
- :term:`untrusted-project`. It may be explicitly set to obtain
- the same behavior for jobs defined in :term:`config projects
- <config-project>`. Once this is set to ``true`` anywhere in the
- inheritance hierarchy for a job, it will remain set for all
- child jobs and variants (it can not be set to ``false``).
+ A boolean value which indicates whether this job may only be
+ used in pipelines where :attr:`pipeline.post-review` is
+ ``true``. This is automatically set to ``true`` if this job is
+ defined in a :term:`untrusted-project`. It may be explicitly
+ set to obtain the same behavior for jobs defined in
+ :term:`config projects <config-project>`. Once this is set to
+ ``true`` anywhere in the inheritance hierarchy for a job, it
+ will remain set for all child jobs and variants (it can not be
+ set to ``false``).
.. _project:
@@ -1078,12 +1080,19 @@
untrusted project are run in the :term:`untrusted execution context`
where proposed changes are used in job execution, it is dangerous to
allow those secrets to be used in pipelines which are used to execute
-proposed but unreviewed changes. By default, pipelines will refuse to
-run jobs which have playbooks that use secrets in the untrusted
-execution context to protect against someone proposing a change which
-exposes a secret. To permit this (for instance, in a pipeline which
-only runs after code review), the :attr:`pipeline.allow-secrets`
-attribute may be set.
+proposed but unreviewed changes. By default, pipelines are considered
+`pre-review` and will refuse to run jobs which have playbooks that use
+secrets in the untrusted execution context to protect against someone
+proposing a change which exposes a secret. To permit this (for
+instance, in a pipeline which only runs after code review), the
+:attr:`pipeline.post-review` attribute may be explicitly set to
+``true``.
+
+In some cases, it may be desirable to prevent a job which is defined
+in a config project from running in a pre-review pipeline (e.g., a job
+used to publish an artifact). In these cases, the
+:attr:`job.post-review` attribute may be explicitly set to ``true`` to
+indicate the job should only run in post-review pipelines.
If a job with secrets is unsafe to be used by other projects, the
`allowed-projects` job attribute can be used to restrict the projects
diff --git a/tests/fixtures/config/ansible/git/common-config/zuul.yaml b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
index ba6227b..d90f5e2 100644
--- a/tests/fixtures/config/ansible/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/data-return/git/common-config/zuul.yaml b/tests/fixtures/config/data-return/git/common-config/zuul.yaml
index 4db7eb6..906dc5b 100644
--- a/tests/fixtures/config/data-return/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/data-return/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml b/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml
index 4a13e73..893ea05 100644
--- a/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/disk-accountant/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/inventory/git/common-config/zuul.yaml b/tests/fixtures/config/inventory/git/common-config/zuul.yaml
index d2179b7..7809c5d 100644
--- a/tests/fixtures/config/inventory/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/inventory/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml b/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml
index 0a6c557..16d1966 100644
--- a/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/pre-playbook/git/common-config/zuul.yaml
@@ -1,7 +1,7 @@
- pipeline:
name: check
manager: independent
- allow-secrets: true
+ post-review: true
trigger:
gerrit:
- event: patchset-created
diff --git a/tests/fixtures/layouts/untrusted-secrets.yaml b/tests/fixtures/layouts/untrusted-secrets.yaml
index cfa03e0..b90d3d7 100644
--- a/tests/fixtures/layouts/untrusted-secrets.yaml
+++ b/tests/fixtures/layouts/untrusted-secrets.yaml
@@ -17,7 +17,7 @@
- job:
name: project1-test
- untrusted-secrets: true
+ post-review: true
- project:
name: org/project1
diff --git a/tests/unit/test_model.py b/tests/unit/test_model.py
index 9cc7195..ce30e7c 100644
--- a/tests/unit/test_model.py
+++ b/tests/unit/test_model.py
@@ -461,16 +461,16 @@
})
layout.addJob(untrusted_secrets_untrusted_child_job)
- self.assertIsNone(trusted_secrets_job.untrusted_secrets)
- self.assertTrue(untrusted_secrets_job.untrusted_secrets)
+ self.assertIsNone(trusted_secrets_job.post_review)
+ self.assertTrue(untrusted_secrets_job.post_review)
self.assertIsNone(
- trusted_secrets_trusted_child_job.untrusted_secrets)
+ trusted_secrets_trusted_child_job.post_review)
self.assertIsNone(
- trusted_secrets_untrusted_child_job.untrusted_secrets)
+ trusted_secrets_untrusted_child_job.post_review)
self.assertTrue(
- untrusted_secrets_trusted_child_job.untrusted_secrets)
+ untrusted_secrets_trusted_child_job.post_review)
self.assertTrue(
- untrusted_secrets_untrusted_child_job.untrusted_secrets)
+ untrusted_secrets_untrusted_child_job.post_review)
self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].name,
'trusted-secret')
@@ -697,15 +697,15 @@
"Project project2 is not allowed to run job job"):
item.freezeJobGraph()
- def test_job_pipeline_allow_secrets(self):
- self.pipeline.allow_secrets = False
+ def test_job_pipeline_allow_untrusted_secrets(self):
+ self.pipeline.post_review = False
job = configloader.JobParser.fromYaml(self.tenant, self.layout, {
'_source_context': self.context,
'_start_mark': self.start_mark,
'name': 'job',
'parent': None,
})
- job.untrusted_secrets = True
+ job.post_review = True
self.layout.addJob(job)
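Review bot: The new test name `test_job_pipeline_allow_untrusted_secrets` still uses the vocabulary this commit retires, while the body now sets `self.pipeline.post_review` and `job.post_review`. Naming it `def test_job_pipeline_post_review(self):` would keep the test findable next to the attribute it exercises. The test body continues past the end of this hunk.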
@@ -730,7 +730,7 @@
item.current_build_set.layout = self.layout
with testtools.ExpectedException(
Exception,
- "Pipeline gate does not allow jobs with secrets"):
+ "Pre-review pipeline gate does not allow post-review job"):
item.freezeJobGraph()
diff --git a/tests/unit/test_scheduler.py b/tests/unit/test_scheduler.py
index 960a922..97d53e0 100755
--- a/tests/unit/test_scheduler.py
+++ b/tests/unit/test_scheduler.py
@@ -2827,7 +2827,7 @@
self.assertHistory([])
self.assertEqual(A.patchsets[0]['approvals'][0]['value'], "-1")
- self.assertIn('does not allow jobs with secrets',
+ self.assertIn('does not allow post-review job',
A.messages[0])
@simple_layout('layouts/tags.yaml')
diff --git a/zuul/configloader.py b/zuul/configloader.py
index 86459b0..8b459b3 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -369,7 +369,7 @@
'allowed-projects': to_list(str),
'override-branch': str,
'description': str,
- 'untrusted-secrets': bool
+ 'post-review': bool
}
return vs.Schema(job)
@@ -465,14 +465,14 @@
# through inheritance to ensure that we don't run this job in
# an unsafe check pipeline.
if secrets and not conf['_source_context'].trusted:
- job.untrusted_secrets = True
+ job.post_review = True
- if 'untrusted-secrets' in conf:
- if conf['untrusted-secrets']:
- job.untrusted_secrets = True
+ if 'post-review' in conf:
+ if conf['post-review']:
+ job.post_review = True
else:
- raise Exception("Once set, the untrusted_secrets "
- "attribute may not be unset")
+ raise Exception("Once set, the post-review attribute "
+ "may not be unset")
# Roles are part of the playbook context so we must establish
# them earlier than playbooks.
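Review bot: An explicit `post-review: false` on a job falls into the `else` branch and is rejected with "Once set, the post-review attribute may not be unset", even when nothing was ever set (I am reading the `else` as paired with `if conf['post-review']:`, since the page has lost its indentation). The docs in this commit list `:default: false`, so writing the default out looks legitimate to a user; rejecting it is the right fail-closed choice, but the message should state the actual rule, e.g. `raise Exception("The post-review attribute may only be set to true")`. Separately, the config.rst hunk says the flag is set automatically for any job defined in an untrusted project, while `if secrets and not conf['_source_context'].trusted:` sets it only when `secrets` is also truthy, so the docs or the condition should be brought into line. The comment above still says "unsafe check pipeline" and could say "pre-review pipeline". The enclosing function starts and ends outside the hunk.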
@@ -836,7 +836,7 @@
'footer-message': str,
'dequeue-on-new-patchset': bool,
'ignore-dependencies': bool,
- 'allow-secrets': bool,
+ 'post-review': bool,
'disable-after-consecutive-failures':
vs.All(int, vs.Range(min=1)),
'window': window,
@@ -886,7 +886,8 @@
'dequeue-on-new-patchset', True)
pipeline.ignore_dependencies = conf.get(
'ignore-dependencies', False)
- pipeline.allow_secrets = conf.get('allow-secrets', False)
+ pipeline.post_review = conf.get(
+ 'post-review', False)
for conf_key, action in PipelineParser.reporter_actions.items():
reporter_set = []
diff --git a/zuul/model.py b/zuul/model.py
index cf57851..5a157bc 100644
--- a/zuul/model.py
+++ b/zuul/model.py
@@ -98,7 +98,7 @@
self.success_message = None
self.footer_message = None
self.start_message = None
- self.allow_secrets = False
+ self.post_review = False
self.dequeue_on_new_patchset = True
self.ignore_dependencies = False
self.manager = None
@@ -801,7 +801,7 @@
required_projects={},
allowed_projects=None,
override_branch=None,
- untrusted_secrets=None,
+ post_review=None,
)
# These are generally internal attributes which are not
@@ -2322,9 +2322,9 @@
change.project.name not in frozen_job.allowed_projects):
raise Exception("Project %s is not allowed to run job %s" %
(change.project.name, frozen_job.name))
- if ((not pipeline.allow_secrets) and frozen_job.untrusted_secrets):
- raise Exception("Pipeline %s does not allow jobs with "
- "secrets (job %s)" % (
+ if ((not pipeline.post_review) and frozen_job.post_review):
+ raise Exception("Pre-review pipeline %s does not allow "
+ "post-review job %s" % (
pipeline.name, frozen_job.name))
job_graph.addJob(frozen_job)
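Review bot: The `post_review` guard has no comment saying that it is the check which keeps post-review jobs (per the config loader hunk, untrusted jobs that use secrets, or jobs flagged explicitly) out of pipelines that run unreviewed changes. I would add above the `if`: `# Never run post-review jobs (e.g. untrusted jobs with secrets) on unreviewed changes; a post_review of None counts as false.` The `None` default is visible in the job attribute hunk (`post_review=None`), and `not pipeline.post_review` means a pipeline that never sets the flag fails closed. The enclosing method starts and ends outside the hunk.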