Bind secrets to their playbooks Secrets are proving less useful than originally hoped because they can not be effectively used in any jobs with untrusted children. This change binds the secrets to the playbooks which use them, so that child jobs are unable to access the secrets. This allows us to create jobs with pre/post playbooks which use secrets which are suitable for other jobs to inherit from. Change-Id: I67dd12563f3abd242d6356675afed1de0cb144cf

commit: 892cca6afa7c29757922b6ad584fcfe984cad3e3 [log] [tgz]
author: James E. Blair <jeblair@redhat.com> Wed Aug 09 11:36:58 2017 -0700
committer: James E. Blair <jeblair@redhat.com> Thu Aug 10 09:13:46 2017 -0700
tree: c9f18ca8620b5635c835012616e89cf48d25af3e
parent: ad966ccc46bcceb9c1c29da972b14dd6967ff6a4 [diff] [blame]
diff --git a/tests/unit/test_scheduler.py b/tests/unit/test_scheduler.py
index e80a30a..960a922 100755
--- a/tests/unit/test_scheduler.py
+++ b/tests/unit/test_scheduler.py

@@ -2818,6 +2818,18 @@
         self.assertEqual(B.data['status'], 'MERGED')
         self.assertEqual(B.reported, 2)
 
+    @simple_layout('layouts/untrusted-secrets.yaml')
+    def test_untrusted_secrets(self):
+        "Test untrusted secrets"
+        A = self.fake_gerrit.addFakeChange('org/project1', 'master', 'A')
+        self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
+        self.waitUntilSettled()
+
+        self.assertHistory([])
+        self.assertEqual(A.patchsets[0]['approvals'][0]['value'], "-1")
+        self.assertIn('does not allow jobs with secrets',
+                      A.messages[0])
+
     @simple_layout('layouts/tags.yaml')
     def test_tags(self):
         "Test job tags"
commit	892cca6afa7c29757922b6ad584fcfe984cad3e3	[log] [tgz]
author	James E. Blair <jeblair@redhat.com>	Wed Aug 09 11:36:58 2017 -0700
committer	James E. Blair <jeblair@redhat.com>	Thu Aug 10 09:13:46 2017 -0700
tree	c9f18ca8620b5635c835012616e89cf48d25af3e
parent	ad966ccc46bcceb9c1c29da972b14dd6967ff6a4 [diff] [blame]