Reject some untrusted config objects
We do not permit pipelines to be defined in untrusted projects,
nor do we permit project definitions in untrusted project except
for the project itself. Implement checks for these cases.
Change-Id: If8ce0bf151c2755a884e1861000556ac9dd3b44d
diff --git a/tests/unit/test_v3.py b/tests/unit/test_v3.py
index 18a49db..707515a 100644
--- a/tests/unit/test_v3.py
+++ b/tests/unit/test_v3.py
@@ -328,6 +328,46 @@
self.assertIn('not permitted to shadow', A.messages[0],
"A should have a syntax error reported")
+ def test_untrusted_pipeline_error(self):
+ in_repo_conf = textwrap.dedent(
+ """
+ - pipeline:
+ name: test
+ """)
+
+ file_dict = {'.zuul.yaml': in_repo_conf}
+ A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A',
+ files=file_dict)
+ A.addApproval('code-review', 2)
+ self.fake_gerrit.addEvent(A.addApproval('approved', 1))
+ self.waitUntilSettled()
+
+ self.assertEqual(A.data['status'], 'NEW')
+ self.assertEqual(A.reported, 1,
+ "A should report failure")
+ self.assertIn('Pipelines may not be defined', A.messages[0],
+ "A should have a syntax error reported")
+
+ def test_untrusted_project_error(self):
+ in_repo_conf = textwrap.dedent(
+ """
+ - project:
+ name: org/project1
+ """)
+
+ file_dict = {'.zuul.yaml': in_repo_conf}
+ A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A',
+ files=file_dict)
+ A.addApproval('code-review', 2)
+ self.fake_gerrit.addEvent(A.addApproval('approved', 1))
+ self.waitUntilSettled()
+
+ self.assertEqual(A.data['status'], 'NEW')
+ self.assertEqual(A.reported, 1,
+ "A should report failure")
+ self.assertIn('the only project definition permitted', A.messages[0],
+ "A should have a syntax error reported")
+
class TestAnsible(AnsibleZuulTestCase):
# A temporary class to hold new tests while others are disabled