Test that secrets don't leak into logs

This executes a job which writes a secret into a file in the jobdir,
which is typical of how we would expect many jobs which use secrets
to operate.

It also executes a similar job where ansible fails to write the file,
to test that error-handling code doesn't helpfully leak the secret.

It runs both of those tests with and without '-vvv' set.

It then searches for that secret in all files in the jobdir and
ensures it doesn't show up in any unexpected files.  This includes
the ansible log(s).

Change-Id: Ie6ebe301f256d20e482b5f6c64f3ce2fb2b5135d
diff --git a/tests/fixtures/config/secret-leaks/main.yaml b/tests/fixtures/config/secret-leaks/main.yaml
new file mode 100644
index 0000000..208e274
--- /dev/null
+++ b/tests/fixtures/config/secret-leaks/main.yaml
@@ -0,0 +1,8 @@
+- tenant:
+    name: tenant-one
+    source:
+      gerrit:
+        config-projects:
+          - common-config
+        untrusted-projects:
+          - org/project
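Review bot: The new fixture tests/fixtures/config/secret-leaks/main.yaml carries no comment saying what it is for; a one-line YAML comment above `- tenant:` naming the secret-leak test that consumes it would help anyone reading the fixture on its own. It would also be worth stating there whether the secret is expected to be defined in common-config (the config project) or in org/project (the untrusted project), since the commit message does not say and this hunk lists both. The commit message describes four runs (write succeeds and write fails, each with and without '-vvv'); nothing in this hunk distinguishes them, so please confirm that all four are meant to share this single tenant layout.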