Test that secrets don't leak into logs
This executes a job which writes a secret into a file in the jobdir,
which is typical of how we would expect many jobs which use secrets
to operate.
It also executes a similar job where ansible fails to write the file,
to test that error-handling code doesn't helpfully leak the secret.
It runs both of those tests with and without '-vvv' set.
It then searches for that secret in all files in the jobdir and
ensures it doesn't show up in any unexpected files. This includes
the ansible log(s).
Change-Id: Ie6ebe301f256d20e482b5f6c64f3ce2fb2b5135d
diff --git a/tests/fixtures/config/secret-leaks/main.yaml b/tests/fixtures/config/secret-leaks/main.yaml
new file mode 100644
index 0000000..208e274
--- /dev/null
+++ b/tests/fixtures/config/secret-leaks/main.yaml
@@ -0,0 +1,8 @@
+- tenant:
+ name: tenant-one
+ source:
+ gerrit:
+ config-projects:
+ - common-config
+ untrusted-projects:
+ - org/project