Move test_job_auth_inheritance to test_v3
Move this test into configuration files so that we can test the
functionality end-to-end rather than relying on internal APIs,
which change frequently.
Change-Id: If1f75cf332732af31386e597b607e45253ecee1f
diff --git a/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets-trusted-child.yaml b/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets-trusted-child.yaml
new file mode 100644
index 0000000..f679dce
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets-trusted-child.yaml
@@ -0,0 +1,2 @@
+- hosts: all
+ tasks: []
diff --git a/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets.yaml b/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets.yaml
new file mode 100644
index 0000000..f679dce
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/trusted-secrets.yaml
@@ -0,0 +1,2 @@
+- hosts: all
+ tasks: []
diff --git a/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/untrusted-secrets-trusted-child.yaml b/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/untrusted-secrets-trusted-child.yaml
new file mode 100644
index 0000000..f679dce
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/common-config/playbooks/untrusted-secrets-trusted-child.yaml
@@ -0,0 +1,2 @@
+- hosts: all
+ tasks: []
diff --git a/tests/fixtures/config/secret-inheritance/git/common-config/zuul.yaml b/tests/fixtures/config/secret-inheritance/git/common-config/zuul.yaml
new file mode 100644
index 0000000..d5fa2bc
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/common-config/zuul.yaml
@@ -0,0 +1,103 @@
+- pipeline:
+ name: check
+ manager: independent
+ trigger:
+ gerrit:
+ - event: patchset-created
+ success:
+ gerrit:
+ Verified: 1
+ failure:
+ gerrit:
+ Verified: -1
+
+- pipeline:
+ name: gate
+ manager: dependent
+ post-review: True
+ trigger:
+ gerrit:
+ - event: comment-added
+ approval:
+ - Approved: 1
+ success:
+ gerrit:
+ Verified: 2
+ submit: true
+ failure:
+ gerrit:
+ Verified: -2
+ start:
+ gerrit:
+ Verified: 0
+ precedence: high
+
+- job:
+ name: base
+ parent: null
+
+- job:
+ name: trusted-secrets
+ secrets:
+ - trusted-secret
+
+- job:
+ name: trusted-secrets-trusted-child
+ parent: trusted-secrets
+
+- job:
+ name: untrusted-secrets-trusted-child
+ parent: untrusted-secrets
+
+- project:
+ name: common-config
+ check:
+ jobs:
+ - trusted-secrets
+ - trusted-secrets-trusted-child
+ - trusted-secrets-untrusted-child
+ gate:
+ jobs:
+ - untrusted-secrets
+ - untrusted-secrets-trusted-child
+ - untrusted-secrets-untrusted-child
+
+- secret:
+ name: trusted-secret
+ data:
+ username: test-username
+ longpassword: !encrypted/pkcs1-oaep
+ - BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
+ Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
+ oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
+ gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
+ bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
+ ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
+ Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
+ 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
+ naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
+ AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
+ vIs=
+ - BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
+ Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
+ oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
+ gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
+ bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
+ ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
+ Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
+ 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
+ naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
+ AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
+ vIs=
+ password: !encrypted/pkcs1-oaep |
+ BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
+ Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
+ oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
+ gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
+ bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
+ ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
+ Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
+ 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
+ naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
+ AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
+ vIs=
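Review bot: The trust matrix this fixture exercises hinges on one uncommented line, `post-review: True` on the gate pipeline, plus which repository each job is defined in, and nothing in the file says so. A short header comment would make the intent reviewable, e.g. `# check is pre-review, gate is post-review; *-trusted-child jobs are defined here, untrusted-secrets and *-untrusted-child jobs in org/project`. A comment beside `untrusted-secrets-trusted-child` should also say that its parent comes from the untrusted repository, since that cross-repository parent is the case under test.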
diff --git a/tests/fixtures/config/secret-inheritance/git/org_project/.zuul.yaml b/tests/fixtures/config/secret-inheritance/git/org_project/.zuul.yaml
new file mode 100644
index 0000000..5eeced2
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/org_project/.zuul.yaml
@@ -0,0 +1,63 @@
+- job:
+ name: untrusted-secrets
+ secrets:
+ - untrusted-secret
+
+- job:
+ name: trusted-secrets-untrusted-child
+ parent: trusted-secrets
+
+- job:
+ name: untrusted-secrets-untrusted-child
+ parent: untrusted-secrets
+
+- project:
+ name: org/project
+ check:
+ jobs:
+ - trusted-secrets
+ - trusted-secrets-trusted-child
+ - trusted-secrets-untrusted-child
+ - untrusted-secrets
+ - untrusted-secrets-trusted-child
+ - untrusted-secrets-untrusted-child
+
+- secret:
+ name: untrusted-secret
+ data:
+ username: test-username
+ longpassword: !encrypted/pkcs1-oaep
+ - BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
+ Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
+ oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
+ gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
+ bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
+ ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
+ Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
+ 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
+ naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
+ AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
+ vIs=
+ - BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
+ Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
+ oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
+ gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
+ bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
+ ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
+ Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
+ 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
+ naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
+ AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
+ vIs=
+ password: !encrypted/pkcs1-oaep |
+ BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
+ Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
+ oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
+ gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
+ bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
+ ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
+ Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
+ 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
+ naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
+ AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
+ vIs=
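Review bot: The `untrusted-secret` data in this hunk is byte-for-byte the same ciphertext as `trusted-secret` in common-config/zuul.yaml, so both decrypt to the same plaintext and the assertions in test_v3.py can tell the two secrets apart only by name. That presumably works because the test harness uses one key pair for every project (not visible here, so confirm). If so, a regression that decrypted a secret with the wrong project's key, or delivered one project's data under the other's name, would go unnoticed. Encrypting a distinct plaintext for the untrusted secret would close that gap. At minimum add a comment such as `# same ciphertext as trusted-secret in common-config; the test key is shared across projects`.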
diff --git a/tests/fixtures/config/secret-inheritance/git/org_project/README b/tests/fixtures/config/secret-inheritance/git/org_project/README
new file mode 100644
index 0000000..9daeafb
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/org_project/README
@@ -0,0 +1 @@
+test
diff --git a/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/trusted-secrets-untrusted-child.yaml b/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/trusted-secrets-untrusted-child.yaml
new file mode 100644
index 0000000..f679dce
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/trusted-secrets-untrusted-child.yaml
@@ -0,0 +1,2 @@
+- hosts: all
+ tasks: []
diff --git a/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets-untrusted-child.yaml b/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets-untrusted-child.yaml
new file mode 100644
index 0000000..f679dce
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets-untrusted-child.yaml
@@ -0,0 +1,2 @@
+- hosts: all
+ tasks: []
diff --git a/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets.yaml b/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets.yaml
new file mode 100644
index 0000000..f679dce
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/git/org_project/playbooks/untrusted-secrets.yaml
@@ -0,0 +1,2 @@
+- hosts: all
+ tasks: []
diff --git a/tests/fixtures/config/secret-inheritance/main.yaml b/tests/fixtures/config/secret-inheritance/main.yaml
new file mode 100644
index 0000000..208e274
--- /dev/null
+++ b/tests/fixtures/config/secret-inheritance/main.yaml
@@ -0,0 +1,8 @@
+- tenant:
+ name: tenant-one
+ source:
+ gerrit:
+ config-projects:
+ - common-config
+ untrusted-projects:
+ - org/project
diff --git a/tests/unit/test_model.py b/tests/unit/test_model.py
index 27a1d98..11f4eeb 100644
--- a/tests/unit/test_model.py
+++ b/tests/unit/test_model.py
@@ -15,7 +15,6 @@
import os
import random
-from unittest import skip
import fixtures
import testtools
@@ -147,164 +146,6 @@
"Unable to modify final job"):
job.applyVariant(bad_final)
- @skip("This test relied on early-binding inheritance")
- def test_job_auth_inheritance(self):
- tenant = self.tenant
- layout = self.layout
-
- conf = yaml.safe_load('''
-- secret:
- name: trusted-secret
- data:
- username: test-username
- longpassword: !encrypted/pkcs1-oaep
- - BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
- Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
- oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
- gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
- bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
- ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
- Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
- 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
- naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
- AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
- vIs=
- - BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
- Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
- oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
- gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
- bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
- ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
- Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
- 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
- naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
- AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
- vIs=
- password: !encrypted/pkcs1-oaep |
- BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71Y
- Usi1wGZZL0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4j
- oeusC9drN3AA8a4oykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CR
- gd0QBMPl6VDoFgBPB8vxtJw+3m0rqBYZCLZgCXekqlny8s2s92nJMuUABbJOEcDRarzi
- bDsSXsfJt1y+5n7yOURsC7lovMg4GF/vCl/0YMKjBO5bpv9EM5fToeKYyPGSKQoHOnCY
- ceb3cAVcv5UawcCic8XjhEhp4K7WPdYf2HVAC/qtxhbpjTxG4U5Q/SoppOJ60WqEkQvb
- Xs6n5Dvy7xmph6GWmU/bAv3eUK3pdD3xa2Ue1lHWz3U+rsYraI+AKYsMYx3RBlfAmCeC
- 1ve2BXPrqnOo7G8tnUvfdYPbK4Aakk0ds/AVqFHEZN+S6hRBmBjLaRFWZ3QSO1NjbBxW
- naHKZYT7nkrJm8AMCgZU0ZArFLpaufKCeiK5ECSsDxic4FIsY1OkWT42qEUfL0Wd+150
- AKGNZpPJnnP3QYY4W/MWcKH/zdO400+zWN52WevbSqZy90tqKDJrBkMl1ydqbuw1E4ZH
- vIs=
-''')[0]['secret']
-
- conf['_source_context'] = self.context
- conf['_start_mark'] = self.start_mark
-
- trusted_secret = configloader.SecretParser.fromYaml(layout, conf)
- layout.addSecret(trusted_secret)
-
- conf['name'] = 'untrusted-secret'
- conf['_source_context'] = self.untrusted_context
-
- untrusted_secret = configloader.SecretParser.fromYaml(layout, conf)
- layout.addSecret(untrusted_secret)
-
- base = configloader.JobParser.fromYaml(self.tenant, self.layout, {
- '_source_context': self.context,
- '_start_mark': self.start_mark,
- 'name': 'base',
- 'parent': None,
- 'timeout': 30,
- })
- layout.addJob(base)
-
- trusted_secrets_job = configloader.JobParser.fromYaml(
- tenant, layout, {
- '_source_context': self.context,
- '_start_mark': self.start_mark,
- 'name': 'trusted-secrets',
- 'parent': 'base',
- 'timeout': 40,
- 'secrets': [
- 'trusted-secret',
- ]
- })
- layout.addJob(trusted_secrets_job)
- untrusted_secrets_job = configloader.JobParser.fromYaml(
- tenant, layout, {
- '_source_context': self.untrusted_context,
- '_start_mark': self.start_mark,
- 'name': 'untrusted-secrets',
- 'parent': 'base',
- 'timeout': 40,
- 'secrets': [
- 'untrusted-secret',
- ]
- })
- layout.addJob(untrusted_secrets_job)
- trusted_secrets_trusted_child_job = configloader.JobParser.fromYaml(
- tenant, layout, {
- '_source_context': self.context,
- '_start_mark': self.start_mark,
- 'name': 'trusted-secrets-trusted-child',
- 'parent': 'trusted-secrets',
- })
- layout.addJob(trusted_secrets_trusted_child_job)
- trusted_secrets_untrusted_child_job = configloader.JobParser.fromYaml(
- tenant, layout, {
- '_source_context': self.untrusted_context,
- '_start_mark': self.start_mark,
- 'name': 'trusted-secrets-untrusted-child',
- 'parent': 'trusted-secrets',
- })
- layout.addJob(trusted_secrets_untrusted_child_job)
- untrusted_secrets_trusted_child_job = configloader.JobParser.fromYaml(
- tenant, layout, {
- '_source_context': self.context,
- '_start_mark': self.start_mark,
- 'name': 'untrusted-secrets-trusted-child',
- 'parent': 'untrusted-secrets',
- })
- layout.addJob(untrusted_secrets_trusted_child_job)
- untrusted_secrets_untrusted_child_job = \
- configloader.JobParser.fromYaml(
- tenant, layout, {
- '_source_context': self.untrusted_context,
- '_start_mark': self.start_mark,
- 'name': 'untrusted-secrets-untrusted-child',
- 'parent': 'untrusted-secrets',
- })
- layout.addJob(untrusted_secrets_untrusted_child_job)
-
- self.assertIsNone(trusted_secrets_job.post_review)
- self.assertTrue(untrusted_secrets_job.post_review)
- self.assertIsNone(
- trusted_secrets_trusted_child_job.post_review)
- self.assertIsNone(
- trusted_secrets_untrusted_child_job.post_review)
- self.assertTrue(
- untrusted_secrets_trusted_child_job.post_review)
- self.assertTrue(
- untrusted_secrets_untrusted_child_job.post_review)
-
- self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].name,
- 'trusted-secret')
- self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].
- secret_data['longpassword'],
- 'test-passwordtest-password')
- self.assertEqual(trusted_secrets_job.implied_run[0].secrets[0].
- secret_data['password'],
- 'test-password')
- self.assertEqual(
- len(trusted_secrets_trusted_child_job.implied_run[0].secrets), 0)
- self.assertEqual(
- len(trusted_secrets_untrusted_child_job.implied_run[0].secrets), 0)
-
- self.assertEqual(untrusted_secrets_job.implied_run[0].secrets[0].name,
- 'untrusted-secret')
- self.assertEqual(
- len(untrusted_secrets_trusted_child_job.implied_run[0].secrets), 0)
- self.assertEqual(
- len(untrusted_secrets_untrusted_child_job.implied_run[0].secrets),
- 0)
-
def test_job_inheritance_job_tree(self):
tenant = model.Tenant('tenant')
layout = model.Layout(tenant)
diff --git a/tests/unit/test_v3.py b/tests/unit/test_v3.py
index 2a2a446..70b898e 100755
--- a/tests/unit/test_v3.py
+++ b/tests/unit/test_v3.py
@@ -1947,6 +1947,122 @@
self.assertHistory([])
+class TestSecretInheritance(ZuulTestCase):
+ tenant_config_file = 'config/secret-inheritance/main.yaml'
+
+ def _getSecrets(self, job, pbtype):
+ secrets = []
+ build = self.getJobFromHistory(job)
+ for pb in build.parameters[pbtype]:
+ secrets.append(pb['secrets'])
+ return secrets
+
+ def _checkTrustedSecrets(self):
+ secret = {'longpassword': 'test-passwordtest-password',
+ 'password': 'test-password',
+ 'username': 'test-username'}
+ self.assertEqual(
+ self._getSecrets('trusted-secrets', 'playbooks'),
+ [{'trusted-secret': secret}, {}])
+ self.assertEqual(
+ self._getSecrets('trusted-secrets', 'pre_playbooks'), [])
+ self.assertEqual(
+ self._getSecrets('trusted-secrets', 'post_playbooks'), [])
+
+ self.assertEqual(
+ self._getSecrets('trusted-secrets-trusted-child',
+ 'playbooks'),
+ [{}, {'trusted-secret': secret}, {}])
+ self.assertEqual(
+ self._getSecrets('trusted-secrets-trusted-child',
+ 'pre_playbooks'), [])
+ self.assertEqual(
+ self._getSecrets('trusted-secrets-trusted-child',
+ 'post_playbooks'), [])
+
+ self.assertEqual(
+ self._getSecrets('trusted-secrets-untrusted-child',
+ 'playbooks'),
+ [{}, {'trusted-secret': secret}, {}])
+ self.assertEqual(
+ self._getSecrets('trusted-secrets-untrusted-child',
+ 'pre_playbooks'), [])
+ self.assertEqual(
+ self._getSecrets('trusted-secrets-untrusted-child',
+ 'post_playbooks'), [])
+
+ def _checkUntrustedSecrets(self):
+ secret = {'longpassword': 'test-passwordtest-password',
+ 'password': 'test-password',
+ 'username': 'test-username'}
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets', 'playbooks'),
+ [{'untrusted-secret': secret}, {}])
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets', 'pre_playbooks'), [])
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets', 'post_playbooks'), [])
+
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets-trusted-child',
+ 'playbooks'),
+ [{}, {'untrusted-secret': secret}, {}])
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets-trusted-child',
+ 'pre_playbooks'), [])
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets-trusted-child',
+ 'post_playbooks'), [])
+
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets-untrusted-child',
+ 'playbooks'),
+ [{}, {'untrusted-secret': secret}, {}])
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets-untrusted-child',
+ 'pre_playbooks'), [])
+ self.assertEqual(
+ self._getSecrets('untrusted-secrets-untrusted-child',
+ 'post_playbooks'), [])
+
+ def test_trusted_secret_inheritance_check(self):
+ A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
+ self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
+ self.waitUntilSettled()
+ self.assertHistory([
+ dict(name='trusted-secrets', result='SUCCESS', changes='1,1'),
+ dict(name='trusted-secrets-trusted-child',
+ result='SUCCESS', changes='1,1'),
+ dict(name='trusted-secrets-untrusted-child',
+ result='SUCCESS', changes='1,1'),
+ ], ordered=False)
+
+ self._checkTrustedSecrets()
+
+ def test_untrusted_secret_inheritance_gate(self):
+ A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
+ A.addApproval('Code-Review', 2)
+ self.fake_gerrit.addEvent(A.addApproval('Approved', 1))
+ self.waitUntilSettled()
+ self.assertHistory([
+ dict(name='untrusted-secrets', result='SUCCESS', changes='1,1'),
+ dict(name='untrusted-secrets-trusted-child',
+ result='SUCCESS', changes='1,1'),
+ dict(name='untrusted-secrets-untrusted-child',
+ result='SUCCESS', changes='1,1'),
+ ], ordered=False)
+
+ self._checkUntrustedSecrets()
+
+ def test_untrusted_secret_inheritance_check(self):
+ A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A')
+ self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
+ self.waitUntilSettled()
+ # This configuration tries to run untrusted secrets in an
+ # non-post-review pipeline and should therefore run no jobs.
+ self.assertHistory([])
+
+
class TestSecretLeaks(AnsibleZuulTestCase):
tenant_config_file = 'config/secret-leaks/main.yaml'
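Review bot: `assertHistory([])` in `test_untrusted_secret_inheritance_check` is the only assertion on the denial path, and it passes just as well if the event was dropped or the project matched no jobs for some unrelated reason. Because this test is the one showing that an untrusted project's secret cannot run pre-review, it should also pin the reason. If the refusal is reported back to the change, add `self.assertEqual(A.reported, 1)` and `self.assertIn('<expected denial text>', A.messages[0])`, taking the placeholder text from the actual report. The comment there should read "a non-post-review pipeline" and should mention that org/project's check list also names the three trusted-secrets jobs, which the test likewise expects not to run. In `_checkTrustedSecrets` and `_checkUntrustedSecrets` the expected lists are positional, so a comment naming the playbook behind each entry would make it clear which one receives `{}`.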