Move test_job_auth_inheritance to test_v3

Move this test into configuration files so that it exercises the
functionality end-to-end rather than relying on internal APIs,
which change frequently.

Change-Id: If1f75cf332732af31386e597b607e45253ecee1f
diff --git a/tests/unit/test_v3.py b/tests/unit/test_v3.py
index 2a2a446..70b898e 100755
--- a/tests/unit/test_v3.py
+++ b/tests/unit/test_v3.py
@@ -1947,6 +1947,122 @@
         self.assertHistory([])
 
 
+class TestSecretInheritance(ZuulTestCase):
+    tenant_config_file = 'config/secret-inheritance/main.yaml'
+
+    def _getSecrets(self, job, pbtype):
+        secrets = []
+        build = self.getJobFromHistory(job)
+        for pb in build.parameters[pbtype]:
+            secrets.append(pb['secrets'])
+        return secrets
+
+    def _checkTrustedSecrets(self):
+        secret = {'longpassword': 'test-passwordtest-password',
+                  'password': 'test-password',
+                  'username': 'test-username'}
+        self.assertEqual(
+            self._getSecrets('trusted-secrets', 'playbooks'),
+            [{'trusted-secret': secret}, {}])
+        self.assertEqual(
+            self._getSecrets('trusted-secrets', 'pre_playbooks'), [])
+        self.assertEqual(
+            self._getSecrets('trusted-secrets', 'post_playbooks'), [])
+
+        self.assertEqual(
+            self._getSecrets('trusted-secrets-trusted-child',
+                             'playbooks'),
+            [{}, {'trusted-secret': secret}, {}])
+        self.assertEqual(
+            self._getSecrets('trusted-secrets-trusted-child',
+                             'pre_playbooks'), [])
+        self.assertEqual(
+            self._getSecrets('trusted-secrets-trusted-child',
+                             'post_playbooks'), [])
+
+        self.assertEqual(
+            self._getSecrets('trusted-secrets-untrusted-child',
+                             'playbooks'),
+            [{}, {'trusted-secret': secret}, {}])
+        self.assertEqual(
+            self._getSecrets('trusted-secrets-untrusted-child',
+                             'pre_playbooks'), [])
+        self.assertEqual(
+            self._getSecrets('trusted-secrets-untrusted-child',
+                             'post_playbooks'), [])
+
+    def _checkUntrustedSecrets(self):
+        secret = {'longpassword': 'test-passwordtest-password',
+                  'password': 'test-password',
+                  'username': 'test-username'}
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets', 'playbooks'),
+            [{'untrusted-secret': secret}, {}])
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets', 'pre_playbooks'), [])
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets', 'post_playbooks'), [])
+
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets-trusted-child',
+                             'playbooks'),
+            [{}, {'untrusted-secret': secret}, {}])
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets-trusted-child',
+                             'pre_playbooks'), [])
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets-trusted-child',
+                             'post_playbooks'), [])
+
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets-untrusted-child',
+                             'playbooks'),
+            [{}, {'untrusted-secret': secret}, {}])
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets-untrusted-child',
+                             'pre_playbooks'), [])
+        self.assertEqual(
+            self._getSecrets('untrusted-secrets-untrusted-child',
+                             'post_playbooks'), [])
+
+    def test_trusted_secret_inheritance_check(self):
+        A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
+        self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
+        self.waitUntilSettled()
+        self.assertHistory([
+            dict(name='trusted-secrets', result='SUCCESS', changes='1,1'),
+            dict(name='trusted-secrets-trusted-child',
+                 result='SUCCESS', changes='1,1'),
+            dict(name='trusted-secrets-untrusted-child',
+                 result='SUCCESS', changes='1,1'),
+        ], ordered=False)
+
+        self._checkTrustedSecrets()
+
+    def test_untrusted_secret_inheritance_gate(self):
+        A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
+        A.addApproval('Code-Review', 2)
+        self.fake_gerrit.addEvent(A.addApproval('Approved', 1))
+        self.waitUntilSettled()
+        self.assertHistory([
+            dict(name='untrusted-secrets', result='SUCCESS', changes='1,1'),
+            dict(name='untrusted-secrets-trusted-child',
+                 result='SUCCESS', changes='1,1'),
+            dict(name='untrusted-secrets-untrusted-child',
+                 result='SUCCESS', changes='1,1'),
+        ], ordered=False)
+
+        self._checkUntrustedSecrets()
+
+    def test_untrusted_secret_inheritance_check(self):
+        A = self.fake_gerrit.addFakeChange('org/project', 'master', 'A')
+        self.fake_gerrit.addEvent(A.getPatchsetCreatedEvent(1))
+        self.waitUntilSettled()
+        # This configuration tries to run untrusted secrets in an
+        # non-post-review pipeline and should therefore run no jobs.
+        self.assertHistory([])
+
+
 class TestSecretLeaks(AnsibleZuulTestCase):
     tenant_config_file = 'config/secret-leaks/main.yaml'
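Review bot: `test_untrusted_secret_inheritance_check` ends on `self.assertHistory([])` alone, so it also passes when the `org/project` fixture has no jobs attached to the check pipeline or the event is never enqueued, not only when the post-review restriction on untrusted secrets is what kept the jobs from running. Pairing it with a positive signal, for instance an assertion on what was reported back on change A (if this configuration reports anything), would keep the test meaningful when the fixture drifts. In `_checkTrustedSecrets` and `_checkUntrustedSecrets` every `pre_playbooks`/`post_playbooks` comparison expects `[]`, which `_getSecrets` returns only when the build has no playbooks of that type, so whether an inherited secret reaches a child's pre-run or post-run playbook is not exercised; a fixture job that declares one would cover it. The comment above the final assertion should read `a non-post-review pipeline`. `TestSecretLeaks`, which follows the added class, continues outside the hunk.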