Remove 'auth' dict from jobs
The only thing left in it is the list of secrets; just put that
on the job itself.
Change-Id: I36fb0fe1658de5b776f4843432f1c9965379a2ea
diff --git a/doc/source/user/config.rst b/doc/source/user/config.rst
index 0eb7bc7..7ccce28 100644
--- a/doc/source/user/config.rst
+++ b/doc/source/user/config.rst
@@ -667,21 +667,13 @@
are in the docs directory. A regular expression or list of
regular expressions.
- .. attr:: auth
+ .. attr:: secrets
- Authentication information to be made available to the job.
- This is a dictionary with two potential keys:
-
- .. attr:: secrets
-
- A list of secrets which may be used by the job. A
- :ref:`secret` is a named collection of private information
- defined separately in the configuration. The secrets that
- appear here must be defined in the same project as this job
- definition.
-
- In the future, other types of authentication information may
- be added.
+ A list of secrets which may be used by the job. A
+ :ref:`secret` is a named collection of private information
+ defined separately in the configuration. The secrets that
+ appear here must be defined in the same project as this job
+ definition.
.. attr:: nodes
@@ -1058,14 +1050,14 @@
unencrypted as well for convenience.
A Secret may only be used by jobs defined within the same project. To
-use a secret, a :ref:`job` must specify the secret within its `auth`
-section. Secrets are bound to the playbooks associated with the
-specific job definition where they were declared. Additional pre or
-post playbooks which appear in child jobs will not have access to the
-secrets, nor will playbooks which override the main playbook (if any)
-of the job which declared the secret. This protects against jobs in
-other repositories declaring a job with a secret as a parent and then
-exposing that secret.
+use a secret, a :ref:`job` must specify the secret in
+:attr:`job.secrets`. Secrets are bound to the playbooks associated
+with the specific job definition where they were declared. Additional
+pre or post playbooks which appear in child jobs will not have access
+to the secrets, nor will playbooks which override the main playbook
+(if any) of the job which declared the secret. This protects against
+jobs in other repositories declaring a job with a secret as a parent
+and then exposing that secret.
It is possible to use secrets for jobs defined in :term:`config
projects <config-project>` as well as :term:`untrusted projects
diff --git a/tests/fixtures/config/ansible/git/common-config/zuul.yaml b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
index c70191f..ba6227b 100644
--- a/tests/fixtures/config/ansible/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
@@ -87,9 +87,8 @@
flagpath: '{{zuul._test.test_root}}/{{zuul.build}}.flag'
roles:
- zuul: bare-role
- auth:
- secrets:
- - test_secret
+ secrets:
+ - test_secret
- job:
parent: python27
@@ -106,10 +105,9 @@
vartest_job: vartest_job
vartest_secret: vartest_job
vartest_site: vartest_job
- auth:
- secrets:
- - vartest_site
- - vartest_secret
+ secrets:
+ - vartest_site
+ - vartest_secret
- job:
parent: base-urls
diff --git a/tests/unit/test_model.py b/tests/unit/test_model.py
index 00f2592..9cc7195 100644
--- a/tests/unit/test_model.py
+++ b/tests/unit/test_model.py
@@ -410,11 +410,9 @@
'name': 'trusted-secrets',
'parent': 'base',
'timeout': 40,
- 'auth': {
- 'secrets': [
- 'trusted-secret',
- ]
- }
+ 'secrets': [
+ 'trusted-secret',
+ ]
})
layout.addJob(trusted_secrets_job)
untrusted_secrets_job = configloader.JobParser.fromYaml(
@@ -424,11 +422,9 @@
'name': 'untrusted-secrets',
'parent': 'base',
'timeout': 40,
- 'auth': {
- 'secrets': [
- 'untrusted-secret',
- ]
- }
+ 'secrets': [
+ 'untrusted-secret',
+ ]
})
layout.addJob(untrusted_secrets_job)
trusted_secrets_trusted_child_job = configloader.JobParser.fromYaml(
diff --git a/zuul/configloader.py b/zuul/configloader.py
index d453b74..708a132 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -324,10 +324,6 @@
@staticmethod
def getSchema():
- auth = {'secrets': to_list(str),
- 'inherit': bool,
- }
-
node = {vs.Required('name'): str,
vs.Required('label'): str,
}
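Review bot: The removed `auth` schema at the top of this hunk also accepted an `inherit: bool` key, so the commit drops that option as well, not only the dict wrapper the message describes. If any deployed job configuration still carries `auth:` (with or without `inherit`), it will presumably now be rejected at schema validation rather than ignored, since the key no longer exists in the job schema built further down (the `'auth': auth` → `'secrets': to_list(str)` replacement in the next hunk). That is the intended behaviour for a hard rename, but it is worth stating in the commit message, e.g. `The unused 'inherit' flag is dropped with it; existing 'auth:' stanzas must be rewritten as 'secrets:'.`, and the config.rst section could carry a one-line migration note to the same effect. The enclosing getSchema body continues past this hunk.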
@@ -355,7 +351,7 @@
'tags': to_list(str),
'branches': to_list(str),
'files': to_list(str),
- 'auth': auth,
+ 'secrets': to_list(str),
'irrelevant-files': to_list(str),
'nodes': vs.Any([node], str),
'timeout': int,
@@ -452,16 +448,15 @@
# Secrets are part of the playbook context so we must establish
# them earlier than playbooks.
secrets = []
- if 'auth' in conf:
- for secret_name in conf['auth'].get('secrets', []):
- secret = layout.secrets[secret_name]
- if secret.source_context != job.source_context:
- raise Exception(
- "Unable to use secret %s. Secrets must be "
- "defined in the same project in which they "
- "are used" % secret_name)
- secrets.append(secret.decrypt(
- job.source_context.project.private_key))
+ for secret_name in conf.get('secrets', []):
+ secret = layout.secrets[secret_name]
+ if secret.source_context != job.source_context:
+ raise Exception(
+ "Unable to use secret %s. Secrets must be "
+ "defined in the same project in which they "
+ "are used" % secret_name)
+ secrets.append(secret.decrypt(
+ job.source_context.project.private_key))
# A job in an untrusted repo that uses secrets requires
# special care. We must note this, and carry this flag