Revert "Disable base role testing that runs code on localhost"

We can now run untrusted code on the executor, so we can re-enable
these tests.

This reverts commit 44d2187e7f.

Change-Id: I65960af09a3cf3da1e780a96b6d13ddba3ce73d8
James E. Blair 2023-09-18 10:17:33 -07:00
parent 10ffca9ba8
commit fbd9ba8144
3 changed files with 55 additions and 66 deletions


@ -6,8 +6,7 @@
# Note: set-zuul-log-path-fact is tested by emit-job-header.yaml
- import_playbook: emit-job-header.yaml
- import_playbook: ensure-output-dirs.yaml
# This runs local code so cannot be tested in this way.
# - import_playbook: prepare-workspace-git.yaml
- import_playbook: prepare-workspace-git.yaml
- import_playbook: configure-mirrors.yaml
- import_playbook: fetch-zuul-cloner.yaml
- import_playbook: validate-host.yaml


@ -68,25 +68,21 @@
- local_html_test_results is not changed
- local_html_test_results is succeeded
# Disabled as we cannot run shell on localhost outside of a
# trusted context.
# only one subunit file; the failed result should be hidden
# - name: Check the content of the HTML file
# delegate_to: localhost
# shell: |
# GLOBAL_RESULT=1
# zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
# {{ zuul.executor.log_root }}/testr_results.html
# T1=$?
# zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
# {{ zuul.executor.log_root }}/testr_results.html
# T2=$?
# if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
# GLOBAL_RESULT=0
# fi
# exit $GLOBAL_RESULT
- name: nooping task because yamllint complains about the comment above
debug: {}
- name: Check the content of the HTML file
delegate_to: localhost
shell: |
GLOBAL_RESULT=1
zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
{{ zuul.executor.log_root }}/testr_results.html
T1=$?
zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
{{ zuul.executor.log_root }}/testr_results.html
T2=$?
if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
GLOBAL_RESULT=0
fi
exit $GLOBAL_RESULT
# The following test(s) require(s) the previous playbook
- name: Run the fetch-subunit-output role with multiple subunits
@ -117,21 +113,18 @@
- local_subunit_file is succeeded
- local_html_test_results is not changed
- local_html_test_results is succeeded
# Disabled as we cannot run shell on localhost outside of a
# trusted context.
# - name: Check the content of the HTML file
# delegate_to: localhost
# shell: |
# GLOBAL_RESULT=1
# zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
# {{ zuul.executor.log_root }}/testr_results.html
# T1=$?
# zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
# {{ zuul.executor.log_root }}/testr_results.html
# T2=$?
# if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
# GLOBAL_RESULT=0
# fi
# exit $GLOBAL_RESULT
- name: nooping task because yamllint complains about the comment above
debug: {}
- name: Check the content of the HTML file
delegate_to: localhost
shell: |
GLOBAL_RESULT=1
zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
{{ zuul.executor.log_root }}/testr_results.html
T1=$?
zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
{{ zuul.executor.log_root }}/testr_results.html
T2=$?
if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
GLOBAL_RESULT=0
fi
exit $GLOBAL_RESULT
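Review bot: The two re-enabled `Check the content of the HTML file` tasks (one in each hunk of this file) run on the executor through `delegate_to: localhost` and place `{{ zuul.executor.log_root }}` into the shell script unquoted. The value is supplied by Zuul rather than by the job, so this is hardening rather than a known defect, but writing the path as `{{ zuul.executor.log_root | quote }}/testr_results.html` keeps it a single shell word whatever it contains. The two scripts also differ only in `[ ${T2} -ne 0 ]` versus `[ ${T2} -eq 0 ]`, and only the first carries a comment explaining why. A line such as `# multiple subunit files; the failed result should be present` above the second task would stop the difference from reading as a copy-paste slip. Both tasks sit in task lists that begin outside the hunks.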


@ -25,32 +25,29 @@
- cloner.stat.exists
- cloner.stat.mode == "0755"
# Disabled as this depends on running workspace setup which requires
# being able to run code on the executor from an untrusted context and
# this is not allowed.
# - name: Zuul clone something in required-projects
# shell:
# executable: /bin/bash
# cmd: |
# CLONEMAP=`mktemp`
# function cleanup {
# rm -f $CLONEMAP
# }
# trap cleanup EXIT
# cat > $CLONEMAP << EOF
# clonemap:
# - name: opendev/base-jobs
# dest: {{ ansible_user_dir }}
# EOF
# /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
# --cache-dir /opt/git https://opendev.org \
# opendev/base-jobs
# register: clone_with_required
- name: Zuul clone something in required-projects
shell:
executable: /bin/bash
cmd: |
CLONEMAP=`mktemp`
function cleanup {
rm -f $CLONEMAP
}
trap cleanup EXIT
cat > $CLONEMAP << EOF
clonemap:
- name: opendev/base-jobs
dest: {{ ansible_user_dir }}
EOF
/usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
--cache-dir /opt/git https://opendev.org \
opendev/base-jobs
register: clone_with_required
# - name: Check if repository was cloned
# stat:
# path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
# register: with_required_stat
- name: Check if repository was cloned
stat:
path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
register: with_required_stat
- name: Zuul clone something not in required-projects
shell:
@ -80,8 +77,8 @@
- name: Validate zuul-cloner shim results
assert:
that:
# - clone_with_required is succeeded
# - clone_with_required is changed
# - with_required_stat.stat.exists
- clone_with_required is succeeded
- clone_with_required is changed
- with_required_stat.stat.exists
- clone_without_required is failed
- not without_required_stat.stat.exists
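Review bot: In the re-enabled `Zuul clone something in required-projects` task, the here-document uses an unquoted `EOF` delimiter, so bash expands the body after Jinja has substituted `{{ ansible_user_dir }}` into it. Any `$` or backtick in that value would be expanded by the shell; `cat > "$CLONEMAP" << 'EOF'` writes the clonemap literally and also quotes the temporary file name. Separately, `clone_with_required is changed` in the final assert adds little as written, because a `shell` task reports changed whenever it runs unless `changed_when` is set. The `with_required_stat.stat.exists` check is the assertion that actually shows the clone happened. The task list this hunk belongs to begins outside the visible lines.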