From 44d2187e7fcea0683c75db530458088b8371bb4e Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 22 Jul 2020 13:23:19 -0700 Subject: [PATCH] Disable base role testing that runs code on localhost The workspace setup role requires local code execution on the executor. This is not allowed from an untrusted context so we disable it. The previous assertions about the zuul-cloner setup depend on the workspace setup running successfully. Disable those extra assertions. subunit fetching role assertions grepped the html file for validity on localhost. Disable this as well. Change-Id: I7449749f50b6e4a34c4615b00836a7148e01c768
---
 test-playbooks/base-roles/base.yaml | 3 +- .../base-roles/fetch-subunit-output.yaml | 65 ++++++++++--------- .../base-roles/fetch-zuul-cloner.yaml | 53 ++++++++------- 3 files changed, 66 insertions(+), 55 deletions(-)
diff --git a/test-playbooks/base-roles/base.yaml b/test-playbooks/base-roles/base.yaml
index d760f4af6..24813285f 100644
--- a/test-playbooks/base-roles/base.yaml
+++ b/test-playbooks/base-roles/base.yaml
@@ -6,7 +6,8 @@
 # Note: set-zuul-log-path-fact is tested by emit-job-header.yaml
 - import_playbook: emit-job-header.yaml
 - import_playbook: ensure-output-dirs.yaml
-- import_playbook: prepare-workspace-git.yaml
+# This runs local code so cannot be tested in this way.
+# - import_playbook: prepare-workspace-git.yaml
 - import_playbook: configure-mirrors.yaml
 - import_playbook: fetch-zuul-cloner.yaml
 - import_playbook: validate-host.yaml
diff --git a/test-playbooks/base-roles/fetch-subunit-output.yaml b/test-playbooks/base-roles/fetch-subunit-output.yaml
index 0f1665420..0851603f3 100644
--- a/test-playbooks/base-roles/fetch-subunit-output.yaml
+++ b/test-playbooks/base-roles/fetch-subunit-output.yaml
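Review bot: In base.yaml the import of `prepare-workspace-git.yaml` is commented out with no pointer to where that role is exercised instead, so as far as this hunk shows the role loses its coverage in the base-roles test playbook. Refusing to run commands on the executor from an untrusted playbook is the right boundary, but the comment should record the result as a tracked gap rather than a permanent state, for example `# TODO: prepare-workspace-git runs commands on the executor, which untrusted playbooks may not do; re-enable once it can be tested from a trusted context.` Deleting the line instead of commenting it out would also be fine, since git history keeps it.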
@@ -68,21 +68,25 @@ - local_html_test_results is not changed - local_html_test_results is succeeded + # Disabled as we cannot run shell on localhost outside of a + # trusted context. # only one subunit file; the failed result should be hidden - - name: Check the content of the HTML file - delegate_to: localhost - shell: | - GLOBAL_RESULT=1 - zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ - {{ zuul.executor.log_root }}/testr_results.html - T1=$? - zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ - {{ zuul.executor.log_root }}/testr_results.html - T2=$? - if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then - GLOBAL_RESULT=0 - fi - exit $GLOBAL_RESULT + # - name: Check the content of the HTML file + # delegate_to: localhost + # shell: | + # GLOBAL_RESULT=1 + # zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ + # {{ zuul.executor.log_root }}/testr_results.html + # T1=$? + # zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ + # {{ zuul.executor.log_root }}/testr_results.html + # T2=$? + # if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then + # GLOBAL_RESULT=0 + # fi + # exit $GLOBAL_RESULT + - name: nooping task because yamllint complains about the comment above + debug: {} # The following test(s) require(s) the previous playbook - name: Run the fetch-subunit-output role with multiple subunits 
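Review bot: Commenting out `Check the content of the HTML file` removes the only visible assertion on what `testr_results.html` contains, so a regression in how failed results are hidden or shown would now pass; the same applies to the second hunk at `-113,18`. The asserts left in the hunk context only check that the registered `local_*` results are unchanged and succeeded, and the enclosing play starts outside the hunk. If the generated HTML is also present on the test node (not visible here), the same `zgrep` checks could run there without `delegate_to: localhost`, which stays within what an untrusted job may do. Separately, the `debug: {}` task exists only to quiet yamllint about the commented block; deleting the dead task and keeping the two-line explanation would avoid the placeholder.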
@@ -113,18 +117,21 @@ - local_subunit_file is succeeded - local_html_test_results is not changed - local_html_test_results is succeeded - - - name: Check the content of the HTML file - delegate_to: localhost - shell: | - GLOBAL_RESULT=1 - zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ - {{ zuul.executor.log_root }}/testr_results.html - T1=$? - zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ - {{ zuul.executor.log_root }}/testr_results.html - T2=$? - if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then - GLOBAL_RESULT=0 - fi - exit $GLOBAL_RESULT + # Disabled as we cannot run shell on localhost outside of a + # trusted context. + # - name: Check the content of the HTML file + # delegate_to: localhost + # shell: | + # GLOBAL_RESULT=1 + # zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \ + # {{ zuul.executor.log_root }}/testr_results.html + # T1=$? + # zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \ + # {{ zuul.executor.log_root }}/testr_results.html + # T2=$? + # if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then + # GLOBAL_RESULT=0 + # fi + # exit $GLOBAL_RESULT + - name: nooping task because yamllint complains about the comment above + debug: {} diff --git a/test-playbooks/base-roles/fetch-zuul-cloner.yaml b/test-playbooks/base-roles/fetch-zuul-cloner.yaml index 55dcc9153..425481368 100644 --- a/test-playbooks/base-roles/fetch-zuul-cloner.yaml +++ b/test-playbooks/base-roles/fetch-zuul-cloner.yaml 
@@ -25,29 +25,32 @@ - cloner.stat.exists - cloner.stat.mode == "0755" - - name: Zuul clone something in required-projects - shell: - executable: /bin/bash - cmd: | - CLONEMAP=`mktemp` - function cleanup { - rm -f $CLONEMAP - } - trap cleanup EXIT - cat > $CLONEMAP << EOF - clonemap: - - name: opendev/base-jobs - dest: {{ ansible_user_dir }} - EOF - /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \ - --cache-dir /opt/git https://opendev.org \ - opendev/base-jobs - register: clone_with_required + # Disabled as this depends on running workspace setup which requires + # being able to run code on the executor from an untrusted context and + # this is not allowed. + # - name: Zuul clone something in required-projects + # shell: + # executable: /bin/bash + # cmd: | + # CLONEMAP=`mktemp` + # function cleanup { + # rm -f $CLONEMAP + # } + # trap cleanup EXIT + # cat > $CLONEMAP << EOF + # clonemap: + # - name: opendev/base-jobs + # dest: {{ ansible_user_dir }} + # EOF + # /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \ + # --cache-dir /opt/git https://opendev.org \ + # opendev/base-jobs + # register: clone_with_required - - name: Check if repository was cloned - stat: - path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs" - register: with_required_stat + # - name: Check if repository was cloned + # stat: + # path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs" + # register: with_required_stat - name: Zuul clone something not in required-projects shell: @@ -77,8 +80,8 @@ - name: Validate zuul-cloner shim results assert: that: - - clone_with_required is succeeded - - clone_with_required is changed - - with_required_stat.stat.exists + # - clone_with_required is succeeded + # - clone_with_required is changed + # - with_required_stat.stat.exists - clone_without_required is failed - not without_required_stat.stat.exists
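Review bot: With the `clone_with_required` and `with_required_stat` assertions commented out in the second hunk, `Validate zuul-cloner shim results` only asserts that a clone fails and that no directory appears, so a shim that fails for every project would still pass. The earlier stat check (exists, mode `0755`) does not show that the shim can clone anything. Consider narrowing the negative check to the expected refusal by asserting on the registered result's return code or message rather than only `is failed`, and state the limitation above the assert, e.g. `# Only the negative path is covered; the positive clone needs workspace setup, which is disabled here.` The commented-out tasks in the first hunk could simply be deleted, since the commit message already explains why they were removed.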