Disable base role testing that runs code on localhost

The workspace setup role requires local code execution on the executor. This is not allowed from an untrusted context so we disable it. The previous assertions about the zuul-cloner setup depend on the workspace setup running successfully. Disable those extra assertions. subunit fetching role assertions grepped the html file for validity on localhost. Disable this as well. Change-Id: I7449749f50b6e4a34c4615b00836a7148e01c768
2020-07-22 13:23:19 -07:00 · 2020-07-22 13:23:19 -07:00 · 44d2187e7f
commit 44d2187e7f
parent 919fe2e8a7
3 changed files with 66 additions and 55 deletions
--- a/test-playbooks/base-roles/base.yaml
+++ b/test-playbooks/base-roles/base.yaml
@ -6,7 +6,8 @@
 # Note: set-zuul-log-path-fact is tested by emit-job-header.yaml
 - import_playbook: emit-job-header.yaml
 - import_playbook: ensure-output-dirs.yaml
- import_playbook: prepare-workspace-git.yaml
+# This runs local code so cannot be tested in this way.
 # - import_playbook: prepare-workspace-git.yaml
 - import_playbook: configure-mirrors.yaml
 - import_playbook: fetch-zuul-cloner.yaml
 - import_playbook: validate-host.yaml
--- a/test-playbooks/base-roles/fetch-subunit-output.yaml
+++ b/test-playbooks/base-roles/fetch-subunit-output.yaml
@ -68,21 +68,25 @@
          - local_html_test_results is not changed
          - local_html_test_results is succeeded
    # Disabled as we cannot run shell on localhost outside of a
    # trusted context.
    # only one subunit file; the failed result should be hidden
-    - name: Check the content of the HTML file
+    # - name: Check the content of the HTML file
-      delegate_to: localhost
+    #   delegate_to: localhost
-      shell: |
+    #   shell: |
-        GLOBAL_RESULT=1
+    #     GLOBAL_RESULT=1
-        zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
+    #     zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
-            {{ zuul.executor.log_root }}/testr_results.html
+    #         {{ zuul.executor.log_root }}/testr_results.html
-        T1=$?
+    #     T1=$?
-        zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
+    #     zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
-            {{ zuul.executor.log_root }}/testr_results.html
+    #         {{ zuul.executor.log_root }}/testr_results.html
-        T2=$?
+    #     T2=$?
-        if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
+    #     if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
-            GLOBAL_RESULT=0
+    #         GLOBAL_RESULT=0
-        fi
+    #     fi
-        exit $GLOBAL_RESULT
+    #     exit $GLOBAL_RESULT
    - name: nooping task because yamllint complains about the comment above
      debug: {}
 # The following test(s) require(s) the previous playbook
 - name: Run the fetch-subunit-output role with multiple subunits
@ -113,18 +117,21 @@
          - local_subunit_file is succeeded
          - local_html_test_results is not changed
          - local_html_test_results is succeeded
-
+    # Disabled as we cannot run shell on localhost outside of a
-    - name: Check the content of the HTML file
+    # trusted context.
-      delegate_to: localhost
+    # - name: Check the content of the HTML file
-      shell: |
+    #   delegate_to: localhost
-        GLOBAL_RESULT=1
+    #   shell: |
-        zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
+    #     GLOBAL_RESULT=1
-            {{ zuul.executor.log_root }}/testr_results.html
+    #     zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
-        T1=$?
+    #         {{ zuul.executor.log_root }}/testr_results.html
-        zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
+    #     T1=$?
-            {{ zuul.executor.log_root }}/testr_results.html
+    #     zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
-        T2=$?
+    #         {{ zuul.executor.log_root }}/testr_results.html
-        if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
+    #     T2=$?
-            GLOBAL_RESULT=0
+    #     if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
-        fi
+    #         GLOBAL_RESULT=0
-        exit $GLOBAL_RESULT
+    #     fi
    #     exit $GLOBAL_RESULT
    - name: nooping task because yamllint complains about the comment above
      debug: {}
--- a/test-playbooks/base-roles/fetch-zuul-cloner.yaml
+++ b/test-playbooks/base-roles/fetch-zuul-cloner.yaml
@ -25,29 +25,32 @@
          - cloner.stat.exists
          - cloner.stat.mode == "0755"
-    - name: Zuul clone something in required-projects
+    # Disabled as this depends on running workspace setup which requires
-      shell:
+    # being able to run code on the executor from an untrusted context and
-        executable: /bin/bash
+    # this is not allowed.
-        cmd: |
+    # - name: Zuul clone something in required-projects
-          CLONEMAP=`mktemp`
+    #   shell:
-          function cleanup {
+    #     executable: /bin/bash
-              rm -f $CLONEMAP
+    #     cmd: |
-          }
+    #       CLONEMAP=`mktemp`
-          trap cleanup EXIT
+    #       function cleanup {
-          cat > $CLONEMAP << EOF
+    #           rm -f $CLONEMAP
-          clonemap:
+    #       }
-            - name: opendev/base-jobs
+    #       trap cleanup EXIT
-              dest: {{ ansible_user_dir }}
+    #       cat > $CLONEMAP << EOF
-          EOF
+    #       clonemap:
-          /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
+    #         - name: opendev/base-jobs
-              --cache-dir /opt/git https://opendev.org \
+    #           dest: {{ ansible_user_dir }}
-              opendev/base-jobs
+    #       EOF
-      register: clone_with_required
+    #       /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
    #           --cache-dir /opt/git https://opendev.org \
    #           opendev/base-jobs
    #   register: clone_with_required
-    - name: Check if repository was cloned
+    # - name: Check if repository was cloned
-      stat:
+    #   stat:
-        path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
+    #     path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
-      register: with_required_stat
+    #   register: with_required_stat
    - name: Zuul clone something not in required-projects
      shell:
@ -77,8 +80,8 @@
    - name: Validate zuul-cloner shim results
      assert:
        that:
-          - clone_with_required is succeeded
+          # - clone_with_required is succeeded
-          - clone_with_required is changed
+          # - clone_with_required is changed
-          - with_required_stat.stat.exists
+          # - with_required_stat.stat.exists
          - clone_without_required is failed
          - not without_required_stat.stat.exists