From bd4e5a54d72eb453b1652f5dabad337311fbad23 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Wed, 1 Aug 2018 20:21:02 +1000 Subject: [PATCH] trigger-readthedocs: Move secret bits into a dict What I missed when I layed this out was that you setup a secret like - secret: name: rtd_credentials data: username: openstackci password: foo what you have in the job variables is a dictionary called "rtd_credentials". It makes it much simpler to use the role with the secret if it accepts this variable, rather than having to extract the username/password etc out of the secret dictionary into separate variables. Additionally, turn on no_log for the uri calls, to avoid potentially logging any credentials. Change-Id: I514fb1285196aae0b49a98f0efc21326730e4179 --- roles/trigger-readthedocs/README.rst | 33 ++++++++++++----------- roles/trigger-readthedocs/tasks/main.yaml | 24 ++++++++++------- 2 files changed, 32 insertions(+), 25 deletions(-) diff --git a/roles/trigger-readthedocs/README.rst b/roles/trigger-readthedocs/README.rst index 6a1e6af78..f584b5613 100644 --- a/roles/trigger-readthedocs/README.rst +++ b/roles/trigger-readthedocs/README.rst 
@@ -16,20 +16,23 @@ Trigger readthedocs build for a project This may come from a secret, however it can not be triggered without authentication. -.. zuul:rolevar:: rtd_integration_token +.. zuul:rolevar:: rtd_credentials - The webhook integration token. You'll find this value on the - project's "Integrations" dashboard page in RTD. This is expected - to come from a secret. This can be used instead of - username/password combo. - -.. zuul:rolevar:: rtd_username - - The readthedocs username. If set, this will be used to - authenticate in preference to any token set via - ``rtd_integration_token``. - -.. zuul:rolevar:: rtd_password - - Password for ``rtd_username``. Must be set if password is set. + Complex argument which contains the RTD authentication credentials. This is expected to come from a secret. + + .. zuul:rolevar:: integration_token + + The webhook integration token. You'll find this value on the + project's "Integrations" dashboard page in RTD. This can be used + instead of username/password combo. + + .. zuul:rolevar:: username + + The readthedocs username. If set, this will be used to + authenticate in preference to any token set via + ``rtd_integration_token``. + + .. zuul:rolevar:: password + + Password for ``username``. Must be set if username is set. diff --git a/roles/trigger-readthedocs/tasks/main.yaml b/roles/trigger-readthedocs/tasks/main.yaml index 181220056..4a061049d 100644 --- a/roles/trigger-readthedocs/tasks/main.yaml +++ b/roles/trigger-readthedocs/tasks/main.yaml 
@@ -5,28 +5,30 @@ - name: Check for an authentication type fail: - msg: Must set either rtd_username or rtd_integration_token - when: (rtd_username is not defined) and (rtd_integration_token is not defined) + msg: Must set either rtd_credentials.username or rtd_credentials.integration_token + when: (rtd_credentials.username is not defined) and (rtd_credentials.integration_token is not defined) -- when: rtd_username is defined +- when: rtd_credentials.username is defined block: - name: Require password fail: - msg: rtd_password is required when using rtd_username - when: rtd_password is not defined + msg: password is required when using rtd_credentials.username + when: rtd_credentials.rtd_password is not defined - name: Trigger readthedocs build webhook via authentication uri: method: POST url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/' - user: '{{ rtd_username }}' - password: '{{ rtd_password }}' + user: '{{ rtd_credentials.username }}' + password: '{{ rtd_credentials.password }}' # NOTE(ianw): testing it seems the API doesn't respond with # 401 so this is required force_basic_auth: yes + # avoid logging any credentials + no_log: true -- when: rtd_integration_token is defined and - rtd_username is not defined +- when: rtd_credentials.integration_token is defined and + rtd_credentials.username is not defined block: - name: Trigger readthedocs build webhook via token uri: @@ -34,5 +36,7 @@ url: 'https://readthedocs.org/api/v2/webhook/{{ rtd_project_name }}/{{ rtd_webhook_id }}/' body_format: form-urlencoded body: - token: '{{ rtd_integration_token }}' + token: '{{ rtd_credentials.integration_token }}' follow_redirects: all + # avoid logging any credentials + no_log: true
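Review bot: The "Require password" guard tests `rtd_credentials.rtd_password is not defined`, but the key in the secret is `password`, which is what the uri task just below reads as `rtd_credentials.password`. For a secret laid out as the commit message shows, that condition is always true, so the username/password path stops at the `fail` task and never reaches the webhook call. The line should read `when: rtd_credentials.password is not defined`. The README hunk has a similar leftover, where the `username` entry still names ``rtd_integration_token`` instead of the new `integration_token` key.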
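Review bot: `no_log: true` on this uri task, and on the basic-auth task in the previous hunk, censors the whole task result, not only the request parameters. A rejected token or a wrong `rtd_webhook_id` will therefore surface as a censored failure with no HTTP status to diagnose from. That is a reasonable trade for keeping the token out of job logs, but the comment should say so, for example `# avoid logging any credentials; this also hides the HTTP status on failure`. The task's `name` and `uri` lines sit above this hunk.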