Revert "Disable base role testing that runs code on localhost"

We can now run untrusted code on the executor, so we can re-enable these tests. This reverts commit 44d2187e7f. Change-Id: I65960af09a3cf3da1e780a96b6d13ddba3ce73d8
2023-09-18 10:17:33 -07:00 · 2023-09-18 10:17:33 -07:00 · fbd9ba8144
commit fbd9ba8144
parent 10ffca9ba8
3 changed files with 55 additions and 66 deletions
--- a/test-playbooks/base-roles/base.yaml
+++ b/test-playbooks/base-roles/base.yaml
@ -6,8 +6,7 @@
 # Note: set-zuul-log-path-fact is tested by emit-job-header.yaml
 - import_playbook: emit-job-header.yaml
 - import_playbook: ensure-output-dirs.yaml
-# This runs local code so cannot be tested in this way.
+- import_playbook: prepare-workspace-git.yaml
 # - import_playbook: prepare-workspace-git.yaml
 - import_playbook: configure-mirrors.yaml
 - import_playbook: fetch-zuul-cloner.yaml
 - import_playbook: validate-host.yaml
--- a/test-playbooks/base-roles/fetch-subunit-output.yaml
+++ b/test-playbooks/base-roles/fetch-subunit-output.yaml
@ -68,25 +68,21 @@
          - local_html_test_results is not changed
          - local_html_test_results is succeeded
    # Disabled as we cannot run shell on localhost outside of a
    # trusted context.
    # only one subunit file; the failed result should be hidden
-    # - name: Check the content of the HTML file
+    - name: Check the content of the HTML file
-    #   delegate_to: localhost
+      delegate_to: localhost
-    #   shell: |
+      shell: |
-    #     GLOBAL_RESULT=1
+        GLOBAL_RESULT=1
-    #     zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
+        zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
-    #         {{ zuul.executor.log_root }}/testr_results.html
+            {{ zuul.executor.log_root }}/testr_results.html
-    #     T1=$?
+        T1=$?
-    #     zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
+        zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
-    #         {{ zuul.executor.log_root }}/testr_results.html
+            {{ zuul.executor.log_root }}/testr_results.html
-    #     T2=$?
+        T2=$?
-    #     if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
+        if [ ${T1} -eq 0 ] && [ ${T2} -ne 0 ]; then
-    #         GLOBAL_RESULT=0
+            GLOBAL_RESULT=0
-    #     fi
+        fi
-    #     exit $GLOBAL_RESULT
+        exit $GLOBAL_RESULT
    - name: nooping task because yamllint complains about the comment above
      debug: {}
 # The following test(s) require(s) the previous playbook
 - name: Run the fetch-subunit-output role with multiple subunits
@ -117,21 +113,18 @@
          - local_subunit_file is succeeded
          - local_html_test_results is not changed
          - local_html_test_results is succeeded
-    # Disabled as we cannot run shell on localhost outside of a
+
-    # trusted context.
+    - name: Check the content of the HTML file
-    # - name: Check the content of the HTML file
+      delegate_to: localhost
-    #   delegate_to: localhost
+      shell: |
-    #   shell: |
+        GLOBAL_RESULT=1
-    #     GLOBAL_RESULT=1
+        zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
-    #     zgrep -q -E 'subunit_tests.test_working.WorkingTest.test_success$' \
+            {{ zuul.executor.log_root }}/testr_results.html
-    #         {{ zuul.executor.log_root }}/testr_results.html
+        T1=$?
-    #     T1=$?
+        zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
-    #     zgrep -q -E 'subunit_tests.test_failing.FailingTest.test_failure.*_StringException:' \
+            {{ zuul.executor.log_root }}/testr_results.html
-    #         {{ zuul.executor.log_root }}/testr_results.html
+        T2=$?
-    #     T2=$?
+        if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
-    #     if [ ${T1} -eq 0 ] && [ ${T2} -eq 0 ]; then
+            GLOBAL_RESULT=0
-    #         GLOBAL_RESULT=0
+        fi
-    #     fi
+        exit $GLOBAL_RESULT
    #     exit $GLOBAL_RESULT
    - name: nooping task because yamllint complains about the comment above
      debug: {}
--- a/test-playbooks/base-roles/fetch-zuul-cloner.yaml
+++ b/test-playbooks/base-roles/fetch-zuul-cloner.yaml
@ -25,32 +25,29 @@
          - cloner.stat.exists
          - cloner.stat.mode == "0755"
-    # Disabled as this depends on running workspace setup which requires
+    - name: Zuul clone something in required-projects
-    # being able to run code on the executor from an untrusted context and
+      shell:
-    # this is not allowed.
+        executable: /bin/bash
-    # - name: Zuul clone something in required-projects
+        cmd: |
-    #   shell:
+          CLONEMAP=`mktemp`
-    #     executable: /bin/bash
+          function cleanup {
-    #     cmd: |
+              rm -f $CLONEMAP
-    #       CLONEMAP=`mktemp`
+          }
-    #       function cleanup {
+          trap cleanup EXIT
-    #           rm -f $CLONEMAP
+          cat > $CLONEMAP << EOF
-    #       }
+          clonemap:
-    #       trap cleanup EXIT
+            - name: opendev/base-jobs
-    #       cat > $CLONEMAP << EOF
+              dest: {{ ansible_user_dir }}
-    #       clonemap:
+          EOF
-    #         - name: opendev/base-jobs
+          /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
-    #           dest: {{ ansible_user_dir }}
+              --cache-dir /opt/git https://opendev.org \
-    #       EOF
+              opendev/base-jobs
-    #       /usr/zuul-env/bin/zuul-cloner -m $CLONEMAP \
+      register: clone_with_required
    #           --cache-dir /opt/git https://opendev.org \
    #           opendev/base-jobs
    #   register: clone_with_required
-    # - name: Check if repository was cloned
+    - name: Check if repository was cloned
-    #   stat:
+      stat:
-    #     path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
+        path: "{{ ansible_user_dir }}/src/opendev.org/opendev/base-jobs"
-    #   register: with_required_stat
+      register: with_required_stat
    - name: Zuul clone something not in required-projects
      shell:
@ -80,8 +77,8 @@
    - name: Validate zuul-cloner shim results
      assert:
        that:
-          # - clone_with_required is succeeded
+          - clone_with_required is succeeded
-          # - clone_with_required is changed
+          - clone_with_required is changed
-          # - with_required_stat.stat.exists
+          - with_required_stat.stat.exists
          - clone_without_required is failed
          - not without_required_stat.stat.exists