feat(execution): remove spinnaker accounts from execution context (#4656)

* feat(execution): Add a method to build AuthenticationDetails without Spinnaker accounts
* feat(execution): Add the execution.includeAllowedAccounts feature flag
  When true, includes accounts in the pipeline execution. When false, excludes them
* feat(execution): Add feature flag when building a PIPELINE ExecutionType to include or exclude the list of allowed accounts from the execution context
* test(execution): Define the behavior when building a PIPELINE ExecutionType

---------

Co-authored-by: Daniel Zheng <[email protected]>
Showing
8 changed files
with
226 additions
and
7 deletions.
|
@@ -16,13 +16,14 @@ | |
|
||
package com.netflix.spinnaker.orca.pipeline; | ||
|
||
import static org.assertj.core.api.AssertionsForClassTypes.assertThat; | ||
import static org.mockito.ArgumentMatchers.any; | ||
import static org.mockito.ArgumentMatchers.anyString; | ||
import static org.mockito.Mockito.never; | ||
import static org.mockito.Mockito.verify; | ||
import static org.mockito.Mockito.*; | ||
|
||
import com.fasterxml.jackson.databind.ObjectMapper; | ||
import com.netflix.spectator.api.Registry; | ||
import com.netflix.spinnaker.kork.common.Header; | ||
import com.netflix.spinnaker.orca.api.pipeline.models.ExecutionType; | ||
import com.netflix.spinnaker.orca.api.pipeline.models.PipelineExecution; | ||
import com.netflix.spinnaker.orca.config.ExecutionConfigurationProperties; | ||
|
@@ -31,12 +32,14 @@ | |
import java.time.Clock; | ||
import java.util.Map; | ||
import java.util.Optional; | ||
import java.util.Set; | ||
import org.junit.jupiter.api.BeforeEach; | ||
import org.junit.jupiter.api.DisplayName; | ||
import org.junit.jupiter.api.Test; | ||
import org.junit.jupiter.api.extension.ExtendWith; | ||
import org.mockito.Mock; | ||
import org.mockito.junit.jupiter.MockitoExtension; | ||
import org.slf4j.MDC; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.boot.context.properties.EnableConfigurationProperties; | ||
import org.springframework.boot.test.context.SpringBootTest; | ||
|
@@ -73,6 +76,7 @@ public void setup() { | |
clock = Clock.systemUTC(); | ||
pipelineValidator = Optional.empty(); | ||
registry = Optional.empty(); | ||
MDC.clear(); | ||
|
||
executionLauncher = | ||
new ExecutionLauncher( | ||
|
@@ -199,6 +203,135 @@ public void testOrchestrationExecutionWhenUserIsNotInAllowList() throws Exceptio | |
+ " disabled for user: [email protected]"); | ||
} | ||
|
||
@DisplayName( | ||
"when includeAllowedAccounts: true, then the orchestration should contain Spinnaker accounts") | ||
@Test | ||
public void testIncludeSpinnakerAccountsInOrchestration() throws Exception { | ||
// given | ||
MDC.put(Header.USER.getHeader(), "SpinnakerUser"); | ||
MDC.put(Header.ACCOUNTS.getHeader(), "Account1,Account2"); | ||
|
||
// override properties to allow orchestration executions | ||
ExecutionConfigurationProperties executionConfigurationProperties = | ||
new ExecutionConfigurationProperties(); | ||
executionConfigurationProperties.setBlockOrchestrationExecutions(false); | ||
executionLauncher = | ||
new ExecutionLauncher( | ||
objectMapper, | ||
executionRepository, | ||
executionRunner, | ||
clock, | ||
applicationEventPublisher, | ||
pipelineValidator, | ||
registry, | ||
executionConfigurationProperties); | ||
|
||
// when | ||
PipelineExecution pipelineExecution = | ||
executionLauncher.start( | ||
ExecutionType.ORCHESTRATION, getConfigJson("ad-hoc/deploy-manifest.json")); | ||
|
||
// then | ||
// verify that the execution runner attempted to start the execution as expected | ||
verify(executionRunner).start(pipelineExecution); | ||
// verify that accounts are set in the pipeline execution | ||
assertThat(pipelineExecution.getAuthentication().getAllowedAccounts()) | ||
.isEqualTo(Set.of("Account1", "Account2")); | ||
} | ||
|
||
@DisplayName( | ||
"when includeAllowedAccounts: false, then the orchestration should not contain Spinnaker accounts") | ||
@Test | ||
public void testExcludeSpinnakerAccountsFromOrchestration() throws Exception { | ||
// given | ||
MDC.put(Header.USER.getHeader(), "SpinnakerUser"); | ||
MDC.put(Header.ACCOUNTS.getHeader(), "Account1,Account2"); | ||
|
||
// override properties to 1. allow orchestration executions and 2. set includeAllowedAccounts to | ||
// false | ||
ExecutionConfigurationProperties executionConfigurationProperties = | ||
new ExecutionConfigurationProperties(); | ||
executionConfigurationProperties.setBlockOrchestrationExecutions(false); | ||
executionConfigurationProperties.setIncludeAllowedAccounts(false); | ||
executionLauncher = | ||
new ExecutionLauncher( | ||
objectMapper, | ||
executionRepository, | ||
executionRunner, | ||
clock, | ||
applicationEventPublisher, | ||
pipelineValidator, | ||
registry, | ||
executionConfigurationProperties); | ||
|
||
// when | ||
PipelineExecution pipelineExecution = | ||
executionLauncher.start( | ||
ExecutionType.ORCHESTRATION, getConfigJson("ad-hoc/deploy-manifest.json")); | ||
|
||
// then | ||
// verify that the execution runner attempted to start the execution as expected | ||
verify(executionRunner).start(pipelineExecution); | ||
// verify that accounts are not set in the pipeline execution | ||
assertThat(pipelineExecution.getAuthentication().getAllowedAccounts()).isEqualTo(Set.of()); | ||
} | ||
|
||
@DisplayName( | ||
"when includeAllowedAccounts: true, then the pipeline should contain Spinnaker accounts") | ||
@Test | ||
public void testIncludeSpinnakerAccountsInPipeline() throws Exception { | ||
// given | ||
MDC.put(Header.USER.getHeader(), "SpinnakerUser"); | ||
MDC.put(Header.ACCOUNTS.getHeader(), "Account1,Account2"); | ||
|
||
// when | ||
PipelineExecution pipelineExecution = | ||
executionLauncher.start( | ||
ExecutionType.PIPELINE, getConfigJson("ad-hoc/deploy-manifest.json")); | ||
|
||
// then | ||
// verify that the execution runner attempted to start the execution as expected | ||
verify(executionRunner).start(pipelineExecution); | ||
// verify that accounts are set in the pipeline execution | ||
assertThat(pipelineExecution.getAuthentication().getAllowedAccounts()) | ||
.isEqualTo(Set.of("Account1", "Account2")); | ||
} | ||
|
||
@DisplayName( | ||
"when includeAllowedAccounts: false, then the pipeline should not contain Spinnaker accounts") | ||
@Test | ||
public void testExcludeSpinnakerAccountsFromPipeline() throws Exception { | ||
// given | ||
MDC.put(Header.USER.getHeader(), "SpinnakerUser"); | ||
MDC.put(Header.ACCOUNTS.getHeader(), "Account1,Account2"); | ||
|
||
// override properties to set includeAllowedAccounts to false | ||
ExecutionConfigurationProperties executionConfigurationProperties = | ||
new ExecutionConfigurationProperties(); | ||
executionConfigurationProperties.setIncludeAllowedAccounts(false); | ||
executionLauncher = | ||
new ExecutionLauncher( | ||
objectMapper, | ||
executionRepository, | ||
executionRunner, | ||
clock, | ||
applicationEventPublisher, | ||
pipelineValidator, | ||
registry, | ||
executionConfigurationProperties); | ||
|
||
// when | ||
PipelineExecution pipelineExecution = | ||
executionLauncher.start( | ||
ExecutionType.PIPELINE, getConfigJson("ad-hoc/deploy-manifest.json")); | ||
|
||
// then | ||
// verify that the execution runner attempted to start the execution as expected | ||
verify(executionRunner).start(pipelineExecution); | ||
// verify that accounts are not set in the pipeline execution | ||
assertThat(pipelineExecution.getAuthentication().getAllowedAccounts()).isEqualTo(Set.of()); | ||
} | ||
|
||
private Map<String, Object> getConfigJson(String resource) throws Exception { | ||
return objectMapper.readValue( | ||
ExecutionLauncherTest.class.getResourceAsStream(resource), Map.class); | ||
|
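Review bot: The two exclusion tests (`testExcludeSpinnakerAccountsFromOrchestration` and `testExcludeSpinnakerAccountsFromPipeline`) assert only that `getAllowedAccounts()` is empty, so a regression that also loses the user (for example an empty authentication object) would still pass. Each test already puts `SpinnakerUser` into the MDC, so it can pin the identity too with `assertThat(pipelineExecution.getAuthentication().getUser()).isEqualTo("SpinnakerUser");`. The two inclusion tests never call `setIncludeAllowedAccounts(true)` and so depend on the property's default, which is not visible in this section; setting it explicitly would make them match their display names. `MDC.clear()` appears to be added to `setup()` only, so the user and accounts headers written by the last test stay on the thread for whatever runs next; an `@AfterEach` method calling `MDC.clear()` would contain that. The test class continues outside the shown hunks.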