From 40c535eeac5930811d6dbac2051146a53dc11991 Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos
Date: Nov 20 2017 10:45:14 +0000
Subject: Add test that validates secrets' related stuff:
- pillar/secrets/**/*.sls fileshave the #!yaml|gpg header
- no other sls has this header
- no sls that is out of pillar/secrets/**/*.sls files contains secrets
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cfec9b4..ad869cd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,6 +2,12 @@ stages:
   - test
   - deploy
 
+test_secrets:
+  stage: test
+  script: bin/test_secrets.sh
+  tags:
+    - docker
+
 test_roles:
   stage: test
   before_script:
diff --git a/bin/run_tests_locally.sh b/bin/run_tests_locally.sh
index a41e681..4f0f591 100755
--- a/bin/run_tests_locally.sh
+++ b/bin/run_tests_locally.sh
@@ -29,6 +29,7 @@ SALT_DIRS=(
   /var/cache/salt
 )
 
+bin/test_secrets.sh
 bin/test_roles.py
 bin/test_custom_grains.py
 bin/prepare_test_show_highstate_env.sh
diff --git a/bin/test_secrets.sh b/bin/test_secrets.sh
new file mode 100755
index 0000000..6fc4dc6
--- /dev/null
+++ b/bin/test_secrets.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Script that validates that the pillar/secret/*/*.sls files contain the
+# appropriate header, and that none other pillar files contain this header or
+# any secrets
+
+HEADER="#!yaml|gpg"
+
+for secret_sls in $(find pillar/secrets -name '*.sls'); do
+  if [[ $(head -n 1 $secret_sls) != "$HEADER" ]]; then
+    echo "$secret_sls is missing the \"$HEADER\" header or it is not on the first line"
+    STATUS=1
+  fi
+done
+
+for sls in $(find pillar/ -not -path 'pillar/secrets/*' -name '*.sls'); do
+  if $(grep -q "$HEADER" $sls); then
+    echo "$sls has the \"$HEADER\" header, please remove it"
+    STATUS=1
+  fi
+  if $(grep -q "BEGIN GPG MESSAGE" $sls); then
+    echo "$sls contains secrets. Please move them to pillar/secrets/${sls#*/}"
+    STATUS=1
+  fi
+done
+
+exit $STATUS
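Review bot: The secrets-leak check `grep -q "BEGIN GPG MESSAGE"` in bin/test_secrets.sh can never fire on real encrypted pillar data, because ASCII-armored GnuPG output is labelled `-----BEGIN PGP MESSAGE-----` (RFC 4880 armor header), so an encrypted blob committed outside pillar/secrets passes this test silently; the marker should be `BEGIN PGP MESSAGE`. `STATUS` is never initialised, so a clean run executes `exit` with an empty argument and returns whatever the last loop's status happened to be instead of an explicit 0 — add `STATUS=0` next to `HEADER`. The `for … in $(find …)` loops and the unquoted `$secret_sls`/`$sls` word-split on paths containing whitespace (ShellCheck SC2044/SC2086), and `if $(grep -q …)` only works because bash falls back to the substitution's exit status when the expansion yields no command (SC2091); the rewrite below addresses both while keeping the messages unchanged. The header comment also describes `pillar/secret/*/*.sls` while the find walks `pillar/secrets` recursively, so the comment should be aligned with the code.
```shell
# … unchanged: shebang and header comment …
set -euo pipefail

HEADER="#!yaml|gpg"
# Armored GnuPG output is labelled "PGP MESSAGE" (RFC 4880), never "GPG MESSAGE".
SECRET_MARKER="BEGIN PGP MESSAGE"
STATUS=0

# NUL-delimited find + read keeps paths with whitespace intact and, unlike a
# pipe into the loop, keeps STATUS in the current shell.
while IFS= read -r -d '' secret_sls; do
  if [[ "$(head -n 1 -- "$secret_sls")" != "$HEADER" ]]; then
    echo "$secret_sls is missing the \"$HEADER\" header or it is not on the first line"
    STATUS=1
  fi
done < <(find pillar/secrets -name '*.sls' -print0)

while IFS= read -r -d '' sls; do
  if grep -qF -- "$HEADER" "$sls"; then
    echo "$sls has the \"$HEADER\" header, please remove it"
    STATUS=1
  fi
  if grep -qF -- "$SECRET_MARKER" "$sls"; then
    echo "$sls contains secrets. Please move them to pillar/secrets/${sls#*/}"
    STATUS=1
  fi
done < <(find pillar/ -not -path 'pillar/secrets/*' -name '*.sls' -print0)

exit "$STATUS"
```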