only decrypt the secret when the key exists

Takashi Matsuo · Takashi Matsuo · commit 2e143a0c24fc · 2020-05-28T22:43:48.000Z
also prevents decrypt-secrets.sh to override existing files.
also stop unnecessary (and harmful) workaround.
diff --git a/.kokoro/tests/run_tests.sh b/.kokoro/tests/run_tests.sh
@@ -43,19 +43,18 @@ export PATH="${HOME}/.local/bin:${PATH}"
 # install nox for testing
 pip install --user -q nox
 
-# Use secrets acessor service account to get secrets
+# Use secrets acessor service account to get secrets.
 if [[ -f "${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" ]]; then
     gcloud auth activate-service-account \
 	   --key-file="${KOKORO_GFILE_DIR}/secrets_viewer_service_account.json" \
 	   --project="cloud-devrel-kokoro-resources"
+    # This script will create 3 files:
+    # - testing/test-env.sh
+    # - testing/service-account.json
+    # - testing/client-secrets.json
+    ./scripts/decrypt-secrets.sh
 fi
 
-# This script will create 3 files:
-# - testing/test-env.sh
-# - testing/service-account.json
-# - testing/client-secrets.json
-./scripts/decrypt-secrets.sh
-
 source ./testing/test-env.sh
 export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/testing/service-account.json
 
@@ -176,7 +175,4 @@ for file in **/requirements.txt; do
 done
 cd "$ROOT"
 
-# Workaround for Kokoro permissions issue: delete secrets
-rm testing/{test-env.sh,client-secrets.json,service-account.json}
-
 exit "$RTN"
diff --git a/scripts/decrypt-secrets.sh b/scripts/decrypt-secrets.sh
@@ -20,6 +20,14 @@ ROOT=$( dirname "$DIR" )
 # Work from the project root.
 cd $ROOT
 
+# Prevent it from overriding files.
+if [[ -f "testing/test-env.sh" ]] || \
+       [[ -f "testing/service-account.json" ]] || \
+       [[ -f "testing/client-secrets.json" ]]; then
+    echo "One or more target files exist, aborting."
+    exit 1
+fi
+
 # Use SECRET_MANAGER_PROJECT if set, fallback to cloud-devrel-kokoro-resources.
 PROJECT_ID="${SECRET_MANAGER_PROJECT:-cloud-devrel-kokoro-resources}"
 
