Avoid leaking keys by mistake with --upload-test-report#4877
Avoid leaking keys by mistake with --upload-test-report#4877boegel merged 12 commits intoeasybuilders:developfrom
--upload-test-report#4877Conversation
|
Where the parts like for pattern in patterns[:2]:
self.assertIn(pattern, res['full'])supposed to test |
|
As suggested in #4877 (comment) |
--upload-test-reports
--upload-test-reports--upload-test-report
|
Should we also add a warning message, something like: Also, if it is possible to tell the user to check what will appear, then we could include instructions of generating a report to see what is in it. |
|
Fixed (0e29f98) the failing test that was introduced by the change at easybuild-framework/test/framework/options.py Lines 3372 to 3414 in 250d36a |
Is there a way to upload a test report of an already performed run? |
|
I am not sure the failed CI is related to this PR? |
|
Tests are taking crazy long, I think if you sync with |
Co-authored-by: ocaisa <[email protected]>
0e29f98 to
04476d3
Compare
|
Rebased onto develop |
| 'LICENSE', | ||
| 'LICENCE', | ||
| ] | ||
| DEFAULT_EXCLUDE_FROM_REPORT_RGX = [ |
There was a problem hiding this comment.
We use regex rather than rgx quite consistently across the EasyBuild codebase, so I prefer also using it here.
Also, the name of the constant should be a bit more descriptive, it's too vague/broad, so something like:
| DEFAULT_EXCLUDE_FROM_REPORT_RGX = [ | |
| DEFAULT_EXCLUDE_FROM_TEST_REPORT_VALUE_REGEX = [ |
Similar above for DEFAULT_EXCLUDE_FROM_REPORT, which I would rename to something like DEFAULT_EXCLUDE_FROM_TEST_REPORT_ENV_VAR_NAMES
Constants are here to stay, they effectively become part of the EasyBuild framework API, so we better try and make sure they have names that don't leave much room for guessing...
| _exclude_env_from_report.append(key.upper()) | ||
|
|
||
|
|
||
| def exclude_env_from_report_clear(): |
There was a problem hiding this comment.
This is only used in the tests, it's fine to twiddle with internal things there, so I wouldn't define a custom function for this, and just play with _exclude_env_from_report directly in the tests?
Likewise for exclude_env_from_report_add
|
|
||
| _log = fancylogger.getLogger('testing', fname=False) | ||
|
|
||
| _exclude_env_from_report = [] |
There was a problem hiding this comment.
It seems like the only reason that this is added is so we have something to play with in the tests?
That's a bad pattern, I think it's better pull tricks in the tests (like changing constants in place and than restoring their original value in the tearDown of the tests) rather than introducing global variables that are only there to play with in the test suite.
There was a problem hiding this comment.
My idea was for this functions to also be used outside of framework, eg for an easyblock to excluded a specific environment variable from reports that is know to contain a secret
There was a problem hiding this comment.
I am not sure if there would be a better solution to implement excluding variables on demand.
In case we want more discussion around that, i think the default excludes should be included ASAP, so i could split this PR in 2 if needed
There was a problem hiding this comment.
The fact that _exclude_env_from_report is a global variable here is a problem, since that means it'll be shared across multiple easyblocks used in a single EasyBuild session...
| environment += ["%s = %s" % (key, value)] | ||
|
|
||
| environment = list(filter( | ||
| lambda x: not any(y in x.upper() for y in DEFAULT_EXCLUDE_FROM_REPORT + _exclude_env_from_report), |
There was a problem hiding this comment.
Can't we also tackle that part above?
I.e. only add a key-value pair if the key (env var name) doesn't have a partial match with anything in DEFAULT_EXCLUDE_FROM_TEST_REPORT_ENV_VAR_NAMES?
The combination of filter with a lambda expression seems way too involved for what's going on here, I'd rather see a 2nd simple condition with a continue above?
No, there's not, but there's |
Reasoning
While setting
EASYBUILD_TEST_REPORT_ENV_FILTERis a viable option to avoid publishing sensitive info from the environment when running a build with--upload-test-report, there should be a way for easyblocks that read keys from the environment to tell easybuild what are this sensitive variables and exclude them automatically.This would guard against mistakes in
EASYBUILD_TEST_REPORT_ENV_FILTERor when requesting PR authors to make a build with--upload-test-reportwhen the reviewer does not have access to a key for testing.The changes in this PRs will make it much more difficult to leak private keys/secrets from the environment when running a build with
--upload-test-reportChanges introduced
exclude_env_from_report_addto add a string pattern to be excluded from reportsexclude_env_from_report_clearto clear the custom list of patterns to be excluded (does not modify the default listPossible list of missing improvements
Possible unexpected behavior
Right now the Environment variable is excluded from all reports.
Another possibility would be to exclude it only from uploaded gists.