Merge pull request #489 from rackerlabs/bandit-fixes
fix(workflows): enable bandit on the code
nicholaskuechler authored Nov 18, 2024
2 parents 5f856fb + 8589740 commit 2eaf60b
Showing 7 changed files with 36 additions and 6 deletions.
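--- a/python/ironic-understack/pyproject.toml
+++ b/python/ironic-understack/pyproject.toml
@@ -36,3 +36,17 @@ addopts = "-ra --cov=ironic_understack"
 testpaths = [
 "tests",
 ]
+
+[tool.ruff]
+target-version = "py310"
+fix = true
+
+[tool.ruff.lint]
+select = [
+"S", # flake8-bandit
+]
+
+[tool.ruff.lint.per-file-ignores]
+"ironic_understack/tests/*.py" = [
+"S101", # allow 'assert' for pytest
+]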
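Review bot: The S101 exemption is keyed to `ironic_understack/tests/*.py`, while `testpaths` in the same file points pytest at `tests`; if the test modules live in that top-level directory, ruff will flag every `assert` in them now that `S` is selected. Either confirm the tests sit under the package directory, or key the ignore to the directory pytest collects from, e.g. `"tests/**/*.py" = ["S101"]`. Separately, `fix = true` makes every `ruff check` rewrite files by default; for a CI gate it is usually clearer to leave that out of the config and pass `--fix` locally.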
@@ -6,7 +6,7 @@
urllib3.disable_warnings()


DEFAULT_TOKEN_FILENAME = "/run/secrets/kubernetes.io/serviceaccount/token"
DEFAULT_TOKEN_FILENAME = "/run/secrets/kubernetes.io/serviceaccount/token" # noqa: S105


class ArgoClient:
@@ -42,7 +42,8 @@ def submit(
f"{self.api_url}/api/v1/workflows/{self.namespace}/submit",
headers=self.headers,
json=json_body,
verify=False,
verify=False, # noqa: S501 we should revisit this
timeout=30,
)
response.raise_for_status()
if self.logger:
@@ -68,7 +69,8 @@ def check_status(self, name: str):
f"{self.api_url}/api/v1/workflows/{self.namespace}/{name}",
headers=self.headers,
json={"fields": "status.phase"},
verify=False,
verify=False, # noqa: S501 we should revisit this
timeout=30,
)
response.raise_for_status()
return response.json()["status"]["phase"]
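Review bot: Both `verify=False` arguments (in `submit` and in `check_status`) are now silenced with `# noqa: S501` rather than fixed, and the module-level `urllib3.disable_warnings()` shown as context also hides the runtime warning, so nothing will flag that these requests do not authenticate the server. If `self.headers` carries the service-account token read from `DEFAULT_TOKEN_FILENAME` (not visible here), that token is sent to whichever endpoint answers. "we should revisit this" names no owner or tracker; I would tie the suppression to an issue, e.g. `verify=False,  # noqa: S501  TODO(<issue-id>): verify against a CA bundle`, and make the bundle path a constructor option so `verify=<ca-bundle-path>` can replace it. Both method bodies start and end outside the hunks.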
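--- a/python/neutron-understack/pyproject.toml
+++ b/python/neutron-understack/pyproject.toml
@@ -52,6 +52,7 @@ select = [
 "F", # pyflakes
 "B", # flake8-bugbear
 "I", # isort
+"S", # flake8-bandit
 "UP", # pyupgrade
 "ASYNC", # flake8-async
 ]
@@ -69,6 +70,11 @@ ignore = [
 # enable the google doc style rules by default
 convention = "google"
 
+[tool.ruff.lint.per-file-ignores]
+"neutron_understack/tests/*.py" = [
+"S311", # allow non-cryptographic secure bits for test data
+]
+
 [tool.poetry.plugins."neutron.ml2.mechanism_drivers"]
 understack = "neutron_understack.neutron_understack_mech:UnderstackDriver"
 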
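--- a/python/understack-workflows/pyproject.toml
+++ b/python/understack-workflows/pyproject.toml
@@ -75,6 +75,7 @@ select = [
 "F", # pyflakes
 "B", # flake8-bugbear
 "I", # isort
+"S", # flake8-bandit
 "UP", # pyupgrade
 "ASYNC", # flake8-async
 ]
@@ -101,3 +102,10 @@ convention = "google"
 "understack_workflows/nautobot_device.py" = ["UP031"]
 "tests/test_nautobot_event_parser.py" = ["E501"]
 "tests/test_bmc_credentials.py" = ["B017"]
+"tests/**/*.py" = [
+"S101", # allow 'assert' for pytest
+"S105", # allow hardcoded passwords for testing
+]
+"understack_workflows/main/bmc_display_password.py" = [
+"S607", # allow the kubectl call
+]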
@@ -5,7 +5,7 @@

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # type: ignore

FACTORY_PASSWORD = "calvin"
FACTORY_PASSWORD = "calvin" # noqa: S105 we know this is hardcoded

logger = setup_logger(__name__)

@@ -12,7 +12,7 @@ def main():

ip_addr = sys.argv[1]
master_key = (
subprocess.check_output(
subprocess.check_output( # noqa: S603
[
"kubectl",
"get",
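Review bot: The `# noqa: S603` on `subprocess.check_output(` carries no reason, and the argument list continues past the end of the hunk, so it cannot be confirmed here that every element is a constant. `ip_addr` comes straight from `sys.argv[1]` a few lines above; if it is used in any command or derived value further down, parse it first with `ipaddress.ip_address(sys.argv[1])` so malformed input fails early. Once that is verified, record the reasoning on the suppression, e.g. `# noqa: S603 - fixed argument list, no shell`.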
@@ -94,7 +94,7 @@ def update_nautobot_for_tenant(

logger.debug(f"Running Nautobot prep_switch_interface job {uri=} {payload=}")

response = requests.request("POST", uri, headers=headers, json=payload)
response = requests.request("POST", uri, headers=headers, json=payload, timeout=30)
response_data = response.json()
logger.debug(f"Nautobot prep_switch_interface result: {response} {response_data=}")
response.raise_for_status()
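Review bot: `response.json()` is still called before `response.raise_for_status()`, so an error reply whose body is not JSON raises a decode error and the HTTP status is never reported. Checking the status first keeps the failure meaningful, and the debug line can log `response.text` for the error case. With `timeout=30` added, the call can now also raise `requests.exceptions.Timeout`; no handler is visible in the hunk, so confirm the caller treats that as a failed job rather than an unhandled crash. `update_nautobot_for_tenant` starts and ends outside the hunk.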