openstack/openstack-helm
Code Issues Proposed changes

Merge "Scan templated python files with bandit"

Browse Source
This commit is contained in:
Zuul 2019-01-31 13:53:16 +00:00 committed by Gerrit Code Review
commit 326200bf93
6 changed files with 67 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
keystone/templates/bin/_endpoint-update.py.tpl
View File

@ -73,9 +73,8 @@ except:
# Set Internal Endpoint # Set Internal Endpoint
try: try:
endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL'] endpoint_url = os.environ['OS_BOOTSTRAP_INTERNAL_URL']
user_engine.execute( cmd = "update endpoint set url = %s where interface ='internal' and service_id = (select id from service where service.type = 'identity')"
"update endpoint set url = '{0}' where interface ='internal' and service_id = (select id from service where service.type = 'identity')". user_engine.execute(cmd, (endpoint_url,))
format(endpoint_url))
except: except:
logger.critical("Could not update internal endpoint") logger.critical("Could not update internal endpoint")
raise raise
@ -83,9 +82,8 @@ except:
# Set Admin Endpoint # Set Admin Endpoint
try: try:
endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL'] endpoint_url = os.environ['OS_BOOTSTRAP_ADMIN_URL']
user_engine.execute( cmd = "update endpoint set url = %s where interface ='admin' and service_id = (select id from service where service.type = 'identity')"
"update endpoint set url = '{0}' where interface ='admin' and service_id = (select id from service where service.type = 'identity')". user_engine.execute(cmd, (endpoint_url,))
format(endpoint_url))
except: except:
logger.critical("Could not update admin endpoint") logger.critical("Could not update admin endpoint")
raise raise
@ -93,9 +91,8 @@ except:
# Set Public Endpoint # Set Public Endpoint
try: try:
endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL'] endpoint_url = os.environ['OS_BOOTSTRAP_PUBLIC_URL']
user_engine.execute( cmd = "update endpoint set url = %s where interface ='public' and service_id = (select id from service where service.type = 'identity')"
"update endpoint set url = '{0}' where interface ='public' and service_id = (select id from service where service.type = 'identity')". user_engine.execute(cmd, (endpoint_url,))
format(endpoint_url))
except: except:
logger.critical("Could not update public endpoint") logger.critical("Could not update public endpoint")
raise raise

4
keystone/templates/bin/_fernet-manage.py.tpl
View File

@ -25,7 +25,7 @@ import os
import pwd import pwd
import re import re
import six import six
import subprocess import subprocess #nosec
import sys import sys
import time import time
@ -127,7 +127,7 @@ def execute_command(cmd):
LOG.info("Executing 'keystone-manage %s --keystone-user=%s " LOG.info("Executing 'keystone-manage %s --keystone-user=%s "
"--keystone-group=%s' command.", "--keystone-group=%s' command.",
cmd, KEYSTONE_USER, KEYSTONE_GROUP) cmd, KEYSTONE_USER, KEYSTONE_GROUP)
subprocess.call(['keystone-manage', cmd, subprocess.call(['keystone-manage', cmd, #nosec
'--keystone-user=%s' % KEYSTONE_USER, '--keystone-user=%s' % KEYSTONE_USER,
'--keystone-group=%s' % KEYSTONE_GROUP]) '--keystone-group=%s' % KEYSTONE_GROUP])

16
tools/gate/files/template-python.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
EXCLUDES="helm-toolkit doc tests tools logs tmp roles playbooks releasenotes zuul.d python-files"
DIRS=`ls -d */ | cut -f1 -d'/'`
for EX in $EXCLUDES; do
DIRS=`echo $DIRS | sed "s/\b$EX\b//g"`
done
for DIR in $DIRS; do
PYFILES=$(helm template $DIR | yq 'select(.data != null) | .data | to_entries | map(select(.key | test(".*\\.py"))) | select(length > 0) | values[] | {(.key) : (.value)}' | jq -s add)
PYKEYS=$(echo "$PYFILES" | jq -r 'select(. != null) | keys[]')
for KEY in $PYKEYS; do
echo "$PYFILES" | jq -r --arg KEY "$KEY" '.[$KEY]' > ./python-files/"$DIR-$KEY"
done
done

28
tools/gate/playbooks/osh-bandit.yaml Normal file
View File

@ -0,0 +1,28 @@
- hosts: all
name: openstack-helm-bandit
tasks:
- name: Install Required Packages and Setup Host
shell: |
set -xe;
./tools/deployment/common/install-packages.sh
./tools/deployment/common/deploy-k8s.sh
sudo -H pip install yq bandit
environment:
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
args:
chdir: "{{ zuul.project.src_dir }}"
- name: Template out python files
shell: |
set -xe;
make all
mkdir -p python-files
./tools/gate/files/template-python.sh
args:
chdir: "{{ zuul.project.src_dir }}"
- name: Run bandit against python files
shell: bandit -r ./python-files
args:
chdir: "{{ zuul.project.src_dir }}"

14
zuul.d/jobs-openstack-helm.yaml
View File

@ -24,6 +24,20 @@
- ^doc/.*$ - ^doc/.*$
- ^releasenotes/.*$ - ^releasenotes/.*$
- job:
name: openstack-helm-bandit
timeout: 3600
run: tools/gate/playbooks/osh-bandit.yaml
required-projects:
- openstack/openstack-helm-infra
# NOTE(gagehugo): Look into only running this for py.tpl file changes
# files:
# - ^.*\.py\.tpl$
irrelevant-files:
- ^.*\.rst$
- ^doc/.*$
- ^releasenotes/.*$
- job: - job:
name: openstack-helm-chart-deploy name: openstack-helm-chart-deploy
parent: openstack-helm-functional-temp parent: openstack-helm-functional-temp

1
zuul.d/project.yaml
View File

@ -24,6 +24,7 @@
check: check:
jobs: jobs:
- openstack-helm-lint - openstack-helm-lint
- openstack-helm-bandit
- openstack-helm-keystone - openstack-helm-keystone
- openstack-helm-keystone-ldap - openstack-helm-keystone-ldap
- openstack-helm-glance - openstack-helm-glance