Merge pull request #225 from chaen/bandit

test: bandit CI

.github/workflows/make_release.py

@@ -29,6 +29,7 @@ def make_release(version, commit_hash, release_notes=""):
             "prerelease": Version(version).is_prerelease,
         },
         headers=headers,
+        timeout=60,
     )
     r.raise_for_status()
     release_data = r.json()
@@ -41,6 +42,7 @@ def make_release(version, commit_hash, release_notes=""):
             "draft": False,
         },
         headers=headers,
+        timeout=60,
     )
     r.raise_for_status()
     release_data = r.json()

README.md

@@ -1,5 +1,6 @@
 ![DiracX tests](https://github.com/DIRACGrid/diracx/actions/workflows/main.yml/badge.svg?branch=main)
 ![Legacy tests](https://github.com/DIRACGrid/diracx/actions/workflows/integration.yml/badge.svg?branch=main)
+![security: bandit](https://github.com/DIRACGrid/diracx/actions/workflows/main.yml/badge.svg?branch=main)
 
 # DiracX Prototype
 

containers/client/Dockerfile

@@ -2,7 +2,7 @@ FROM ghcr.io/diracgrid/diracx/client-base
 
 ARG EXTRA_PACKAGES_TO_INSTALL
 
-RUN --mount=type=bind,source=.,target=/bindmount DIRACX_CUSTOM_SOURCE_PREFIXES=/bindmount /entrypoint.sh bash -ec "pip install --no-deps ${EXTRA_PACKAGES_TO_INSTALL} && pip check"
+RUN --mount=type=bind,source=.,target=/bindmount DIRACX_CUSTOM_SOURCE_PREFIXES=/bindmount /entrypoint.sh bash -ec "pip install --no-deps ${EXTRA_PACKAGES_TO_INSTALL} && echo 'Running pip check' && pip check"
 
 # In many clusters the container is ran as a random uid for security reasons.
 # If we mark the conda directory as group 0 and give it group write permissions

containers/services/Dockerfile

@@ -2,7 +2,7 @@ FROM ghcr.io/diracgrid/diracx/services-base
 
 ARG EXTRA_PACKAGES_TO_INSTALL
 
-RUN --mount=type=bind,source=.,target=/bindmount DIRACX_CUSTOM_SOURCE_PREFIXES=/bindmount /entrypoint.sh bash -ec "pip install --no-deps ${EXTRA_PACKAGES_TO_INSTALL} && pip check"
+RUN --mount=type=bind,source=.,target=/bindmount DIRACX_CUSTOM_SOURCE_PREFIXES=/bindmount /entrypoint.sh bash -ec "pip install --no-deps ${EXTRA_PACKAGES_TO_INSTALL} && echo 'Running pip check' && pip check"
 
 # In many clusters the container is ran as a random uid for security reasons.
 # If we mark the conda directory as group 0 and give it group write permissions

diracx-cli/src/diracx/cli/__init__.py

@@ -99,7 +99,8 @@ async def logout():
             # Revoke refresh token
             try:
                 await api.auth.revoke_refresh_token(credentials["refresh_token"])
-            except Exception:
+            except Exception as e:
+                print(f"Error revoking the refresh token {e!r}")
                 pass
 
             # Remove credentials

diracx-routers/src/diracx/routers/auth/utils.py

@@ -73,7 +73,7 @@ class GrantType(StrEnum):
 
     authorization_code = "authorization_code"
     device_code = "urn:ietf:params:oauth:grant-type:device_code"
-    refresh_token = "refresh_token"
+    refresh_token = "refresh_token"  # noqa: S105   # False positive of Bandit about hard coded password
 
 
 class ScopeInfoDict(TypedDict):

pyproject.toml

@@ -4,26 +4,19 @@ description = "Client installation for users of DiracX installations"
 readme = "README.md"
 requires-python = ">=3.10"
 keywords = []
-license = {text = "GPL-3.0-only"}
+license = { text = "GPL-3.0-only" }
 classifiers = [
     "Intended Audience :: Science/Research",
     "License :: OSI Approved :: GNU General Public License v3 (GPLv3)",
     "Programming Language :: Python :: 3",
     "Topic :: Scientific/Engineering",
     "Topic :: System :: Distributed Computing",
 ]
-dependencies = [
-    "diracx-api",
-    "diracx-cli",
-    "diracx-client",
-    "diracx-core",
-]
+dependencies = ["diracx-api", "diracx-cli", "diracx-client", "diracx-core"]
 dynamic = ["version"]
 
 [project.optional-dependencies]
-testing = [
-    "diracx-testing",
-]
+testing = ["diracx-testing"]
 
 [tool.setuptools]
 packages = []
@@ -35,27 +28,51 @@ build-backend = "setuptools.build_meta"
 [tool.setuptools_scm]
 
 [tool.ruff]
-select = [
-    "E",    # pycodestyle errrors
-    "F",    # pyflakes
-    "B",    # flake8-bugbear
-    "I",    # isort
-    "PLE",  # pylint errors
-    # "UP",   # pyUpgrade
-    "FLY",  # flynt
-    "DTZ",  # flake8-datetimez
-]
-ignore = ["B905", "B008", "B006"]
 line-length = 120
 src = ["diracx-*/src", "diracx-*/tests"]
 exclude = ["diracx-client/src/diracx/client/"]
 
+
+[tool.ruff.lint]
+select = [
+    "E",   # pycodestyle errrors
+    "F",   # pyflakes
+    "B",   # flake8-bugbear
+    "I",   # isort
+    "PLE", # pylint errors
+    # "UP",   # pyUpgrade
+    "FLY", # flynt
+    "DTZ", # flake8-datetimez
+    "S",   # flake8-bandit
+]
+
+ignore = [
+    "B905",
+    "B008",
+    "B006",
+    "S101", # bandit: use of assert https://docs.astral.sh/ruff/rules/assert/
+]
+
+
+[tool.ruff.lint.per-file-ignores]
+# Ignore Bandit security checks in the test directories
+"diracx-testing/*" = ["S"]
+"diracx-*/tests/*" = ["S"]
+
+[tool.ruff.lint.flake8-bugbear]
+# Allow default arguments like, e.g., `data: List[str] = fastapi.Query(None)`.
+extend-immutable-calls = [
+    "fastapi.Depends",
+    "fastapi.Query",
+    "fastapi.Path",
+    "fastapi.Body",
+    "fastapi.Header",
+]
+
+
 [tool.isort]
 profile = "black"
 
-[tool.ruff.flake8-bugbear]
-# Allow default arguments like, e.g., `data: List[str] = fastapi.Query(None)`.
-extend-immutable-calls = ["fastapi.Depends", "fastapi.Query", "fastapi.Path", "fastapi.Body", "fastapi.Header"]
 
 [tool.mypy]
 files = [
@@ -100,8 +117,10 @@ testpaths = [
 ]
 addopts = [
     "-v",
-    "--cov=diracx", "--cov-report=term-missing",
-    "-pdiracx.testing", "-pdiracx.testing.osdb",
+    "--cov=diracx",
+    "--cov-report=term-missing",
+    "-pdiracx.testing",
+    "-pdiracx.testing.osdb",
     "--import-mode=importlib",
 ]
 asyncio_mode = "auto"