Add bandit to pipeline

2021-12-15 10:58:58 +03:00 · 2021-12-15 10:58:58 +03:00 · c6873c2af3
parent 2f64397730
commit c6873c2af3
10 changed files with 195 additions and 6 deletions
--- a/.coveragerc
+++ b/.coveragerc
@ -1,2 +1,4 @@
 [run]
-source = selfprivacy_api
+source = selfprivacy_api
+[report]
+omit = selfprivacy_api/app.py
--- a/.drone.yml
+++ b/.drone.yml
@ -10,4 +10,7 @@ steps:
 - name: test
  commands:
  - coverage run -m pytest -q
-  - coverage xml
+  - coverage xml
+- name: bandit
+  commands:
+  - bandit -ll -r selfprivacy_api
--- a/selfprivacy_api/restic_controller/init.py
+++ b/selfprivacy_api/restic_controller/init.py
@ -181,7 +181,7 @@ class ResticController:
            "backup",
            "/var",
        ]
-        with open("/tmp/backup.log", "w", encoding="utf-8") as log_file:
+        with open("/var/backup.log", "w", encoding="utf-8") as log_file:
            subprocess.Popen(
                backup_command,
                shell=False,
@ -196,7 +196,7 @@ class ResticController:
        """
        Check progress of ongoing backup operation
        """
-        backup_status_check_command = ["tail", "-1", "/tmp/backup.log"]
+        backup_status_check_command = ["tail", "-1", "/var/backup.log"]

        if (
            self.state == ResticStates.NO_KEY
@ -205,7 +205,7 @@ class ResticController:
            return

        # If the log file does not exists
-        if os.path.exists("/tmp/backup.log") is False:
+        if os.path.exists("/var/backup.log") is False:
            self.state = ResticStates.INITIALIZED

        with subprocess.Popen(
--- a/selfprivacy_api/utils.py
+++ b/selfprivacy_api/utils.py
@ -5,11 +5,12 @@ import portalocker


 USERDATA_FILE = "/etc/nixos/userdata/userdata.json"
+DOMAIN_FILE = "/var/domain"


 def get_domain():
    """Get domain from /var/domain without trailing new line"""
-    with open("/var/domain", "r", encoding="utf-8") as domain_file:
+    with open(DOMAIN_FILE, "r", encoding="utf-8") as domain_file:
        domain = domain_file.readline().rstrip()
    return domain

--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -31,12 +31,26 @@ class AuthorizedClient(testing.FlaskClient):
        kwargs["headers"]["Authorization"] = f"Bearer {self.token}"
        return super().open(*args, **kwargs)

+class WrongAuthClient(testing.FlaskClient):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.token = "WRONG_TOKEN"
+
+    def open(self, *args, **kwargs):
+        if "headers" not in kwargs:
+            kwargs["headers"] = {}
+        kwargs["headers"]["Authorization"] = f"Bearer {self.token}"
+        return super().open(*args, **kwargs)

@pytest.fixture
 def authorized_client(app):
    app.test_client_class = AuthorizedClient
    return app.test_client()

+@pytest.fixture
+def wrong_auth_client(app):
+    app.test_client_class = WrongAuthClient
+    return app.test_client()

@pytest.fixture
 def runner(app):
--- a/tests/test_system.py
+++ b/tests/test_system.py
@ -0,0 +1,17 @@
+# pylint: disable=redefined-outer-name
+# pylint: disable=unused-argument
+import json
+import pytest
+from selfprivacy_api.utils import get_domain
+
+@pytest.fixture
+def domain_file(mocker, datadir):
+    mocker.patch("selfprivacy_api.utils.DOMAIN_FILE", datadir / "domain")
+    return datadir
+
+def test_wrong_auth(wrong_auth_client):
+    response = wrong_auth_client.get("/system/pythonVersion")
+    assert response.status_code == 401
+
+def test_get_domain(authorized_client, domain_file):
+    assert get_domain() == "test-domain.tld"
--- a/tests/test_system/domain
+++ b/tests/test_system/domain
@ -0,0 +1 @@
+test-domain.tld
--- a/tests/test_system/turned_off.json
+++ b/tests/test_system/turned_off.json
@ -0,0 +1,52 @@
+{
+    "backblaze": {
+        "accountId": "ID",
+        "accountKey": "KEY",
+        "bucket": "selfprivacy"
+    },
+    "api": {
+        "token": "TEST_TOKEN",
+        "enableSwagger": false
+    },
+    "bitwarden": {
+        "enable": true
+    },
+    "cloudflare": {
+        "apiKey": "TOKEN"
+    },
+    "databasePassword": "PASSWORD",
+    "domain": "test.tld",
+    "hashedMasterPassword": "HASHED_PASSWORD",
+    "hostname": "test-instance",
+    "nextcloud": {
+        "adminPassword": "ADMIN",
+        "databasePassword": "ADMIN",
+        "enable": true
+    },
+    "resticPassword": "PASS",
+    "ssh": {
+        "enable": true,
+        "passwordAuthentication": true,
+        "rootKeys": [
+            "ssh-ed25519 KEY test@pc"
+        ]
+    },
+    "username": "tester",
+    "gitea": {
+        "enable": false
+    },
+    "ocserv": {
+        "enable": true
+    },
+    "pleroma": {
+        "enable": true
+    },
+    "autoUpgrade": {
+        "enable": false,
+        "allowReboot": false
+    },
+    "timezone": "Europe/Moscow",
+    "sshKeys": [
+        "ssh-rsa KEY test@pc"
+    ]
+}
--- a/tests/test_system/turned_on.json
+++ b/tests/test_system/turned_on.json
@ -0,0 +1,52 @@
+{
+    "backblaze": {
+        "accountId": "ID",
+        "accountKey": "KEY",
+        "bucket": "selfprivacy"
+    },
+    "api": {
+        "token": "TEST_TOKEN",
+        "enableSwagger": false
+    },
+    "bitwarden": {
+        "enable": true
+    },
+    "cloudflare": {
+        "apiKey": "TOKEN"
+    },
+    "databasePassword": "PASSWORD",
+    "domain": "test.tld",
+    "hashedMasterPassword": "HASHED_PASSWORD",
+    "hostname": "test-instance",
+    "nextcloud": {
+        "adminPassword": "ADMIN",
+        "databasePassword": "ADMIN",
+        "enable": true
+    },
+    "resticPassword": "PASS",
+    "ssh": {
+        "enable": true,
+        "passwordAuthentication": true,
+        "rootKeys": [
+            "ssh-ed25519 KEY test@pc"
+        ]
+    },
+    "username": "tester",
+    "gitea": {
+        "enable": false
+    },
+    "ocserv": {
+        "enable": true
+    },
+    "pleroma": {
+        "enable": true
+    },
+    "autoUpgrade": {
+        "enable": true,
+        "allowReboot": true
+    },
+    "timezone": "Europe/Moscow",
+    "sshKeys": [
+        "ssh-rsa KEY test@pc"
+    ]
+}
--- a/tests/test_system/undefined.json
+++ b/tests/test_system/undefined.json
@ -0,0 +1,47 @@
+{
+    "backblaze": {
+        "accountId": "ID",
+        "accountKey": "KEY",
+        "bucket": "selfprivacy"
+    },
+    "api": {
+        "token": "TEST_TOKEN",
+        "enableSwagger": false
+    },
+    "bitwarden": {
+        "enable": true
+    },
+    "cloudflare": {
+        "apiKey": "TOKEN"
+    },
+    "databasePassword": "PASSWORD",
+    "domain": "test.tld",
+    "hashedMasterPassword": "HASHED_PASSWORD",
+    "hostname": "test-instance",
+    "nextcloud": {
+        "adminPassword": "ADMIN",
+        "databasePassword": "ADMIN",
+        "enable": true
+    },
+    "resticPassword": "PASS",
+    "ssh": {
+        "enable": true,
+        "passwordAuthentication": true,
+        "rootKeys": [
+            "ssh-ed25519 KEY test@pc"
+        ]
+    },
+    "username": "tester",
+    "gitea": {
+        "enable": false
+    },
+    "ocserv": {
+        "enable": true
+    },
+    "pleroma": {
+        "enable": true
+    },
+    "sshKeys": [
+        "ssh-rsa KEY test@pc"
+    ]
+}