Fix Bandit errors

Bandit 1.7.5 released with a timeout check for all requests and
urllib calls.

Fixed those.

In the process, this exposed a bandit b310 issue, which was already
covered by the code, but it is now explicitly marked as such.

Also, enables bandit checks to be voting for CI..

Change-Id: If0e87790191f5f3648366d571e1d85dd7393a548
This commit is contained in:
Julia Kreger 2023-04-07 13:38:21 -07:00
parent 32df26a22a
commit e8ab7ded4b
6 changed files with 29 additions and 8 deletions


@ -329,6 +329,11 @@ cli_opts = [
cfg.BoolOpt('md5_enabled',
default=False,
help='If the MD5 algorithm is enabled for file checksums.'),
cfg.IntOpt('http_request_timeout',
default=30,
min=1,
help='Time in seconds to wait for an HTTP request TCP socket '
'to enter a state where a request can be transmitted.'),
]
CONF.register_cli_opts(cli_opts)
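Review bot: The help text for `http_request_timeout` describes only the connect phase, but the same value is passed as the scalar `timeout` to both `requests.post` and `urllib.request.urlopen` elsewhere in this commit, where it also bounds each wait for response data (a per-operation limit, not a limit on the whole transfer). Suggest `help='Timeout in seconds for HTTP requests made by the agent, such as the inspector callback and firmware downloads. It bounds connecting and each wait for response data; it is not a limit on the whole transfer.'`. The `cli_opts` list starts outside the hunk.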


@ -415,7 +415,10 @@ class NvidiaNicFirmwareBinary(object):
try:
LOG.info('Downloading file: %s to %s', self.url,
self.dest_file_path)
url_data = request.urlopen(self.url)
# NOTE(TheJulia: nosec b310 rule below is covered by _process_url
url_data = request.urlopen(
self.url,
timeout=CONF.http_request_timeout) # nosec
except urlError.URLError as url_error:
LOG.error('Failed to open URL data: %s', url_error)
raise url_error
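Review bot: A timeout that fires after the connection is established is not caught by the `except urlError.URLError` clause here: in CPython's urllib only errors raised while sending the request are wrapped in `URLError`, so a server that accepts the connection but stalls before responding (or a later `url_data.read()`, which is outside this hunk) raises `socket.timeout` / `TimeoutError` straight through, bypassing the LOG.error. If the intent is for this handler to cover all download failures, widen it to `except (urlError.URLError, TimeoutError) as url_error:` (and move the body read inside the try if it is not already). Separately, the NOTE comment has an unbalanced parenthesis — `# NOTE(TheJulia): nosec b310 rule below is covered by _process_url`. The enclosing method starts and ends outside the hunk.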


@ -139,8 +139,10 @@ def call_inspector(data, failures):
wait=tenacity.wait_fixed(_RETRY_WAIT),
reraise=True)
def _post_to_inspector():
return requests.post(CONF.inspection_callback_url, data=data,
verify=verify, cert=cert)
return requests.post(
CONF.inspection_callback_url, data=data,
verify=verify, cert=cert,
timeout=CONF.http_request_timeout)
resp = _post_to_inspector()
if resp.status_code >= 400:
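Review bot: Whether a timeout on this post is retried now depends on the `retry=` predicate of the tenacity decorator, which sits above the hunk; `requests.exceptions.ReadTimeout` is a `Timeout` but not a `ConnectionError`, so if that predicate only names connection errors a stalled inspector propagates straight out after the first attempt while a connect timeout is retried. If retrying timeouts is intended, add `requests.exceptions.Timeout` to that predicate; if not, a one-line comment on `_post_to_inspector` saying read timeouts are deliberately not retried would save the next reader the check. `call_inspector` continues outside the hunk.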


@ -163,7 +163,8 @@ class TestCallInspector(base.IronicAgentTest):
mock_post.assert_called_once_with('url',
cert=None, verify=True,
data='{"data": 42, "error": null}')
data='{"data": 42, "error": null}',
timeout=30)
self.assertEqual(mock_post.return_value.json.return_value, res)
def test_send_failure(self, mock_post):
@ -176,7 +177,8 @@ class TestCallInspector(base.IronicAgentTest):
mock_post.assert_called_once_with('url',
cert=None, verify=True,
data='{"data": 42, "error": "boom"}')
data='{"data": 42, "error": "boom"}',
timeout=30)
self.assertEqual(mock_post.return_value.json.return_value, res)
def test_inspector_error(self, mock_post):
@ -188,7 +190,8 @@ class TestCallInspector(base.IronicAgentTest):
mock_post.assert_called_once_with('url',
cert=None, verify=True,
data='{"data": 42, "error": null}')
data='{"data": 42, "error": null}',
timeout=30)
self.assertIsNone(res)
@mock.patch.object(inspector, '_RETRY_WAIT', 0.01)
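Review bot: All three `assert_called_once_with` updates in this file hard-code `timeout=30`, duplicating the option's default rather than reading it, so a later change to the default breaks the three tests in step. If `CONF` is imported in this test module, `timeout=CONF.http_request_timeout` keeps the assertions tied to the configured value; otherwise a module constant shared by the three tests would at least localise the duplication. `TestCallInspector` starts and ends outside the hunks.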


@ -0,0 +1,8 @@
---
fixes:
- |
Fixes timeout declarations for Bandit 1.7.5 rule additions.
- |
Adds a ``http_request_timeout`` setting to allow for operators
to set the amount of time to wait for a new request socket to
wait.


@ -9,6 +9,7 @@
check:
jobs:
- openstack-tox-functional
- ipa-tox-bandit
- ipa-tox-examples
# NOTE(iurygregory) Only run this two jobs since we are testing
# wholedisk + partition on tempest
@ -26,11 +27,10 @@
# Non-voting jobs
- ipa-tempest-ironic-inspector-src:
voting: false
- ipa-tox-bandit:
voting: false
gate:
jobs:
- openstack-tox-functional
- ipa-tox-bandit
- ipa-tox-examples
- ipa-tempest-bios-ipmi-direct-src
- ipa-tempest-uefi-redfish-vmedia-src