added support for doing bandit checks.

2015-11-09 11:56:53 -08:00 · 2015-11-09 11:56:53 -08:00 · ee57dcae8a
parent 891e3a1365
commit ee57dcae8a
9 changed files with 17 additions and 30 deletions
--- a/kollacli/ansible/inventory.py
+++ b/kollacli/ansible/inventory.py
@ -782,5 +782,5 @@ class Inventory(object):
            json_gen_file.write("print('%s')" % json_out)

        # set executable by group
-        os.chmod(json_gen_path, 0o555)
+        os.chmod(json_gen_path, 0o555)  # nosec
        return json_gen_path
--- a/kollacli/ansible/playbook.py
+++ b/kollacli/ansible/playbook.py
@ -13,7 +13,7 @@
 #    under the License.
 import logging
 import os
-import subprocess
+import subprocess  # nosec
 import traceback

 from kollacli.ansible.inventory import Inventory
@ -123,7 +123,7 @@ class AnsiblePlaybook(object):
                    # log the inventory
                    dbg_gen = inventory_path
                    (inv, _) = \
-                        subprocess.Popen(dbg_gen.split(' '),
+                        subprocess.Popen(dbg_gen.split(' '),  # nosec
                                         stdout=subprocess.PIPE,
                                         stderr=subprocess.PIPE).communicate()
                    self.log.debug(inv)
--- a/kollacli/ansible/properties.py
+++ b/kollacli/ansible/properties.py
@ -58,7 +58,7 @@ class AnsibleProperties(object):
                                         ANSIBLE_DEFAULTS_PATH)
                if os.path.isfile(file_name):
                    with open(file_name) as service_file:
-                        service_contents = yaml.load(service_file)
+                        service_contents = yaml.safe_load(service_file)
                        self.file_contents[file_name] = service_contents
                        service_contents = self.filter_jinja2(service_contents)
                        prop_file_name = service_name + ':main.yml'
@ -73,7 +73,7 @@ class AnsibleProperties(object):
        try:
            self.allvars_path = os.path.join(kolla_home, ALLVARS_PATH)
            with open(self.allvars_path) as allvars_file:
-                allvars_contents = yaml.load(allvars_file)
+                allvars_contents = yaml.safe_load(allvars_file)
                self.file_contents[self.allvars_path] = allvars_contents
                allvars_contents = self.filter_jinja2(allvars_contents)
                for key, value in allvars_contents.items():
@ -87,7 +87,7 @@ class AnsibleProperties(object):
        try:
            self.globals_path = os.path.join(kolla_etc, GLOBALS_FILENAME)
            globals_data = sync_read_file(self.globals_path)
-            globals_contents = yaml.load(globals_data)
+            globals_contents = yaml.safe_load(globals_data)
            self.file_contents[self.globals_path] = globals_contents
            globals_contents = self.filter_jinja2(globals_contents)
            for key, value in globals_contents.items():
--- a/kollacli/host.py
+++ b/kollacli/host.py
@ -272,7 +272,7 @@ class HostSetup(Command):
        with open(yml_path, 'r') as hosts_file:
            file_data = hosts_file.read()

-        hosts_info = yaml.load(file_data)
+        hosts_info = yaml.safe_load(file_data)
        if not hosts_info:
            raise CommandError('%s is empty' % yml_path)
        return hosts_info
--- a/kollacli/sshutils.py
+++ b/kollacli/sshutils.py
@ -107,7 +107,7 @@ def _post_setup_checks(net_addr, log):

    try:
        # a basic test
-        ssh_client.exec_command('ls')
+        ssh_client.exec_command('ls')  # nosec

    except Exception as e:
        raise CommandError("remote command 'ls' failed : %s" % e)
@ -120,13 +120,13 @@ def _close_ssh_client(ssh_client):
    if ssh_client:
        try:
            ssh_client.close()
-        except Exception:
+        except Exception:  # nosec
            pass


 def _exec_ssh_cmd(cmd, ssh_client, log):
    log.debug(cmd)
-    _, stdout, stderr = ssh_client.exec_command(cmd, get_pty=True)
+    _, stdout, stderr = ssh_client.exec_command(cmd, get_pty=True)  # nosec
    msg = stdout.read()
    errmsg = stderr.read()
    log.debug('%s : %s' % (msg, errmsg))
--- a/kollacli/utils.py
+++ b/kollacli/utils.py
@ -18,7 +18,6 @@ import pexpect
 import pwd
 import six
 import sys
-import yaml

 from kollacli.exceptions import CommandError
 from oslo_utils.encodeutils import safe_decode
@ -80,23 +79,6 @@ def get_pk_bits():
    return 1024


-def load_etc_yaml(fileName):
-    contents = {}
-    try:
-        with open(get_kollacli_etc() + fileName, 'r') as f:
-            contents = yaml.load(f)
-    except Exception:
-        # TODO(bmace) if file doesn't exist on a load we don't
-        # want to blow up, some better behavior here?
-        pass
-    return contents or {}
-
-
-def save_etc_yaml(fileName, contents):
-    with open(get_kollacli_etc() + fileName, 'w') as f:
-        f.write(yaml.dump(contents))
-
-
 def get_ansible_command(playbook=False):
    """get a python2 ansible command

--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -4,6 +4,7 @@
 # Hacking already pins down pep8, pyflakes and flake8
 hacking>=0.10.2,<0.11

+bandit>=0.13.2
 coverage>=3.6
 discover
 fixtures>=0.3.14
--- a/tests/common.py
+++ b/tests/common.py
@ -258,7 +258,7 @@ class TestConfig(object):
        with open(path, 'r+') as cfg_file:
            yml_data = cfg_file.read()

-        test_cfg = yaml.load(yml_data)
+        test_cfg = yaml.safe_load(yml_data)

        hosts_info = test_cfg['hosts']
        if hosts_info:
--- a/tox.ini
+++ b/tox.ini
@ -1,7 +1,7 @@
 [tox]
 minversion = 1.6
 skipsdist = True
-envlist = py27,pep8
+envlist = py27,pep8,bandit

 [testenv]
 usedevelop = True
@ -25,3 +25,7 @@ commands = {posargs}
 [flake8]
 show-source = True
 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build
+
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r kollacli