add ansible-lint rules to ensure no static secrets and empty defaults are present in the code#526
add ansible-lint rules to ensure no static secrets and empty defaults are present in the code#526evgeni wants to merge 9 commits into
Conversation
evgeni
force-pushed
the
lint-empty-defaults
branch
from
8ed56d7 to
93be9bb
Compare
| def test_empty_defaults_are_flagged( | ||
| config_options: Options, | ||
| app: object, | ||
| ) -> None: | ||
| """Null and empty string defaults produce match errors.""" | ||
| rules = RulesCollection(app=app, options=config_options) | ||
| rules.register(EmptyDefaultsRule()) | ||
| results = Runner( | ||
| Lintable("tests/fixtures/ansible-lint/roles/test_empty_defaults"), | ||
| rules=rules, | ||
| ).run() | ||
| empty_results = [r for r in results if r.rule.id == EmptyDefaultsRule.id] | ||
| assert len(empty_results) == 4 | ||
| for result in empty_results: | ||
| assert result.tag == "var-defaults[no-empty]" |
There was a problem hiding this comment.
but isn't this only happy path testing and this but doesn't explicitly verify that edge cases are correctly NOT flagged.
There was a problem hiding this comment.
which edge cases? tests/fixtures/ansible-lint/roles/test_empty_defaults/defaults/main.yml contains 9 variables, and the assertion is that we flag 4 of them as "empty" (the ones that are either null or ""), but others (e.g. false and []) are accepted
There was a problem hiding this comment.
Okay, I see your point with that current cases. 🙌
| return results | ||
|
|
||
| for key, value in meta_data.items(): | ||
| if value is None or value == "": |
There was a problem hiding this comment.
So just to clarify, The test fixture has passed test_empty_defaults_plugins: [] which is not flagged right. Shouldn't empty lists ([]) also be checked in that case? Or is empty list a valid default?
There was a problem hiding this comment.
I've kept [] as allowed, as my trail of thought was: "this is usually used for defining additions (e.g. plugins), so an empty list is ok"
archanaserver
left a comment
archanaserver
left a comment
There was a problem hiding this comment.
Dropped comments just to clarify some thought on this.
|
This is from me testing out a review skill I wrote: empty_defaults.py and no_static_secrets.py — redundant YAML parse
no_static_secrets rule: None/empty secret values slip through
|
|
evgeni
force-pushed
the
lint-empty-defaults
branch
3 times, most recently
from
b950c1f to
f6a48ab
Compare
| candlepin_database_ssl_cert: | ||
| candlepin_database_ssl_key: |
There was a problem hiding this comment.
love finding unused vars :)
| self.create_matcherror( | ||
| message=f"Role default variable '{key}' has an empty value. Use `undef(hint='…')` to indicate defaults that need to be overriden.", | ||
| filename=file, | ||
| tag="var-defaults[no-empty]", |
There was a problem hiding this comment.
this uses id[sub-id] style, as I've used var-naming rule as a base, and this has multiple sub-tags.
after using the two rules in this PR (and also flagging certain vars as noqa for them), I think this is wrong.
We should either:
- Have a single
var-contentrule file with multiple tags (var-content[no-empty-defaults],var-content[no-static-secrets]) - Have dedicated named rules like
no-empty-defaultsandno-static-secrets
I slightly lean towards the dedicated naming, but eager to hear what you think.
evgeni
changed the title
evgeni
force-pushed
the
lint-empty-defaults
branch
from
f6a48ab to
7b0048c
Compare
I guess |
3 participants
Why are you introducing these changes? (Problem description, related links)
#523 (review)
What are the changes introduced in this pull request?
How to test this pull request
Steps to reproduce:
Checklist