Introduce Bandit security check

DIRACGrid · Mar 24, 2024 · 6cb997c · 6cb997c
1 parent c729082
commit 6cb997c
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 3 deletions.
diff --git a/.github/workflows/make_release.py b/.github/workflows/make_release.py
@@ -29,6 +29,7 @@ def make_release(version, commit_hash, release_notes=""):
             "prerelease": Version(version).is_prerelease,
         },
         headers=headers,
+        timeout=60,
     )
     r.raise_for_status()
     release_data = r.json()
@@ -41,6 +42,7 @@ def make_release(version, commit_hash, release_notes=""):
             "draft": False,
         },
         headers=headers,
+        timeout=60,
     )
     r.raise_for_status()
     release_data = r.json()

diff --git a/README.md b/README.md
@@ -1,5 +1,6 @@
 ![DiracX tests](https://github.com/DIRACGrid/diracx/actions/workflows/main.yml/badge.svg?branch=main)
 ![Legacy tests](https://github.com/DIRACGrid/diracx/actions/workflows/integration.yml/badge.svg?branch=main)
+![security: bandit](https://github.com/DIRACGrid/diracx/actions/workflows/main.yml/badge.svg?branch=main)
 
 # DiracX Prototype
 

diff --git a/diracx-cli/src/diracx/cli/__init__.py b/diracx-cli/src/diracx/cli/__init__.py
@@ -99,7 +99,8 @@ async def logout():
             # Revoke refresh token
             try:
                 await api.auth.revoke_refresh_token(credentials["refresh_token"])
-            except Exception:
+            except Exception as e:
+                print(f"Error revoking the refresh token {e!r}")
                 pass
 
             # Remove credentials

diff --git a/diracx-routers/src/diracx/routers/auth/utils.py b/diracx-routers/src/diracx/routers/auth/utils.py
@@ -73,7 +73,7 @@ class GrantType(StrEnum):
 
     authorization_code = "authorization_code"
     device_code = "urn:ietf:params:oauth:grant-type:device_code"
-    refresh_token = "refresh_token"
+    refresh_token = "refresh_token"  # noqa: S105   # False positif of Bandit about hard coded password
 
 
 class ScopeInfoDict(TypedDict):

diff --git a/pyproject.toml b/pyproject.toml
@@ -44,12 +44,23 @@ select = [
     # "UP",   # pyUpgrade
     "FLY",  # flynt
     "DTZ",  # flake8-datetimez
+    "S", # flake8-bandit
 ]
-ignore = ["B905", "B008", "B006"]
+ignore = ["B905",
+          "B008",
+          "B006",
+          "S101", # bandit: use of assert https://docs.astral.sh/ruff/rules/assert/
+          ]
 line-length = 120
 src = ["diracx-*/src", "diracx-*/tests"]
 exclude = ["diracx-client/src/diracx/client/"]
 
+
+[tool.ruff.lint.per-file-ignores]
+# Ignore Bandit security checks in the test directories
+"diracx-testing/*" = ["S"]
+"diracx-*/tests/*" = ["S"]
+
 [tool.isort]
 profile = "black"