Fix #8168 - AWS secrets should not be exposed while running tests #8169
base: main
/kind changelog-not-required
Made an attempt at simplifying here WDYT?
No mocking, less complicated compares.
This won't solve the problem where the test is run on the system where some
$ cd pkg/repository/config/
$ export AWS_ACCESS_KEY_ID=exposed_creds
$ go test ./...
$ cat ~/.aws/credentials
[default]
aws_access_key_id = exposed_key
aws_secret_access_key = exposed_access_key
$ go test ./...
We should make unit tests not read from local credentials at all IMO.
As discussed offline on Slack with @kaovilai there may be an issue with running tests in parallel with this proposed change. The I would like to know if that is an issue here?
probably not an issue. When Setenv is used, isEnvSet is true, and any call to t.Parallel() after will panic.
When we make tests more parallel we'll figure it out then. This is still an enhancement from before. Better an enhancement than no enhancement.
@kaovilai I could first check if those vars are set and only then use them, how about that? This will mitigate the problem a bit because in the container run scenario it should never execute TB.SetEnv
These are internal to go testing package and the check is already done for you if you check the link
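One way to keep a unit test away from both the exported variables and `~/.aws/credentials` shown in the comments above, as an added example that is not code from this PR or from Velero. The names `isolatedAWSEnv` and `IsolateAWS` are hypothetical, and the sketch assumes the AWS SDK in use honours these standard environment variables and treats an empty value as unset.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"testing"
)

// isolatedAWSEnv creates empty credentials/config files in dir and returns the
// environment overrides that keep credential lookup away from the host.
func isolatedAWSEnv(dir string) (map[string]string, error) {
	env := map[string]string{ // blank anything exported in the caller's shell
		"AWS_ACCESS_KEY_ID": "", "AWS_SECRET_ACCESS_KEY": "",
		"AWS_SESSION_TOKEN": "", "AWS_PROFILE": "",
		"AWS_EC2_METADATA_DISABLED": "true", // no instance-role lookup on cloud CI
	}
	files := map[string]string{
		"AWS_SHARED_CREDENTIALS_FILE": "credentials", // instead of ~/.aws/credentials
		"AWS_CONFIG_FILE":             "config",      // instead of ~/.aws/config
	}
	for key, name := range files {
		env[key] = filepath.Join(dir, name)
		if err := os.WriteFile(env[key], nil, 0o600); err != nil {
			return nil, err
		}
	}
	return env, nil
}

// IsolateAWS applies the overrides to one test. t.Setenv restores the previous
// values at cleanup and cannot be combined with t.Parallel.
func IsolateAWS(t testing.TB) {
	t.Helper()
	env, err := isolatedAWSEnv(t.TempDir())
	if err != nil {
		t.Fatalf("isolating AWS config: %v", err)
	}
	for k, v := range env {
		t.Setenv(k, v)
	}
}

func main() { // stand-alone run: print the overrides a test would receive
	dir, err := os.MkdirTemp("", "aws-isolated")
	if err != nil {
		panic(err)
	}
	fmt.Println(isolatedAWSEnv(dir))
}
```

Calling `IsolateAWS(t)` as the first line of a test gives it empty credential sources regardless of what the developer's shell or home directory contains.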
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8169      +/-   ##
==========================================
+ Coverage   59.05%   59.09%   +0.03%
==========================================
  Files         364      364
  Lines       30324    30342      +18
==========================================
+ Hits        17909    17931      +22
+ Misses      10972    10968       -4
  Partials     1443     1443
please fix lint
lint test fails
…ng tests

Changed the tests to use mocked function that will not read actual secrets from env variables nor AWS config file that may be on the system that is running tests.

As a second guard against exposed secrets comparison for the values does not show the actual values for the AWS data. This is to prevent situation where programming error may still allow the test to read AWS config/env variables instead of using mocked function.

Signed-off-by: Michal Pryc <[email protected]>
86d5243 to 6d0f726
Thank you for contributing to Velero!
Please add a summary of your change
Changed the tests to use mocked function that will not read actual secrets from env variables nor AWS config file that may be on the system that is running tests.
As a second guard against exposed secrets comparison for the values does not show the actual values for the AWS data. This is to prevent situation where programming error may still allow the test to read AWS config/env variables instead of using mocked function.
This change also fixes the test run on the system with AWS creds where the test was failing.
Does your change fix a particular issue?
Fixes #8168
Please indicate you've done the following:
/kind changelog-not-required
as a comment on this pull request.
site/content/docs/main.