Differential D143

Introduce SHOW_DB_URI config value
ClosedPublic
Actions

Authored by mkrizek on Jun 17 2014, 9:00 AM.

Details

Reviewers
tflink
jskladan
Maniphest Tasks
T220: Fix ResultsDB Database URI Leak
Commits
rRSDB55bfa3c97e0a: Introduce SHOW_DB_URI config value
Summary

Fixes T220

Test Plan

Run run_cli.py with TEST and/or PROD set to true and see if DB URI is shown.

Diff Detail

Repository
rRSDB resultsdb
Lint
Lint Skipped
Unit
Unit Tests Skipped
mkrizek retitled this revision from to Introduce SHOW_DB_URI config value.Jun 17 2014, 9:00 AM
mkrizek updated this object.
mkrizek edited the test plan for this revision. (Show Details)
mkrizek added reviewers: tflink, jskladan.
mkrizek added a task: T220: Fix ResultsDB Database URI Leak.
tflink requested changes to this revision.Jun 17 2014, 11:11 AM
tflink added inline comments.
resultsdb/config.py
50

Unfortunately, this still leaks the DBURI by default since DevelopmentConfig is the config used if nothing else is selected.

I'd rather see it false in config.py and maybe commented out or set to false in conf/settings.py.example

This revision now requires changes to proceed.Jun 17 2014, 11:11 AM
mkrizek added inline comments.Jun 17 2014, 11:17 AM
resultsdb/config.py
50

Unfortunately, this still leaks the DBURI by default since DevelopmentConfig is the config used if nothing else is selected.

Isn't it expected that the DBURI is shown in DevelopmentConfig?

tflink added a comment.Jun 17 2014, 12:10 PM

If you have other ideas on how to keep the DBURI from leaking to logs by default, I'm not set on a single particular solution

resultsdb/config.py
50

Perhaps but my concern is that the complete DBURI is leaking by default. I just don't want to have to run around changing db passwords every time I forget to put PROD='true' in front of a command

mkrizek updated this revision to Diff 421.Jun 17 2014, 2:35 PM

Address issue mentioned in the review

tflink accepted this revision.Jun 17 2014, 2:45 PM

Looks good to me

This revision is now accepted and ready to land.Jun 17 2014, 2:45 PM
mkrizek closed this revision.Jun 23 2014, 9:26 AM
mkrizek updated this revision to Diff 427.

Closed by commit rRSDB55bfa3c97e0a (authored by @mkrizek).

Revision Contents

PathPackages
Mconf/settings.py.example (1 line)
Mresultsdb/__init__.py (3 lines)
Mresultsdb/config.py (2 lines)

Diff 427

View Options

conf/settings.py.example

1# while you can use this as a template, we recommend that you use the blockerbugs 1# while you can use this as a template, we recommend that you use the blockerbugs
2# cli to generate a config file 2# cli to generate a config file
3SECRET_KEY = 'not-really-a-secret' 3SECRET_KEY = 'not-really-a-secret'
4SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://dbuser:dbpassword@dbhost:dbport/dbname' 4SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://dbuser:dbpassword@dbhost:dbport/dbname'
5FAS_ADMIN_GROUP = "magic-fas-group" 5FAS_ADMIN_GROUP = "magic-fas-group"
6FAS_USER = "magicuser@unicornsarereal.com" 6FAS_USER = "magicuser@unicornsarereal.com"
7FAS_PASSWORD = "password" 7FAS_PASSWORD = "password"
8BUGZILLA_COOKIE = None 8BUGZILLA_COOKIE = None
9FILE_LOGGING = False 9FILE_LOGGING = False
10LOGFILR = '/var/log/resultsdb/resultsdb.log' 10LOGFILR = '/var/log/resultsdb/resultsdb.log'
11SYSLOG_LOGGING = False 11SYSLOG_LOGGING = False
12STREAM_LOGGING = True 12STREAM_LOGGING = True
13SHOW_DB_URI = False
View Options

resultsdb/__init__.py

Show First 20 LinesShow All 104 Lines▼ Show 20 Line(s)103 if app.config['FILE_LOGGING'] and app.config['LOGFILE']:
105 file_handler = logging.handlers.RotatingFileHandler(app.config['LOGFILE'], maxBytes=500000, backupCount=5) 105 file_handler = logging.handlers.RotatingFileHandler(app.config['LOGFILE'], maxBytes=500000, backupCount=5)
106 file_handler.setLevel(loglevel) 106 file_handler.setLevel(loglevel)
107 file_handler.setFormatter(formatter) 107 file_handler.setFormatter(formatter)
108 root_logger.addHandler(file_handler) 108 root_logger.addHandler(file_handler)
109 app.logger.addHandler(file_handler) 109 app.logger.addHandler(file_handler)
110 110
111setup_logging() 111setup_logging()
112 112
113app.logger.debug('using DBURI: %s' % app.config['SQLALCHEMY_DATABASE_URI']) 113if app.config['SHOW_DB_URI']:
114 app.logger.debug('using DBURI: %s' % app.config['SQLALCHEMY_DATABASE_URI'])
114 115
115 116
116# database 117# database
117db = SQLAlchemy(app) 118db = SQLAlchemy(app)
118 119
119# setup login manager 120# setup login manager
120login_manager = LoginManager() 121login_manager = LoginManager()
121login_manager.setup_app(app) 122login_manager.setup_app(app)
Show All 15 Lines
View Options

resultsdb/config.py

Show All 27 Lines22class Config(object):
28 SYSLOG_LOGGING = False 28 SYSLOG_LOGGING = False
29 STREAM_LOGGING = True 29 STREAM_LOGGING = True
30 30
31 HOST = None 31 HOST = None
32 PORT = None 32 PORT = None
33 33
34 PRODUCTION = False 34 PRODUCTION = False
35 35
36 SHOW_DB_URI = False
37
36 38
37class ProductionConfig(Config): 39class ProductionConfig(Config):
38 DEBUG = False 40 DEBUG = False
39 PRODUCTION = True 41 PRODUCTION = True
40 42
41 43
42class DevelopmentConfig(Config): 44class DevelopmentConfig(Config):
43 TRAP_BAD_REQUEST_ERRORS = True 45 TRAP_BAD_REQUEST_ERRORS = True
44 SQLALCHEMY_DATABASE_URI = \ 46 SQLALCHEMY_DATABASE_URI = \
45 'mysql://resultsdb:TOP_SECRET_PASSWORD@localhost/resultsdb' 47 'mysql://resultsdb:TOP_SECRET_PASSWORD@localhost/resultsdb'
46 HOST = '0.0.0.0' 48 HOST = '0.0.0.0'
47 PORT = 5000 49 PORT = 5000
48 50
tflinkUnsubmitted
Not Done

Unfortunately, this still leaks the DBURI by default since DevelopmentConfig is the config used if nothing else is selected.

I'd rather see it false in config.py and maybe commented out or set to false in conf/settings.py.example

mkrizekAuthorUnsubmitted
Not Done

Unfortunately, this still leaks the DBURI by default since DevelopmentConfig is the config used if nothing else is selected.

Isn't it expected that the DBURI is shown in DevelopmentConfig?

tflinkUnsubmitted
Not Done

Perhaps but my concern is that the complete DBURI is leaking by default. I just don't want to have to run around changing db passwords every time I forget to put PROD='true' in front of a command

49 51
50class TestingConfig(Config): 52class TestingConfig(Config):
51 TRAP_BAD_REQUEST_ERRORS = True 53 TRAP_BAD_REQUEST_ERRORS = True
52 TESTING = True 54 TESTING = True