This is an archive of the discontinued Mercurial Phabricator instance.

Differential D6513

phabricator: auto-sanitise API tokens and HTTP cookies from VCR recordings
ClosedPublic

Authored by Kwan on Jun 11 2019, 2:56 PM.

Download Raw Diff

Details

Reviewers

None

Group Reviewers

hg-reviewers

Commits

rHGd3c81439e2ee: phabricator: auto-sanitise API tokens and HTTP cookies from VCR recordings

Summary

Currently when making VCR recordings one needs to manually sanitise sensitive
credentials before committing and submitting them as part of tests. It is easy
to imagine this being accidentally missed one time by a fallible human and said
credentials being leaked. It is also possible that it wouldn't be noticed to
alert the user to the leak since the recording files are so large and
practically unreviewable. Thus do so automatically, so the only place that needs
checking is in the test-phabricator.t file.

Diff Detail

Repository

rHG Mercurial

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Kwan created this revision.Jun 11 2019, 2:56 PM

Herald added a reviewer: hg-reviewers. · View Herald TranscriptJun 11 2019, 2:56 PM

Herald added a subscriber: mercurial-devel. · View Herald Transcript

Kwan added a commit: rHGd3c81439e2ee: phabricator: auto-sanitise API tokens and HTTP cookies from VCR recordings.Jun 12 2019, 12:44 PM

This revision was not accepted when it landed; it landed in state Needs Review.

Closed by commit rHGd3c81439e2ee: phabricator: auto-sanitise API tokens and HTTP cookies from VCR recordings (authored by Kwan). · Explain Why

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

			Path	Packages
M			hgext/phabricator.py (15 lines)
M			tests/test-phabricator.t (4 lines)

Diff 15453

hgext/phabricator.py

	fullflags = flags + _VCR_FLAGS			fullflags = flags + _VCR_FLAGS
	def hgmatcher(r1, r2):			def hgmatcher(r1, r2):
	if r1.uri != r2.uri or r1.method != r2.method:			if r1.uri != r2.uri or r1.method != r2.method:
	return False			return False
	r1params = r1.body.split(b'&')			r1params = r1.body.split(b'&')
	r2params = r2.body.split(b'&')			r2params = r2.body.split(b'&')
	return set(r1params) == set(r2params)			return set(r1params) == set(r2params)

				def sanitiserequest(request):
				request.body = re.sub(
				r'cli-[a-z0-9]+',
				r'cli-hahayouwish',
				request.body
				)
				return request

				def sanitiseresponse(response):
				if r'set-cookie' in response[r'headers']:
				del response[r'headers'][r'set-cookie']
				return response

	def decorate(fn):			def decorate(fn):
	def inner(args, *kwargs):			def inner(args, *kwargs):
	cassette = pycompat.fsdecode(kwargs.pop(r'test_vcr', None))			cassette = pycompat.fsdecode(kwargs.pop(r'test_vcr', None))
	if cassette:			if cassette:
	import hgdemandimport			import hgdemandimport
	with hgdemandimport.deactivated():			with hgdemandimport.deactivated():
	import vcr as vcrmod			import vcr as vcrmod
	import vcr.stubs as stubs			import vcr.stubs as stubs
	vcr = vcrmod.VCR(			vcr = vcrmod.VCR(
	serializer=r'json',			serializer=r'json',
				before_record_request=sanitiserequest,
				before_record_response=sanitiseresponse,
	custom_patches=[			custom_patches=[
	(urlmod, r'httpconnection',			(urlmod, r'httpconnection',
	stubs.VCRHTTPConnection),			stubs.VCRHTTPConnection),
	(urlmod, r'httpsconnection',			(urlmod, r'httpsconnection',
	stubs.VCRHTTPSConnection),			stubs.VCRHTTPSConnection),
	])			])
	vcr.register_matcher(r'hgmatcher', hgmatcher)			vcr.register_matcher(r'hgmatcher', hgmatcher)
	with vcr.use_cassette(cassette, match_on=[r'hgmatcher']):			with vcr.use_cassette(cassette, match_on=[r'hgmatcher']):

tests/test-phabricator.t

	> url = https://phab.mercurial-scm.org/			> url = https://phab.mercurial-scm.org/
	> callsign = HG			> callsign = HG
	>			>
	> [auth]			> [auth]
	> hgphab.schemes = https			> hgphab.schemes = https
	> hgphab.prefix = phab.mercurial-scm.org			> hgphab.prefix = phab.mercurial-scm.org
	> # When working on the extension and making phabricator interaction			> # When working on the extension and making phabricator interaction
	> # changes, edit this to be a real phabricator token. When done, edit			> # changes, edit this to be a real phabricator token. When done, edit
	> # it back, and make sure to also edit your VCR transcripts to match			> # it back. The VCR transcripts will be auto-sanitised to replace your real
	> # whatever value you put here.			> # token with this value.
	> hgphab.phabtoken = cli-hahayouwish			> hgphab.phabtoken = cli-hahayouwish
	> EOF			> EOF
	$ VCR="$TESTDIR/phabricator"			$ VCR="$TESTDIR/phabricator"

	Error is handled reasonably. We override the phabtoken here so that			Error is handled reasonably. We override the phabtoken here so that
	when you're developing changes to phabricator.py you can edit the			when you're developing changes to phabricator.py you can edit the
	above config and have a real token in the test but not have to edit			above config and have a real token in the test but not have to edit
	this test.			this test.

Diff	ID	Description	Created	Lint	Unit
Base		Base
Diff 1	15448		Jun 11 2019, 2:56 PM	★	★
Diff 2	15453	rHGd3c81439e2ee874fc78953aaf577c67dd5c8b4c9	Jun 11 2019, 2:37 PM	★	★