Merged
11 changes: 5 additions & 6 deletions tests/test_e2e.py
@@ -465,7 +465,7 @@ def test_device_flow(self):

def get_lab_app(
env_client_id="LAB_APP_CLIENT_ID",
env_client_secret="LAB_APP_CLIENT_SECRET",
env_name2="LAB_APP_CLIENT_SECRET", # A var name that hopefully avoids false alarm

@gladjohn gladjohn Jul 26, 2023
LAB_APP_CLIENT_SECRET Will this be reported next? I would only think it should be the value more than the variable name itself. We used to have this issue in the Labs, and we had to remove the word secret from our code. Is changing LAB_APP_CLIENT_SECRET to something else too hard?

Contributor Author
LAB_APP_CLIENT_SECRET Will this be reported next? I would only think it should be the value more than the variable name itself. We used to have this issue in the Labs, and we had to remove the word secret from our code.

That is a fair point, @gladjohn. We do not really know what CodeQL looks into. On the other hand, the two existing (false) alarms were specifically on the lines logging env_client_secret, not on the line of "LAB_APP_CLIENT_SECRET".

Is changing LAB_APP_CLIENT_SECRET to something else too hard?

It would require us to change more files (.env) spread across many machines that we are using, as well as changing the env var setup in our GitHub Actions. Let's do this variable name change first, and see whether it is good enough.

authority="https://login.microsoftonline.com/"
"72f988bf-86f1-41af-91ab-2d7cd011db47", # Microsoft tenant ID
timeout=None,
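Review bot: on the `env_name2="LAB_APP_CLIENT_SECRET", # A var name that hopefully avoids false alarm` line, the rename trades a descriptive parameter name for an opaque one, and the comment does not record which alert it works around, so a later cleanup could easily revert it. This parameter only names an environment variable and never holds the credential itself (the value is read by `os.getenv` further down), so a name that keeps that distinction visible, for example `env_client_secret_name`, would be clearer; at minimum the comment should cite the CodeQL alert being suppressed so the reason survives in the code.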
@@ -477,18 +477,17 @@ def get_lab_app(
logger.info(
"Reading ENV variables %s and %s for lab app defined at "
"https://docs.msidlab.com/accounts/confidentialclient.html",
env_client_id, env_client_secret)
if os.getenv(env_client_id) and os.getenv(env_client_secret):
env_client_id, env_name2)
if os.getenv(env_client_id) and os.getenv(env_name2):
# A shortcut mainly for running tests on developer's local development machine
# or it could be setup on Travis CI
# https://docs.travis-ci.com/user/environment-variables/#defining-variables-in-repository-settings
# Data came from here
# https://docs.msidlab.com/accounts/confidentialclient.html
client_id = os.getenv(env_client_id)
client_secret = os.getenv(env_client_secret)
client_secret = os.getenv(env_name2)
else:
logger.info("ENV variables %s and/or %s are not defined. Fall back to MSI.",
env_client_id, env_client_secret)
logger.info("ENV variables are not defined. Fall back to MSI.")
# See also https://microsoft.sharepoint-df.com/teams/MSIDLABSExtended/SitePages/Programmatically-accessing-LAB-API's.aspx
raise unittest.SkipTest("MSI-based mechanism has not been implemented yet")
return msal.ConfidentialClientApplication(
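Review bot: the two log sites in this hunk are now handled inconsistently: the first `logger.info` still emits both variable names via `env_name2`, while the fallback message was reduced to `"ENV variables are not defined. Fall back to MSI."`, which no longer tells whoever is setting up a machine which variables to define. Both calls log the environment variable name, not its value (the value only lands in `client_secret` and is never logged), so either keep the names in the fallback message as well, or, if the scanner flags any logging of that parameter, drop them from both calls and rely on the docs.msidlab.com page already referenced in the comments to list them.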