Fix problems reported by Bandit

conf/settings.py.example

@@ -1,5 +1,5 @@
 # Copy this file to `conf/settings.py` to put it into effect. It overrides the values defined
 # in `greenwave/config.py`.
-SECRET_KEY = 'replace-me-with-something-random'
-HOST = '0.0.0.0'
+SECRET_KEY = 'replace-me-with-something-random'  # nosec
+HOST = '127.0.0.1'
 PORT = 5005

docker/greenwave-settings.py

@@ -1,5 +1,5 @@
 SECRET_KEY = 'greenwave'
-HOST = '0.0.0.0'
+HOST = '127.0.0.1'
 PORT = 8080
 DEBUG = True
 POLICIES_DIR = '/etc/greenwave/policies/'

docker/waiverdb-settings.py

@@ -5,7 +5,7 @@
 if os.getenv('TEST') == 'true':
     DATABASE_URI += '_test'
 
-HOST = '0.0.0.0'
+HOST = '127.0.0.1'
 PORT = 5004
 #AUTH_METHOD = 'OIDC'
 AUTH_METHOD = 'dummy'

greenwave/api_v1.py

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0+
 
 import logging
-import random
 from flask import Blueprint, request, current_app, jsonify, url_for, redirect, Response
 from werkzeug.exceptions import BadRequest
 from prometheus_client import generate_latest
@@ -430,38 +429,3 @@ def validate_gating_yaml_post():
 @api.route('/metrics', methods=['GET'])
 def metrics():
     return Response(generate_latest(registry))
-
-
-@api.route('/life-decision', methods=['GET'])
-@jsonp
-def life_decision():
-    # Ask a question and Greenwave gives you an advice for your
-    # life decisions.
-    data = request.args
-    if not data or not data.get('question'):
-        return 'You need to ask me a question. Use the "question" parameter to ask me something'
-    RESPONSES = [
-        'If you take a step on every stone you find, you\'ll never arrive in Rome.',
-        'Keep on doing what you do with passion, and you\'ll never regret it.',
-        'Look inside yourself and you\'ll find the answer that you are looking for.',
-        'A smile will gain you ten more years of life.',
-        'A bird does not sing because it has an answer. It sings because it has a song.',
-        'Be not afraid of growing slowly, be afraid only of standing still.',
-        'Patience is a bitter plant, but its fruit is sweet.',
-        'Whatever you\'ll decide to do, is going to be a success if it is your own decision.',
-        'Never regret your own decision, better to follow your heart, than follow a fool.',
-        'I see great things in your future.',
-        'Why are you asking me, if you already know the answer?',
-        'I know you already know the answer.',
-        'Whatever will happen, face it with a smile.',
-        'I will always be here, ready to reply when you\'ll need me.',
-        'Good things will happen to you.',
-        'If you fail, try again.',
-        'I don\'t understand this questions.',
-        'That\'s a good question. Are you really sure you should ask it to me?.',
-        'If you want to find out about the road ahead, then ask about it from those coming back.',
-        'Small people think they are small, great people never know they are great.',
-        'If you are patient in one moment of anger, you will escape a hundred days of sorrow.',
-        'Ask Jan Kaluza, he will know it.',
-    ]
-    return random.choice(RESPONSES)

greenwave/app_factory.py

@@ -21,7 +21,7 @@ def create_app(config_obj=None):
     app = Flask(__name__)
 
     app.config.update(load_config(config_obj))
-    if app.config['PRODUCTION'] and app.secret_key == 'replace-me-with-something-random':
+    if app.config['PRODUCTION'] and app.secret_key == 'replace-me-with-something-random':  # nosec
         raise Warning("You need to change the app.secret_key value for production")
 
     logging_config = app.config.get('LOGGING')

greenwave/config.py

@@ -14,10 +14,10 @@ class Config(object):
     DEBUG = True
     # We configure logging explicitly, turn off the Flask-supplied log handler.
     LOGGER_HANDLER_POLICY = 'never'
-    HOST = '0.0.0.0'
+    HOST = '127.0.0.1'
     PORT = 5005
     PRODUCTION = False
-    SECRET_KEY = 'replace-me-with-something-random'
+    SECRET_KEY = 'replace-me-with-something-random'  # nosec
 
     RESULTSDB_API_URL = 'https://taskotron.fedoraproject.org/resultsdb_api/api/v2.0'
     WAIVERDB_API_URL = 'https://waiverdb.fedoraproject.org/api/v1.0'

greenwave/policies.py

@@ -450,7 +450,7 @@ def _summarize_answers_without_errored(answers):
     if all(answer.is_satisfied for answer in answers):
         return 'All required tests passed'
 
-    assert False, 'Unexpected unsatisfied result'
+    logging.error('Unexpected unsatisfied result')
     return 'inexplicable result'
 
 

greenwave/tests/test_api_v1.py

@@ -223,15 +223,6 @@ def test_make_decision_with_missing_required_gating_yaml(mock_results, mock_waiv
             mock_waivers.assert_called_once()
 
 
-def test_life_decision(client):
-    data = {
-        'question': 'Where am I going to be in 5 years?'
-    }
-    response = client.get('/api/v1.0/life-decision', json=data)
-    assert response.status_code == 200
-    assert type(response.data.decode("utf-8")) == str
-
-
 def test_subject_types(client):
     response = client.get('/api/v1.0/subject_types')
     assert response.status_code == 200

greenwave/utils.py

@@ -133,7 +133,7 @@ def sha1_mangle_key(key):
     Python 3 with str keys (which must be encoded to bytes before passing them
     to hashlib.sha1()).
     """
-    return hashlib.sha1(key.encode('utf-8')).hexdigest()
+    return hashlib.sha1(key.encode('utf-8')).hexdigest()  # nosec
 
 
 def add_to_timestamp(timestamp, **kwargs):

tox.ini

@@ -22,7 +22,9 @@ skip_install = true
 deps =
     bandit
 commands =
-    bandit -r greenwave
+    bandit \
+        --exclude functional-tests,greenwave/tests \
+        --recursive greenwave
 
 [testenv:docs]
 changedir = docs