From 9766f9b5d341ada240ac933bb789f017a06491ed Mon Sep 17 00:00:00 2001 From: Martin Raspaud Date: Tue, 23 Apr 2024 09:20:15 +0200 Subject: [PATCH] Forbid passing password in storage options --- src/pytroll_watchers/local_watcher.py | 4 +++- tests/test_local_watcher.py | 28 +++++++++++++++++++++++---- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/src/pytroll_watchers/local_watcher.py b/src/pytroll_watchers/local_watcher.py index 08876bd..b6de7f4 100644 --- a/src/pytroll_watchers/local_watcher.py +++ b/src/pytroll_watchers/local_watcher.py @@ -10,7 +10,7 @@ from upath import UPath from pytroll_watchers.backends.local import listen_to_local_events -from pytroll_watchers.publisher import file_publisher_from_generator, parse_metadata +from pytroll_watchers.publisher import SecurityError, file_publisher_from_generator, parse_metadata logger = logging.getLogger(__name__) @@ -25,6 +25,8 @@ def file_publisher(fs_config, publisher_config, message_config): with the file metadata, and passed directly to posttroll's Message constructor. """ logger.info(f"Starting watch on '{fs_config['directory']}'") + if "password" in fs_config.get("storage_options", []): + raise SecurityError("A password cannot be published safely.") generator = file_generator(**fs_config) return file_publisher_from_generator(generator, publisher_config, message_config) diff --git a/tests/test_local_watcher.py b/tests/test_local_watcher.py index 730b2d5..34accca 100644 --- a/tests/test_local_watcher.py +++ b/tests/test_local_watcher.py @@ -6,6 +6,7 @@ from posttroll.message import Message from posttroll.testing import patched_publisher from pytroll_watchers import local_watcher +from pytroll_watchers.publisher import SecurityError from pytroll_watchers.testing import patched_local_events # noqa 
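Review bot: The guard added to `file_publisher` matches only the literal key `password`, so other credential-bearing storage options (fsspec backends also accept names such as `secret`, `token` or `passphrase`) would still pass and presumably be published with the message. Consider testing the keys case-insensitively against a small set of sensitive names, for example `if SENSITIVE_KEYS & {k.lower() for k in storage_options}:`, where `SENSITIVE_KEYS` is a new constant. The check may also belong in the shared publisher code next to `SecurityError`, so that every watcher gets it; whether the other watchers have an equivalent check is not visible in this diff. Separately, the `[]` default does not cover an explicit `storage_options=None`, which would raise `TypeError` at the membership test; `fs_config.get("storage_options") or {}` handles both cases. The body of `file_publisher` starts outside the hunk.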
@@ -34,13 +35,13 @@ def test_watchdog_generator_with_protocol(tmp_path, patched_local_events): # no protocol = "ssh" storage_options = {"parameter": "value", - "host": "somehost.pytroll.org"} + "host": "somehost.pytroll.org"} generator = local_watcher.file_generator(tmp_path, - file_pattern=fname_pattern, - protocol=protocol, - storage_options=storage_options) + file_pattern=fname_pattern, + protocol=protocol, + storage_options=storage_options) path, metadata = next(generator) assert path.as_uri().startswith("ssh://") @@ -97,3 +98,22 @@ def test_publish_paths(tmp_path, patched_local_events, caplog): # noqa assert message.data["sensor"] == "viirs" assert "fs" not in message.data assert f"Starting watch on '{local_settings['directory']}'" in caplog.text + + +def test_publish_paths_forbids_passing_password(tmp_path, patched_local_events, caplog): # noqa + """Test publishing paths.""" + filename = os.fspath(tmp_path / "foo.txt") + password = "very strong" # noqa + + local_settings = dict(directory=tmp_path, protocol="ssh", + storage_options=dict(host="myhost.pytroll.org", username="user", password=password)) + publisher_settings = dict(nameservers=False, port=1979) + message_settings = dict(subject="/segment/viirs/l1b/", atype="file", data=dict(sensor="viirs")) + + caplog.set_level("INFO") + with patched_local_events([filename]): + with patched_publisher(): + with pytest.raises(SecurityError): + local_watcher.file_publisher(fs_config=local_settings, + publisher_config=publisher_settings, + message_config=message_settings)
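Review bot: `test_publish_paths_forbids_passing_password` only checks that `SecurityError` is raised, not that nothing reached the publisher before the error. Assuming `patched_publisher` yields the sent messages, binding it with `with patched_publisher() as messages:` and adding `assert not messages` after the `pytest.raises` block would pin the property this commit is about. The docstring `"""Test publishing paths."""` is copied from the previous test; `"""Test that a password in storage_options is refused."""` would describe this one. The `caplog` fixture and `caplog.set_level("INFO")` are unused here and can be dropped.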