Pczajka debug ocsp jenkins #2395

Draft: wants to merge 2 commits into base: cherrypicks-to-aio-connector-part1 from pczajka-debug-ocsp-jenkins

Conversation

sfc-gh-pczajka (Contributor)

DO NOT MERGE - debug jenkins workflow

@sfc-gh-pczajka sfc-gh-pczajka added labels NO-CHANGELOG-UPDATES (This pull request does not need to update CHANGELOG.md), DO_NOT_PORT_CHANGES_TO_SP (Add this label when changes in this PR do not need to be ported to the SP connector) and DO NOT MERGE on Jul 8, 2025
@sfc-gh-pczajka sfc-gh-pczajka marked this pull request as draft July 8, 2025 12:25
@sfc-gh-pczajka sfc-gh-pczajka force-pushed the pczajka-debug-ocsp-jenkins branch 4 times, most recently from 821f5db to 8a3779d on July 9, 2025 11:12
@sfc-gh-pczajka sfc-gh-pczajka force-pushed the pczajka-debug-ocsp-jenkins branch from 8a3779d to 26e3805 on July 9, 2025 14:51
Comment on lines 338 to 398

```yaml
    name: Test asyncio ${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
    needs: build
    runs-on: ${{ matrix.os.image_name }}
    strategy:
      fail-fast: false
      matrix:
        os:
          - image_name: ubuntu-latest
            download_name: manylinux_x86_64
          - image_name: macos-latest
            download_name: macosx_x86_64
          - image_name: windows-latest
            download_name: win_amd64
        python-version: ["3.10", "3.11", "3.12"]
        cloud-provider: [aws, azure, gcp]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Display Python version
        run: python -c "import sys; print(sys.version)"
      - name: Setup parameters file
        shell: bash
        env:
          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
        run: |
          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
            .github/workflows/parameters/public/parameters_${{ matrix.cloud-provider }}.py.gpg > test/parameters.py
      - name: Download wheel(s)
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.os.download_name }}_py${{ matrix.python-version }}
          path: dist
      - name: Show wheels downloaded
        run: ls -lh dist
        shell: bash
      - name: Upgrade setuptools, pip and wheel
        run: python -m pip install -U setuptools pip wheel
      - name: Install tox
        # quoted so the shell does not read ">=4" as an output redirection
        run: python -m pip install "tox>=4"
      - name: Run tests
        run: python -m tox run -e aio
        env:
          PYTHON_VERSION: ${{ matrix.python-version }}
          cloud_provider: ${{ matrix.cloud-provider }}
          PYTEST_ADDOPTS: --color=yes --tb=short
          TOX_PARALLEL_NO_SPINNER: 1
        shell: bash
      - name: Combine coverages
        run: python -m tox run -e coverage --skip-missing-interpreters false
        shell: bash
      - uses: actions/upload-artifact@v4
        with:
          name: coverage_aio_${{ matrix.os.download_name }}-${{ matrix.python-version }}-${{ matrix.cloud-provider }}
          path: |
            .tox/.coverage
            .tox/coverage.xml

  test-unsupporeted-aio:
```

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 5 days ago)

To resolve this issue, explicit permissions should be added to the workflow file. Since the flagged job (test-aio) does not require elevated permissions other than reading contents and accessing artifacts, the permissions should be set to contents: read. This restricts the scope of the GITHUB_TOKEN and adheres to the principle of least privilege. The permissions block should be added to the root of the workflow file, as it applies to all jobs unless overridden.


Suggested changeset 1: .github/workflows/build_test.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -1,5 +1,9 @@
 name: Build and Test
 
+permissions:
+  contents: read
+  id-token: write
+
 on:
     push:
         branches:
EOF
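Review bot: the root-level `permissions:` block in this hunk grants `id-token: write` to every job in the workflow, while the explanation above says the flagged job only needs `contents: read`. `id-token: write` lets any job in the workflow request a GitHub OIDC token, so it belongs on the specific job that exchanges that token with a cloud provider, not at the workflow root; keep the root block at `contents: read` as the baseline and add a job-level `permissions:` with `id-token: write` only where it is needed.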
Comment on lines 148 to 151

```python
                {
                    k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
                    for (k, v) in body["data"].items()
                },
```
Check failure (Code scanning / CodeQL): Clear-text logging of sensitive information (High)

This expression logs sensitive data (password) as clear text. (Reported four times for this expression.)

Copilot Autofix (AI, 5 days ago)

To fix the detected issue, sensitive data such as passcode must be explicitly masked before being logged. The masking mechanism should ensure that even if the key exists in the whitelist, sensitive values like passcode are substituted with a placeholder (e.g., "******") when logged. This approach avoids accidental exposure of sensitive information in the logs.

Steps to implement:

  1. Modify the logging logic at line 148 to always mask sensitive values like passcode explicitly, regardless of the whitelist configuration.
  2. Update the masking logic to check specifically for sensitive keys (e.g., "PASSCODE") and replace their values with "******".
  3. Ensure that the fix is localized and does not impact the existing functionality of the authentication process.
Suggested changeset 1: src/snowflake/connector/aio/auth/_auth.py

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/src/snowflake/connector/aio/auth/_auth.py b/src/snowflake/connector/aio/auth/_auth.py
--- a/src/snowflake/connector/aio/auth/_auth.py
+++ b/src/snowflake/connector/aio/auth/_auth.py
@@ -146,7 +146,7 @@
         logger.debug(
             "body['data']: %s",
             {
-                k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
+                k: "******" if k in {"PASSCODE", "EXT_AUTHN_DUO_METHOD"} else v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
                 for (k, v) in body["data"].items()
             },
         )
EOF
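Review bot: the replacement line nests two conditional expressions and hardcodes a second key set inline, which is hard to read and duplicates the policy that AUTHENTICATION_REQUEST_KEY_WHITELIST already expresses. Easier to audit: either remove PASSCODE and EXT_AUTHN_DUO_METHOD from AUTHENTICATION_REQUEST_KEY_WHITELIST, or lift the inline set into a named module-level constant and check it first, e.g. `k: "******" if k in SENSITIVE_KEYS or k not in AUTHENTICATION_REQUEST_KEY_WHITELIST else v`. Note also that the membership test is case-sensitive as written, so confirm that the keys in body["data"] are always upper-case, or normalise with `k.upper()` before the check.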
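The masking approach Copilot describes above, carried one step further as an added example (not the connector's own code): a deny-list of secret keys is checked before AUTHENTICATION_REQUEST_KEY_WHITELIST and applied recursively, so a secret nested inside an allow-listed value is redacted too. The allow-list contents, SENSITIVE_KEYS and SAMPLE_BODY are constructed assumptions, not values from the project.

```python
from __future__ import annotations
from typing import Any, Mapping

MASK = "******"
# Constructed stand-in for the connector's allow-list (assumption); it deliberately
# contains PASSCODE, which is exactly the case CodeQL flags above.
AUTHENTICATION_REQUEST_KEY_WHITELIST = {
    "ACCOUNT_NAME", "LOGIN_NAME", "CLIENT_APP_ID", "CLIENT_APP_VERSION",
    "PASSCODE", "EXT_AUTHN_DUO_METHOD", "CLIENT_ENVIRONMENT",
}
# Keys redacted no matter what the allow-list says (constructed deny-list).
SENSITIVE_KEYS = {"PASSWORD", "PASSCODE", "TOKEN", "EXT_AUTHN_DUO_METHOD"}

def mask_allowlist_only(data: Mapping[str, Any]) -> dict[str, Any]:
    """The flagged expression: an allow-listed key is logged verbatim."""
    return {k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else MASK
            for k, v in data.items()}

def _redact_nested(value: Any) -> Any:
    """Within an allow-listed value, still redact deny-listed keys at any depth."""
    if isinstance(value, Mapping):
        return {k: MASK if k.upper() in SENSITIVE_KEYS else _redact_nested(v)
                for k, v in value.items()}
    return value

def mask_auth_data(data: Mapping[str, Any]) -> dict[str, Any]:
    """Hardened logic: the deny-list wins, then the allow-list gates the rest."""
    masked: dict[str, Any] = {}
    for k, v in data.items():
        if k.upper() in SENSITIVE_KEYS or k not in AUTHENTICATION_REQUEST_KEY_WHITELIST:
            masked[k] = MASK          # secret, or not explicitly allowed
        else:
            masked[k] = _redact_nested(v)
    return masked

# Constructed sample request body for the demonstration (not a real capture).
SAMPLE_BODY = {"data": {
    "ACCOUNT_NAME": "acme", "LOGIN_NAME": "alice", "PASSWORD": "hunter2",
    "PASSCODE": "123456", "AUTHENTICATOR": "USERNAME_PASSWORD_MFA",
    "CLIENT_ENVIRONMENT": {"APPLICATION": "PythonConnector", "TOKEN": "t0k"},
}}

if __name__ == "__main__":
    # Pass the hardened result to logger.debug("body['data']: %s", ...) instead of the raw dict.
    print("allow-list only:", mask_allowlist_only(SAMPLE_BODY["data"]))
    print("hardened       :", mask_auth_data(SAMPLE_BODY["data"]))
```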
@sfc-gh-pczajka sfc-gh-pczajka changed the base branch from main to cherrypicks-to-aio-connector-part1 July 9, 2025 14:54