authorChangBo Guo(gcb) <eric.guo@easystack.cn>2017-12-07 13:47:29 +0800
committerChangBo Guo(gcb) <eric.guo@easystack.cn>2017-12-13 11:25:50 +0800
commit24156a438fa543e2753fe8a2e7b0e639c7227d21 (patch)
tree4afa4d2ec6dc82ddc361bbfde8772c8e83e6544f
parenta73ed854d3665ce6e26ea760354cb03577d4e992 (diff)
downloadoslo-rootwrap-24156a438fa543e2753fe8a2e7b0e639c7227d21.tar.gz
Add bandit to pep8 job
Add the bandit security scanner to the pep8 job. * convert assert statement to raise AssertionError * Don't hard code '/tmp' in test * skip B404 Change-Id: Ie30163d32dc6884667f0725f5aced809c0de82d0
-rw-r--r--oslo_rootwrap/client.py3
-rw-r--r--oslo_rootwrap/tests/test_rootwrap.py18
-rw-r--r--test-requirements.txt3
-rw-r--r--tox.ini7
4 files changed, 22 insertions, 9 deletions
diff --git a/oslo_rootwrap/client.py b/oslo_rootwrap/client.py
index ecf730f..ee64b74 100644
--- a/oslo_rootwrap/client.py
+++ b/oslo_rootwrap/client.py
@@ -116,7 +116,8 @@ class Client(object):
def _restart(self, proxy):
with self._mutex:
- assert self._initialized
+ if not self._initialized:
+ raise AssertionError("Client should be initialized.")
# Verify if someone has already restarted this.
if self._proxy is proxy:
self._finalize()
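Review bot: Nothing at the new check in `_restart` records why an explicit raise replaced the `assert`, so a later cleanup could turn it back into one. An `assert` is stripped when Python runs with `-O`, which is the reason bandit flags it (B101); the explicit raise keeps the precondition in optimized runs. A short comment above the `if` would capture that, e.g. `# Explicit raise instead of assert: must still hold under python -O (bandit B101)`. The method body continues outside this hunk.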
diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py
index 658fcb0..bca5cf9 100644
--- a/oslo_rootwrap/tests/test_rootwrap.py
+++ b/oslo_rootwrap/tests/test_rootwrap.py
@@ -15,6 +15,7 @@
import logging
import logging.handlers
import os
+import tempfile
import uuid
import fixtures
@@ -511,7 +512,8 @@ class PathFilterTestCase(testtools.TestCase):
def setUp(self):
super(PathFilterTestCase, self).setUp()
- tmpdir = fixtures.TempDir('/tmp')
+ self.tmp_root_dir = tempfile.mkdtemp()
+ tmpdir = fixtures.TempDir(self.tmp_root_dir)
self.useFixture(tmpdir)
self.f = filters.PathFilter('/bin/chown', 'root', 'nova', tmpdir.path)
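Review bot: The directory created by `tempfile.mkdtemp()` in `setUp` is never removed. `fixtures.TempDir(self.tmp_root_dir)` appears to clean up only the child directory it creates under that root, so each test in `PathFilterTestCase` leaves a directory behind on the build host. Making the root a fixture as well removes it at teardown: `self.tmp_root_dir = self.useFixture(fixtures.TempDir()).path`. Alternatively add `self.addCleanup(shutil.rmtree, self.tmp_root_dir, ignore_errors=True)`, which needs `import shutil`. `setUp` continues past this hunk; the later hunks that build paths from `self.tmp_root_dir` work unchanged with either form.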
@@ -519,7 +521,7 @@ class PathFilterTestCase(testtools.TestCase):
gen_name = lambda: str(uuid.uuid4())
self.SIMPLE_FILE_WITHIN_DIR = os.path.join(tmpdir.path, 'some')
- self.SIMPLE_FILE_OUTSIDE_DIR = os.path.join('/tmp', 'some')
+ self.SIMPLE_FILE_OUTSIDE_DIR = os.path.join(self.tmp_root_dir, 'some')
self.TRAVERSAL_WITHIN_DIR = os.path.join(tmpdir.path, 'a', '..',
'some')
self.TRAVERSAL_OUTSIDE_DIR = os.path.join(tmpdir.path, '..', 'some')
@@ -538,7 +540,8 @@ class PathFilterTestCase(testtools.TestCase):
os.symlink(os.path.join(tmpdir.path, 'a'), self.SYMLINK_WITHIN_DIR)
self.SYMLINK_OUTSIDE_DIR = os.path.join(tmpdir.path, gen_name())
- os.symlink(os.path.join('/tmp', 'some_file'), self.SYMLINK_OUTSIDE_DIR)
+ os.symlink(os.path.join(self.tmp_root_dir, 'some_file'),
+ self.SYMLINK_OUTSIDE_DIR)
def test_empty_args(self):
self.assertFalse(self.f.match([]))
@@ -551,12 +554,13 @@ class PathFilterTestCase(testtools.TestCase):
self.assertTrue(f.match(args))
def test_argument_equality_constraint(self):
- f = filters.PathFilter('/bin/chown', 'root', 'nova', '/tmp/spam/eggs')
+ temp_file_path = os.path.join(self.tmp_root_dir, 'spam/eggs')
+ f = filters.PathFilter('/bin/chown', 'root', 'nova', temp_file_path)
- args = ['chown', 'nova', '/tmp/spam/eggs']
+ args = ['chown', 'nova', temp_file_path]
self.assertTrue(f.match(args))
- args = ['chown', 'quantum', '/tmp/spam/eggs']
+ args = ['chown', 'quantum', temp_file_path]
self.assertFalse(f.match(args))
def test_wrong_arguments_number(self):
@@ -654,6 +658,6 @@ class DaemonCleanupTestCase(testtools.TestCase):
@mock.patch('multiprocessing.managers.BaseManager.get_server',
side_effect=DaemonCleanupException)
def test_daemon_no_cleanup_for_uninitialized_server(self, gs, mkd, *args):
- mkd.return_value = '/tmp/123'
+ mkd.return_value = '/just_dir/123'
self.assertRaises(DaemonCleanupException, daemon.daemon_start,
config=None, filters=None)
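Review bot: The new literal `'/just_dir/123'` in `test_daemon_no_cleanup_for_uninitialized_server` has no comment explaining it, and it reads as an arbitrary path. It seems to be there only to keep bandit's hardcoded-tmp check (B108) quiet, since `mkd` looks like a mocked `mkdtemp` and the path is presumably never created; the patch decorators that would confirm this are partly outside the hunk. A one-line comment would make the intent clear, e.g. `# mkdtemp is mocked; the value is never touched on disk, any non-/tmp literal works`.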
diff --git a/test-requirements.txt b/test-requirements.txt
index e8710fd..fc370e7 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -21,3 +21,6 @@ mock>=2.0.0 # BSD
eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
reno>=2.5.0 # Apache-2.0
+
+# Bandit security code scanner
+bandit>=1.1.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 51ce23c..94b3d6b 100644
--- a/tox.ini
+++ b/tox.ini
@@ -16,7 +16,12 @@ commands =
env TEST_EVENTLET=1 python setup.py testr --slowest --testr-args='tests.test_functional_eventlet'
[testenv:pep8]
-commands = flake8
+deps =
+ -r{toxinidir}/test-requirements.txt
+commands =
+ flake8
+ # Run security linter
+ bandit -r oslo_rootwrap tests -n5 --skip B404
[testenv:cover]
deps = {[testenv]deps}
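Review bot: The second target in `bandit -r oslo_rootwrap tests -n5 --skip B404` looks redundant or wrong. The tests changed by this commit live under `oslo_rootwrap/tests`, which `-r oslo_rootwrap` already covers, and no top-level `tests` directory is visible here. `bandit -r oslo_rootwrap -n5 --skip B404` would state what is actually scanned. Separately, the global `--skip B404` deserves a comment giving the reason, e.g. `# B404 (import subprocess) is inherent to rootwrap; the subprocess call checks stay enabled`, so the exclusion is not later widened without thought.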