Add bandit check to osh-infra

This change adds a non-voting bandit check to openstack-helm-infra similar to what is ran in the openstack-helm repo. This check will be made voting in a future change once the current failures are addressed. Similarly this check will be modified in a future change to only be ran when affected python files are changed. Change-Id: I177940f7b050fbe8882d298628c458bbd935ee89
2019-10-09 16:40:01 -05:00 · 2019-10-09 16:40:01 -05:00 · 30c66126ee
parent cd6f3442e9
commit 30c66126ee
4 changed files with 56 additions and 0 deletions
--- a/playbooks/osh-infra-bandit.yaml
+++ b/playbooks/osh-infra-bandit.yaml
@ -0,0 +1,28 @@
+- hosts: all
+  name: openstack-helm-infra-bandit
+  tasks:
+
+    - name: Install Required Packages and Setup Host
+      shell: |
+        set -xe;
+        ./tools/deployment/common/000-install-packages.sh
+        ./tools/deployment/common/005-deploy-k8s.sh
+        sudo -H pip install yq bandit
+      environment:
+        zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      args:
+        chdir: "{{ zuul.project.src_dir }}"
+
+    - name: Template out python files
+      shell: |
+        set -xe;
+        make all
+        mkdir -p python-files
+        ./tools/gate/template-python.sh
+      args:
+        chdir: "{{ zuul.project.src_dir }}"
+
+    - name: Run bandit against python files
+      shell: bandit -r ./python-files
+      args:
+        chdir: "{{ zuul.project.src_dir }}"
--- a/tools/gate/template-python.sh
+++ b/tools/gate/template-python.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+
+EXCLUDES="helm-toolkit doc tests tools logs tmp roles playbooks releasenotes zuul.d python-files"
+DIRS=`ls -d */ | cut -f1 -d'/'`
+
+for EX in $EXCLUDES; do
+  DIRS=`echo $DIRS | sed "s/\b$EX\b//g"`
+done
+
+for DIR in $DIRS; do
+  PYFILES=$(helm template $DIR | yq 'select(.data != null) | .data | to_entries | map(select(.key | test(".*\\.py"))) | select(length > 0) | values[] | {(.key) : (.value)}' | jq -s add)
+  PYKEYS=$(echo "$PYFILES" | jq -r 'select(. != null) | keys[]')
+  for KEY in $PYKEYS; do
+    echo "$PYFILES" | jq -r --arg KEY "$KEY" '.[$KEY]' > ./python-files/"$DIR-$KEY"
+  done
+done
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -30,6 +30,16 @@
    run: playbooks/zuul-linter.yaml
    nodeset: openstack-helm-single-node

+- job:
+    name: openstack-helm-infra-bandit
+    run: playbooks/osh-infra-bandit.yaml
+    nodeset: openstack-helm-single-node
+# Note(gagehugo): Uncomment this once it passes so that it only runs
+# when python related files are changed.
+#    files:
+#      - ^.*\.py\.tpl$
+#      - ^.*\.py$
+
 - job:
    name: openstack-helm-infra
    parent: openstack-helm-infra-functional
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@ -19,6 +19,8 @@
    check:
      jobs:
        - openstack-helm-lint
+        - openstack-helm-infra-bandit:
+            voting: false
        - openstack-helm-infra-aio-logging
        - openstack-helm-infra-aio-monitoring
        - openstack-helm-infra-federated-monitoring: