Report portal ci#554

Closed

sshmulev wants to merge 6 commits into osbuild:main from sshmulev:report_portal_ci

Conversation

@sshmulev sshmulev commented Jun 1, 2026

No description provided.

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • In get_instances_oci, values['source_details'][0]['source_id'] assumes source_details is a list, but OCIConfigBuilder defines it as a dict; consider accessing source_details defensively (supporting both shapes or aligning them) to avoid runtime key/index errors.
  • The heuristic in get_oci_username_by_instance_name (sanitized in tf_resource_name) can match multiple instances when names share substrings; consider using an exact or anchored match (e.g., full resource name or a clearer naming convention) to avoid returning the wrong username.
  • In ci/rp_merge.py all HTTP calls use verify=False, which disables TLS verification globally; consider making TLS verification configurable via a CLI flag or environment variable so production runs can keep certificate checks enabled.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `get_instances_oci`, `values['source_details'][0]['source_id']` assumes `source_details` is a list, but `OCIConfigBuilder` defines it as a dict; consider accessing `source_details` defensively (supporting both shapes or aligning them) to avoid runtime key/index errors.
- The heuristic in `get_oci_username_by_instance_name` (`sanitized in tf_resource_name`) can match multiple instances when names share substrings; consider using an exact or anchored match (e.g., full resource name or a clearer naming convention) to avoid returning the wrong username.
- In `ci/rp_merge.py` all HTTP calls use `verify=False`, which disables TLS verification globally; consider making TLS verification configurable via a CLI flag or environment variable so production runs can keep certificate checks enabled.

## Individual Comments

### Comment 1
<location path="ci/rp_merge.py" line_range="60" />
<code_context>
+    url = f"{rp_url}/api/v1/{project}/launch"
+    params = {"filter.has.attributeValue": group_token, "page.size": 50}
+    try:
+        resp = requests.get(url, headers=headers, params=params, verify=False, timeout=30)
+        resp.raise_for_status()
+        return resp.json().get("content", [])
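Review bot: `verify=False` on this `requests.get` turns off certificate validation for the ReportPortal connection, so whatever credentials `headers` carries are sent to anything that answers at `rp_url`; pass a `verify` value resolved from a CLI flag or environment variable (True by default, or a CA bundle path for a private CA) instead of the literal. Separately, the call asks for `page.size` 50 and returns only `resp.json().get("content", [])`, so when more launches carry `group_token` than fit on one page the remainder is silently dropped; iterate over `page.number` or at least check the reply's page metadata before returning.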
</code_context>
<issue_to_address>
**🚨 issue (security):** Unconditional `verify=False` on HTTP requests weakens TLS security and should be controllable.

This call (and others in the script) hardcodes `verify=False` and suppresses `InsecureRequestWarning`, fully disabling TLS verification. Please make verification configurable (e.g., a `--insecure` flag or env var) with a secure default (`verify=True`), and consider supporting a custom CA bundle instead of always skipping verification.
</issue_to_address>

### Comment 2
<location path="test_suite/cloud/test_oci.py" line_range="6-13" />
<code_context>
+import pytest
+
+
+@pytest.fixture
+def instance_data_oci_web(host):
+    """
+    Fetch instance metadata from OCI IMDS (Instance Metadata Service).
+    """
+    oci_metadata_url = 'http://169.254.169.254/opc/v2/instance/'
+    command_to_run = f'curl -s -H "Authorization: Bearer Oracle" "{oci_metadata_url}"'
+    return json.loads(host.check_output(command_to_run))
+
+
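Review bot: the `curl -s` invocation has neither `--max-time` nor `--fail`, so an unreachable IMDS stalls the whole test session and an HTTP error body is handed straight to `json.loads`, which then fails with an unrelated decode error; use `curl -sf --max-time 2 ...`, catch the exception from `host.check_output` / `json.loads`, and `pytest.skip` with the reason. The fixture is also function-scoped by default, so every dependent test re-queries 169.254.169.254; `scope="module"` would fetch the metadata once per test module.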
</code_context>
<issue_to_address>
**suggestion (testing):** Make the OCI metadata fixture more resilient to temporary IMDS failures or malformed responses

This fixture currently assumes `curl` always succeeds and returns valid JSON, so any transient IMDS issue (network/rate limiting/partial response) will hard-fail all dependent tests.

Please consider:
- Wrapping `host.check_output` / `json.loads` in try/except and using `pytest.skip` or `xfail` with a clear message when IMDS is unreachable or returns bad JSON.
- Adding a short timeout to curl (e.g. `curl -s --max-time 2 ...`) to avoid a hung IMDS call blocking the test run.

That way, these tests stay focused on configuration validation instead of being fragile to infra noise.
</issue_to_address>

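A configurable-verification form of the launch lookup, added here as an example and not code from the PR or from osbuild: `resolve_verify` and `parse_tls_args` (with assumed `RP_INSECURE` / `RP_CA_BUNDLE` env names) keep `verify=True` unless a CA bundle or an explicit `--insecure` is given, and `get_launches` also follows `page.number` so more than 50 matching launches are not silently dropped. It assumes ReportPortal's paged reply shape and uses a constructed fake session so it runs offline.

```python
import argparse
import os
import warnings

def resolve_verify(insecure, ca_bundle=None):
    """Map settings onto requests' verify=: True (system CA store) by
    default, a CA bundle path for a private CA, False only on --insecure."""
    if insecure:
        warnings.warn("TLS certificate verification disabled by --insecure")
        return False
    if ca_bundle:
        if not os.path.isfile(ca_bundle):
            raise FileNotFoundError(f"CA bundle not found: {ca_bundle}")
        return ca_bundle
    return True

def parse_tls_args(argv):
    # RP_INSECURE / RP_CA_BUNDLE are assumed env names; the flags take precedence.
    p = argparse.ArgumentParser(description="merge ReportPortal launches")
    p.add_argument("--insecure", action="store_true",
                   default=os.environ.get("RP_INSECURE") == "1")
    p.add_argument("--ca-bundle", default=os.environ.get("RP_CA_BUNDLE"))
    args = p.parse_args(argv)
    return resolve_verify(args.insecure, args.ca_bundle)

def get_launches(session, rp_url, project, headers, group_token, verify):
    """Collect every launch tagged with group_token by walking page.number.
    Assumes ReportPortal's paged reply: {"content": [...], "page": {"totalPages": N}}."""
    url = f"{rp_url}/api/v1/{project}/launch"
    launches, page = [], 1
    while True:
        params = {"filter.has.attributeValue": group_token,
                  "page.size": 50, "page.number": page}
        resp = session.get(url, headers=headers, params=params,
                           verify=verify, timeout=30)
        resp.raise_for_status()
        body = resp.json()
        launches.extend(body.get("content", []))
        if page >= body.get("page", {}).get("totalPages", 1):
            return launches
        page += 1

def fake_session(pages, seen):
    """Constructed offline stand-in for requests.Session: pages maps page.number to a body, seen logs verify."""
    def get(self, url, headers, params, verify, timeout):
        seen.append(verify)
        body = pages[params["page.number"]]
        return type("Resp", (), {"raise_for_status": lambda s: None,
                                 "json": lambda s: body})()
    return type("Session", (), {"get": get})()
```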

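A more resilient form of the IMDS fixture, added here as an example and not the PR's code: `fetch_oci_metadata` bounds the curl call with `--max-time`, turns HTTP errors into a non-zero exit with `--fail`, and returns a reason instead of raising, so the module-scoped fixture can `pytest.skip`. `FakeHost` is a constructed stand-in for testinfra's `host` fixture so the helper can be exercised offline.

```python
import json

import pytest

OCI_IMDS_URL = "http://169.254.169.254/opc/v2/instance/"

def fetch_oci_metadata(host, max_time=2):
    """Query IMDS v2 once; return (metadata, None) or (None, reason) on failure.

    --fail makes HTTP errors a non-zero exit instead of an HTML body that
    json.loads would choke on; --max-time bounds a hung call."""
    cmd = (f'curl --silent --fail --max-time {max_time} '
           f'-H "Authorization: Bearer Oracle" "{OCI_IMDS_URL}"')
    try:
        raw = host.check_output(cmd)
    except Exception as exc:  # testinfra raises on a non-zero exit status
        return None, f"curl failed: {exc}"
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, f"IMDS returned non-JSON: {exc}"
    if not isinstance(data, dict) or "id" not in data:
        return None, "IMDS JSON lacks the instance 'id' field"
    return data, None

@pytest.fixture(scope="module")
def instance_data_oci_web(host):
    """Module-scoped so metadata is fetched once; skips instead of erroring."""
    data, reason = fetch_oci_metadata(host)
    if data is None:
        pytest.skip(f"OCI IMDS unavailable: {reason}")
    return data

class FakeHost:
    """Constructed stand-in for the testinfra host fixture: canned output or failure."""
    def __init__(self, output=None, fail=False):
        self.output, self.fail = output, fail
    def check_output(self, command):
        if self.fail:
            raise RuntimeError("curl exit status 28 (timeout)")  # constructed failure
        return self.output
```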
@sshmulev sshmulev closed this Jun 1, 2026