diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..ed28bfb
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release version of _python-sample-app_ is supported by security
+updates.
+
+| Version | Supported |
+| ---------------- | ------------------ |
+| Latest Release | :white_check_mark: |
+| Earlier Releases | :x: |
+
+## Reporting a Vulnerability
+
+If you find a vulnerability in _python-sample-app_, please report it as a security
+vulnerability on GitHub:
+
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index e4523a8..5eb87d6 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -111,12 +111,8 @@ spec:
 mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
 readOnly: true
 env:
- - name: IAM_CLIENT_ID
- value: {{ index .Values "clientId" | quote }}
- - name: IAM_CLIENT_SECRET
- value: {{ index .Values "clientSecret" | quote }}
- - name: IAM_BASE_URL
- value: {{ index .Values "iamBaseUrl" | quote }}
+ - name: EIC_HOST_URL
+ value: {{ index .Values "eicHostUrl" | quote }}
 - name: LOG_ENDPOINT
 value: {{ index .Values "logEndpoint" | quote }}
 - name: CA_CERT_FILE_PATH
diff --git a/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml b/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml
index 6dc9da5..913974b 100644
--- a/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml
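Review bot: The new `EIC_HOST_URL` entry renders `index .Values "eicHostUrl" | quote` with neither a default nor a `required` guard, so a release that forgets to set `eicHostUrl` installs cleanly with an empty value, and login.py (further down in this commit) then builds the token URL from that empty base instead of failing at deploy time. The `clientCredsMountPath` line just above shows the chart's `default` fallback pattern, but a URL has no sensible fallback, so fail fast instead: `value: {{ required "eicHostUrl must be set" (index .Values "eicHostUrl") | quote }}`. Removing `IAM_CLIENT_SECRET` from the plain env block is a welcome change; if `clientSecret`, `clientId` and `iamBaseUrl` are still declared in values.yaml or the chart's documented parameters (not visible here), they should be dropped too so operators do not keep supplying a secret that nothing reads.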
@@ -15,9 +15,6 @@ spec:
 app: eric-oss-hello-world-python-app
 ingress:
 - from:
- - podSelector:
- matchLabels:
- app: eric-eo-api-gateway
 - podSelector:
 matchLabels:
 app: eric-sef-exposure-api-gateway
diff --git a/eric-oss-hello-world-python-app/config.py b/eric-oss-hello-world-python-app/config.py
index 28266c4..39a7e9a 100644
--- a/eric-oss-hello-world-python-app/config.py
+++ b/eric-oss-hello-world-python-app/config.py
@@ -5,9 +5,7 @@ def get_config():
 """get env and return config with all env vals required"""
- iam_client_id = get_os_env_string("IAM_CLIENT_ID", "")
- iam_client_secret = get_os_env_string("IAM_CLIENT_SECRET", "")
- iam_base_url = get_os_env_string("IAM_BASE_URL", "")
+ eic_host_url = get_os_env_string("EIC_HOST_URL", "")
 ca_cert_file_name = get_os_env_string("CA_CERT_FILE_NAME", "")
 ca_cert_file_path = get_os_env_string("CA_CERT_FILE_PATH", "")
 log_ctrl_file = get_os_env_string("LOG_CTRL_FILE", "")
@@ -19,9 +17,7 @@ def get_config():
 client_id_file_name = get_os_env_string("CLIENT_ID_FILE_NAME", "")
 config = {
- "iam_client_id": iam_client_id,
- "iam_client_secret": iam_client_secret,
- "iam_base_url": iam_base_url,
+ "eic_host_url": eic_host_url,
 "ca_cert_file_name": ca_cert_file_name,
 "ca_cert_file_path": ca_cert_file_path,
 "log_ctrl_file": log_ctrl_file,
diff --git a/eric-oss-hello-world-python-app/login.py b/eric-oss-hello-world-python-app/login.py
index 9e100a7..4cbfe07 100644
--- a/eric-oss-hello-world-python-app/login.py
+++ b/eric-oss-hello-world-python-app/login.py
@@ -22,7 +22,7 @@ def login():
 """
 config = get_config()
 login_path = "/auth/realms/master/protocol/openid-connect/token"
- login_url = urljoin(config.get("iam_base_url"), login_path)
+ login_url = urljoin(config.get("eic_host_url"), login_path)
 headers = {"Content-Type": "application/x-www-form-urlencoded"}
 resp = tls_login(login_url, headers)
 resp = json.loads(resp.decode("utf-8"))
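Review bot: `login_url` is now built from `eic_host_url`, which config.py (earlier in this commit) defaults to `""` when `EIC_HOST_URL` is unset, so `urljoin("", login_path)` yields the bare path `/auth/realms/master/...` and the misconfiguration only surfaces as whatever `tls_login` does with a schemeless URL rather than as a clear error; a guard before the call makes it explicit and also refuses a plaintext base for a credential exchange: `if not login_url.startswith("https://"): raise ValueError("EIC_HOST_URL must be an https:// URL")`. Separately, because `login_path` is an absolute path, `urljoin` discards any path component of the base (`https://host/eic` becomes `https://host/auth/...`), so if the EIC host is ever served under a prefix this silently targets the wrong endpoint — the expected shape of `EIC_HOST_URL` (scheme plus host only) deserves a comment on the `login_path` line. The `login` function begins before this hunk.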
diff --git a/eric-oss-hello-world-python-app/tests/conftest.py b/eric-oss-hello-world-python-app/tests/conftest.py
index 28eb8fb..d0b60bb 100644
--- a/eric-oss-hello-world-python-app/tests/conftest.py
+++ b/eric-oss-hello-world-python-app/tests/conftest.py
@@ -31,24 +31,13 @@ def match_request_data(request):
 ]
 ]
 )
- uses_legacy = all(
- [
- parameter in request.text
- for parameter in [
- "grant_type=client_credentials",
- "tenant_id=master",
- "client_id=IAM_CLIENT_ID",
- "client_secret=IAM_CLIENT_SECRET",
- ]
- ]
- )
- return uses_x509 or uses_legacy
+ return uses_x509
 @pytest.fixture(name="mock_login_api")
 def fixture_mock_login_api(config):
 login_endpoint = urljoin(
- config.get("iam_base_url"), "/auth/realms/master/protocol/openid-connect/token"
+ config.get("eic_host_url"), "/auth/realms/master/protocol/openid-connect/token"
 )
 with requests_mock.Mocker() as request_mocker:
 request_mocker.post(
@@ -109,9 +98,7 @@ def no_log_certs():
 def populate_environment_variables():
- os.environ["IAM_CLIENT_ID"] = "IAM_CLIENT_ID"
- os.environ["IAM_CLIENT_SECRET"] = "IAM_CLIENT_SECRET"
- os.environ["IAM_BASE_URL"] = "https://www.iam-base-url.com"
+ os.environ["EIC_HOST_URL"] = "https://www.eic-host-url.com"
 os.environ["CA_CERT_FILE_NAME"] = "CA_CERT_FILE_NAME"
 os.environ["CA_CERT_FILE_PATH"] = "CA_CERT_MOUNT_PATH"
 os.environ["LOG_ENDPOINT"] = "LOG_ENDPOINT"
diff --git a/eric-oss-hello-world-python-app/tests/test_login.py b/eric-oss-hello-world-python-app/tests/test_login.py
index be0a91d..7f23bee 100644
--- a/eric-oss-hello-world-python-app/tests/test_login.py
+++ b/eric-oss-hello-world-python-app/tests/test_login.py
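Review bot: With the `uses_legacy` branch removed, `match_request_data` matches only the x509 request body, but nothing visible in this commit asserts the inverse, so a regression that reintroduces `client_id=`/`client_secret=` form fields would surface only as an unmatched-request error from requests_mock rather than as a named failure. A short negative test in test_login.py that posts a client-credentials body and expects the mocker's no-match exception (`requests_mock.exceptions.NoMockAddress`) would pin the intent that secret-based login is no longer supported. `match_request_data` starts before this hunk, so the `uses_x509` computation the remaining `return` depends on is only partly visible here.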
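Review bot: `https://www.eic-host-url.com` looks like a real, resolvable public domain; any test path that reaches `tls_login` without an active `requests_mock` would attempt a genuine TLS connection to a host the project does not control. Test fixtures should use a name reserved so it can never resolve, e.g. `os.environ["EIC_HOST_URL"] = "https://eic-host-url.example"` (RFC 2606 reserves `.example`, `.test` and `.invalid` for this purpose). `populate_environment_variables` appears to continue past the end of this hunk, since `LOG_CTRL_FILE` and `CLIENT_ID_FILE_NAME`, which config.py reads, are not set in the visible lines.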
@@ -15,7 +15,7 @@ def test_login_receives_token_x509(mock_login_api, config):
 def test_login_bad_credentials(requests_mock, config):
 """Ensure we get an error if credentials are bad"""
 login_url = urljoin(
- config.get("iam_base_url"), "/auth/realms/master/protocol/openid-connect/token"
+ config.get("eic_host_url"), "/auth/realms/master/protocol/openid-connect/token"
 )
 requests_mock.post(
 login_url, status_code=400, json={"error": "invalid_request"}