ericsson-iap · don2112e · Nov 21, 2025 · Oct 21, 2025 · Oct 31, 2025 · Oct 31, 2025
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release version of _python-sample-app_ is supported by security
+updates.
+
+| Version          | Supported          |
+| ---------------- | ------------------ |
+| Latest Release   | :white_check_mark: |
+| Earlier Releases | :x:                |
+
+## Reporting a Vulnerability
+
+If you find a vulnerability in _python-sample-app_, please report it as a security
+vulnerability on GitHub:
+<https://github.com/ericsson-iap/python-sample-app/security/advisories/new>
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -111,12 +111,8 @@ spec:
               mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
               readOnly: true
           env:
-            - name: IAM_CLIENT_ID
-              value: {{ index .Values "clientId" | quote }}
-            - name: IAM_CLIENT_SECRET
-              value: {{ index .Values "clientSecret" | quote }}
-            - name: IAM_BASE_URL
-              value: {{ index .Values "iamBaseUrl" | quote }}
+            - name: EIC_HOST_URL
+              value: {{ index .Values "eicHostUrl" | quote }}
             - name: LOG_ENDPOINT
               value: {{ index .Values "logEndpoint" | quote }}
             - name: CA_CERT_FILE_PATH

diff --git a/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml b/charts/eric-oss-hello-world-python-app/templates/network-policy/network-policy.yaml
@@ -15,9 +15,6 @@ spec:
       app: eric-oss-hello-world-python-app
   ingress:
   - from:
-    - podSelector:
-        matchLabels:
-          app: eric-eo-api-gateway
     - podSelector:
         matchLabels:
           app: eric-sef-exposure-api-gateway

diff --git a/eric-oss-hello-world-python-app/config.py b/eric-oss-hello-world-python-app/config.py
@@ -5,9 +5,7 @@
 
 def get_config():
     """get env and return config with all env vals required"""
-    iam_client_id = get_os_env_string("IAM_CLIENT_ID", "")
-    iam_client_secret = get_os_env_string("IAM_CLIENT_SECRET", "")
-    iam_base_url = get_os_env_string("IAM_BASE_URL", "")
+    eic_host_url = get_os_env_string("EIC_HOST_URL", "")
     ca_cert_file_name = get_os_env_string("CA_CERT_FILE_NAME", "")
     ca_cert_file_path = get_os_env_string("CA_CERT_FILE_PATH", "")
     log_ctrl_file = get_os_env_string("LOG_CTRL_FILE", "")
@@ -19,9 +17,7 @@ def get_config():
     client_id_file_name = get_os_env_string("CLIENT_ID_FILE_NAME", "")
 
     config = {
-        "iam_client_id": iam_client_id,
-        "iam_client_secret": iam_client_secret,
-        "iam_base_url": iam_base_url,
+        "eic_host_url": eic_host_url,
         "ca_cert_file_name": ca_cert_file_name,
         "ca_cert_file_path": ca_cert_file_path,
         "log_ctrl_file": log_ctrl_file,

diff --git a/eric-oss-hello-world-python-app/login.py b/eric-oss-hello-world-python-app/login.py
@@ -22,7 +22,7 @@ def login():
     """
     config = get_config()
     login_path = "/auth/realms/master/protocol/openid-connect/token"
-    login_url = urljoin(config.get("iam_base_url"), login_path)
+    login_url = urljoin(config.get("eic_host_url"), login_path)
     headers = {"Content-Type": "application/x-www-form-urlencoded"}
     resp = tls_login(login_url, headers)
     resp = json.loads(resp.decode("utf-8"))

diff --git a/eric-oss-hello-world-python-app/tests/conftest.py b/eric-oss-hello-world-python-app/tests/conftest.py
@@ -31,24 +31,13 @@ def match_request_data(request):
             ]
         ]
     )
-    uses_legacy = all(
-        [
-            parameter in request.text
-            for parameter in [
-                "grant_type=client_credentials",
-                "tenant_id=master",
-                "client_id=IAM_CLIENT_ID",
-                "client_secret=IAM_CLIENT_SECRET",
-            ]
-        ]
-    )
-    return uses_x509 or uses_legacy
+    return uses_x509
 
 
 @pytest.fixture(name="mock_login_api")
 def fixture_mock_login_api(config):
     login_endpoint = urljoin(
-        config.get("iam_base_url"), "/auth/realms/master/protocol/openid-connect/token"
+        config.get("eic_host_url"), "/auth/realms/master/protocol/openid-connect/token"
     )
     with requests_mock.Mocker() as request_mocker:
         request_mocker.post(
@@ -109,9 +98,7 @@ def no_log_certs():
 
 
 def populate_environment_variables():
-    os.environ["IAM_CLIENT_ID"] = "IAM_CLIENT_ID"
-    os.environ["IAM_CLIENT_SECRET"] = "IAM_CLIENT_SECRET"
-    os.environ["IAM_BASE_URL"] = "https://www.iam-base-url.com"
+    os.environ["EIC_HOST_URL"] = "https://www.eic-host-url.com"
     os.environ["CA_CERT_FILE_NAME"] = "CA_CERT_FILE_NAME"
     os.environ["CA_CERT_FILE_PATH"] = "CA_CERT_MOUNT_PATH"
     os.environ["LOG_ENDPOINT"] = "LOG_ENDPOINT"

diff --git a/eric-oss-hello-world-python-app/tests/test_login.py b/eric-oss-hello-world-python-app/tests/test_login.py
@@ -15,7 +15,7 @@ def test_login_receives_token_x509(mock_login_api, config):
 def test_login_bad_credentials(requests_mock, config):
     """Ensure we get an error if credentials are bad"""
     login_url = urljoin(
-        config.get("iam_base_url"), "/auth/realms/master/protocol/openid-connect/token"
+        config.get("eic_host_url"), "/auth/realms/master/protocol/openid-connect/token"
     )
     requests_mock.post(
         login_url, status_code=400, json={"error": "invalid_request"}