From 1e44016a420dfa6ea75a55127e36aff77986f017 Mon Sep 17 00:00:00 2001 From: Christophe Haen Date: Sun, 24 Mar 2024 06:59:20 +0100 Subject: [PATCH] Introduce Bandit security check --- .github/workflows/make_release.py | 2 ++ README.md | 1 + diracx-cli/src/diracx/cli/__init__.py | 3 ++- diracx-routers/src/diracx/routers/auth/utils.py | 2 +- pyproject.toml | 13 ++++++++++++- 5 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/make_release.py b/.github/workflows/make_release.py index 9ebb58d12..9e8517daf 100755 --- a/.github/workflows/make_release.py +++ b/.github/workflows/make_release.py @@ -29,6 +29,7 @@ def make_release(version, commit_hash, release_notes=""): "prerelease": Version(version).is_prerelease, }, headers=headers, + timeout=60, ) r.raise_for_status() release_data = r.json() @@ -41,6 +42,7 @@ def make_release(version, commit_hash, release_notes=""): "draft": False, }, headers=headers, + timeout=60, ) r.raise_for_status() release_data = r.json() diff --git a/README.md b/README.md index dec413424..058450cfd 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ ![DiracX tests](https://github.com/DIRACGrid/diracx/actions/workflows/main.yml/badge.svg?branch=main) ![Legacy tests](https://github.com/DIRACGrid/diracx/actions/workflows/integration.yml/badge.svg?branch=main) +![security: bandit](https://github.com/DIRACGrid/diracx/actions/workflows/main.yml/badge.svg?branch=main) # DiracX Prototype diff --git a/diracx-cli/src/diracx/cli/__init__.py b/diracx-cli/src/diracx/cli/__init__.py index 09c335d38..ed76821c5 100644 --- a/diracx-cli/src/diracx/cli/__init__.py +++ b/diracx-cli/src/diracx/cli/__init__.py @@ -99,7 +99,8 @@ async def logout(): # Revoke refresh token try: await api.auth.revoke_refresh_token(credentials["refresh_token"]) - except Exception: + except Exception as e: + print(f"Error revoking the refresh token {e!r}") pass # Remove credentials 
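Review bot: The new `timeout=60` is a bare literal repeated in both `requests` calls of `make_release` (this hunk and the one at line 42); a module-level `REQUEST_TIMEOUT = 60` passed as `timeout=REQUEST_TIMEOUT` keeps the two in sync and gives the unit a name. A single number applies to both the connect and the read phase, so a `(connect, read)` tuple such as `timeout=(10, 60)` would fail fast on an unreachable GitHub endpoint while still tolerating a slow response. The body of `make_release` starts before and continues after this hunk.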
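Review bot: The added `print` in the `except` block of `logout` writes to stdout and leaves the now-redundant `pass` in place; since the credentials file is removed regardless, the user should be told that the refresh token may still be valid on the server, and on stderr so it does not mix with normal CLI output: `print(f"Warning: could not revoke the refresh token ({e!r}); it may remain valid server-side until it expires", file=sys.stderr)` with the `pass` dropped. Whether `sys` is already imported in this module is not visible in the hunk. `{e!r}` reproduces the full client exception; if that can include a response body carrying the token or other sensitive data, print only `type(e).__name__` and the message instead. `logout` begins before this hunk.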
diff --git a/diracx-routers/src/diracx/routers/auth/utils.py b/diracx-routers/src/diracx/routers/auth/utils.py index 87cb0d6a2..758c8bd71 100644 --- a/diracx-routers/src/diracx/routers/auth/utils.py +++ b/diracx-routers/src/diracx/routers/auth/utils.py @@ -73,7 +73,7 @@ class GrantType(StrEnum): authorization_code = "authorization_code" device_code = "urn:ietf:params:oauth:grant-type:device_code" - refresh_token = "refresh_token" + refresh_token = "refresh_token" # noqa: S105 # False positif of Bandit about hard coded password class ScopeInfoDict(TypedDict): diff --git a/pyproject.toml b/pyproject.toml index d2880347c..85fa81e42 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -44,12 +44,23 @@ select = [ # "UP", # pyUpgrade "FLY", # flynt "DTZ", # flake8-datetimez + "S", # flake8-bandit ] -ignore = ["B905", "B008", "B006"] +ignore = ["B905", + "B008", + "B006", + "S101", # bandit: use of assert https://docs.astral.sh/ruff/rules/assert/ + ] line-length = 120 src = ["diracx-*/src", "diracx-*/tests"] exclude = ["diracx-client/src/diracx/client/"] + +[tool.ruff.lint.per-file-ignores] +# Ignore Bandit security checks in the test directories +"diracx-testing/*" = ["S"] +"diracx-*/tests/*" = ["S"] + [tool.isort] profile = "black"
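Review bot: The trailing comment on the new `refresh_token` line has a typo ("positif") and does not say why the finding is a false positive; the value is the OAuth 2.0 grant-type identifier sent in the `grant_type` request parameter, not a credential. Suggested: `refresh_token = "refresh_token"  # noqa: S105 - grant_type identifier, not a secret (Bandit false positive)`. The `GrantType` class header is outside the hunk.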
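Review bot: `S101` is added to the global `ignore` list, but the new `[tool.ruff.lint.per-file-ignores]` already disables every `S` rule under `diracx-testing/*` and `diracx-*/tests/*`, so the global entry only silences `assert` in production code, which is where an `assert` used for input validation is stripped under `python -O`. Unless asserts in the packages are limited to type narrowing, drop `"S101"` from `ignore` and let the per-file entries cover the tests. `exclude` still skips `diracx-client/src/diracx/client/` from all rules, so the generated client gets no Bandit coverage; if that is intended, a comment next to `exclude` saying so would help. The table holding `select`/`ignore` is outside the hunk; if it is `[tool.ruff]` rather than `[tool.ruff.lint]`, recent ruff releases warn about mixing the two layouts.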