Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scrub secret vars #9733

Merged
merged 1 commit into from
Apr 16, 2024
Merged

Scrub secret vars #9733

merged 1 commit into from
Apr 16, 2024
+122 −5

Conversation

nielspardon
Copy link
Contributor

resolves #7247

Problem

Currently, dbt only supports secret env variables and only scrubs the values of those secret env variables from log messages. Secret variables being provided via the --vars flag are not being scrubbed and the plaintext values appear in a couple of places.

Solution

With this PR secret variables being provided via the --vars flag are also scrubbed just like env variables reusing the same prefix as for env variables.

  • Scrubs secret vars in RequiredVarNotFoundError
  • Scrubs secret vars in StateCheckVarsHash event
  • Scrubs secret vars in run results

Checklist

  • I have read the contributing guide and understand what's expected of me
  • I have run this code in development and it appears to resolve the stated issue
  • This PR includes tests, or tests are not required/relevant for this PR
  • This PR has no interface changes (e.g. macros, cli, logs, json artifacts, config files, adapter interface, etc) or this PR has already received feedback and approval from Product or DX
  • This PR includes type annotations for new and modified functions

@nielspardon nielspardon requested a review from a team as a code owner March 7, 2024 14:42
@cla-bot cla-bot bot added the cla:yes label Mar 7, 2024
@codecov Codecov
Copy link

codecov bot commented Mar 7, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.11%. Comparing base (ee74a60) to head (457fd68).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9733      +/-   ##
==========================================
+ Coverage   88.09%   88.11%   +0.01%     
==========================================
  Files         180      180              
  Lines       22546    22557      +11     
==========================================
+ Hits        19863    19877      +14     
+ Misses       2683     2680       -3
Flag Coverage Δ
integration 85.42% <100.00%> (+0.02%) ⬆️
unit 62.04% <61.53%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nielspardon nielspardon force-pushed the par-scrub-args branch 2 times, most recently from bea03f4 to 638fbdb Compare March 7, 2024 17:00
@dbeatty10 dbeatty10 added the community This PR is from a community member label Mar 22, 2024
@nielspardon
Copy link
Contributor Author

@dbeatty10 any reviewers available for this PR?

@dbeatty10 dbeatty10 added the ready_for_review Externally contributed PR has functional approval, ready for code review from Core engineering label Apr 8, 2024
dbeatty10
dbeatty10 reviewed Apr 11, 2024
View reviewed changes
Copy link
Contributor

@dbeatty10 dbeatty10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nielspardon I looked at this along with @ChenyuLInx

The main question we have is regarding the test coverage. Could you take a look?

tests/functional/context_methods/test_cli_vars.py Outdated Show resolved Hide resolved
tests/functional/context_methods/test_cli_vars.py Show resolved Hide resolved
@nielspardon nielspardon force-pushed the par-scrub-args branch 3 times, most recently from e3fb9c2 to d3b3336 Compare April 12, 2024 16:03
nielspardon
nielspardon commented Apr 12, 2024
View reviewed changes
tests/unit/test_parse_manifest.py
@@ -108,7 +108,7 @@ def _new_file(self, searched, name, match):
class TestPartialParse(unittest.TestCase):
def setUp(self) -> None:
mock_project = MagicMock(RuntimeConfig)
mock_project.cli_vars = ""
mock_project.cli_vars = {}
Copy link
Contributor Author

@nielspardon nielspardon Apr 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ChenyuLInx looks like you accidentally initialized this to a str but this should be a dict. I fixed it since it broke the tests with my changes.

@nielspardon nielspardon force-pushed the par-scrub-args branch 2 times, most recently from 63cb9c0 to e687342 Compare April 15, 2024 10:01
@nielspardon nielspardon requested a review from dbeatty10 April 15, 2024 10:15
@nielspardon
Scrub secret vars
457fd68 
- Scrub secret vars in RequiredVarNotFoundError
- Scrub secret vars in StateCheckVarsHash event
- Scrub secret vars in run results
ChenyuLInx
ChenyuLInx approved these changes Apr 16, 2024
View reviewed changes
Copy link
Contributor

@ChenyuLInx ChenyuLInx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nielspardon Thanks a bunch for adding this!!!

tests/functional/context_methods/test_cli_vars.py Outdated
}

def test__run_results_scrubbing(self, project):
results = run_dbt(["run", "--vars", "{DBT_ENV_SECRET_simple: abc, unused: def}"])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we do both run and test at the same time?

@ChenyuLInx ChenyuLInx added the artifact_minor_upgrade To bypass the CI check by confirming that the change is not breaking label Apr 16, 2024
@ChenyuLInx ChenyuLInx merged commit 8b5884b into dbt-labs:main Apr 16, 2024
59 of 60 checks passed
@fabientra fabientra mentioned this pull request Jul 9, 2024
Closed
2 tasks
@dbeatty10 dbeatty10 mentioned this pull request Jul 10, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChenyuLInx ChenyuLInx ChenyuLInx approved these changes

@dbeatty10 dbeatty10 Awaiting requested review from dbeatty10

Assignees

@ChenyuLInx ChenyuLInx

@dbeatty10 dbeatty10

Labels
artifact_minor_upgrade To bypass the CI check by confirming that the change is not breaking cla:yes community This PR is from a community member ready_for_review Externally contributed PR has functional approval, ready for code review from Core engineering
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[CT-2342] [Feature] Support secret --vars, by scrubbing their values from logs (like env vars)
3 participants
@nielspardon @ChenyuLInx @dbeatty10