debug messages for wca auth #1317

Draft: wants to merge 2 commits into base: main
94 changes: 34 additions & 60 deletions .tekton/ansible-ai-connect-service-pull-request.yaml
Expand Up @@ -7,8 +7,7 @@ metadata:
build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
== "main"
pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
creationTimestamp: null
labels:
appstudio.openshift.io/application: ansible-ai-connect-service
Expand Down Expand Up @@ -45,7 +44,7 @@ spec:
- name: name
value: show-sbom
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:9cd4bf015b18621834f40ed02c8dccda1f7834c7d989521a8314bdb3a596e96b
value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:8e0f8cad75e6f674d72a874385b69c4651afc0c9dcc59feffe0d85844687d852
- name: kind
value: task
resolver: bundles
Expand All @@ -64,7 +63,7 @@ spec:
- name: name
value: summary
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:51d5aaa4e13e9fb4303f667e38d07e758820040032ed9fb3ab5f6afaaffc60d8
value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:abdf426424f1331c27be80ed98a0fbcefb8422767d1724308b9d57b37f977155
- name: kind
value: task
resolver: bundles
Expand All @@ -83,13 +82,11 @@ spec:
name: output-image
type: string
- default: .
description: Path to the source code of an application's component from where
to build image.
description: Path to the source code of an application's component from where to build image.
name: path-context
type: string
- default: Dockerfile
description: Path to the Dockerfile inside the context specified by parameter
path-context
description: Path to the Dockerfile inside the context specified by parameter path-context
name: dockerfile
type: string
- default: "false"
Expand Down Expand Up @@ -117,16 +114,14 @@ spec:
name: java
type: string
- default: ""
description: Image tag expiration time, time values could be something like
1h, 2d, 3w for hours, days, and weeks, respectively.
description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
name: image-expires-after
- default: "false"
description: Build a source image.
name: build-source-image
type: string
- default: ""
description: Path to a file with build arguments which will be passed to podman
during build
description: Path to a file with build arguments which will be passed to podman during build
name: build-args-file
type: string
results:
Expand Down Expand Up @@ -159,7 +154,7 @@ spec:
- name: name
value: init
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:b23c7a924f303a67b3a00b32a6713ae1a4fccbc5327daa76a6edd250501ea7a3
value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:596b7c11572bb94eb67d9ffb4375068426e2a8249ff2792ce04ad2a4bc593a63
- name: kind
value: task
resolver: bundles
Expand All @@ -176,7 +171,7 @@ spec:
- name: name
value: git-clone
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:ae1249aa49e82da5f99cc23b256172dce8f7c7951ece68ca0419240c4ecb52e2
value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:9e6c4db5a666ea0e1e747e03d63f46e5617a6b9852c26871f9d50891d778dfa2
- name: kind
value: task
resolver: bundles
Expand All @@ -201,7 +196,7 @@ spec:
- name: name
value: prefetch-dependencies
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:9aec3ae9f0f50a05abdc739faf4cbc82832cff16c77ac74e1d54072a882c0503
value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:eea8bd511343b4014dab46a77e7215510f7a63820937d1267c6dc428e10ffbe4
- name: kind
value: task
resolver: bundles
Expand Down Expand Up @@ -244,7 +239,7 @@ spec:
- name: name
value: buildah-10gb
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-10gb:0.1
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-10gb:0.2
- name: kind
value: task
resolver: bundles
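Review bot: The `buildah-10gb` bundle is still referenced by tag only (`task-buildah-10gb:0.2`), while the other bundles visible in this diff are pinned with `@sha256:...`. A mutable tag lets the build task change without any commit to this file; pin it to a digest like the rest.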
Expand Down Expand Up @@ -277,35 +272,33 @@ spec:
runAfter:
- clone-repository
workspaces:
- name: source
workspace: workspace
- name: source
workspace: workspace
taskSpec:
workspaces:
- name: source
- name: source
steps:
- name: get-commit-timestamp
image: alpine/git
script: |
#!/bin/sh
set -euo pipefail
cd "$(workspaces.source.path)/source"
echo -n $(date -d @$(git log -1 --format=%at) "+%Y%m%d%H%M") > $(results.commit-timestamp.path)
- name: get-commit-timestamp
image: alpine/git
script: |
#!/bin/sh
set -euo pipefail
cd "$(workspaces.source.path)/source"
echo -n $(date -d @$(git log -1 --format=%at) "+%Y%m%d%H%M") > $(results.commit-timestamp.path)
results:
- name: commit-timestamp
- name: commit-timestamp
- name: build-source-image
params:
- name: BINARY_IMAGE
value: $(params.output-image)
- name: BASE_IMAGES
value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
runAfter:
- build-container
taskRef:
params:
- name: name
value: source-build
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:1a976a35adee9163e455d0c5aee5d9bf9cb3c6a770656ae347558f8c54977709
value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:14b91ad9124b722b44222685013faaf9af8ac5b66030d9abeb1c61da3c118cdd
- name: kind
value: task
resolver: bundles
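Review bot: In the `get-commit-timestamp` step, `image: alpine/git` carries neither a tag nor a digest, so the step runs whatever the registry serves for the default tag at run time. These lines are being touched anyway; pin the image to a digest, as the task bundles in this file are.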
Expand All @@ -323,8 +316,6 @@ spec:
workspace: workspace
- name: deprecated-base-image-check
params:
- name: BASE_IMAGES_DIGESTS
value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- name: IMAGE_DIGEST
Expand All @@ -336,7 +327,7 @@ spec:
- name: name
value: deprecated-image-check
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:3793fbf59e7dadff9d1f7e7ea4cc430c69a2de620b20c7fd69d71bdd5f6c4a60
value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:1f17ef7ab9859d6e2215ef2ed532ebc15e516ba09226b8cae77907a7a8b7cedd
- name: kind
value: task
resolver: bundles
Expand All @@ -358,7 +349,7 @@ spec:
- name: name
value: clair-scan
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:44d0df70080e082e72d2694b14130ff512e5e7f2611190161a9b016b4df9fb22
value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:b8c51079ea1110e1095c229e184e3c340120ba211a63a200e836706f5a35361c
- name: kind
value: task
resolver: bundles
Expand All @@ -378,7 +369,7 @@ spec:
- name: name
value: ecosystem-cert-preflight-checks
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:d468554fb6bede46f828db315eec8d8213a71cfd5bc37e934830759db7065b65
value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:fc2cda064580364bb80c3ad6f438002de0033963fc33985d01ad249346b93433
- name: kind
value: task
resolver: bundles
Expand All @@ -389,13 +380,13 @@ spec:
- "false"
- name: sast-snyk-check
runAfter:
- clone-repository
- build-container
taskRef:
params:
- name: name
value: sast-snyk-check
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:242acc527a06a11fac9dd6524467f62f3a086c186c5f885973e5780a04d4289c
value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.2@sha256:479bd0d9aaa7b377ff5f8ad93168d44807455646f2161688637cb2e4e0b990d9
- name: kind
value: task
resolver: bundles
Expand All @@ -407,42 +398,25 @@ spec:
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
params:
- name: name
value: clamav-scan
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:5dbe6c646c3502ddc7fbe6016b8584bed6ce3ab7028b0c405ebaabc7e6e9e64c
- name: kind
value: task
resolver: bundles
when:
- input: $(params.skip-checks)
operator: in
values:
- "false"
- name: sbom-json-check
- name: clamav-scan
params:
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- name: IMAGE_DIGEST
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
params:
- name: name
value: sbom-json-check
value: clamav-scan
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:f9cc253c3a07594bfb51e09c78b46598591cb353e19b16ef514f8312a8b0bada
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:7bb17b937c9342f305468e8a6d0a22493e3ecde58977bd2ffc8b50e2fa234d58
- name: kind
value: task
resolver: bundles
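Review bot: The `sbom-json-check` task disappears here with no replacement in the visible lines, and the `clamav-scan` bundle now comes from `quay.io/konflux-ci/tekton-catalog/` while the other tasks still pull from `quay.io/redhat-appstudio-tekton-catalog/`. Neither change relates to the PR title ("debug messages for wca auth"). Please state in the description why the SBOM check is dropped and that the new repository is the intended source, or move the pipeline update into its own PR.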
Expand Down
11 changes: 11 additions & 0 deletions ansible_ai_connect/ai/api/model_client/wca_client.py
Expand Up @@ -213,6 +213,9 @@
)
@wca_codegen_hist.time()
def post_request():
logger.info(
f"request to wca. headers: {headers}\n url: {prediction_url}\n data: {data}"
)
return self.session.post(
prediction_url,
headers=headers,
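Review bot: The new `logger.info` in `post_request()` writes the whole `headers` dict and the request `data` to the log on every call. If `headers` carries the `Authorization: ZenApiKey ...` value built by `_get_base_headers`, each request logs a usable credential along with the request body. Log `prediction_url` and the header names only, or redact the Authorization value before formatting.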
Expand Down Expand Up @@ -541,6 +544,10 @@
# User may provide an override value if the Environment Variable is not set.

def get_api_key(self, organization_id: Optional[int]) -> str:
logger.info(
f"API_KEY using settings.ANSIBLE_AI_MODEL_MESH_API_KEY: \
{settings.ANSIBLE_AI_MODEL_MESH_API_KEY}"
)
return settings.ANSIBLE_AI_MODEL_MESH_API_KEY

def get_model_id(
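Review bot: `get_api_key()` now logs `settings.ANSIBLE_AI_MODEL_MESH_API_KEY` verbatim at INFO, so the key reaches every log sink. Log only whether a key is set, or a short hash of it. The backslash continuation inside the f-string also makes any indentation on the continuation line part of the message.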
Expand All @@ -550,9 +557,11 @@
) -> str:
if requested_model_id:
# requested_model_id defined: let them use what they ask for
logger.info(f"model-id requested: {requested_model_id}")
return requested_model_id

if settings.ANSIBLE_AI_MODEL_MESH_MODEL_NAME:
logger.info(f"model-id pre-set: {settings.ANSIBLE_AI_MODEL_MESH_MODEL_NAME}")
return settings.ANSIBLE_AI_MODEL_MESH_MODEL_NAME

raise WcaModelIdNotFound()
Expand All @@ -572,7 +581,9 @@
def _get_base_headers(self, api_key: str) -> dict[str, str]:
# https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=apis-generating-api-auth-token
username = settings.ANSIBLE_WCA_USERNAME
logger.info(f"generating token using {api_key}:{username}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs sensitive data (secret) as clear text.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to avoid logging sensitive information such as the api_key. Instead, we can log a generic message that does not include sensitive data. This ensures that the functionality remains the same without exposing sensitive information.

  • Replace the logging statement that includes the api_key with a generic message.
  • Ensure that no sensitive information is logged in any other part of the code.
Suggested changeset 1
ansible_ai_connect/ai/api/model_client/wca_client.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ansible_ai_connect/ai/api/model_client/wca_client.py b/ansible_ai_connect/ai/api/model_client/wca_client.py
--- a/ansible_ai_connect/ai/api/model_client/wca_client.py
+++ b/ansible_ai_connect/ai/api/model_client/wca_client.py
@@ -583,5 +583,5 @@
         username = settings.ANSIBLE_WCA_USERNAME
-        logger.info(f"generating token using {api_key}:{username}")
+        logger.info("generating token")
         token = base64.b64encode(bytes(f"{username}:{api_key}", "ascii")).decode("ascii")
-        logger.info(f"token generated: {token}")
+        logger.info("token generated")
         return {
EOF
token = base64.b64encode(bytes(f"{username}:{api_key}", "ascii")).decode("ascii")
logger.info(f"token generated: {token}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs sensitive data (secret) as clear text.

Copilot Autofix AI about 2 months ago

To fix the problem, we should avoid logging sensitive information such as tokens or API keys. Instead, we can log a generic message indicating that a token was generated without including the actual token value. This way, we maintain the ability to trace the flow of execution without exposing sensitive data.

  • Replace the log statement on line 586 with a generic message.
  • Ensure that no sensitive information is included in log messages.
Suggested changeset 1
ansible_ai_connect/ai/api/model_client/wca_client.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ansible_ai_connect/ai/api/model_client/wca_client.py b/ansible_ai_connect/ai/api/model_client/wca_client.py
--- a/ansible_ai_connect/ai/api/model_client/wca_client.py
+++ b/ansible_ai_connect/ai/api/model_client/wca_client.py
@@ -583,5 +583,5 @@
         username = settings.ANSIBLE_WCA_USERNAME
-        logger.info(f"generating token using {api_key}:{username}")
+        logger.info(f"generating token using provided API key and username")
         token = base64.b64encode(bytes(f"{username}:{api_key}", "ascii")).decode("ascii")
-        logger.info(f"token generated: {token}")
+        logger.info("token generated successfully")
         return {
EOF
return {
"Authorization": f"ZenApiKey {token}",
}
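Review bot: Both new `logger.info` calls in `_get_base_headers()` log credentials: the first prints `api_key`, and the second prints `token`, which is only the base64 encoding of `username:api_key` and decodes straight back to the key. CodeQL flags both lines. Drop the values and log a fixed message, as either Autofix suggestion does.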
Expand Down
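An added example, not code from this PR or the project: one way to keep auth debug output useful without the credential values that the CodeQL alerts above flag. `fingerprint`, `redact_headers`, `CredentialScrubber`, the header list and the logger name are hypothetical, and the sample key and token are constructed.

```python
import hashlib
import logging
import re

SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}  # assumed list
# An auth scheme followed by its credential, e.g. "ZenApiKey dXNlcjprZXk=".
_CREDENTIAL_RE = re.compile(r"\b(ZenApiKey|Bearer|Basic)\s+[A-Za-z0-9+/=._~-]+")


def fingerprint(secret: str) -> str:
    """Short one-way tag that tells two keys apart (assumes a high-entropy key)."""
    if not secret:
        return "<unset>"
    return "sha256:" + hashlib.sha256(secret.encode("utf-8")).hexdigest()[:8]


def redact_headers(headers: dict) -> dict:
    """Copy of headers that keeps the auth scheme but drops the credential."""
    safe = dict(headers)
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            scheme, _, rest = str(value).partition(" ")
            safe[name] = f"{scheme} <redacted>" if rest and scheme.isalpha() else "<redacted>"
    return safe


class CredentialScrubber(logging.Filter):
    """Safety net: masks scheme + credential pairs in the formatted message."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _CREDENTIAL_RE.sub(r"\1 <redacted>", record.getMessage())
        record.args = ()
        return True


def demo() -> list:
    """Log constructed sample values and return the lines a handler would emit."""
    lines = []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    handler.addFilter(CredentialScrubber())  # on the handler: covers every logger
    log = logging.getLogger("wca_debug_example")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    headers = {"Authorization": "ZenApiKey dXNlcjprZXk=", "Content-Type": "application/json"}
    log.info("api key in use: %s", fingerprint("constructed-key-123"))  # not a real key
    log.info("request headers: %s", redact_headers(headers))
    log.info(f"token generated: {headers['Authorization']}")  # mistake the filter catches
    return lines
```

The scrubber is a backstop for call sites that slip through review; the primary fix is still to keep secrets out of the format arguments.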
2 changes: 1 addition & 1 deletion ansible_ai_connect/main/settings/base.py
Expand Up @@ -359,7 +359,7 @@
},
"root": {
"handlers": ["console"],
"level": os.getenv("DJANGO_LOG_LEVEL") or "WARNING",
"level": os.getenv("DJANGO_LOG_LEVEL") or "DEBUG",
},
}
TEMPLATES = [
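Review bot: The fallback root log level changes from `"WARNING"` to `"DEBUG"`, so any deployment that does not set `DJANGO_LOG_LEVEL` now emits everything, including the INFO lines this PR adds in `wca_client.py`. Keep the default at `"WARNING"` and set `DJANGO_LOG_LEVEL=DEBUG` only in the environment being debugged.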
Expand Down