python jdbc environment-variables pytest jaydebeapi

jaydebeapi under pytest leaking environment variable content in logs

I am connecting to a db using jaydebeapi and a jdbc driver using the following snippet, that works fine when the all parameters are correctly specified. I am storing my credentials in environment variables e.g. os.environ.get('credentials')

import jaydebeapi as dbdriver
import os
cnxn = None
server_name=''
server_jdbc_port=
server_database=''
name_env_credentials=''
name_env_pwd=''

try:

    driver_path = "XXXXXXX"
    conn_uri = "jdbc:://%s:%s/%s?" % (server_name,server_jdbc_port,   server_database)

    cnxn = dbdriver.connect( "XXXXXXX",
                    conn_uri,
                    driver_args = {"user": os.environ.get(name_env_credentials),
    "password":  os.environ.get(name_env_pwd)},
                    jars = driver_path)
    print('Connection open')
except (Exception) as error:
    raise error
finally: # in any case close connection and free resources
    if cnxn is not None:
        cnxn.close()
        print('Database connection closed.')

If there are some errors in my credentials/access rights I get, which is ok.

java.sql.SQLExceptionPyRaisable: java.sql.SQLException: authentication error: 
Insufficient privileges to connect to the database 'XXXXX'

However, when I wrap the above into a function, pytest-parametrized on server_name,server_jdbc_port,server_database,name_env_credentials,name_env_pwd.

######test_issue.py   
@pytest.mark.parametrize("server_name,server_jdbc_port,server_database,name_env_credentials,name_env_pwd", testdata)
    def test_connectivity():
           # above code

When I run

pytest test_issue.py

and an error in raised, the I find my credentials in plain text in the logs, which is a problem. To be precise, I am not seeing the content name_env_credentials (would be acceptable) but really the contents of os.environ.get(name_env_credentials) (below for example MYPLAINTEXTUSERNAME) in the test logs/tracebacks

test_issue.py:56: in test_connectivity
    cnxn = dbdriver.connect( "--------",
/opt/conda/lib/python3.8/site-packages/jaydebeapi/__init__.py:412: in connect
    jconn = _jdbc_connect(jclassname, url, driver_args, jars, libs)

[........]
driver_args = {'password': MYPLAINTEXTPASSWORD, 'user': MYPLAINTEXTUSERNAME}
[........]


jaydebeapi.__version__='1.2.3'

Solution

You are using the default traceback logger of pytest, which also logs the arguments passed to a specific function. One way to solve this kind of leak is to use another traceback mode. You can find the general documentation at this link. In that link you can find two interesting traceback modes:

--tb=short
--tb=native

Both give you all the information you need during your specific test since:

They still give you information about the tests failed or succeded
Since you are using parametrized tests, the logs about failures will look like FAILED test_issue.py::test_connectivity[server_name-server_jdbc_port-server_database-name_env_credentials-name_env_pwd], in this way you can identify the actual failing test

Mind that this solution, while avoiding to log the credentials used at test time, these credentials used during testing must not be the same that will be used outside the test environment. If you are concerned with the fact that in case of failures in production, the logger could leak your credentials, you should setup you logger accordingly and avoid to log the default text of the exception.