Reputation: 797
Running Test Code on Server without access to Secrets
So, I have a project I'm working on. Part of the project uses an API with a secret API key that I've stored in a separate file called config.py which I've listed in .gitignore. This works reasonably well on my computer, but breaks on GitHub's automated testing. I don't need this API key for my test cases to work since they use saved data, so it seems like I could just do the bottom and call it a day:
try:
from config import API_KEY
except ImportError:
LOG.debug("This is running without the secrets.")
But I wanted to ask the community first to see what the best practices are. How should I fix this?
Edit:
I'm aware that different platforms have their own way of managing secrets, but I want to do this in a platform-independent way. Essentially, I have a config.py file that isn't stored on git, but I want someone who has git cloned the repo to be able to run the test cases successfully. This assumes that none of the test cases need a valid API_KEY to pass.
Edit2:
Currently, I have changed it to this, which seems to be working, but is there a better way?
API_KEY = 'debug'
try:
from config import API_KEY
except:
print("Could not import config.")
Upvotes: 1
Views: 470
Answers (3)
Reputation: 791
You should treat all your different environments uniformly. Thats is, your code shouldn’t handle the different sources of the api key differently: the project needs an api key, period. The source of this information depends on the environment, but the application always obtains it the same way.
Having said that, move the decision of loading the config one layer down. The app asks for a debug key and it gets one in return, or null. The service that makes use of it will:
- throw an error in production/development because the api key it requires is not there
- work correctly in testing because the service is ok with a null api key.
Alternatively, create a sample config with default values and commit it to your repository, and use it as the base config. If the environment defines a specific config, merge it on top of the base one. This approach requires developers to always add the keys to the base config, but its a reasonable thing to ask for and has the benefit that it acts as a self documenting config file.
Upvotes: 1
Reputation: 28239
Generic answer - Use Mock/MagicMock.
In your case, add this to the beginning of the test:
import sys
from unittest import mock
sys.modules['config'] = mock.MagicMock()
Refer: Mock examples
Upvotes: 1
Reputation: 571
There is a section on the GitHub Actions docs specifically on this issue.
Edit:
With your second code snippet as a starting point, I would include the name of the except clause as ImportError (to ensure that exceptions are only raised because of a missing import), and would modify the error message to direct the user towards consulting the docs.
Upvotes: 0
Related Questions
- How to get a secret into a pytest test?
- Parsing env files
- How to add CI tests on Github without exposing secrets?
- How to Call the Credentials from .secrets File in Python
- How to hide a secret key on a user's machine(NOT your own server)?
- Python Unit Test with User-Entered Password
- Testinfra ssh execution with private key
- Set Python Flask Secret Key in Windows
- Disguising username & password on distributed python scripts
- Running Python code from a server?