9 changes: 6 additions & 3 deletions app/ai-service/config.py
Expand Up @@ -8,7 +8,6 @@
from pydantic_settings import BaseSettings, SettingsConfigDict
import logging
import os
import secrets

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -70,7 +69,7 @@ class Settings(BaseSettings):
# Verification artifact access settings
verification_artifacts_dir: str = "./artifacts/verification"
verification_artifact_url_ttl_seconds: int = 300
artifact_signing_secret: str = secrets.token_urlsafe(32)
artifact_signing_secret: str = "dev-artifact-signing-secret-change-me"

model_config = SettingsConfigDict(
env_file=".env",
Expand Down Expand Up @@ -101,6 +100,10 @@ def apply_environment_defaults(self) -> "Settings":
raise ValueError(
"Production environment requires OPENAI_API_KEY, GROQ_API_KEY, or TEST_PROVIDER_MODE=true"
)
if "ARTIFACT_SIGNING_SECRET" not in os.environ:
raise ValueError(
"Production environment requires ARTIFACT_SIGNING_SECRET"
)

return self

Expand All @@ -124,4 +127,4 @@ def get_active_provider(self) -> Optional[str]:


def get_settings() -> Settings:
return settings
return settings
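Review bot: The production guard added in `apply_environment_defaults` tests `"ARTIFACT_SIGNING_SECRET" not in os.environ` instead of the value the settings object actually resolved. It therefore accepts an exported empty string or the committed default `dev-artifact-signing-secret-change-me`, and it rejects a secret supplied only through the `.env` file that `model_config` loads. Checking the resolved field closes both gaps: `if self.artifact_signing_secret in ("", "dev-artifact-signing-secret-change-me"):`. Outside production (staging appears in the tests) the signing key is now a string that anyone with repository access knows, so artifact URLs signed there can be forged; if such deployments are reachable, require the variable there as well or keep a random per-process fallback. The method body starts outside the hunk, so the enclosing production branch is inferred from the error messages.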
28 changes: 28 additions & 0 deletions app/ai-service/tests/test_config.py
Expand Up @@ -41,6 +41,24 @@ def test_validate_api_keys_returns_true_when_test_provider_mode(monkeypatch):
assert settings.validate_api_keys() is True


def test_artifact_signing_secret_can_be_set_from_environment(monkeypatch):
monkeypatch.setenv("ARTIFACT_SIGNING_SECRET", "stable-secret-from-env")

settings = Settings()

assert settings.artifact_signing_secret == "stable-secret-from-env"


def test_artifact_signing_secret_has_stable_development_default(monkeypatch):
monkeypatch.delenv("ARTIFACT_SIGNING_SECRET", raising=False)

first_settings = Settings()
second_settings = Settings()

assert first_settings.artifact_signing_secret == second_settings.artifact_signing_secret
assert first_settings.artifact_signing_secret == "dev-artifact-signing-secret-change-me"


def test_staging_environment_defaults_to_safe_test_settings(monkeypatch):
monkeypatch.setenv("APP_ENV", "staging")
monkeypatch.delenv("OPENAI_API_KEY", raising=False)
Expand Down Expand Up @@ -70,9 +88,19 @@ def test_production_environment_requires_provider_configuration(monkeypatch):
Settings()


def test_production_environment_requires_artifact_signing_secret(monkeypatch):
monkeypatch.setenv("APP_ENV", "production")
monkeypatch.setenv("TEST_PROVIDER_MODE", "true")
monkeypatch.delenv("ARTIFACT_SIGNING_SECRET", raising=False)

with pytest.raises(ValueError, match="ARTIFACT_SIGNING_SECRET"):
Settings()


def test_production_environment_allows_test_provider_when_enabled(monkeypatch):
monkeypatch.setenv("APP_ENV", "production")
monkeypatch.setenv("TEST_PROVIDER_MODE", "true")
monkeypatch.setenv("ARTIFACT_SIGNING_SECRET", "production-signing-secret")

settings = Settings()

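Review bot: `test_production_environment_requires_artifact_signing_secret` covers only the unset variable, so nothing pins what happens when production starts with `ARTIFACT_SIGNING_SECRET` exported as an empty string or as the committed default `dev-artifact-signing-secret-change-me`. Against the guard shown in config.py, which only checks presence in `os.environ`, both values would be accepted, and the parametrised test below would fail until the guard compares the resolved value. Separately, `test_artifact_signing_secret_has_stable_development_default` clears the process environment but not the `.env` file the settings class reads, so a developer's local `.env` can change its result; constructing with `Settings(_env_file=None)` there would isolate it.

```python
# … unchanged: test_production_environment_requires_artifact_signing_secret …

@pytest.mark.parametrize("value", ["", "dev-artifact-signing-secret-change-me"])
def test_production_environment_rejects_placeholder_signing_secret(monkeypatch, value):
    monkeypatch.setenv("APP_ENV", "production")
    monkeypatch.setenv("TEST_PROVIDER_MODE", "true")
    monkeypatch.setenv("ARTIFACT_SIGNING_SECRET", value)

    with pytest.raises(ValueError, match="ARTIFACT_SIGNING_SECRET"):
        Settings()
```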