Skip to content

Commit e61eb55

Browse files
Address PR review: atomic cache write, [[ ]] tests, redact auth secret
- java cli.sh: write jar_help cache to a temp file then mv, so concurrent xdist workers never read a partially written cache (gemini/coderabbit). - java/js cli.sh: use [[ ]] for the new conditionals (SonarCloud SC2292). - js cli.sh: mask the --auth secret in echoed commands so CI logs don't capture client credentials (coderabbit).
1 parent a2f609c commit e61eb55

2 files changed

Lines changed: 28 additions & 6 deletions

File tree

xtest/sdk/java/cli.sh

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -55,8 +55,12 @@ jar_help() {
5555
local uid
5656
uid=$(id -u 2>/dev/null || echo default)
5757
local cache="${TMPDIR:-/tmp}/xtest-java-help-${uid}-${mtime}-${key}"
58-
if [ ! -f "$cache" ]; then
59-
java -jar "$jar" help "$@" >"$cache" 2>/dev/null
58+
if [[ ! -f "$cache" ]]; then
59+
# Write to a process-unique temp file, then rename: concurrent xdist
60+
# workers see either no cache or the complete file, never a partial read.
61+
local tmp="${cache}.$$"
62+
java -jar "$jar" help "$@" >"$tmp" 2>/dev/null
63+
mv -f "$tmp" "$cache"
6064
fi
6165
cat "$cache"
6266
}

xtest/sdk/js/cli.sh

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -136,8 +136,8 @@ _pre_clientsecret="${CLIENTSECRET:-}"
136136
source "$XTEST_DIR"/test.env
137137

138138
# Restore caller overrides (e.g. from pytest monkeypatch for DPoP client).
139-
[ -n "$_pre_clientid" ] && CLIENTID="$_pre_clientid"
140-
[ -n "$_pre_clientsecret" ] && CLIENTSECRET="$_pre_clientsecret"
139+
[[ -n "$_pre_clientid" ]] && CLIENTID="$_pre_clientid"
140+
[[ -n "$_pre_clientsecret" ]] && CLIENTSECRET="$_pre_clientsecret"
141141

142142
src_file=$(realpath "$2")
143143
dst_file=$(realpath "$(dirname "$3")")/$(basename "$3")
@@ -204,6 +204,24 @@ if ! cd "$SCRIPT_DIR"; then
204204
exit 1
205205
fi
206206

207+
# Echo a CLI invocation with the --auth secret masked, so CI logs never capture
208+
# client credentials. The real (unmasked) args are still used for execution.
209+
echo_redacted() {
210+
local out=() a mask_next=0
211+
for a in "$@"; do
212+
if [[ "$mask_next" == 1 ]]; then
213+
out+=("${a%%:*}:***")
214+
mask_next=0
215+
elif [[ "$a" == "--auth" ]]; then
216+
out+=("$a")
217+
mask_next=1
218+
else
219+
out+=("$a")
220+
fi
221+
done
222+
echo "${out[@]}"
223+
}
224+
207225
if [ "$1" == "encrypt" ]; then
208226
if npx $CTL help | grep autoconfigure; then
209227
args+=(--policyEndpoint "$PLATFORMURL" --autoconfigure true)
@@ -224,7 +242,7 @@ if [ "$1" == "encrypt" ]; then
224242
args+=(--tdfSpecVersion "$XT_WITH_TARGET_MODE")
225243
fi
226244

227-
echo npx $CTL encrypt "$src_file" "${args[@]}"
245+
echo_redacted npx $CTL encrypt "$src_file" "${args[@]}"
228246
npx $CTL encrypt "$src_file" "${args[@]}"
229247
elif [ "$1" == "decrypt" ]; then
230248
if [ "$XT_WITH_VERIFY_ASSERTIONS" == 'false' ]; then
@@ -246,7 +264,7 @@ elif [ "$1" == "decrypt" ]; then
246264
args+=(--ignoreAllowList)
247265
fi
248266

249-
echo npx $CTL decrypt "$src_file" "${args[@]}"
267+
echo_redacted npx $CTL decrypt "$src_file" "${args[@]}"
250268
npx $CTL decrypt "$src_file" "${args[@]}"
251269
else
252270
echo "Incorrect argument provided"

0 commit comments

Comments
 (0)