fix: redact sensitive strings (opendatahub-io#360)

adolfo-ab · web-flow · commit 993a83705f77 · 2025-06-19T09:55:14.000+02:00
* fix: redact sensitive strings

* fix: improve RedactedString instantiation
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -44,6 +44,7 @@
     Protocols,
 )
 from utilities.infra import update_configmap_data
+from utilities.logger import RedactedString
 from utilities.minio import create_minio_data_connection_secret
 from utilities.operator_utils import get_csv_related_images
 
@@ -68,7 +69,7 @@ def tests_tmp_dir(request: FixtureRequest, tmp_path_factory: TempPathFactory) ->
 
 @pytest.fixture(scope="session")
 def current_client_token(admin_client: DynamicClient) -> str:
-    return get_openshift_token()
+    return RedactedString(value=get_openshift_token())
 
 
 @pytest.fixture(scope="session")
diff --git a/tests/model_explainability/trustyai_service/conftest.py b/tests/model_explainability/trustyai_service/conftest.py
@@ -50,6 +50,7 @@
     create_isvc_getter_service_account,
     create_isvc_getter_token_secret,
 )
+from utilities.logger import RedactedString
 from utilities.operator_utils import get_cluster_service_version
 
 from utilities.constants import Timeout, KServeDeploymentType, Labels
@@ -369,4 +370,4 @@ def isvc_getter_token_secret(
 
 @pytest.fixture(scope="class")
 def isvc_getter_token(isvc_getter_service_account: ServiceAccount, isvc_getter_token_secret: Secret) -> str:
-    return create_inference_token(model_service_account=isvc_getter_service_account)
+    return RedactedString(value=create_inference_token(model_service_account=isvc_getter_service_account))
diff --git a/tests/model_serving/model_server/authentication/conftest.py b/tests/model_serving/model_server/authentication/conftest.py
@@ -27,6 +27,7 @@
     RuntimeTemplates,
 )
 from utilities.jira import is_jira_open
+from utilities.logger import RedactedString
 from utilities.serving_runtime import ServingRuntimeFromTemplate
 from utilities.constants import Annotations
 
@@ -152,12 +153,12 @@ def http_raw_role_binding(
 
 @pytest.fixture(scope="class")
 def http_inference_token(model_service_account: ServiceAccount, http_role_binding: RoleBinding) -> str:
-    return create_inference_token(model_service_account=model_service_account)
+    return RedactedString(value=create_inference_token(model_service_account=model_service_account))
 
 
 @pytest.fixture(scope="class")
 def http_raw_inference_token(model_service_account: ServiceAccount, http_raw_role_binding: RoleBinding) -> str:
-    return create_inference_token(model_service_account=model_service_account)
+    return RedactedString(value=create_inference_token(model_service_account=model_service_account))
 
 
 @pytest.fixture()
@@ -249,7 +250,7 @@ def grpc_role_binding(
 
 @pytest.fixture(scope="class")
 def grpc_inference_token(grpc_model_service_account: ServiceAccount, grpc_role_binding: RoleBinding) -> str:
-    return create_inference_token(model_service_account=grpc_model_service_account)
+    return RedactedString(value=create_inference_token(model_service_account=grpc_model_service_account))
 
 
 @pytest.fixture(scope="class")
@@ -398,4 +399,4 @@ def http_model_mesh_role_binding(
 def http_model_mesh_inference_token(
     ci_service_account: ServiceAccount, http_model_mesh_role_binding: RoleBinding
 ) -> str:
-    return create_inference_token(model_service_account=ci_service_account)
+    return RedactedString(value=create_inference_token(model_service_account=ci_service_account))
diff --git a/tests/model_serving/model_server/ovms/model_mesh/conftest.py b/tests/model_serving/model_server/ovms/model_mesh/conftest.py
@@ -12,6 +12,7 @@
     Protocols,
 )
 from utilities.infra import create_inference_token, create_isvc_view_role
+from utilities.logger import RedactedString
 
 
 @pytest.fixture(scope="class")
@@ -51,7 +52,7 @@ def model_mesh_inference_token(
     ci_service_account: ServiceAccount,
     model_mesh_role_binding: RoleBinding,
 ) -> str:
-    return create_inference_token(model_service_account=ci_service_account)
+    return RedactedString(value=create_inference_token(model_service_account=ci_service_account))
 
 
 @pytest.fixture()
diff --git a/utilities/logger.py b/utilities/logger.py
@@ -9,6 +9,18 @@
 LOGGER = logging.getLogger(__name__)
 
 
+class RedactedString(str):
+    """
+    Used to redact the representation of a sensitive string.
+    """
+
+    def __new__(cls, *, value: object) -> "RedactedString":
+        return super().__new__(cls, value)
+
+    def __repr__(self) -> str:
+        return "'***REDACTED***'"
+
+
 def setup_logging(log_level: int, log_file: str = "/tmp/pytest-tests.log") -> QueueListener:
     """
     Setup basic/root logging using QueueHandler/QueueListener
