Addresses review feedback on the selectable encryption engine PR. Posture:
authenticated checks gate decisions; unauthenticated paths never silently win.
- Unknown engine name fails closed. An unrecognized
SQLALCHEMY_ENCRYPTED_FIELD_ENGINE now raises at field-construction (startup)
instead of silently degrading to unauthenticated AES-CBC. The value is
normalized (trim/lower/underscores→hyphens) to match the CLI's
case-insensitive click.Choice, and the offending value is kept out of the
error message (same clear-text-logging rationale as the CodeQL fix). Absent
key still defaults to "aes" (no behavior change for existing installs).
- Rollback (GCM→CBC) no longer mis-skips. The "already in target form" fast
path trusted any successful target decrypt — but unauthenticated CBC can
coincidentally decrypt a GCM blob, counting it skipped and leaving GCM
ciphertext that bricks on the next config flip while the run reports success.
When the target engine is unauthenticated, the value is now first probed
under any authenticated engine (current + previous key); an authenticated
decrypt wins. Generalized on "is the target authenticated", not engine names.
- De-dup the redundant previous-key decryptor when prev_key == SECRET_KEY (the
column's own engine is already decryptors[0]).
- Runbook: add the post-restart re-run step (sweeps secrets written CBC during
the migration window) and a quiet-window note (multi-worker cutover is not
zero-downtime).
Tests: flip the unknown-engine test to assert the fail-closed raise (and that
the value isn't leaked); add a normalization test; add the rollback
ordering-invariant test (authenticated probe wins over a forced-spurious CBC
skip); add combined key-rotation + engine-migration coverage at both the
migrator and CLI levels; hoist the function-local AesGcmEngine imports.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* Added code that properly accepts the -s flag on the import-datasources cli command. Also added unit tests for all of the edge cases (with both metrics & columns, with just columns, and with just metrics)
* Files were reformated using the 'pre-commit run --all-files' command
* added '*args: Any' back into v0.py as it did not need to be removed. Removing it might cause headaches for someone trying to work on this particular piece of code in the future
* Fixed the merge conflict as the cli.py was moved to another directory
* Modified my created unit tests to work with the new format of uni tests since the merge
* Modified my created unit tests to work with the new format of uni tests since the merge
* Fixed errors which were encountered while using the unit tests
* Update db setup fixture scope
* Load data into db only once
* Update fixture scopes for data loading
* cleanup imports
* try import
* Update scope
* fix cleanup
* Import all fixtures
* Separate data log and metadata creation
* Retain table description
* fix dtype
Co-authored-by: Bogdan Kyryliuk <bogdankyryliuk@dropbox.com>
* Test that failing export or import is done properly
For each CLI entry-point we will modify, we make sure that:
- a failing process exits with a non-0 exit code,
- an error is logged.
Signed-off-by: Étienne Boisseau-Sierra <etienne.boisseau-sierra@unipart.io>
* Exit process with error if export/import failed
Bubble exception up when failing import or export
During a CLI import or export of dashboards, if the process fails, the
exception it caught and a simple message is sent to the logger.
This makes that from a shell point of view, the script was successfull —
cf. #16956.
To prevent this, we want to ensure that the process exits with an error
(i.e., a non-0 exit-code) should the export or import fail mid-flight.
Signed-off-by: Étienne Boisseau-Sierra <etienne.boisseau-sierra@unipart.io>