updated

Author: alexbritodev

config.py

@@ -10,7 +10,8 @@
 basedir = os.path.abspath(os.path.dirname(__file__))
 load_dotenv(os.path.join(basedir, '.env'))
 LOCAL_SECRET_KEY_PATH = os.path.join(basedir, 'database', '.finora_secret_key')
-LOCAL_SECRET_KEY_PREFIX = 'finora-key:v1:'
+LOCAL_SECRET_KEY_PREFIX = 'finora-local:v1:'  # nosec B105
+LEGACY_LOCAL_SECRET_KEY_PREFIX = 'finora-key:v1:'  # nosec B105
 DEFAULT_UPDATE_MANIFEST_PATH = os.path.join(basedir, 'updates', 'manifest.json')
 
 
@@ -47,10 +48,16 @@ def _decrypt_persisted_local_secret(persisted_value):
     persisted_value = (persisted_value or '').strip()
     if not persisted_value:
         return ''
-    if not persisted_value.startswith(LOCAL_SECRET_KEY_PREFIX):
+    matched_prefix = None
+    for prefix in (LOCAL_SECRET_KEY_PREFIX, LEGACY_LOCAL_SECRET_KEY_PREFIX):
+        if persisted_value.startswith(prefix):
+            matched_prefix = prefix
+            break
+
+    if matched_prefix is None:
         return persisted_value
 
-    encrypted_payload = persisted_value[len(LOCAL_SECRET_KEY_PREFIX):].encode('utf-8')
+    encrypted_payload = persisted_value[len(matched_prefix):].encode('utf-8')
     decrypted_secret = _get_local_secret_cipher().decrypt(encrypted_payload)
     return decrypted_secret.decode('utf-8')
 

services/update_service.py

@@ -381,8 +381,8 @@ def _run_database_upgrade(app):
     target_root = _get_update_target_root(app)
     environment = _build_upgrade_environment(app)
 
-    # nosec B603,B607 - fixed interpreter command with sanitized cwd and environment.
-    result = subprocess.run(  # nosec
+    # Fixed interpreter command with sanitized cwd and environment.
+    result = subprocess.run(  # nosec B603,B607
         [sys.executable, '-m', 'flask', 'db', 'upgrade'],
         cwd=target_root,
         env=environment,

tests/test_ci_coverage_support.py

@@ -110,8 +110,7 @@ def exception(self, *args):
     assert mail_service.send_email(app, '', 'Assunto', 'Corpo')['reason'] == 'missing_recipient'
     assert mail_service.send_email(app, 'dest@example.com', 'Assunto', 'Corpo')['delivery'] == 'log'
     assert 'info' in logged
-    _message, *payload = logged['info']
-    assert payload[-1] == len('Corpo')
+    assert logged['info'][-1] == len('Corpo')
 
     class FakeSMTP:
         def __init__(self, *_args, **_kwargs):

tests/test_update_service_phase8.py

@@ -147,11 +147,10 @@ def test_apply_update_restores_backup_when_upgrade_fails(app, tmp_path, monkeypa
         },
     )
 
-    monkeypatch.setattr(
-        update_service,
-        '_run_database_upgrade',
-        lambda _app: (_ for _ in ()).throw(RuntimeError('migration failed')),
-    )
+    def raise_migration_failed(_app):
+        raise RuntimeError('migration failed')
+
+    monkeypatch.setattr(update_service, '_run_database_upgrade', raise_migration_failed)
 
     app.config['UPDATE_MANIFEST_URL'] = str(manifest_path)
     app.config['UPDATE_TARGET_ROOT'] = str(target_root)

tests/test_validation_and_schema_round8.py

@@ -159,5 +159,8 @@ def flaky_operation():
 
 def test_run_idempotent_db_operation_does_not_hide_non_retryable_errors(app):
     with app.app_context():
+        def failing_operation():
+            raise RuntimeError('boom')
+
         with pytest.raises(RuntimeError):
-            run_idempotent_db_operation(lambda: (_ for _ in ()).throw(RuntimeError('boom')))
+            run_idempotent_db_operation(failing_operation)