build: Fix make test-all by implementing pii_check (#527)

timmc-edx · web-flow · commit 94de36dc5b81 · 2024-01-10T14:22:14.000Z
Copied code from cookiecutter-django-app.
diff --git a/.annotation_safe_list.yml b/.annotation_safe_list.yml
@@ -0,0 +1,41 @@
+# This is a Code Annotations automatically-generated Django model safelist file.
+# These models must be annotated as follows in order to be counted in the coverage report.
+# See https://code-annotations.readthedocs.io/en/latest/safelist.html for more information.
+#
+# fake_app_1.FakeModelName:
+#    ".. no_pii:": "This model has no PII"
+# fake_app_2.FakeModel2:
+#    ".. choice_annotation:": foo, bar, baz
+
+admin.LogEntry:
+  ".. no_pii:": "This model has no PII"
+auth.Group:
+  ".. no_pii:": "This model has no PII"
+auth.Permission:
+  ".. no_pii:": "This model has no PII"
+auth.User:
+  ".. pii": "This model minimally contains a username, password, and email"
+  ".. pii_types": "username, email_address, password"
+  ".. pii_retirement": "consumer_api"
+contenttypes.ContentType:
+  ".. no_pii:": "This model has no PII"
+sessions.Session:
+  ".. no_pii:": "This model has no PII"
+social_django.Association:
+  ".. no_pii:": "This model has no PII"
+social_django.Code:
+  ".. pii:": "Email address"
+  ".. pii_types:": other
+  ".. pii_retirement:": local_api
+social_django.Nonce:
+  ".. no_pii:": "This model has no PII"
+social_django.Partial:
+  ".. no_pii:": "This model has no PII"
+social_django.UserSocialAuth:
+  ".. no_pii:": "This model has no PII"
+waffle.Flag:
+  ".. no_pii:": "This model has no PII"
+waffle.Sample:
+  ".. no_pii:": "This model has no PII"
+waffle.Switch:
+  ".. no_pii:": "This model has no PII"
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,4 @@ build/
 **/private.py
 .coverage
 dist/
+/pii_report/*.yaml
diff --git a/.pii_annotations.yml b/.pii_annotations.yml
@@ -0,0 +1,35 @@
+source_path: ./
+report_path: pii_report
+safelist_path: .annotation_safe_list.yml
+coverage_target: 100.0
+annotations:
+    ".. no_pii:":
+    "pii_group":
+        - ".. pii:":
+        - ".. pii_types:":
+            choices:
+              - id # Unique identifier for the user which is shared across systems
+              - name # Used for any part of the user's name
+              - username
+              - password
+              - location # Used for any part of any type address or country stored
+              - phone_number # Used for phone or fax numbers
+              - email_address
+              - birth_date # Used for any part of a stored birth date
+              - ip # IP address
+              - external_service # Used for external service ids or links such as social media links or usernames, website links, etc.
+              - biography # Any type of free-form biography field
+              - gender
+              - sex
+              - image
+              - video
+              - other
+        - ".. pii_retirement:":
+            choices:
+              - retained     # Intentionally kept for legal reasons
+              - local_api    # An API exists in this repository for retiring this information
+              - consumer_api # The data's consumer must implement an API for retiring this information
+              - third_party  # A third party API exists to retire this data
+extensions:
+    python:
+        - py
diff --git a/tox.ini b/tox.ini
@@ -73,6 +73,14 @@ commands =
     isort --check-only --diff edx_arch_experiments manage.py setup.py test_settings.py
     make selfcheck
 
+[testenv:pii_check]
+setenv =
+    DJANGO_SETTINGS_MODULE = test_settings
+deps =
+    -r{toxinidir}/requirements/test.txt
+commands =
+    code_annotations django_find_annotations --config_file .pii_annotations.yml --lint --report --coverage
+
 [testenv:scripts]
 setenv =
     DJANGO_SETTINGS_MODULE = edx_arch_experiments.settings.scripts
