fix(tests): use context-aware regex for ds_password normalization

tychtjan · tychtjan · commit 8d12b0e15058 · 2026-04-07T14:12:08.000+02:00
Replace naive string substitution for ds_password with a regex that
only matches 'password: &lt;value&gt;' in YAML and '"password": "&lt;value&gt;"'
in JSON contexts.

The previous plain-text replacement of 'secret' corrupted values
containing it as a substring (e.g. 'client-secret' in data source IDs).

risk: low
diff --git a/packages/tests-support/src/tests_support/vcrpy_utils.py b/packages/tests-support/src/tests_support/vcrpy_utils.py
@@ -56,6 +56,7 @@
 # Each entry is (source_string, replacement_string).
 # Ordered longest-first so more specific patterns match before substrings.
 _normalization_replacements: list[tuple[str, str]] = []
+_password_replacements: list[tuple[re.Pattern, str]] = []
 _normalization_configured: bool = False
 
 # --- Timestamp normalization ---
@@ -121,8 +122,9 @@ def configure_normalization(test_config: dict[str, Any]) -> None:
         rm -rf packages/gooddata-sdk/.tox
         uv cache clean tests-support --force
     """
-    global _normalization_replacements, _normalization_configured
+    global _normalization_replacements, _password_replacements, _normalization_configured
     replacements: list[tuple[str, str]] = []
+    _password_replacements = []
 
     parsed = urlparse(test_config.get("host", _CANONICAL_HOST))
     active_scheme = parsed.scheme or "http"
@@ -177,9 +179,16 @@ def configure_normalization(test_config: dict[str, Any]) -> None:
         replacements.append((active_ds_url, _CANONICAL_DS_URL))
 
     # Data source password: staging password → local password
+    # Uses regex (not plain string replacement) to avoid corrupting values
+    # that contain the password as a substring (e.g. "client-secret").
     active_ds_password = test_config.get("ds_password", _CANONICAL_DS_PASSWORD)
     if active_ds_password and active_ds_password != _CANONICAL_DS_PASSWORD:
-        replacements.append((active_ds_password, _CANONICAL_DS_PASSWORD))
+        _ds_password_re = re.compile(
+            r'(?<="password": ")' + re.escape(active_ds_password) + r'(?=")'  # JSON
+            r"|"
+            r"(?<=password: )" + re.escape(active_ds_password) + r"(?=\s|$)"  # YAML
+        )
+        _password_replacements.append((_ds_password_re, _CANONICAL_DS_PASSWORD))
 
     # Sort by length descending so longer patterns are replaced first,
     # preventing partial matches from corrupting longer strings.
@@ -193,6 +202,8 @@ def _apply_replacements(text: str) -> str:
     """Apply all configured normalization replacements to a string."""
     for source, target in _normalization_replacements:
         text = text.replace(source, target)
+    for pattern, target in _password_replacements:
+        text = pattern.sub(target, text)
     return text
 
 
