Update expose settings to also mask cache_uri (#1006)

* Update expose settings mask_value to also mask Url type

* Bumpversion to 4.2.0rc3

Author: tjeerddie

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.2.0rc2
+current_version = 4.2.0rc3
 commit = False
 tag = False
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(rc(?P<build>\d+))?

orchestrator/__init__.py

@@ -13,7 +13,7 @@
 
 """This is the orchestrator workflow engine."""
 
-__version__ = "4.2.0rc2"
+__version__ = "4.2.0rc3"
 
 from orchestrator.app import OrchestratorCore
 from orchestrator.settings import app_settings

orchestrator/services/settings_env_variables.py

@@ -14,7 +14,7 @@
 from typing import Any, Dict, Type
 
 from pydantic import SecretStr as PydanticSecretStr
-from pydantic_core import MultiHostUrl
+from pydantic_core import MultiHostUrl, Url
 from pydantic_settings import BaseSettings
 
 from orchestrator.utils.expose_settings import SecretStr as OrchSecretStr
@@ -32,21 +32,9 @@ def expose_settings(settings_name: str, base_settings: Type[BaseSettings]) -> Ty
 
 def mask_value(key: str, value: Any) -> Any:
     key_lower = key.lower()
+    is_sensitive_key = "secret" in key_lower or "password" in key_lower
 
-    if "secret" in key_lower or "password" in key_lower:
-        # Mask sensitive information
-        return MASK
-
-    if isinstance(value, PydanticSecretStr):
-        # Need to convert SecretStr to str for serialization
-        return str(value)
-
-    if isinstance(value, OrchSecretStr):
-        return MASK
-
-    # PostgresDsn is just MultiHostUrl with extra metadata (annotations)
-    if isinstance(value, MultiHostUrl):
-        # Convert PostgresDsn to str for serialization
+    if is_sensitive_key or isinstance(value, (OrchSecretStr, PydanticSecretStr, MultiHostUrl, Url)):
         return MASK
 
     return value

orchestrator/settings.py

@@ -72,7 +72,7 @@ class AppSettings(BaseSettings):
     TRACING_ENABLED: bool = False
     TRACE_HOST: str = "http://localhost:4317"
     TRANSLATIONS_DIR: Path | None = None
-    WEBSOCKET_BROADCASTER_URL: str = "memory://"
+    WEBSOCKET_BROADCASTER_URL: OrchSecretStr = "memory://"  # type: ignore
     ENABLE_WEBSOCKETS: bool = True
     DISABLE_INSYNC_CHECK: bool = False
     DEFAULT_PRODUCT_WORKFLOWS: list[str] = ["modify_note"]

test/unit_tests/services/test_expose_settings.py

@@ -1,4 +1,4 @@
-from pydantic import PostgresDsn
+from pydantic import PostgresDsn, RedisDsn
 from pydantic import SecretStr as PydanticSecretStr
 from pydantic_settings import BaseSettings
 
@@ -14,6 +14,7 @@ class MySettings(BaseSettings):
         debug_mode: bool = True
         secret_test: str = "test_secret"  # noqa: S105
         uri: PostgresDsn = "postgresql://user:password@localhost/dbname"
+        cache_uri: RedisDsn = "rediss://user:password@localhost/dbname"
 
     my_settings = MySettings()
     expose_settings("my_settings", my_settings)
@@ -25,11 +26,12 @@ class MySettings(BaseSettings):
 
     assert exposed_settings[my_settings_index].name == "my_settings"
 
-    assert len(exposed_settings[my_settings_index].variables) == 5
+    assert len(exposed_settings[my_settings_index].variables) == 6
 
     # Assert that sensitive values are masked
     assert exposed_settings[my_settings_index].variables[0].env_value == MASK  # api_key
     assert exposed_settings[my_settings_index].variables[1].env_value == MASK  # db_password
     assert exposed_settings[my_settings_index].variables[2].env_value is True  # debug_mode
     assert exposed_settings[my_settings_index].variables[3].env_value == MASK  # secret_test
     assert exposed_settings[my_settings_index].variables[4].env_value == MASK  # uri
+    assert exposed_settings[my_settings_index].variables[5].env_value == MASK  # cache_uri