django/tests/dbshell/test_mysql.py

import os
import subprocess
import sys
from pathlib import Path

from django.db.backends.mysql.client import DatabaseClient
from django.test import SimpleTestCase


class MySqlDbshellCommandTestCase(SimpleTestCase):
    def settings_to_cmd_args_env(self, settings_dict, parameters=None):
        if parameters is None:
            parameters = []
        return DatabaseClient.settings_to_cmd_args_env(settings_dict, parameters)

    def test_fails_with_keyerror_on_incomplete_config(self):
        with self.assertRaises(KeyError):
            self.settings_to_cmd_args_env({})

    def test_basic_params_specified_in_settings(self):
        expected_args = [
            'mysql',
            '--user=someuser',
            '--host=somehost',
            '--port=444',
            'somedbname',
        ]
        expected_env = {'MYSQL_PWD': 'somepassword'}
        self.assertEqual(
            self.settings_to_cmd_args_env({
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'somepassword',
                'HOST': 'somehost',
                'PORT': 444,
                'OPTIONS': {},
            }),
            (expected_args, expected_env),
        )

    def test_options_override_settings_proper_values(self):
        settings_port = 444
        options_port = 555
        self.assertNotEqual(settings_port, options_port, 'test pre-req')
        expected_args = [
            'mysql',
            '--user=optionuser',
            '--host=optionhost',
            '--port=%s' % options_port,
            'optiondbname',
        ]
        expected_env = {'MYSQL_PWD': 'optionpassword'}
        self.assertEqual(
            self.settings_to_cmd_args_env({
                'NAME': 'settingdbname',
                'USER': 'settinguser',
                'PASSWORD': 'settingpassword',
                'HOST': 'settinghost',
                'PORT': settings_port,
                'OPTIONS': {
                    'db': 'optiondbname',
                    'user': 'optionuser',
                    'passwd': 'optionpassword',
                    'host': 'optionhost',
                    'port': options_port,
                },
            }),
            (expected_args, expected_env),
        )

    def test_options_password(self):
        expected_args = [
            'mysql',
            '--user=someuser',
            '--host=somehost',
            '--port=444',
            'somedbname',
        ]
        expected_env = {'MYSQL_PWD': 'optionpassword'}
        self.assertEqual(
            self.settings_to_cmd_args_env({
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'settingpassword',
                'HOST': 'somehost',
                'PORT': 444,
                'OPTIONS': {'password': 'optionpassword'},
            }),
            (expected_args, expected_env),
        )

    def test_options_charset(self):
        expected_args = [
            'mysql',
            '--user=someuser',
            '--host=somehost',
            '--port=444',
            '--default-character-set=utf8',
            'somedbname',
        ]
        expected_env = {'MYSQL_PWD': 'somepassword'}
        self.assertEqual(
            self.settings_to_cmd_args_env({
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'somepassword',
                'HOST': 'somehost',
                'PORT': 444,
                'OPTIONS': {'charset': 'utf8'},
            }),
            (expected_args, expected_env),
        )

    def test_can_connect_using_sockets(self):
        expected_args = [
            'mysql',
            '--user=someuser',
            '--socket=/path/to/mysql.socket.file',
            'somedbname',
        ]
        expected_env = {'MYSQL_PWD': 'somepassword'}
        self.assertEqual(
            self.settings_to_cmd_args_env({
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'somepassword',
                'HOST': '/path/to/mysql.socket.file',
                'PORT': None,
                'OPTIONS': {},
            }),
            (expected_args, expected_env),
        )

    def test_ssl_certificate_is_added(self):
        expected_args = [
            'mysql',
            '--user=someuser',
            '--host=somehost',
            '--port=444',
            '--ssl-ca=sslca',
            '--ssl-cert=sslcert',
            '--ssl-key=sslkey',
            'somedbname',
        ]
        expected_env = {'MYSQL_PWD': 'somepassword'}
        self.assertEqual(
            self.settings_to_cmd_args_env({
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'somepassword',
                'HOST': 'somehost',
                'PORT': 444,
                'OPTIONS': {
                    'ssl': {
                        'ca': 'sslca',
                        'cert': 'sslcert',
                        'key': 'sslkey',
                    },
                },
            }),
            (expected_args, expected_env),
        )

    def test_parameters(self):
        self.assertEqual(
            self.settings_to_cmd_args_env(
                {
                    'NAME': 'somedbname',
                    'USER': None,
                    'PASSWORD': None,
                    'HOST': None,
                    'PORT': None,
                    'OPTIONS': {},
                },
                ['--help'],
            ),
            (['mysql', 'somedbname', '--help'], None),
        )

    def test_crash_password_does_not_leak(self):
        # The password doesn't leak in an exception that results from a client
        # crash.
        args, env = DatabaseClient.settings_to_cmd_args_env(
            {
                'NAME': 'somedbname',
                'USER': 'someuser',
                'PASSWORD': 'somepassword',
                'HOST': 'somehost',
                'PORT': 444,
                'OPTIONS': {},
            },
            [],
        )
        if env:
            env = {**os.environ, **env}
        fake_client = Path(__file__).with_name('fake_client.py')
        args[0:1] = [sys.executable, str(fake_client)]
        with self.assertRaises(subprocess.CalledProcessError) as ctx:
            subprocess.run(args, check=True, env=env)
        self.assertNotIn('somepassword', str(ctx.exception))
Refs #32061 -- Fixed test_crash_password_does_not_leak() crash on Windows. When env is passed to subprocess.run() we should pass all existing environment variables. This fixes crash on Windows: Fatal Python error: failed to get random numbers to initialize Python Fatal Python error: _Py_HashRandomization_Init: failed to get random numbers to initialize Python Python runtime state: preinitialized 2020-11-03 10:38:40 +00:00			`import os`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`import subprocess`
			`import sys`
			`from pathlib import Path`

Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`from django.db.backends.mysql.client import DatabaseClient`
			`from django.test import SimpleTestCase`


			`class MySqlDbshellCommandTestCase(SimpleTestCase):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`def settings_to_cmd_args_env(self, settings_dict, parameters=None):`
			`if parameters is None:`
			`parameters = []`
			`return DatabaseClient.settings_to_cmd_args_env(settings_dict, parameters)`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00
			`def test_fails_with_keyerror_on_incomplete_config(self):`
			`with self.assertRaises(KeyError):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({})`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00
			`def test_basic_params_specified_in_settings(self):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`expected_args = [`
			`'mysql',`
			`'--user=someuser',`
			`'--host=somehost',`
			`'--port=444',`
			`'somedbname',`
			`]`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`expected_env = {'MYSQL_PWD': 'somepassword'}`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`'NAME': 'somedbname',`
			`'USER': 'someuser',`
			`'PASSWORD': 'somepassword',`
			`'HOST': 'somehost',`
			`'PORT': 444,`
			`'OPTIONS': {},`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`}),`
			`(expected_args, expected_env),`
			`)`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00
			`def test_options_override_settings_proper_values(self):`
			`settings_port = 444`
			`options_port = 555`
			`self.assertNotEqual(settings_port, options_port, 'test pre-req')`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`expected_args = [`
			`'mysql',`
			`'--user=optionuser',`
			`'--host=optionhost',`
			`'--port=%s' % options_port,`
			`'optiondbname',`
			`]`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`expected_env = {'MYSQL_PWD': 'optionpassword'}`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`'NAME': 'settingdbname',`
			`'USER': 'settinguser',`
			`'PASSWORD': 'settingpassword',`
			`'HOST': 'settinghost',`
			`'PORT': settings_port,`
			`'OPTIONS': {`
			`'db': 'optiondbname',`
			`'user': 'optionuser',`
			`'passwd': 'optionpassword',`
			`'host': 'optionhost',`
			`'port': options_port,`
			`},`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`}),`
			`(expected_args, expected_env),`
			`)`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00
Fixed #31491 -- Allowed 'password' option in DATABASES['OPTIONS'] on MySQL. 2020-06-11 18:12:35 +00:00			`def test_options_password(self):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`expected_args = [`
			`'mysql',`
			`'--user=someuser',`
			`'--host=somehost',`
			`'--port=444',`
			`'somedbname',`
			`]`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`expected_env = {'MYSQL_PWD': 'optionpassword'}`
Fixed #31491 -- Allowed 'password' option in DATABASES['OPTIONS'] on MySQL. 2020-06-11 18:12:35 +00:00			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({`
Fixed #31491 -- Allowed 'password' option in DATABASES['OPTIONS'] on MySQL. 2020-06-11 18:12:35 +00:00			`'NAME': 'somedbname',`
			`'USER': 'someuser',`
			`'PASSWORD': 'settingpassword',`
			`'HOST': 'somehost',`
			`'PORT': 444,`
			`'OPTIONS': {'password': 'optionpassword'},`
			`}),`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`(expected_args, expected_env),`
Fixed #31491 -- Allowed 'password' option in DATABASES['OPTIONS'] on MySQL. 2020-06-11 18:12:35 +00:00			`)`

Fixed #6517 -- Made dbshell use charset option on MySQL. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-10-14 18:07:57 +00:00			`def test_options_charset(self):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`expected_args = [`
			`'mysql',`
			`'--user=someuser',`
			`'--host=somehost',`
			`'--port=444',`
			`'--default-character-set=utf8',`
			`'somedbname',`
			`]`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`expected_env = {'MYSQL_PWD': 'somepassword'}`
Fixed #6517 -- Made dbshell use charset option on MySQL. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-10-14 18:07:57 +00:00			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({`
Fixed #6517 -- Made dbshell use charset option on MySQL. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-10-14 18:07:57 +00:00			`'NAME': 'somedbname',`
			`'USER': 'someuser',`
			`'PASSWORD': 'somepassword',`
			`'HOST': 'somehost',`
			`'PORT': 444,`
			`'OPTIONS': {'charset': 'utf8'},`
			`}),`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`(expected_args, expected_env),`
Fixed #6517 -- Made dbshell use charset option on MySQL. Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-10-14 18:07:57 +00:00			`)`

Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`def test_can_connect_using_sockets(self):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`expected_args = [`
			`'mysql',`
			`'--user=someuser',`
			`'--socket=/path/to/mysql.socket.file',`
			`'somedbname',`
			`]`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`expected_env = {'MYSQL_PWD': 'somepassword'}`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`'NAME': 'somedbname',`
			`'USER': 'someuser',`
			`'PASSWORD': 'somepassword',`
			`'HOST': '/path/to/mysql.socket.file',`
			`'PORT': None,`
			`'OPTIONS': {},`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`}),`
			`(expected_args, expected_env),`
			`)`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00
			`def test_ssl_certificate_is_added(self):`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`expected_args = [`
			`'mysql',`
			`'--user=someuser',`
			`'--host=somehost',`
			`'--port=444',`
			`'--ssl-ca=sslca',`
			`'--ssl-cert=sslcert',`
			`'--ssl-key=sslkey',`
			`'somedbname',`
			`]`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`expected_env = {'MYSQL_PWD': 'somepassword'}`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env({`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00			`'NAME': 'somedbname',`
			`'USER': 'someuser',`
			`'PASSWORD': 'somepassword',`
			`'HOST': 'somehost',`
			`'PORT': 444,`
Fixed #28322 -- Added dbshell support for MySQL client TLS certs. 2017-06-19 22:11:25 +00:00			`'OPTIONS': {`
			`'ssl': {`
			`'ca': 'sslca',`
			`'cert': 'sslcert',`
			`'key': 'sslkey',`
			`},`
			`},`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`}),`
			`(expected_args, expected_env),`
			`)`
Fixed #22646: Added support for the MySQL ssl-ca option to dbshell. 2014-05-21 13:05:41 +00:00
Fixed #29501 -- Allowed dbshell to pass options to underlying tool. 2020-04-14 07:56:40 +00:00			`def test_parameters(self):`
			`self.assertEqual(`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`self.settings_to_cmd_args_env(`
Fixed #29501 -- Allowed dbshell to pass options to underlying tool. 2020-04-14 07:56:40 +00:00			`{`
			`'NAME': 'somedbname',`
			`'USER': None,`
			`'PASSWORD': None,`
			`'HOST': None,`
			`'PORT': None,`
			`'OPTIONS': {},`
			`},`
			`['--help'],`
			`),`
Refs #32061 -- Unified DatabaseClient.runshell() in db backends. 2020-10-04 22:25:29 +00:00			`(['mysql', 'somedbname', '--help'], None),`
Fixed #29501 -- Allowed dbshell to pass options to underlying tool. 2020-04-14 07:56:40 +00:00			`)`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00
			`def test_crash_password_does_not_leak(self):`
			`# The password doesn't leak in an exception that results from a client`
			`# crash.`
			`args, env = DatabaseClient.settings_to_cmd_args_env(`
			`{`
			`'NAME': 'somedbname',`
			`'USER': 'someuser',`
			`'PASSWORD': 'somepassword',`
			`'HOST': 'somehost',`
			`'PORT': 444,`
			`'OPTIONS': {},`
			`},`
			`[],`
			`)`
Refs #32061 -- Fixed test_crash_password_does_not_leak() crash on Windows. When env is passed to subprocess.run() we should pass all existing environment variables. This fixes crash on Windows: Fatal Python error: failed to get random numbers to initialize Python Fatal Python error: _Py_HashRandomization_Init: failed to get random numbers to initialize Python Python runtime state: preinitialized 2020-11-03 10:38:40 +00:00			`if env:`
			`env = {os.environ, env}`
Refs #32061 -- Prevented password leak on MySQL dbshell crash. The usage of the --password flag when invoking the mysql CLI has the potential of exposing the password in plain text if the command happens to crash due to the inclusion of args provided to subprocess.run(check=True) in the string representation of the subprocess.CalledProcessError exception raised on non-zero return code. Since this has the potential of leaking the password to logging facilities configured to capture crashes (e.g. sys.excepthook, Sentry) it's safer to rely on the MYSQL_PWD environment variable instead even if its usage is discouraged due to potential leak through the ps command on old flavors of Unix. Thanks Charlie Denton for reporting the issue to the security team. Refs #24999. 2020-10-04 22:31:04 +00:00			`fake_client = Path(__file__).with_name('fake_client.py')`
			`args[0:1] = [sys.executable, str(fake_client)]`
			`with self.assertRaises(subprocess.CalledProcessError) as ctx:`
			`subprocess.run(args, check=True, env=env)`
			`self.assertNotIn('somepassword', str(ctx.exception))`