Fix Python and R repository smoke tests

[craddm]

:white_check_mark: Checklist

• [x] You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• [x] You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• [x] Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

:vertical_traffic_light: Depends on

This is best done in combination with an update to the nexus-allowlist container to allow installation of older versions of R packages. Current smoke tests will still fail as they require installation of older R package versions, which is not currently allowed by the Nexus server.

:arrow_heading_up: Summary

Minimally updates the PyPi allowlist, ensuring that the smoke tests can run with all required dependencies now on the list.

Updates the R smoke tests to now refer to packages that are on allowlist.

Fixes the following tests:

• Python package repository
• R package repository
• Python functionality
• MS SQL database (Python & R)
• Postgres database (Python & R)

Does not fix the R functionality test.

:closed_umbrella: Related issues

Closes #2107

:microscope: Tests

Tested on a Tier 3 equivalent SRE deployment - noteasybeing.green.develop.turingsafehaven.ac.uk

[github-actions[bot]]

Coverage report

This PR does not seem to contain any modification to coverable code.

[jemrobinson]

@craddm : do you want to merge this as a fix for Python/PyPI only or wait until you have a fix for R/CRAN too?

[craddm]

@craddm : do you want to merge this as a fix for Python/PyPI only or wait until you have a fix for R/CRAN too?

Could do; smoke tests will still fail for R until nexus-allowlists is updated, and then we'll need a separate PR to update which version of that we're using. Or I can probably change the R smoke tests further so they pass now.

[jemrobinson]

I think it's better to keep PRs small if possible. Is this one working and ready for review?

[craddm]

I hadn't finished it, no, as I switched to getting the CRAN part working via nexus-allowlist, and I still need to work out why some of the smoke test are still failing.

The database smoke tests are all failing at the moment (python and R)

I suspect this is a different problem to so I'll transfer this to new issue/PR

 ✗ Postgres database (Python)
   (in test file run_all_tests.bats, line 118)
     `[ "$status" -eq 0 ]' failed

[jemrobinson]

I've changed the title of the PR to what I think it's doing. Can you paste a before/after of the Python tests with this change?

[craddm]

I've changed the title of the PR to what I think it's doing. Can you paste a before/after of the Python tests with this change?

This wasn't correct, as it also fixes an R smoke test to use packages that are actually on the allowlist

[craddm]

Note, this doesn't fix the R functionality test, as that requires installation of an old version of MASS that is compatible with our R version. That'd be fixed by #2116, or by changing to a different package.

[JimMadge]

@craddm Do you want to check if #2116 would fix this?

I think the conversation about whether than is fine to put in the release is still open. If it makes the difference here I think we should try to include it.

[jemrobinson]

I don't think we can release with broken smoke tests. I doubt (although I can't be completely certain) that updating the nexus-allowlists version will trigger any vulnerability that wasn't already present. If we're worried about that, let's update one of the under-test SREs and ask the penetration testers to retest the software packages server.

[craddm]

I also think the ramifications of this change in terms of allowing more possible downloads from CRAN are not very concerning. It's still allowing R packages that have been through the same process as all the latest R packages, and only from CRAN, so as James says I don't think it triggers any vulnerability that isn't already there.

[JimMadge]

I also think the ramifications of this change in terms of allowing more possible downloads from CRAN are not very concerning. It's still allowing R packages that have been through the same process as all the latest R packages, and only from CRAN, so as James says I don't think it triggers any vulnerability that isn't already there.

:+1: Moreover, I think these changes are making Nexus behave as we expected. We already decided in T2 we are comfortable with all CRAN packages, and in T3 we are not interesting in filtering versions.

[jemrobinson]

OK, so sounds like we should merge this PR and also test out #2116. Is that right?

[craddm]

I'm testing out #2116 shortly, in combination with this