
fix(pyats): prevent credential exposure in PyATS archives (#689)#698

Open
oboehmer wants to merge 1 commit into main from fix/689-quick-fix

Conversation

Collaborator

@oboehmer oboehmer commented Mar 22, 2026

Description

Quick fix to prevent credential exposure in PyATS result archives. The EnvironmentDebugPlugin was writing environment variables (including passwords) to env.txt files within PyATS archives.

This is an expedited fix to address the security issue before UAT. A more comprehensive PR (#697) is in progress that includes this fix along with additional cleanup for #570.

Closes

Related Issue(s)

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactoring / Technical debt (internal improvements with no user-facing changes)
  • Documentation update
  • Chore (build process, CI, tooling, dependencies)
  • Other (please describe):

Test Framework Affected

  • PyATS
  • Robot Framework
  • Both
  • N/A (not test-framework specific)

Network as Code (NaC) Architecture Affected

  • ACI (APIC)
  • NDO (Nexus Dashboard Orchestrator)
  • NDFC / VXLAN-EVPN (Nexus Dashboard Fabric Controller)
  • Catalyst SD-WAN (SDWAN Manager / vManage)
  • Catalyst Center (DNA Center)
  • ISE (Identity Services Engine)
  • FMC (Firepower Management Center)
  • Meraki (Cloud-managed)
  • NX-OS (Nexus Direct-to-Device)
  • IOS-XE (Direct-to-Device)
  • IOS-XR (Direct-to-Device)
  • Hyperfabric
  • All architectures
  • N/A (architecture-agnostic)

Platform Tested

  • macOS (version tested: )
  • Linux (distro/version tested: )

Key Changes

  • Disable EnvironmentDebugPlugin in PyATS subprocess runner configuration to prevent env vars from being written to archives
  • Add E2E regression test that scans all output artifacts (including ZIP contents) for credential sentinel values

Testing Done

  • Unit tests added/updated
  • Integration tests performed
  • Manual testing performed:
    • PyATS tests executed successfully
    • Robot Framework tests executed successfully
    • D2D/SSH tests executed successfully (if applicable)
    • HTML reports generated correctly
  • All existing tests pass (pytest / pre-commit run -a)

Test Commands Used

Without the fix in subprocess_runner, I see the new test fail:

E       AssertionError: Credential sentinel found in output artifacts:
E           - /private/var/folders/_f/vfw2shn13kqfdqskxs8s70qh0000gn/T/pytest-of-oboehmer/pytest-72/popen-gw13/e2e_pyats_cc0/pyats_results/api/env.txt
E           - /private/var/folders/_f/vfw2shn13kqfdqskxs8s70qh0000gn/T/pytest-of-oboehmer/pytest-72/popen-gw13/e2e_pyats_cc0/pyats_results/d2d/sd-dc-c8kv-02/env.txt
E           - /private/var/folders/_f/vfw2shn13kqfdqskxs8s70qh0000gn/T/pytest-of-oboehmer/pytest-72/popen-gw13/e2e_pyats_cc0/pyats_results/d2d/sd-dc-c8kv-01/env.txt
E       assert not ['/private/var/folders/_f/vfw2shn13kqfdqskxs8s70qh0000gn/T/pytest-of-oboehmer/pytest-72/popen-gw13/e2e_pyats_cc0/pyats...kqfdqskxs8s70qh0000gn/T/pytest-of-oboehmer/pytest-72/popen-gw13/e2e_pyats_cc0/pyats_results/d2d/sd-dc-c8kv-01/env.txt']

tests/e2e/test_e2e_scenarios.py:987: AssertionError
[...]
======================================================================== short test summary info =========================================================================
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EPyatsApiOnly::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EVerboseWithInfo::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EVerbose::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EPyatsD2dOnly::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EAllFail::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2ESuccess::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EMixedRelativeOutput::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EMixed::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
FAILED tests/e2e/test_e2e_scenarios.py::TestE2EPyatsCc::test_no_credentials_in_output_artifacts - AssertionError: Credential sentinel found in output artifacts:
================================================== 9 failed, 644 passed, 270 skipped, 127 warnings in 92.33s (0:01:32) ===================================================

Checklist

  • Code follows project style guidelines (pre-commit run -a passes)
  • Self-review of code completed
  • Code is commented where necessary (especially complex logic)
  • Documentation updated (if applicable)
  • No new warnings introduced
  • Changes work on both macOS and Linux
  • CHANGELOG.md updated (if applicable)

Screenshots (if applicable)

N/A

Additional Notes

This is a minimal, targeted fix to mitigate the security issue quickly. PR #697 will supersede this with a more comprehensive solution that also addresses #570 (tech debt cleanup and code deduplication).
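The regression test described under "Key Changes", as an added example that is not code from this PR or from the project: a scanner that walks a result directory, opens every ZIP it finds (including ZIPs nested inside ZIPs) and reports each file or archive member whose raw bytes contain a constructed sentinel password. The function names, the sentinel value and the sample tree are assumptions made for this example.

```python
import io
import os
import tempfile
import zipfile

# Constructed sentinel: an unguessable value injected into the credentials
# before the run, so any output artifact that contains it is a leak.
SENTINEL = b"SENTINEL-PW-7f3a9c"

def _scan_zip(data: bytes, label: str, sentinel: bytes) -> list[str]:
    """Return '<zip>!<member>' for members containing the sentinel, recursing
    into nested ZIPs (a pyATS archive may itself contain archives)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():  # directory entries read back as b""
            member, inner = zf.read(name), f"{label}!{name}"
            if zipfile.is_zipfile(io.BytesIO(member)):
                hits.extend(_scan_zip(member, inner, sentinel))
            elif sentinel in member:
                hits.append(inner)
    return hits

def find_sentinel(root: str, sentinel: bytes = SENTINEL) -> list[str]:
    """Walk `root`; return every file or ZIP member (relative to `root`) whose
    raw bytes contain `sentinel`. The regression test asserts it is empty."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            if zipfile.is_zipfile(io.BytesIO(data)):
                hits.extend(_scan_zip(data, rel, sentinel))
            elif sentinel in data:
                hits.append(rel)
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed artifacts in a temp dir: a leaking env.txt, a clean log and
    a ZIP hiding a second leaking env.txt (the case a plain file grep misses)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "api"))
    with open(os.path.join(root, "api", "env.txt"), "wb") as fh:
        fh.write(b"HOME=/root\nDEVICE_PASSWORD=" + SENTINEL + b"\n")
    with open(os.path.join(root, "run.log"), "wb") as fh:
        fh.write(b"connected to device\n")
    with zipfile.ZipFile(os.path.join(root, "results.zip"), "w") as zf:
        zf.writestr("d2d/env.txt", b"PASSWORD=" + SENTINEL)
    return root
```

Matching is on raw bytes, so a sentinel that reaches an artifact only in transformed form (base64, URL-encoded, or compressed outside a ZIP) is not caught, and the check only proves the credentials you seeded are absent, not that no other secret was written.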

@oboehmer oboehmer requested a review from aitestino March 22, 2026 21:33
@oboehmer oboehmer self-assigned this Mar 22, 2026
@oboehmer oboehmer added the labels "bug" (Something isn't working) and "prio: high" Mar 22, 2026
Disable EnvironmentDebugPlugin which was writing environment variables
(including passwords) to env.txt files in PyATS result archives.

Add E2E regression test that scans all output artifacts (including ZIP
contents) for a sentinel password value to catch future credential leaks.
@oboehmer oboehmer force-pushed the fix/689-quick-fix branch from 09f0c07 to 07b6270 March 23, 2026 12:27
@oboehmer oboehmer requested a review from danischm March 23, 2026 12:54

Development

Successfully merging this pull request may close these issues.

Security: Disable pyATS EnvironmentDebugPlugin to prevent credential exposure in env.txt

1 participant