def test_cache_catches_last_found_secrets(client, isolated_fs):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", [])
cache = Cache()
cache.purge()
assert cache.last_found_secrets == list()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == list()
cache_found_secrets = sorted(cache.last_found_secrets, key=compare_matches_ignore)
found_secrets = sorted(FOUND_SECRETS, key=compare_matches_ignore)
assert [found_secret["match"] for found_secret in cache_found_secrets] == [
found_secret["match"] for found_secret in found_secrets
]
ignore_last_found(config, cache)
for ignore in config.matches_ignore:
assert "test.txt" in ignore["name"]
cache.load_cache()
def test_cache_old_config_no_new_secret(client, isolated_fs):
"""
GIVEN a cache of last found secrets same as config ignored-matches
and config ignored-matches is a list of strings
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = [d["match"] for d in FOUND_SECRETS]
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == [d["match"] for d in FOUND_SECRETS]
assert cache.last_found_secrets == []
def test_cache_catches_nothing(client):
"""
GIVEN a cache of last found secrets same as config ignored-matches
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = FOUND_SECRETS
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == FOUND_SECRETS
assert cache.last_found_secrets == []
def test_cache_catches_last_found_secrets(client):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", set())
cache = Cache()
cache.purge()
assert cache.last_found_secrets == set()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == set()
assert cache.last_found_secrets == FOUND_SECRETS
cache.load_cache()
assert cache.last_found_secrets == FOUND_SECRETS
def test_scan_patch(client, cache, name, input_patch, expected):
c = Commit()
c._patch = input_patch
with my_vcr.use_cassette(name):
results = c.scan(
client=client,
cache=cache,
matches_ignore={},
all_policies=True,
verbose=False,
)
for result in results:
if result.scan.policy_breaks:
assert len(
result.scan.policy_breaks[0].matches) == expected.matches
if expected.first_match:
assert (result.scan.policy_breaks[0].matches[0].match ==
expected.first_match)
else:
assert result.scan.policy_breaks == []
if expected.want:
assert result.content == expected.want["content"]
assert result.filename == expected.want["filename"]
assert result.filemode == expected.want["filemode"]
def test_patch_separation_ignore():
c = Commit()
c._patch = PATCH_SEPARATION
file_to_ignore = ".env"
c.filter_set = {os.path.join(os.getcwd(), file_to_ignore)}
files = list(c.get_files())
assert len(files) == 3
assert not (any(entry.filename == file_to_ignore for entry in files))
def test_patch_separation():
c = Commit()
c._patch = PATCH_SEPARATION
files = list(c.get_files())
assert len(files) == 4
assert c.info.author == "Testificate Jose"
assert c.info.email == "*****@*****.**"
assert c.info.date == "Fri Oct 18 13:20:00 2012 +0100"
def test_patch_max_size():
c = Commit()
c._patch = """
diff --git a/tests/test_scannable.py b/.env
new file mode 100644
index 0000000..0000000
--- /dev/null
+++ b/.env
@@ -0,0 +1,112 @@
CHECK_ENVIRONMENT=true
"""
c._patch += "a" * MAX_FILE_SIZE
files = list(c.get_files())
assert len(files) == 0
def test_json_output(client, name, input_patch, expected, snapshot):
c = Commit()
c._patch = input_patch
handler = JSONHandler(verbose=True, show_secrets=False)
with my_vcr.use_cassette(name):
results = c.scan(
client=client, matches_ignore={}, all_policies=True, verbose=False
)
flat_results, exit_code = handler.process_scan(
scan=ScanCollection(id="path", type="test", results=results), top=True
)
assert exit_code == expected
json_flat_results = JSONScanCollectionSchema().dumps(flat_results)
snapshot.assert_match(JSONScanCollectionSchema().loads(json_flat_results))
def test_request_headers(scan_mock: Mock, client):
c = Commit()
c._patch = _SIMPLE_SECRET
with Context(Command("bar"), info_name="bar") as ctx:
ctx.parent = Context(Group("foo"), info_name="foo")
c.scan(
client=client,
cache=Cache(),
matches_ignore={},
all_policies=True,
verbose=False,
)
scan_mock.assert_called_with(
ANY,
{
"GGShield-Version": __version__,
"GGShield-Command-Path": "foo bar",
},
)
def test_json_output(client, cache, name, input_patch, expected, snapshot):
c = Commit()
c._patch = input_patch
handler = JSONOutputHandler(verbose=True, show_secrets=False)
with my_vcr.use_cassette(name):
results = c.scan(
client=client,
cache=cache,
matches_ignore={},
all_policies=True,
verbose=False,
banlisted_detectors=None,
)
scan = ScanCollection(id="path", type="test", results=results)
json_flat_results = handler._process_scan_impl(scan)
exit_code = OutputHandler._get_exit_code(scan)
assert exit_code == expected
snapshot.assert_match(
JSONScanCollectionSchema().loads(json_flat_results))
