def test_cache_catches_last_found_secrets(client):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", set())
cache = Cache()
cache.purge()
assert cache.last_found_secrets == set()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == set()
assert cache.last_found_secrets == FOUND_SECRETS
cache.load_cache()
assert cache.last_found_secrets == FOUND_SECRETS
def test_cache_catches_last_found_secrets(client, isolated_fs):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", [])
cache = Cache()
cache.purge()
assert cache.last_found_secrets == list()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == list()
cache_found_secrets = sorted(cache.last_found_secrets, key=compare_matches_ignore)
found_secrets = sorted(FOUND_SECRETS, key=compare_matches_ignore)
assert [found_secret["match"] for found_secret in cache_found_secrets] == [
found_secret["match"] for found_secret in found_secrets
]
ignore_last_found(config, cache)
for ignore in config.matches_ignore:
assert "test.txt" in ignore["name"]
cache.load_cache()
def test_cache_old_config_no_new_secret(client, isolated_fs):
"""
GIVEN a cache of last found secrets same as config ignored-matches
and config ignored-matches is a list of strings
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = [d["match"] for d in FOUND_SECRETS]
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == [d["match"] for d in FOUND_SECRETS]
assert cache.last_found_secrets == []
def scan_commit(
commit: Commit,
client: GGClient,
cache: Cache,
verbose: bool,
matches_ignore: Iterable[IgnoredMatch],
all_policies: bool,
mode_header: str,
banlisted_detectors: Optional[Set[str]] = None,
) -> ScanCollection: # pragma: no cover
results = commit.scan(
client=client,
cache=cache,
matches_ignore=matches_ignore,
banlisted_detectors=banlisted_detectors,
all_policies=all_policies,
verbose=verbose,
)
return ScanCollection(
commit.sha or "unknown",
type="commit",
results=results,
optional_header=commit.optional_header,
extra_info=commit.info._asdict(),
)
def test_cache_catches_nothing(client):
"""
GIVEN a cache of last found secrets same as config ignored-matches
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = FOUND_SECRETS
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == FOUND_SECRETS
assert cache.last_found_secrets == []
def test_scan_patch(client, cache, name, input_patch, expected):
c = Commit()
c._patch = input_patch
with my_vcr.use_cassette(name):
results = c.scan(
client=client,
cache=cache,
matches_ignore={},
all_policies=True,
verbose=False,
)
for result in results:
if result.scan.policy_breaks:
assert len(
result.scan.policy_breaks[0].matches) == expected.matches
if expected.first_match:
assert (result.scan.policy_breaks[0].matches[0].match ==
expected.first_match)
else:
assert result.scan.policy_breaks == []
if expected.want:
assert result.content == expected.want["content"]
assert result.filename == expected.want["filename"]
assert result.filemode == expected.want["filemode"]
def test_request_headers(scan_mock: Mock, client):
c = Commit()
c._patch = _SIMPLE_SECRET
with Context(Command("bar"), info_name="bar") as ctx:
ctx.parent = Context(Group("foo"), info_name="foo")
c.scan(
client=client,
cache=Cache(),
matches_ignore={},
all_policies=True,
verbose=False,
)
scan_mock.assert_called_with(
ANY,
{
"GGShield-Version": __version__,
"GGShield-Command-Path": "foo bar",
},
)
def test_json_output(client, name, input_patch, expected, snapshot):
c = Commit()
c._patch = input_patch
handler = JSONHandler(verbose=True, show_secrets=False)
with my_vcr.use_cassette(name):
results = c.scan(
client=client, matches_ignore={}, all_policies=True, verbose=False
)
flat_results, exit_code = handler.process_scan(
scan=ScanCollection(id="path", type="test", results=results), top=True
)
assert exit_code == expected
json_flat_results = JSONScanCollectionSchema().dumps(flat_results)
snapshot.assert_match(JSONScanCollectionSchema().loads(json_flat_results))
def scan_commit(
commit: Commit,
client: GGClient,
verbose: bool,
matches_ignore: Iterable[str],
all_policies: bool,
) -> ScanCollection: # pragma: no cover
results = commit.scan(
client=client,
matches_ignore=matches_ignore,
all_policies=all_policies,
verbose=verbose,
)
return ScanCollection(
commit.sha or "unknown",
type="commit",
results=results,
optional_header=commit.optional_header,
extra_info=commit.info._asdict(),
)
def test_json_output(client, cache, name, input_patch, expected, snapshot):
c = Commit()
c._patch = input_patch
handler = JSONOutputHandler(verbose=True, show_secrets=False)
with my_vcr.use_cassette(name):
results = c.scan(
client=client,
cache=cache,
matches_ignore={},
all_policies=True,
verbose=False,
banlisted_detectors=None,
)
scan = ScanCollection(id="path", type="test", results=results)
json_flat_results = handler._process_scan_impl(scan)
exit_code = OutputHandler._get_exit_code(scan)
assert exit_code == expected
snapshot.assert_match(
JSONScanCollectionSchema().loads(json_flat_results))
