def test_cache_catches_last_found_secrets(client):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", set())
cache = Cache()
cache.purge()
assert cache.last_found_secrets == set()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == set()
assert cache.last_found_secrets == FOUND_SECRETS
cache.load_cache()
assert cache.last_found_secrets == FOUND_SECRETS
def test_display_options(self, cli_fs_runner):
with open(".gitguardian.yml", "w") as file:
file.write(yaml.dump({"verbose": True, "show_secrets": True}))
config = Config()
assert config.verbose is True
assert config.show_secrets is True
def test_unknown_option(self, cli_fs_runner, capsys):
with open(".gitguardian.yml", "w") as file:
file.write(yaml.dump({"verbosity": True}))
Config()
captured = capsys.readouterr()
assert "Unrecognized key in config" in captured.out
def test_cache_old_config_no_new_secret(client):
"""
GIVEN a cache of last found secrets same as config ignored-matches
and config ignored-matches is a list of strings
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = [d["match"] for d in FOUND_SECRETS]
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == [d["match"] for d in FOUND_SECRETS]
assert cache.last_found_secrets == []
def test_cache_catches_last_found_secrets(client):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", [])
cache = Cache()
cache.purge()
assert cache.last_found_secrets == list()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == list()
cache_found_secrets = sorted(cache.last_found_secrets,
key=compare_matches_ignore)
found_secrets = sorted(FOUND_SECRETS, key=compare_matches_ignore)
assert [found_secret["match"] for found_secret in cache_found_secrets
] == [found_secret["match"] for found_secret in found_secrets]
ignore_last_found(config, cache)
for ignore in config.matches_ignore:
assert "test.txt" in ignore["name"]
cache.load_cache()
def test_ignore_last_found_preserve_previous_config(client):
"""
GIVEN a cache containing new secrets AND a config not empty
WHEN I run ignore command
THEN existing config option are not wiped out
"""
config = Config()
previous_secrets = [
{
"name": "",
"match": "previous_secret"
},
{
"name": "",
"match": "other_previous_secret"
},
]
previous_paths = {"some_path", "some_other_path"}
config.matches_ignore = previous_secrets.copy()
config.paths_ignore = previous_paths
config.exit_zero = True
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
ignore_last_found(config, cache)
matches_ignore = sorted(config.matches_ignore, key=compare_matches_ignore)
found_secrets = sorted(FOUND_SECRETS + previous_secrets,
key=compare_matches_ignore)
assert matches_ignore == found_secrets
assert config.paths_ignore == previous_paths
assert config.exit_zero is True
def test_display_options_inheritance(self, cli_fs_runner):
with open(".gitguardian.yml", "w") as file:
file.write(
yaml.dump(
{
"verbose": True,
"show_secrets": False,
"api_url": "https://gitguardian.com",
}
)
)
with open(".gitguardian.yaml", "w") as file:
file.write(
yaml.dump(
{
"verbose": False,
"show_secrets": True,
"api_url": "https://gitguardian.com/ex",
}
)
)
config = Config()
assert config.verbose is True
assert config.show_secrets is False
assert config.api_url == "https://gitguardian.com"
def test_accumulation_matches(self, cli_fs_runner):
with open(".gitguardian.yml", "w") as file:
file.write(yaml.dump({"matches_ignore": ["one", "two"]}))
with open(".gitguardian.yaml", "w") as file:
file.write(yaml.dump({"matches_ignore": ["three"]}))
config = Config()
assert config.matches_ignore == {"one", "two", "three"}
def test_parsing_error(cli_fs_runner, capsys):
with open(".gitguardian.yml", "w") as file:
file.write("Not a:\nyaml file.\n")
Config()
out, err = capsys.readouterr()
sys.stdout.write(out)
sys.stderr.write(err)
assert "Parsing error while reading .gitguardian.yml:" in out
def test_ignore_last_found(client):
"""
GIVEN a cache of last found secrets not empty
WHEN I run a ignore last found command
THEN config ignored-matches is updated accordingly
"""
config = Config()
setattr(config, "matches_ignore", set())
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
ignore_last_found(config, cache)
assert config.matches_ignore == FOUND_SECRETS
assert cache.last_found_secrets == FOUND_SECRETS
def test_ignore_last_found_with_manually_added_secrets(client):
"""
GIVEN a cache containing part of config ignored-matches secrets
WHEN I run ignore command
THEN only new discovered secrets are added to the config
"""
manually_added_secret = "m42ploz2wd"
config = Config()
config.matches_ignore = {manually_added_secret}
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
ignore_last_found(config, cache)
assert config.matches_ignore == FOUND_SECRETS
def test_ignore_last_found_with_manually_added_secrets(client):
"""
GIVEN a cache containing part of config ignored-matches secrets
WHEN I run ignore command
THEN only new discovered secrets are added to the config
"""
manually_added_secret = (
"41b8889e5e794b21cb1349d8eef1815960bf5257330fd40243a4895f26c2b5c8")
config = Config()
config.matches_ignore = [{"name": "", "match": manually_added_secret}]
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
ignore_last_found(config, cache)
matches_ignore = sorted(config.matches_ignore, key=compare_matches_ignore)
found_secrets = sorted(FOUND_SECRETS, key=compare_matches_ignore)
assert matches_ignore == found_secrets
def test_ignore_last_found_preserve_previous_config(client):
"""
GIVEN a cache containing new secrets AND a config not empty
WHEN I run ignore command
THEN existing config option are not wiped out
"""
config = Config()
previous_secrets = {"previous_secret", "other_previous_secret"}
previous_paths = {"some_path", "some_other_path"}
config.matches_ignore = previous_secrets
config.paths_ignore = previous_paths
config.exit_zero = True
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
ignore_last_found(config, cache)
assert config.matches_ignore == FOUND_SECRETS.union(previous_secrets)
assert config.paths_ignore == previous_paths
assert config.exit_zero is True
def test_ignore_last_found_compatible_with_previous_matches_ignore_format(
client):
"""
GIVEN a cache containing new secrets
AND a config's matches_ignore not empty as a list of strings
WHEN I run ignore command
THEN config's matches_ignore is updated AND strings hashes are unchanged
"""
config = Config()
old_format_matches_ignore = [
"some_secret_hash",
"another_secret_hash",
]
config.matches_ignore = old_format_matches_ignore.copy()
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
ignore_last_found(config, cache)
assert sorted(config.matches_ignore, key=compare_matches_ignore) == sorted(
FOUND_SECRETS + old_format_matches_ignore, key=compare_matches_ignore)
def test_exclude_regex(self, cli_fs_runner):
with open(".gitguardian.yml", "w") as file:
file.write(yaml.dump({"paths-ignore": ["/tests/"]}))
config = Config()
assert r"/tests/" in config.paths_ignore
def test_defaults(self, cli_fs_runner):
config = Config()
for attr in config.attributes:
assert getattr(config, attr.name) == attr.default