def test_scan_patch(client, cache, name, input_patch, expected): c = Commit() c._patch = input_patch with my_vcr.use_cassette(name): results = c.scan( client=client, cache=cache, matches_ignore={}, all_policies=True, verbose=False, ) for result in results: if result.scan.policy_breaks: assert len( result.scan.policy_breaks[0].matches) == expected.matches if expected.first_match: assert (result.scan.policy_breaks[0].matches[0].match == expected.first_match) else: assert result.scan.policy_breaks == [] if expected.want: assert result.content == expected.want["content"] assert result.filename == expected.want["filename"] assert result.filemode == expected.want["filemode"]
def test_cache_old_config_no_new_secret(client, isolated_fs): """ GIVEN a cache of last found secrets same as config ignored-matches and config ignored-matches is a list of strings WHEN I run a scan (therefore finding no secret) THEN config matches is unchanged and cache is empty """ c = Commit() c._patch = _MULTIPLE_SECRETS config = Config() config.matches_ignore = [d["match"] for d in FOUND_SECRETS] cache = Cache() cache.last_found_secrets = FOUND_SECRETS with my_vcr.use_cassette("multiple_secrets"): results = c.scan( client=client, cache=cache, matches_ignore=config.matches_ignore, all_policies=True, verbose=False, ) assert results == [] assert config.matches_ignore == [d["match"] for d in FOUND_SECRETS] assert cache.last_found_secrets == []
def test_cache_catches_last_found_secrets(client, isolated_fs): """ GIVEN an empty cache and an empty config matches-ignore section WHEN I run a scan with multiple secrets THEN cache last_found_secrets is updated with these secrets and saved """ c = Commit() c._patch = _MULTIPLE_SECRETS config = Config() setattr(config, "matches_ignore", []) cache = Cache() cache.purge() assert cache.last_found_secrets == list() with my_vcr.use_cassette("multiple_secrets"): c.scan( client=client, cache=cache, matches_ignore=config.matches_ignore, all_policies=True, verbose=False, ) assert config.matches_ignore == list() cache_found_secrets = sorted(cache.last_found_secrets, key=compare_matches_ignore) found_secrets = sorted(FOUND_SECRETS, key=compare_matches_ignore) assert [found_secret["match"] for found_secret in cache_found_secrets] == [ found_secret["match"] for found_secret in found_secrets ] ignore_last_found(config, cache) for ignore in config.matches_ignore: assert "test.txt" in ignore["name"] cache.load_cache()
def test_banlisted_detectors( self, cli_fs_runner, banlisted_detectors, nb_secret, ): Path("file_secret").write_text(_ONE_LINE_AND_MULTILINE_PATCH) with my_vcr.use_cassette("_ONE_LINE_AND_MULTILINE_PATCH"): result = cli_fs_runner.invoke( cli, [ "scan", "--exit-zero", "-v", *banlisted_detectors, "path", "file_secret", ], ) if nb_secret: plural = nb_secret > 1 assert (f"{nb_secret} incident{'s' if plural else ''} " f"{'have' if plural else 'has'} been found" ) in result.output else: assert "No secrets have been found" in result.output
def test_cache_catches_last_found_secrets(client): """ GIVEN an empty cache and an empty config matches-ignore section WHEN I run a scan with multiple secrets THEN cache last_found_secrets is updated with these secrets and saved """ c = Commit() c._patch = _MULTIPLE_SECRETS config = Config() setattr(config, "matches_ignore", set()) cache = Cache() cache.purge() assert cache.last_found_secrets == set() with my_vcr.use_cassette("multiple_secrets"): c.scan( client=client, cache=cache, matches_ignore=config.matches_ignore, all_policies=True, verbose=False, ) assert config.matches_ignore == set() assert cache.last_found_secrets == FOUND_SECRETS cache.load_cache() assert cache.last_found_secrets == FOUND_SECRETS
def test_cache_catches_nothing(client): """ GIVEN a cache of last found secrets same as config ignored-matches WHEN I run a scan (therefore finding no secret) THEN config matches is unchanged and cache is empty """ c = Commit() c._patch = _MULTIPLE_SECRETS config = Config() config.matches_ignore = FOUND_SECRETS cache = Cache() cache.last_found_secrets = FOUND_SECRETS with my_vcr.use_cassette("multiple_secrets"): results = c.scan( client=client, cache=cache, matches_ignore=config.matches_ignore, all_policies=True, verbose=False, ) assert results == [] assert config.matches_ignore == FOUND_SECRETS assert cache.last_found_secrets == []
def test_scan_file_secret_exit_zero(self, cli_fs_runner): Path("file_secret").write_text(UNCHECKED_SECRET) assert os.path.isfile("file_secret") with my_vcr.use_cassette("test_scan_file_secret"): result = cli_fs_runner.invoke( cli, ["scan", "--exit-zero", "-v", "path", "file_secret"]) assert result.exit_code == 0 assert not result.exception
def test_scan_file_secret_with_validity(self, cli_fs_runner): Path("file_secret").write_text(VALID_SECRET) assert os.path.isfile("file_secret") with my_vcr.use_cassette("test_scan_file_secret_with_validity"): result = cli_fs_runner.invoke( cli, ["-v", "scan", "path", "file_secret"]) assert result.exit_code == 1 assert result.exception assert ( "Incident 1(Secrets detection): GitGuardian Test Token Checked (Validity: Valid) (Ignore with SHA: 56c12" in result.output)
def test_scan_file_secret(self, cli_fs_runner): Path("file_secret").write_text(UNCHECKED_SECRET) assert os.path.isfile("file_secret") with my_vcr.use_cassette("test_scan_file_secret"): result = cli_fs_runner.invoke( cli, ["-v", "scan", "path", "file_secret"]) assert result.exit_code == 1 assert result.exception assert ( "GitGuardian Development Secret (Validity: Cannot Check) (Ignore with SHA: 4f307a4cae8f14cc276398c666559a6d4f959640616ed733b168a9ee7ab08fd4)" # noqa in result.output)
def test_ignore_default_excludes_with_configuration(self, cli_fs_runner): """ GIVEN a path scan WHEN ignore-default-excludes has been put to true in the configuration THEN ignored patterns by default should NOT be used """ path = create_normally_ignored_file() local_config = Path(ggshield.core.config.LOCAL_CONFIG_PATHS[0]) local_config.write_text("ignore-default-excludes: true") with my_vcr.use_cassette("ignore_default_excludes_from_configuration"): result = cli_fs_runner.invoke( cli, ["scan", "-v", "path", "--recursive", "-y", "."]) assert str(path) in result.output assert result.exit_code == 0 assert result.exception is None
def test_json_output(client, name, input_patch, expected, snapshot): c = Commit() c._patch = input_patch handler = JSONHandler(verbose=True, show_secrets=False) with my_vcr.use_cassette(name): results = c.scan( client=client, matches_ignore={}, all_policies=True, verbose=False ) flat_results, exit_code = handler.process_scan( scan=ScanCollection(id="path", type="test", results=results), top=True ) assert exit_code == expected json_flat_results = JSONScanCollectionSchema().dumps(flat_results) snapshot.assert_match(JSONScanCollectionSchema().loads(json_flat_results))
async def test_success(self) -> None: """ Given a url, When the `async_soupify` function is invoked, Then an async request is made to the url and the bs4 representation is returned """ url = "http://httpbin.org" with my_vcr.use_cassette( f"{VCR_FIXTURES_DIR}/async_soupify.yaml", serializer="response_body_compressor", ) as cass: result = await async_soupify(url=url) assert len(cass.requests) == 1 assert cass.requests[0].headers == {"User-agent": "Mozilla/5.0"} assert isinstance(result, BeautifulSoup)
def test_scan_file_secret_json_with_validity(self, cli_fs_runner, validity): secret = VALID_SECRET if validity else UNCHECKED_SECRET Path("file_secret").write_text(secret) assert os.path.isfile("file_secret") cassette_name = f"test_scan_file_secret-{validity}" with my_vcr.use_cassette(cassette_name): result = cli_fs_runner.invoke( cli, ["-v", "scan", "--json", "path", "file_secret"]) assert result.exit_code == 1 assert result.exception if validity: assert '"validity": "valid"' in result.output else: assert '"validity": "valid"' not in result.output
def test_ignore_default_excludes_with_flag(self, cli_fs_runner): """ GIVEN a path scan WHEN --ignore-default-excludes has been used THEN ignored patterns by default should NOT be used """ path = create_normally_ignored_file() with my_vcr.use_cassette("ignore_default_excludes_from_flag"): result = cli_fs_runner.invoke( cli, [ "scan", "-v", "--ignore-default-excludes", "path", "--recursive", "." ], ) assert str(path) in result.output assert result.exit_code == 0 assert result.exception is None
def test_json_output(client, cache, name, input_patch, expected, snapshot): c = Commit() c._patch = input_patch handler = JSONOutputHandler(verbose=True, show_secrets=False) with my_vcr.use_cassette(name): results = c.scan( client=client, cache=cache, matches_ignore={}, all_policies=True, verbose=False, banlisted_detectors=None, ) scan = ScanCollection(id="path", type="test", results=results) json_flat_results = handler._process_scan_impl(scan) exit_code = OutputHandler._get_exit_code(scan) assert exit_code == expected snapshot.assert_match( JSONScanCollectionSchema().loads(json_flat_results))
def test_docker_scan_archive( self, get_files_mock: Mock, cli_fs_runner: click.testing.CliRunner, image_path: Path, ): assert image_path.exists() get_files_mock.return_value = Files( files=[File(document=_SIMPLE_SECRET, filename="file_secret")]) with my_vcr.use_cassette("test_scan_file_secret"): result = cli_fs_runner.invoke( cli, [ "-v", "scan", "docker-archive", str(image_path), ], ) get_files_mock.assert_called_once() assert "1 incident has been found in file file_secret" in result.output assert result.exit_code == 1
def test_api_status(cassette, json_output, snapshot, cli_fs_runner): with my_vcr.use_cassette(cassette): cmd = ["api-status", "--json"] if json_output else ["api-status"] result = cli_fs_runner.invoke(cli, cmd, color=False) assert result.exit_code == 0 snapshot.assert_match(result.output)