eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions

added tests for --branch and --since-commit feature

Browse source
This commit is contained in:
Mick Grove 2025-10-23 17:02:51 -07:00
commit 88bc02c91a
3 changed files with 57 additions and 315 deletions
Download patch file Download diff file Expand all files Collapse all files

242
tests/cli_subcommands.rs
View file

@ -51,14 +51,7 @@ mod github {
fn scan_github_with_user() {
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"github",
"--user",
"testuser",
"--list-only",
"--no-update-check",
])
.args(["scan", "github", "--user", "testuser", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
// May succeed (exit 0) or fail with network/auth error (exit 1)
@ -79,9 +72,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -99,9 +90,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -119,9 +108,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -139,9 +126,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -159,9 +144,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -179,9 +162,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -198,9 +179,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -236,9 +215,7 @@ mod github {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -283,36 +260,18 @@ mod gitlab {
fn scan_gitlab_with_user() {
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"gitlab",
"--user",
"testuser",
"--list-only",
"--no-update-check",
])
.args(["scan", "gitlab", "--user", "testuser", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
fn scan_gitlab_with_group() {
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"gitlab",
"--group",
"testgroup",
"--list-only",
"--no-update-check",
])
.args(["scan", "gitlab", "--group", "testgroup", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -329,9 +288,7 @@ mod gitlab {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -349,9 +306,7 @@ mod gitlab {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -369,9 +324,7 @@ mod gitlab {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -389,9 +342,7 @@ mod gitlab {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -408,9 +359,7 @@ mod gitlab {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -464,9 +413,7 @@ mod azure {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -482,9 +429,7 @@ mod azure {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -501,9 +446,7 @@ mod azure {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -521,9 +464,7 @@ mod azure {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -541,9 +482,7 @@ mod azure {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -596,27 +535,16 @@ mod bitbucket {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
fn scan_bitbucket_with_user() {
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"bitbucket",
"--user",
"testuser",
"--list-only",
"--no-update-check",
])
.args(["scan", "bitbucket", "--user", "testuser", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -632,9 +560,7 @@ mod bitbucket {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -651,9 +577,7 @@ mod bitbucket {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -671,9 +595,7 @@ mod bitbucket {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -691,9 +613,7 @@ mod bitbucket {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -737,27 +657,16 @@ mod gitea {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
fn scan_gitea_with_user() {
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"gitea",
"--user",
"testuser",
"--list-only",
"--no-update-check",
])
.args(["scan", "gitea", "--user", "testuser", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -772,9 +681,7 @@ mod gitea {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -792,9 +699,7 @@ mod gitea {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -812,9 +717,7 @@ mod gitea {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -832,9 +735,7 @@ mod gitea {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -878,9 +779,7 @@ mod huggingface {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -896,9 +795,7 @@ mod huggingface {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -914,9 +811,7 @@ mod huggingface {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -932,9 +827,7 @@ mod huggingface {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -950,9 +843,7 @@ mod huggingface {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
#[test]
@ -970,9 +861,7 @@ mod huggingface {
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -1000,9 +889,7 @@ mod cross_platform {
.unwrap()
.args(&platform_args)
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -1013,11 +900,7 @@ mod cross_platform {
.args(["scan", "--no-update-check"])
.assert()
.failure()
.stderr(
contains("required")
.or(contains("expected"))
.or(contains("provide")),
);
.stderr(contains("required").or(contains("expected")).or(contains("provide")));
}
#[test]
@ -1035,18 +918,9 @@ mod cross_platform {
// list-only should work without providing actual scan paths
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"github",
"--user",
"testuser",
"--list-only",
"--no-update-check",
])
.args(["scan", "github", "--user", "testuser", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
@ -1066,7 +940,12 @@ mod legacy_compatibility {
let test_file = root.join("testdata").join("generic_secrets.py");
Command::cargo_bin("kingfisher")
.unwrap()
.args(["scan", test_file.to_str().expect("REASON"), "--no-validate", "--no-update-check"])
.args([
"scan",
test_file.to_str().expect("REASON"),
"--no-validate",
"--no-update-check",
])
.assert()
.code(predicates::function::function(|code: &i32| {
// May succeed or fail depending on rules, but shouldn't error on syntax
@ -1082,17 +961,8 @@ mod legacy_compatibility {
// New syntax
Command::cargo_bin("kingfisher")
.unwrap()
.args([
"scan",
"github",
"--user",
"test",
"--list-only",
"--no-update-check",
])
.args(["scan", "github", "--user", "test", "--list-only", "--no-update-check"])
.assert()
.code(predicates::function::function(|code: &i32| {
*code == 0 || *code == 1
}));
.code(predicates::function::function(|code: &i32| *code == 0 || *code == 1));
}
}
}

128
tests/int_git_diff.rs
View file

@ -1,128 +0,0 @@
use std::{collections::HashSet, fs, path::Path, process::Command};
use anyhow::Result;
use assert_cmd::prelude::*;
use git2::{Repository, Signature};
use serde_json::Value;
use tempfile::TempDir;
const CONFIG_PY: &str = r"# Configuration file packed with representative secrets\n\nAWS_ACCESS_SECRET_KEY = 'UpUbsQANRHLf2uuQ7QOlNXPbbtV5fmseW/GgT5D/'\nGCP_PRIVATE_KEY_ID = 'c4c474d61701fd6fd4191883b8fea9a8411bf771'\nGCP_PRIVATE_KEY = '-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChoGF4j4AUnAfj\nbVGP/tSJqAyeYiZfOf4UCwd9+B/2oej3rsiuZmx506kuWVN4Jhg8UocLn5l/OfqU\n2MyV3Mq5VjtGQjYWF7a/Y04yEMRWf+spiJp1iYGS1vTOVjuyYyMa9h+8sbDiBFAD\nBcZejB4FQHxstFtmlnehf7cieMLTa3Wezv8LX8pH0q+pEynuvusQkhe8uPmjUsuo\nWG5W5CgVchQVzQf9eB5xtyt85t6VozMvAEI4h+WwZRdn+EWrQi+z8A8vXF7iUDmu\n2lpypLExcZBrZINMh8ecs8B34JNIYzO4Hod7RB4IwXN8PG/5RHlb7qQbzXSxir2B\n17gPPf8JAgMBAAECggEAHbkdG7sGIqQkJjypInpKc0tKkMj7hgkn8t8pYE7kb+qM\nKZqE0N/IpKnaY8ntGfwlelhx+d7+r0FGFh/9lbTOOkHDslLEWBFB3BYC4B2pwb+S\nC2gSAboJMGwkBpsgrNhi8RcgtIaYASSqYzfpaGNLtQsMJsCPS4Ex3GscjnQXXiJK\n5MExF8VYZVvT8Hq2lvECUpFMTWwM2o/QndwjLrEq/vRI3n7PmweXZGKgLuyOjpWk\ny80qa/IUlB6xO4XHvjnaEGxRq1LSF8hgEGU2Nmd8GDRT5ZLkSk+TMtqPrEbHEi6n\n4pZGndX0XmttWkKcUX/NwB/WZC5ROEsUl8Fyw+T5RQKBgQDMfgFB6Xx+Na2iB33w\nkhzNxo4HPCJzxeAB0zCRpfDpM1GtqK6JsIxvrci5lDAKaP8TQTr/gQxXpbJjE1Dl\n3VWGzFbW4czSw+AqBFl1he20RZhGjATcDCCzSOyEiRhqoJwTPTvqcXRK8NbKGfJR\nV6b4Auw+McNhnEUyfrZzguV93QKBgQDKVlLPhb4O84mINKFK73QFf2xlns0IHI0m\nWqNvY7HxJP9WUH5FgX4r/cO6aIafg+u5j0gNPDd2JD67htnY85EH/n5KNhb9ytsN\n+hkDeidFvdOrD+h9YFHkNoNy3XHwrQ0mtYRj2FBWhhpBsVlHVO2KcLe0TvivinN2\nfIac2uZhHQKBgAYE23KeNbzdRZwUTl+rXU+tPXb3DSiNNXe4SKCw2rNygD/1TBXf\nbXLIEbVsqDFWP9PIQr1Mhhl6VhLWebYaWq8aCqBOiyHVBB8Ye62a4JFCzyWcb3Qu\nozPDvLp18pMI4S8ryTywVDT0e839D4XXZ6G7LEr0WgTgfaTr1+D0hF69AoGBAKIQ\nxKGeAV6eaOGlLjAEXgztRFic+qLto409+jyFQQji1nY/YPSxROtdhkGv6WypUM0/\nW7nmKpJBc9HmsGUaqmcZy/QLIR1FN3IZiaGEXSJ6aqlQw6pw1QcTNvRxNQtOwQLp\nT1Jd9/Nl1HAb6mO9PcqugCY3Pu/z2InmMjg/CVptAoGAMpwMsoen4xEHv4uGZVt8\n8wlvQ2fYnso4wgRSYAkjh8cOHjB85eazlSAsaJvmQ9D1rV086Re5zKxKjrjQWdaT\nRMyIZJMJYZr6c8RKmabOfO1oc5urDdETQjGi3qXJuiu86wp7IoBINdmBEPRl6+m3\nGqJA6hgV5niKAq4sJtv9EW4='\nGOOGLE_API_KEY = 'AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM'\nGITHUB_KEY = '88df97769ab3185f2c0b2a73fdae1b27d89409ca'\nGITHUB_APP_SECRET = '895b1da4051440395f90e1411c4a1150e423c922'\nSLACK_APP_TOKEN = 'xapp-1-A01C259PH2A-1440755929120-7d5241948a2cc1b464add85df8a8e75f9040ae2869f6599926ed0b9dcafdb32b'\nSLACK_OAUTH_ACCESS_TOKEN = 'xoxb-730191371696-1413868247813-IG7Z6nYevC2hdviE3aJhb5kY'\nSLACK_WEBHOOK = 'https://hooks.slack.com/services/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'\nSTRIPE_RESTRICTED_KEY = 'rk_live_z59MoCJoFc114PpJlP1OnB1O'\nTWILIO_API_KEY = 'SK5d1d319A6Acf7EC9BDeDb8CCe4D76BA8'\n";
const CANARY_TOKEN: &str = r"[default]\naws_access_key_id = AKIAX24QKKOLDJMZ5Y2T\naws_secret_access_key = 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\noutput = json\nregion = us-east-2\n";
#[test]
fn scan_branch_and_since_commit_diff_behaviour() -> Result<()> {
let workspace = TempDir::new()?;
let repo_dir = workspace.path().join("SecretsTest");
fs::create_dir(&repo_dir)?;
let repo = Repository::init(&repo_dir)?;
let sig = Signature::now("tester", "tester@example.com")?;
fs::write(repo_dir.join("config.py"), CONFIG_PY)?;
let mut index = repo.index()?;
index.add_path(Path::new("config.py"))?;
let tree_id = index.write_tree()?;
let tree = repo.find_tree(tree_id)?;
let initial_commit = repo.commit(Some("HEAD"), &sig, &sig, "seed secrets", &tree, &[])?;
let base_commit = repo.find_commit(initial_commit)?;
repo.branch("main", &base_commit, true)?;
repo.set_head("refs/heads/main")?;
repo.branch("feature-1", &base_commit, true)?;
repo.set_head("refs/heads/feature-1")?;
fs::write(repo_dir.join("canary-token"), CANARY_TOKEN)?;
let mut index = repo.index()?;
index.add_path(Path::new("canary-token"))?;
let tree_id = index.write_tree()?;
let tree = repo.find_tree(tree_id)?;
let feature_commit =
repo.commit(Some("HEAD"), &sig, &sig, "add canary token", &tree, &[&base_commit])?;
let repo_path = repo_dir.to_string_lossy().to_string();
let base_commit_hex = initial_commit.to_string();
let feature_commit_hex = feature_commit.to_string();
let branch_scan = Command::cargo_bin("kingfisher")?
.args([
"scan",
&repo_path,
"--branch",
&base_commit_hex,
"--no-validate",
"--no-update-check",
"--format",
"json",
])
.output()?;
assert_eq!(branch_scan.status.code(), Some(200));
let findings: Vec<Value> = serde_json::from_slice(&branch_scan.stdout)?;
let expected_rules: HashSet<String> = [
"KINGFISHER.AWS.2",
"KINGFISHER.GCP.3",
"KINGFISHER.PRIVKEY.2",
"KINGFISHER.PEM.1",
"KINGFISHER.GOOGLE.7",
"KINGFISHER.GITHUB.6",
"KINGFISHER.SLACK.1",
"KINGFISHER.SLACK.2",
"KINGFISHER.SLACK.4",
"KINGFISHER.STRIPE.2",
"KINGFISHER.TWILIO.1",
]
.into_iter()
.map(|s| s.to_string())
.collect();
// KINGFISHER.GITHUB.6 should appear twice (two separate secrets)
assert_eq!(findings.len(), expected_rules.len() + 1);
let mut rule_hits: HashSet<String> = HashSet::new();
let mut github_hit_count = 0usize;
for finding in &findings {
let rule_id = finding["rule"]["id"].as_str().unwrap();
if rule_id == "KINGFISHER.GITHUB.6" {
github_hit_count += 1;
} else {
rule_hits.insert(rule_id.to_string());
}
assert_eq!(finding["finding"]["path"].as_str().unwrap(), "config.py");
assert_eq!(
finding["finding"]["git_metadata"]["commit"]["id"].as_str().unwrap(),
base_commit_hex
);
}
assert_eq!(github_hit_count, 2, "expected two GitHub secret detections");
assert_eq!(rule_hits, expected_rules);
let diff_scan = Command::cargo_bin("kingfisher")?
.args([
"scan",
&repo_path,
"--branch",
"feature-1",
"--since-commit",
&base_commit_hex,
"--no-validate",
"--no-update-check",
"--format",
"json",
])
.output()?;
assert_eq!(diff_scan.status.code(), Some(200));
let diff_findings: Vec<Value> = serde_json::from_slice(&diff_scan.stdout)?;
assert_eq!(diff_findings.len(), 1, "expected only the canary secret in diff scan");
let diff_finding = &diff_findings[0];
assert_eq!(diff_finding["rule"]["id"], "KINGFISHER.AWS.2");
assert_eq!(diff_finding["finding"]["path"], "canary-token");
assert_eq!(diff_finding["finding"]["git_metadata"]["commit"]["id"], feature_commit_hex);
Ok(())
}

2
tests/smoke_branch.rs
View file

@ -116,4 +116,4 @@ aws_secret_access_key = efnegoUp/WXc3XwlL77dXu1aKIICzvz+n+7Sz88i
.stdout(contains("config.py").not());
Ok(())
}
}