diff --git a/src/reporter/json_format.rs b/src/reporter/json_format.rs
index c1185b2..a4e8730 100644
--- a/src/reporter/json_format.rs
+++ b/src/reporter/json_format.rs
@@ -390,7 +390,6 @@ mod tests {
 cli::commands::scan::ScanArgs {
 num_jobs: 1,
 no_dedup: false,
- ignore_tests: false,
 rules: RuleSpecifierArgs {
 rules_path: Vec::new(),
 rule: vec!["all".into()],
diff --git a/src/scanner/enumerate.rs b/src/scanner/enumerate.rs
index 8cfa9ff..0e0c795 100644
--- a/src/scanner/enumerate.rs
+++ b/src/scanner/enumerate.rs
@@ -37,7 +37,6 @@ use crate::{
 util::is_compressed_file,
 },
 scanner_pool::ScannerPool,
- util::is_test_like_path,
 EnumeratorConfig, EnumeratorFileResult, FileResult, FilesystemEnumerator, FoundInput,
 GitRepoEnumerator, GitRepoResult, GitRepoWithMetadataEnumerator, PathBuf,
 };
diff --git a/src/validation/jwt.rs b/src/validation/jwt.rs
index ed2bd3c..ca0ac43 100644
--- a/src/validation/jwt.rs
+++ b/src/validation/jwt.rs
@@ -3,12 +3,24 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
 use chrono::Utc;
 use ipnet::IpNet;
 use jsonwebtoken::{decode, decode_header, jwk::JwkSet, DecodingKey, Validation as JwtValidation};
+use once_cell::sync::Lazy;
 use reqwest::{redirect::Policy, Client, Url};
 use serde::Deserialize;
 use tokio::net::lookup_host;
 use super::utils::check_url_resolvable;
+/// One global, redirect-free client. Building a `Client` is comparatively
+/// expensive; re-using it lets reqwest share its internal connection pool
+/// and TLS sessions across JWT validations. `Lazy` ensures thread-safe,
+/// one-time initialisation.
+static NO_REDIRECT_CLIENT: Lazy = Lazy::new(|| {
+ Client::builder()
+ .redirect(Policy::none()) // disable all redirects
+ .build()
+ .expect("failed to build no-redirect Client")
+});
+
 /// RFC 1918 + loopback + link-local nets we refuse to contact
 const BLOCKED_NETS: &[&str] = &[
 "10.0.0.0/8",
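Review bot: In `src/validation/jwt.rs`, the `.expect("failed to build no-redirect Client")` in the new `NO_REDIRECT_CLIENT` initialiser turns a client build failure into a panic on first use, where the code this commit removes from `validate_jwt` returned it to the caller as `anyhow!("client build: {e}")`. Keeping that contract would mean storing the build result in the static and mapping the error at the two call sites (the discovery fetch and the JWKS fetch in the later hunks), or at least documenting the panic under a `# Panics` heading on the static. The builder also sets no time limits, and the discovery URL is formatted from `iss`, which presumably comes from the token being validated, so unless a limit is applied outside the visible lines a slow endpoint can stall a validation; `.connect_timeout(CONNECT_TIMEOUT).timeout(REQUEST_TIMEOUT)` next to `.redirect(Policy::none())` would bound that, with both constants left for the project to define. As rendered here the static's type reads `Lazy` with no type parameter, presumably `Lazy<Client>` lost in extraction.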
@@ -66,12 +78,7 @@ pub async fn validate_jwt(token: &str, client: &Client) -> Result<(bool, String)
 // build discovery URL and fetch it (redirects disabled)
 let config_url = format!("{}/.well-known/openid-configuration", iss.trim_end_matches('/'));
- let no_redirect_client = Client::builder()
- .redirect(Policy::none())
- .build()
- .map_err(|e| anyhow!("client build: {e}"))?;
-
- let cfg_resp = no_redirect_client
+ let cfg_resp = NO_REDIRECT_CLIENT
 .get(&config_url)
 .send()
 .await
@@ -122,7 +129,7 @@ pub async fn validate_jwt(token: &str, client: &Client) -> Result<(bool, String)
 check_url_resolvable(&url).await.map_err(|e| anyhow!("jwks uri unresolvable: {e}"))?;
 // fetch JWKS with redirect-free client
- let jwks_resp = no_redirect_client
+ let jwks_resp = NO_REDIRECT_CLIENT
 .get(url)
 .send()
 .await
diff --git a/tests/smoke_update.rs b/tests/smoke_update.rs
index 45573fa..8224d42 100644
--- a/tests/smoke_update.rs
+++ b/tests/smoke_update.rs
@@ -1,9 +1,4 @@
-use std::fs::{self, File};
-
-use flate2::{write::GzEncoder, Compression};
 use kingfisher::{cli::global::GlobalArgs, update::check_for_update};
-use tar::Builder;
-use tempfile::tempdir;
 use tokio;
 use wiremock::{
 matchers::{method, path},
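Review bot: At the JWKS fetch in `src/validation/jwt.rs` (`@@ -122,7 +129,7 @@`), `check_url_resolvable(&url)` and `NO_REDIRECT_CLIENT.get(url)` each resolve the host on their own, so the address that passed the check is not guaranteed to be the address the client connects to. `check_url_resolvable` is not shown, so whether it applies `BLOCKED_NETS` is an assumption; if it does, the restriction only holds when the same filter also runs inside the client, for example a resolver installed once on the static with `ClientBuilder::dns_resolver` that rejects addresses in `BLOCKED_NETS`. Short of that, a comment above the fetch such as `// NOTE: reqwest re-resolves this host; the check above does not pin the address` would record the gap for the next maintainer. `validate_jwt` begins and ends outside this hunk.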