github.com/google/osv-scalibr@v0.4.1/veles/secrets/pypiapitoken/detector_test.go

github.com/google/osv-scalibr@v0.4.1/veles/secrets/pypiapitoken/detector_test.go (about)

     1  // Copyright 2025 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package pypiapitoken_test
    16  
    17  import (
    18  	"fmt"
    19  	"strings"
    20  	"testing"
    21  
    22  	"github.com/google/go-cmp/cmp"
    23  	"github.com/google/go-cmp/cmp/cmpopts"
    24  	"github.com/google/osv-scalibr/veles"
    25  	"github.com/google/osv-scalibr/veles/secrets/pypiapitoken"
    26  )
    27  
    28  const testKey = `pypi-AgEIc433aS5vcmcffDgyZDA0MzFkLWMzZjEtNDlhNy1iOWQwLfflMjE5NmNkMjhjNQACKlszLCI22UBiYzQ2Yi05YjNhhTQ5NmItYWIxMHYhMGI3MmEyOWI5MzYiXQAABiCJBI80LFFz0JvS6UIj2LzgV9N-BQnBAD2123Dyu9xs33`
    29  
    30  // TestDetector_truePositives tests for cases where we know the Detector
    31  // will find a PyPI API Token/s.
    32  func TestDetector_truePositives(t *testing.T) {
    33  	engine, err := veles.NewDetectionEngine([]veles.Detector{pypiapitoken.NewDetector()})
    34  	if err != nil {
    35  		t.Fatal(err)
    36  	}
    37  	cases := []struct {
    38  		name  string
    39  		input string
    40  		want  []veles.Secret
    41  	}{{
    42  		name:  "simple matching string",
    43  		input: testKey,
    44  		want: []veles.Secret{
    45  			pypiapitoken.PyPIAPIToken{Token: testKey},
    46  		},
    47  	}, {
    48  		name:  "match at end of string",
    49  		input: `PYPI_API_TOKEN=` + testKey,
    50  		want: []veles.Secret{
    51  			pypiapitoken.PyPIAPIToken{Token: testKey},
    52  		},
    53  	}, {
    54  		name:  "match in middle of string",
    55  		input: `PYPI_API_TOKEN="` + testKey + `"`,
    56  		want: []veles.Secret{
    57  			pypiapitoken.PyPIAPIToken{Token: testKey},
    58  		},
    59  	}, {
    60  		name:  "multiple matches",
    61  		input: testKey + "\n" + testKey + "\n" + testKey,
    62  		want: []veles.Secret{
    63  			pypiapitoken.PyPIAPIToken{Token: testKey},
    64  			pypiapitoken.PyPIAPIToken{Token: testKey},
    65  			pypiapitoken.PyPIAPIToken{Token: testKey},
    66  		},
    67  	}, {
    68  		name:  "multiple distinct matches",
    69  		input: testKey + "\n" + testKey[:len(testKey)-1] + "a",
    70  		want: []veles.Secret{
    71  			pypiapitoken.PyPIAPIToken{Token: testKey},
    72  			pypiapitoken.PyPIAPIToken{Token: testKey[:len(testKey)-1] + "a"},
    73  		},
    74  	}, {
    75  		name: "larger_input_containing_key",
    76  		input: fmt.Sprintf(`
    77  :test_api_key: PYPI-test
    78  :PYPI_API_TOKEN: %s
    79  		`, testKey),
    80  		want: []veles.Secret{
    81  			pypiapitoken.PyPIAPIToken{Token: testKey},
    82  		},
    83  	},
    84  	}
    85  	for _, tc := range cases {
    86  		t.Run(tc.name, func(t *testing.T) {
    87  			got, err := engine.Detect(t.Context(), strings.NewReader(tc.input))
    88  			if err != nil {
    89  				t.Errorf("Detect() error: %v, want nil", err)
    90  			}
    91  			fmt.Printf("got = %+v\n", got)
    92  			if diff := cmp.Diff(tc.want, got, cmpopts.EquateEmpty()); diff != "" {
    93  				t.Errorf("Detect() diff (-want +got):\n%s", diff)
    94  			}
    95  		})
    96  	}
    97  }
    98  
    99  // TestDetector_trueNegatives tests for cases where we know the Detector
   100  // will not find a PyPI API Token.
   101  func TestDetector_trueNegatives(t *testing.T) {
   102  	engine, err := veles.NewDetectionEngine([]veles.Detector{pypiapitoken.NewDetector()})
   103  	if err != nil {
   104  		t.Fatal(err)
   105  	}
   106  	cases := []struct {
   107  		name  string
   108  		input string
   109  		want  []veles.Secret
   110  	}{{
   111  		name:  "empty input",
   112  		input: "",
   113  	}, {
   114  		name:  "short key should not match",
   115  		input: testKey[:len(testKey)-90],
   116  	}, {
   117  		name:  "invalid character(!) in key should not match",
   118  		input: `pypi-AgEIc433aS5vcmcffDgyZDA0!MzFkLWMzZjEtNDlhNy1iOWQwLfflMjE5NmNkMjhjNQACKlszLCI22UBiYzQ2Yi05Yj`,
   119  	}, {
   120  		name:  "incorrect prefix should not match",
   121  		input: `pV1-MzFkLWMzZjEtNDlhNy1iOWQwLfflMjE5NmNkMjhjNQACKlszLCI22UBiYzQ2Yi05Yj`,
   122  	}, {
   123  		name:  "prefix missing dash should not match",
   124  		input: `MzFkLWMzZjEtNDlhNy1iOWQwLfflMjE5NmNkMjhjNQACKlszLCI22UBiYzQ2Yi05Yj`,
   125  	}}
   126  	for _, tc := range cases {
   127  		t.Run(tc.name, func(t *testing.T) {
   128  			got, err := engine.Detect(t.Context(), strings.NewReader(tc.input))
   129  			if err != nil {
   130  				t.Errorf("Detect() error: %v, want nil", err)
   131  			}
   132  			if diff := cmp.Diff(tc.want, got, cmpopts.EquateEmpty()); diff != "" {
   133  				t.Errorf("Detect() diff (-want +got):\n%s", diff)
   134  			}
   135  		})
   136  	}
   137  }