"""Unit tests for auth scoping: tokens are only sent to their matching hosts.
Tests cover:
- _build_repo_url: GitHub tokens are embedded only for GitHub hosts, never for generic hosts
- _clone_with_fallback: the git env lockdown (GIT_ASKPASS etc.) applies only when APM itself
  supplies a token; generic hosts and token-less GitHub hosts get a relaxed env
- _clone_with_fallback: explicit ssh:// URLs (custom ports, #661) are passed verbatim
- _validate_package_exists: the same env scoping for `git ls-remote`
- _try_sparse_checkout: per-dependency (per-org) token resolution
- is_github_hostname / host classification edge cases
- Object-style dependency entries (parse_from_dict, from_apm_yml) and their identities
"""
import os
import sys
import tempfile
from pathlib import Path
from unittest.mock import Mock, patch, MagicMock
from urllib.parse import urlparse
import pytest
from git.exc import GitCommandError
from apm_cli.deps.github_downloader import GitHubPackageDownloader
from apm_cli.models.apm_package import DependencyReference, APMPackage
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
def _make_downloader(github_token=None, ado_token=None):
    """Build a GitHubPackageDownloader whose only credentials are the given tokens.

    The process environment is replaced outright (``clear=True``) while the
    downloader is constructed, so no ambient ``GITHUB_APM_PAT`` / ``ADO_APM_PAT``
    from the developer's shell can leak into a test, and git-based credential
    lookup is stubbed to return nothing.  A falsy token is simply not exported.
    """
    env = {}
    if github_token:
        env["GITHUB_APM_PAT"] = github_token
    if ado_token:
        env["ADO_APM_PAT"] = ado_token
    credential_stub = patch(
        "apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git",
        return_value=None,
    )
    with patch.dict(os.environ, env, clear=True), credential_stub:
        return GitHubPackageDownloader()
def _dep(url_str):
    """Parse ``url_str`` into a DependencyReference (shortcut used throughout the tests)."""
    reference = DependencyReference.parse(url_str)
    return reference
def _url_host(url: str) -> str:
    """Return the bare hostname of a git remote URL.

    ``https://`` and ``ssh://`` URLs go through ``urlparse``, so any embedded
    ``user:token@`` userinfo is ignored and only the real host comes back.
    The scp-like ``git@host:path`` shorthand has no scheme and is split by hand.

    Raises:
        ValueError: if no hostname can be recovered from ``url``.
    """
    host = urlparse(url).hostname
    if host:
        return host
    # scp-like shorthand: everything between "git@" and the first ":" is the host.
    if url.startswith("git@") and ":" in url:
        _user, remainder = url.split("@", 1)
        host, _path = remainder.split(":", 1)
        return host
    raise ValueError(f"Cannot extract host from URL: {url}")
# ===========================================================================
# _build_repo_url – token scoping
# ===========================================================================
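class TestBuildRepoUrlTokenScoping:
    """Verify _build_repo_url embeds the GitHub token only for GitHub hosts.

    Scoping has to hold in both directions: a GitHub PAT must never be sent to
    a non-GitHub host (GitLab, Bitbucket, self-hosted, or a host that merely
    *looks* like GitHub), and a token for another provider (ADO) must never be
    embedded in a GitHub or generic URL.  SSH URLs carry no embedded secret.
    """

    TOKEN = "ghp_TESTTOKEN"

    @staticmethod
    def _build(dl, dep_url, repo, use_ssh=False):
        """Build the clone URL for ``repo`` using the host parsed from ``dep_url``."""
        return dl._build_repo_url(repo, use_ssh=use_ssh, dep_ref=_dep(dep_url))

    def test_github_com_gets_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "https://github.com/owner/repo.git", "owner/repo")
        assert self.TOKEN in url
        assert _url_host(url) == "github.com"

    def test_ghe_host_gets_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "https://company.ghe.com/owner/repo.git", "owner/repo")
        assert self.TOKEN in url
        assert _url_host(url) == "company.ghe.com"

    def test_gitlab_does_not_get_github_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "https://gitlab.com/acme/rules.git", "acme/rules")
        assert self.TOKEN not in url
        assert _url_host(url) == "gitlab.com"

    def test_bitbucket_does_not_get_github_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "https://bitbucket.org/team/standards.git", "team/standards")
        assert self.TOKEN not in url
        assert _url_host(url) == "bitbucket.org"

    def test_self_hosted_does_not_get_github_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "https://git.company.internal/team/rules.git", "team/rules")
        assert self.TOKEN not in url

    @pytest.mark.parametrize(
        "dep_url",
        [
            "https://github.com.evil.example/owner/repo.git",  # "github.com" as a leading label
            "https://notgithub.com/owner/repo.git",  # "github.com" as a suffix
        ],
    )
    def test_lookalike_github_host_does_not_get_token(self, dep_url):
        """Hosts that only contain 'github.com' as a substring are NOT GitHub.

        A prefix/suffix/substring match on the hostname is the classic way a
        token ends up at an attacker-chosen host; the URL must stay token-free
        and must still point at the host that was asked for.
        """
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, dep_url, "owner/repo")
        assert self.TOKEN not in url
        assert _url_host(url) == _url_host(dep_url)

    def test_ado_token_not_embedded_for_github_or_generic_hosts(self):
        """An ADO PAT must never be embedded in a GitHub or generic host URL."""
        dl = _make_downloader(ado_token="ado_TESTTOKEN")
        for dep_url, repo in (
            ("https://github.com/owner/repo.git", "owner/repo"),
            ("https://gitlab.com/acme/rules.git", "acme/rules"),
        ):
            url = self._build(dl, dep_url, repo)
            assert "ado_TESTTOKEN" not in url, f"ADO token leaked into {url}"

    def test_ssh_url_never_embeds_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "git@gitlab.com:acme/rules.git", "acme/rules", use_ssh=True)
        assert self.TOKEN not in url
        assert _url_host(url) == "gitlab.com"

    def test_github_ssh_also_no_embedded_token(self):
        dl = _make_downloader(github_token=self.TOKEN)
        url = self._build(dl, "git@github.com:owner/repo.git", "owner/repo", use_ssh=True)
        assert self.TOKEN not in url

    def test_no_token_at_all_plain_url(self):
        dl = _make_downloader()
        url = self._build(dl, "https://github.com/owner/repo.git", "owner/repo")
        assert "@" not in url  # no userinfo section at all, hence nothing embedded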
# ===========================================================================
# _clone_with_fallback – env relaxation for generic hosts
# ===========================================================================
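class TestCloneWithFallbackEnv:
    """Verify that git env lockdown follows token availability, not host type.

    When APM itself supplies a token, git runs with GIT_ASKPASS=echo plus a
    neutralised global/system config so user-configured credential helpers and
    askpass programs are bypassed.  When APM has no token for the host, the env
    is relaxed so the user's own credential helper can authenticate, but
    GIT_TERMINAL_PROMPT stays "0" so a clone can never block on a prompt.
    """

    TOKEN = "ghp_TESTTOKEN"

    @staticmethod
    def _env_of(call):
        """Return the ``env`` mapping a Repo.clone_from call was made with.

        Fails loudly when ``env`` was not passed explicitly: clone_from would
        then inherit the whole parent environment, which is exactly the
        situation the lockdown tests exist to rule out.
        """
        env = call.kwargs.get("env")
        assert env is not None, "Repo.clone_from must be called with an explicit env"
        return env

    def _run_clone(self, dl, dep, succeed_on=1):
        """Run _clone_with_fallback with Repo.clone_from mocked.

        Attempts before ``succeed_on`` (1-based) raise GitCommandError, attempt
        ``succeed_on`` returns a fake repo.  Returns the list of clone_from
        call_args so callers can inspect the URL and env of every attempt.
        A RuntimeError from exhausting all methods is swallowed on purpose.
        """
        fake_repo = Mock()
        fake_repo.head.commit.hexsha = "abc123"
        outcomes = [
            fake_repo if attempt == succeed_on else GitCommandError("clone", "failed")
            for attempt in range(1, 4)
        ]
        # Re-create the env the downloader was built with so per-dep resolution
        # (AuthResolver) sees the same tokens, then drop any cached resolutions.
        env_vars = {}
        if dl.github_token:
            env_vars["GITHUB_APM_PAT"] = dl.github_token
        if dl.ado_token:
            env_vars["ADO_APM_PAT"] = dl.ado_token
        dl.auth_resolver._cache.clear()
        with patch.dict(os.environ, env_vars, clear=True), \
                patch(
                    "apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git",
                    return_value=None,
                ), \
                patch("apm_cli.deps.github_downloader.Repo") as MockRepo, \
                tempfile.TemporaryDirectory() as tmp:
            MockRepo.clone_from.side_effect = outcomes
            try:
                dl._clone_with_fallback(dep.repo_url, Path(tmp), dep_ref=dep)
            except RuntimeError:
                pass  # every method failing is a legitimate outcome for these tests
            return MockRepo.clone_from.call_args_list

    def test_generic_host_env_allows_credential_helpers(self):
        """GitLab gets no APM token, so none of the lockdown variables may be set."""
        dl = _make_downloader(github_token=self.TOKEN)
        calls = self._run_clone(dl, _dep("https://gitlab.com/acme/rules.git"), succeed_on=1)
        assert calls, "expected at least one clone attempt"
        env_used = self._env_of(calls[0])
        for lockdown_var in ("GIT_ASKPASS", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_NOSYSTEM"):
            assert lockdown_var not in env_used, f"{lockdown_var} must not be set for a generic host"
        # Relaxed is not the same as interactive: prompts stay disabled.
        assert env_used.get("GIT_TERMINAL_PROMPT") == "0"

    def test_github_host_env_is_locked_down(self):
        """GitHub with a token: APM manages auth, so helpers and askpass are shut out."""
        dl = _make_downloader(github_token=self.TOKEN)
        calls = self._run_clone(dl, _dep("https://github.com/owner/repo.git"), succeed_on=1)
        assert calls, "expected at least one clone attempt"
        env_used = self._env_of(calls[0])
        assert env_used.get("GIT_ASKPASS") == "echo"
        assert env_used.get("GIT_CONFIG_NOSYSTEM") == "1"
        cfg_path = env_used.get("GIT_CONFIG_GLOBAL")
        if sys.platform == "win32":
            # On Windows a real (empty) file stands in for /dev/null rather than
            # the NUL device -- presumably because git cannot open NUL as config.
            assert cfg_path != "NUL"
            assert os.path.isfile(cfg_path)
        else:
            assert cfg_path == "/dev/null"

    def test_github_host_no_token_allows_credential_helpers(self):
        """GitHub without a token: env is relaxed so the user's credential helper can run."""
        dl = _make_downloader(github_token=None)
        calls = self._run_clone(dl, _dep("https://github.com/owner/repo.git"), succeed_on=1)
        assert calls, "expected at least one clone attempt"
        env_used = self._env_of(calls[0])
        for lockdown_var in ("GIT_ASKPASS", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_NOSYSTEM"):
            assert lockdown_var not in env_used, f"{lockdown_var} must not be set without a token"
        assert env_used.get("GIT_TERMINAL_PROMPT") == "0"

    def test_generic_host_no_token_skips_method1(self):
        """Generic hosts have no token, so Method 1 (authenticated HTTPS) is skipped."""
        dl = _make_downloader(github_token=self.TOKEN)
        calls = self._run_clone(dl, _dep("https://gitlab.com/acme/rules.git"), succeed_on=1)
        assert calls, "expected at least one clone attempt"
        first_url = calls[0].args[0]
        assert "git@" in first_url or "ssh://" in first_url

    def test_generic_host_never_receives_github_token_on_any_attempt(self):
        """No attempt for a generic host -- including later fallbacks -- may carry the GitHub PAT."""
        dl = _make_downloader(github_token=self.TOKEN)
        # Fail the first two attempts so every fallback URL is exercised.
        calls = self._run_clone(dl, _dep("https://gitlab.com/acme/rules.git"), succeed_on=3)
        assert calls, "expected at least one clone attempt"
        for call in calls:
            url = call.args[0]
            assert self.TOKEN not in url, f"GitHub token leaked to generic host: {url}"
            assert _url_host(url) == "gitlab.com"

    def test_github_host_with_token_tries_method1_first(self):
        """GitHub with a token: Method 1 (authenticated HTTPS) is the first attempt."""
        dl = _make_downloader(github_token=self.TOKEN)
        calls = self._run_clone(dl, _dep("https://github.com/owner/repo.git"), succeed_on=1)
        assert calls, "expected at least one clone attempt"
        first_url = calls[0].args[0]
        assert self.TOKEN in first_url
        assert _url_host(first_url) == "github.com"

    def test_generic_host_error_message_mentions_credential_helpers(self):
        """When every method fails for a generic host, the error points at credential helpers."""
        dl = _make_downloader(github_token=self.TOKEN)
        dep = _dep("https://gitlab.com/acme/rules.git")
        dl.auth_resolver._cache.clear()
        with patch.dict(os.environ, {"GITHUB_APM_PAT": self.TOKEN}, clear=True), \
                patch(
                    "apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git",
                    return_value=None,
                ), \
                patch("apm_cli.deps.github_downloader.Repo") as MockRepo, \
                tempfile.TemporaryDirectory() as tmp:
            # Every attempt fails, whatever the method.
            MockRepo.clone_from.side_effect = GitCommandError("clone", "failed")
            with pytest.raises(RuntimeError, match="credential helper"):
                dl._clone_with_fallback(dep.repo_url, Path(tmp), dep_ref=dep)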
# ===========================================================================
# Regression: ssh:// URLs with custom ports (issue #661)
# ===========================================================================
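class TestCloneWithFallbackSshUrl:
    """Verify that an explicit ssh:// URL is passed verbatim to git clone.

    Regression for #661: Bitbucket Datacenter serves SSH on a custom port
    (e.g. 7999).  Normalisation used to strip the port and then fall back to
    https://.  The fix keeps the original string in
    DependencyReference.original_ssh_url and uses it in Method 2 of
    _clone_with_fallback, so the port is never silently dropped.
    """

    def _run_clone_capture_urls(self, dep):
        """Run _clone_with_fallback with no tokens and return every URL handed to clone_from."""
        fake_repo = Mock()
        fake_repo.head.commit.hexsha = "abc123"
        dl = _make_downloader()
        dl.auth_resolver._cache.clear()
        seen_urls = []

        def _fake_clone(url, *args, **kwargs):
            seen_urls.append(url)
            return fake_repo

        with patch.dict(os.environ, {}, clear=True), \
                patch(
                    "apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git",
                    return_value=None,
                ), \
                patch("apm_cli.deps.github_downloader.Repo") as MockRepo, \
                tempfile.TemporaryDirectory() as tmp:
            MockRepo.clone_from.side_effect = _fake_clone
            try:
                dl._clone_with_fallback(dep.repo_url, Path(tmp), dep_ref=dep)
            except Exception:  # noqa: BLE001
                # Anything after the clone call (work on the bare Mock repo) may
                # raise; the URLs are already recorded and are all that matters.
                pass
        return seen_urls

    def test_bitbucket_datacenter_ssh_with_port_used_verbatim(self):
        """The first clone attempt must use the exact ssh:// URL, port included."""
        original = "ssh://git@bitbucket.domain.ext:7999/project/repo.git"
        dep = _dep(original)
        assert dep.original_ssh_url == original, "original_ssh_url not stored"
        urls = self._run_clone_capture_urls(dep)
        assert urls, "expected at least one clone attempt"
        assert urls[0] == original, (
            f"Expected first clone URL to be the original ssh:// URL, got: {urls[0]!r}"
        )

    def test_bitbucket_datacenter_ssh_no_https_attempted_first(self):
        """APM must not try https:// before the explicit ssh:// URL."""
        original = "ssh://git@bitbucket.domain.ext:7999/project/repo.git"
        dep = _dep(original)
        urls = self._run_clone_capture_urls(dep)
        assert urls, "expected at least one clone attempt"
        assert not urls[0].startswith("https://"), (
            f"First clone attempt must not be https://, got: {urls[0]!r}"
        )

    def test_standard_ssh_url_without_port_also_preserved(self):
        """ssh:// without a custom port is used verbatim as well."""
        original = "ssh://git@github.com/org/repo.git"
        dep = _dep(original)
        urls = self._run_clone_capture_urls(dep)
        assert urls, "expected at least one clone attempt"
        assert urls[0] == original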
# ===========================================================================
# Object-style dependency entries (parse_from_dict)
# ===========================================================================
class TestParseFromDict:
    """DependencyReference.parse_from_dict: object-style dependency entries."""

    GITLAB = "https://gitlab.com/acme/rules.git"

    @staticmethod
    def _parse(**entry):
        """Parse an object-style entry given as keyword fields."""
        return DependencyReference.parse_from_dict(entry)

    def test_basic_git_url(self):
        dep = self._parse(git=self.GITLAB)
        assert (dep.host, dep.repo_url) == ("gitlab.com", "acme/rules")
        assert dep.virtual_path is None
        assert dep.reference is None

    def test_git_url_with_path(self):
        dep = self._parse(git=self.GITLAB, path="instructions/security")
        assert (dep.host, dep.repo_url) == ("gitlab.com", "acme/rules")
        assert dep.virtual_path == "instructions/security"
        assert dep.is_virtual is True

    def test_git_url_with_ref(self):
        dep = self._parse(git="https://bitbucket.org/team/standards.git", ref="v2.0")
        assert dep.host == "bitbucket.org"
        assert dep.reference == "v2.0"

    def test_git_url_with_alias(self):
        dep = self._parse(git="git@gitlab.com:acme/rules.git", alias="my-rules")
        assert dep.alias == "my-rules"
        assert dep.host == "gitlab.com"

    def test_git_url_with_all_fields(self):
        dep = self._parse(
            git=self.GITLAB,
            path="prompts/review.prompt.md",
            ref="main",
            alias="review",
        )
        assert (dep.host, dep.repo_url) == ("gitlab.com", "acme/rules")
        assert dep.virtual_path == "prompts/review.prompt.md"
        assert dep.is_virtual is True
        assert (dep.reference, dep.alias) == ("main", "review")

    def test_ssh_git_url(self):
        dep = self._parse(git="git@bitbucket.org:team/rules.git", path="security")
        assert (dep.host, dep.repo_url) == ("bitbucket.org", "team/rules")
        assert dep.virtual_path == "security"

    def test_path_strips_slashes(self):
        # NOTE(review): nothing here pins down how a 'path' containing ".."
        # segments is treated; worth a dedicated test once the intended
        # behaviour (reject vs. normalise) is confirmed.
        dep = self._parse(git=self.GITLAB, path="/prompts/file.md/")
        assert dep.virtual_path == "prompts/file.md"

    def test_ref_in_url_overridden_by_field(self):
        """An explicit 'ref' field beats a '#ref' fragment on the git URL."""
        dep = self._parse(git="https://gitlab.com/acme/rules.git#v1.0", ref="v2.0")
        assert dep.reference == "v2.0"

    # --- Error cases ---

    def test_missing_git_field(self):
        # Without 'git', {"path": "foo"} is read as a local-path dependency;
        # "foo" is neither a valid local nor remote dependency, hence ValueError.
        with pytest.raises(ValueError):
            self._parse(path="foo")

    def test_empty_git_field(self):
        with pytest.raises(ValueError, match="non-empty string"):
            self._parse(git="")

    def test_git_field_not_string(self):
        with pytest.raises(ValueError, match="non-empty string"):
            self._parse(git=42)

    def test_empty_path_field(self):
        with pytest.raises(ValueError, match="'path' field"):
            self._parse(git="https://gitlab.com/a/b.git", path="")

    def test_empty_ref_field(self):
        with pytest.raises(ValueError, match="'ref' field"):
            self._parse(git="https://gitlab.com/a/b.git", ref="")

    def test_empty_alias_field(self):
        with pytest.raises(ValueError, match="'alias' field"):
            self._parse(git="https://gitlab.com/a/b.git", alias="")
# ===========================================================================
# from_apm_yml – mixed string + dict dependencies
# ===========================================================================
class TestFromApmYmlMixedDeps:
    """APMPackage.from_apm_yml must accept string and object-style deps side by side."""

    def _write_yml(self, tmp_path, content):
        """Persist ``content`` as <tmp_path>/apm.yml and return the file path."""
        manifest = tmp_path.joinpath("apm.yml")
        manifest.write_text(content, encoding="utf-8")
        return manifest

    def _load_deps(self, tmp_path, content):
        """Write the manifest, parse it, and return its apm dependency list."""
        package = APMPackage.from_apm_yml(self._write_yml(tmp_path, content))
        return package.get_apm_dependencies()

    def test_string_only_deps(self, tmp_path):
        deps = self._load_deps(tmp_path, """
name: test-pkg
version: 1.0.0
dependencies:
  apm:
    - owner/repo
    - gitlab.com/acme/rules
""")
        assert len(deps) == 2
        first, second = deps
        assert first.repo_url == "owner/repo"
        assert second.host == "gitlab.com"

    def test_dict_only_deps(self, tmp_path):
        deps = self._load_deps(tmp_path, """
name: test-pkg
version: 1.0.0
dependencies:
  apm:
    - git: https://gitlab.com/acme/rules.git
      path: instructions/security
      ref: v2.0
""")
        assert len(deps) == 1
        (only,) = deps
        assert only.host == "gitlab.com"
        assert only.virtual_path == "instructions/security"
        assert only.reference == "v2.0"

    def test_mixed_string_and_dict_deps(self, tmp_path):
        deps = self._load_deps(tmp_path, """
name: test-pkg
version: 1.0.0
dependencies:
  apm:
    - owner/repo
    - git: https://gitlab.com/acme/rules.git
      path: prompts/review.prompt.md
    - bitbucket.org/team/standards
""")
        assert len(deps) == 3
        plain, object_style, trailing = deps
        assert plain.repo_url == "owner/repo"
        assert object_style.host == "gitlab.com"
        assert object_style.virtual_path == "prompts/review.prompt.md"
        assert trailing.host == "bitbucket.org"

    def test_invalid_dict_dep_raises(self, tmp_path):
        manifest = self._write_yml(tmp_path, """
name: test-pkg
version: 1.0.0
dependencies:
  apm:
    - path: foo/bar
""")
        with pytest.raises(ValueError, match="'git' field|local filesystem path"):
            APMPackage.from_apm_yml(manifest)
# ===========================================================================
# Dict-style duplicate detection in _validate_and_add_packages_to_apm_yml
# ===========================================================================
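class TestDictIdentityDuplicateDetection:
    """Verify dict-style deps that carry a 'path' get their own identity.

    Regression: dict entries once built their identity from
    dep_entry.get("git", "") alone, dropping 'path', so
    {git: "owner/repo", path: "sub"} collided with a plain "owner/repo" and
    was reported as a duplicate.  get_identity() is exercised directly here;
    the install command's duplicate check itself is not driven by these tests.
    """

    REPO_URL = "https://gitlab.com/acme/rules.git"

    def test_dict_dep_with_path_not_duplicate_of_base(self):
        """{git: X, path: Y} must not share an identity with the bare repo X."""
        ref_dict = DependencyReference.parse_from_dict(
            {"git": self.REPO_URL, "path": "instructions/security"}
        )
        ref_base = DependencyReference.parse("gitlab.com/acme/rules")
        assert ref_dict.get_identity() != ref_base.get_identity()

    def test_two_dict_deps_same_repo_different_paths_distinct(self):
        """Two dict deps on the same repo but different paths are distinct."""
        dep1 = DependencyReference.parse_from_dict(
            {"git": self.REPO_URL, "path": "instructions/security"}
        )
        dep2 = DependencyReference.parse_from_dict(
            {"git": self.REPO_URL, "path": "prompts/review.prompt.md"}
        )
        assert dep1.get_identity() != dep2.get_identity()

    def test_dict_dep_no_path_same_identity_as_string(self):
        """A dict dep without a path is the same dependency as its string form."""
        dep_dict = DependencyReference.parse_from_dict({"git": self.REPO_URL})
        dep_str = DependencyReference.parse("gitlab.com/acme/rules")
        assert dep_dict.get_identity() == dep_str.get_identity()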
# ===========================================================================
# _validate_package_exists env scoping for generic hosts
# ===========================================================================
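class TestValidatePackageExistsEnv:
    """Verify _validate_package_exists scopes the git env the same way the clone step does.

    Regression: every non-github.com host used to get the locked-down env
    (GIT_ASKPASS=echo etc.), which stopped credential helpers from
    authenticating `git ls-remote` against generic hosts such as GitLab.
    """

    @staticmethod
    def _env_of(mock_run):
        """Return the env handed to subprocess.run, failing if git ran without one.

        A missing ``env`` would mean git inherited the parent environment
        wholesale, which neither the relaxed nor the locked variant intends.
        """
        assert mock_run.called, "expected git ls-remote to be invoked"
        env = mock_run.call_args.kwargs.get("env")
        assert env is not None, "git must be run with an explicit env"
        return env

    @patch("apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git", return_value=None)
    @patch("subprocess.run")
    @patch.dict(os.environ, {}, clear=True)
    def test_generic_host_validation_allows_credential_helpers(self, mock_run, _mock_cred):
        """git ls-remote for a generic host must not carry the lockdown variables."""
        from apm_cli.commands.install import _validate_package_exists
        mock_run.return_value = Mock(returncode=0)
        _validate_package_exists("gitlab.com/acme/rules")
        env_used = self._env_of(mock_run)
        # The lockdown markers used on the clone path must be absent.
        assert env_used.get("GIT_ASKPASS") != "echo", \
            "Generic host validation should not set GIT_ASKPASS=echo"
        assert env_used.get("GIT_CONFIG_NOSYSTEM") != "1", \
            "Generic host validation should not set GIT_CONFIG_NOSYSTEM=1"
        # Relaxed is not interactive: prompts stay disabled.
        assert env_used.get("GIT_TERMINAL_PROMPT") == "0"

    @patch("apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git", return_value=None)
    @patch("subprocess.run")
    @patch.dict(os.environ, {"ADO_APM_PAT": "test-ado-token"}, clear=True)
    def test_ado_host_validation_uses_locked_env(self, mock_run, _mock_cred):
        """git ls-remote for ADO keeps the locked-down env because APM supplies the PAT."""
        from apm_cli.commands.install import _validate_package_exists
        mock_run.return_value = Mock(returncode=0)
        _validate_package_exists("dev.azure.com/myorg/myproject/myrepo")
        env_used = self._env_of(mock_run)
        # Same lockdown values the clone path uses when APM manages the credential.
        assert env_used.get("GIT_ASKPASS") == "echo"
        assert env_used.get("GIT_CONFIG_NOSYSTEM") == "1"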
# ===========================================================================
# is_github classification edge cases
# ===========================================================================
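class TestIsGitHubClassification:
    """Verify host classification, including hosts that merely look like GitHub."""

    def test_empty_host_defaults_to_github(self):
        """A bare 'owner/repo' spec carries no host and is treated as github.com.

        Regression for `dep_host and is_github_hostname(dep_host) or (not dep_host)`,
        whose precedence made an empty host ambiguous.  Rather than re-deriving
        that expression here, drive _build_repo_url, which has to make the same
        host decision, and check the resulting URL.
        """
        from apm_cli.utils.github_host import is_github_hostname
        dl = _make_downloader(github_token="ghp_test123")
        dep_ref = _dep("microsoft/apm-sample-package")
        # Either no host at all, or one the classifier already accepts.
        assert not dep_ref.host or is_github_hostname(dep_ref.host)
        url = dl._build_repo_url("microsoft/apm-sample-package", use_ssh=False, dep_ref=dep_ref)
        assert _url_host(url) == "github.com"
        assert "ghp_test123" in url

    def test_gitlab_host_is_not_github(self):
        """GitLab must not be classified as GitHub."""
        from apm_cli.utils.github_host import is_github_hostname
        assert is_github_hostname(_dep("gitlab.com/acme/rules").host) is False

    def test_ghe_host_is_github(self):
        """A GitHub Enterprise host is classified as GitHub."""
        from apm_cli.utils.github_host import is_github_hostname
        assert is_github_hostname(_dep("https://company.ghe.com/org/repo.git").host) is True

    @pytest.mark.parametrize(
        "host",
        [
            "github.com.evil.example",  # github.com as a leading label
            "notgithub.com",  # github.com as a suffix
            "ghe.com.evil.example",  # ghe.com as a leading label
        ],
    )
    def test_lookalike_hosts_are_not_github(self, host):
        """Substring/prefix/suffix matches on the hostname must not pass as GitHub."""
        from apm_cli.utils.github_host import is_github_hostname
        assert is_github_hostname(host) is False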
# ===========================================================================
# _try_sparse_checkout -- per-dep token resolution
# ===========================================================================
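class TestSparseCheckoutTokenResolution:
    """Verify _try_sparse_checkout resolves the token per dependency (resolve_for_dep)."""

    def test_sparse_checkout_uses_per_org_token(self, tmp_path):
        """The org-specific PAT (GITHUB_APM_PAT_ACME) wins over the instance-wide one.

        The URL is captured from the `git remote add origin <url>` command.
        NOTE(review): that command line carries the token, so with a real git
        the token would be written into the checkout's .git/config and be
        visible in process listings; these tests only cover scoping.
        """
        org_token = "ghp_ORG_SPECIFIC"
        global_token = "ghp_GLOBAL"
        with patch.dict(os.environ, {
            "GITHUB_APM_PAT": global_token,
            "GITHUB_APM_PAT_ACME": org_token,
        }, clear=True), patch(
            "apm_cli.core.token_manager.GitHubTokenManager.resolve_credential_from_git",
            return_value=None,
        ):
            dl = GitHubPackageDownloader()
            dep = _dep("acme/mono-repo/subdir")
            remote_urls = []

            def capture_run(cmd, **kwargs):
                # Record the URL from `git remote add origin <url>`, then fail so
                # the checkout aborts early and the test stays fast.
                if len(cmd) >= 5 and cmd[:3] == ["git", "remote", "add"]:
                    remote_urls.append(cmd[4])
                    return MagicMock(returncode=1, stderr="test abort")
                # Everything else (git init, config, ...) succeeds.
                return MagicMock(returncode=0, stderr="")

            with patch("subprocess.run", side_effect=capture_run):
                dl._try_sparse_checkout(dep, tmp_path / "sparse", "subdir", ref="main")

        assert len(remote_urls) == 1, f"Expected exactly one remote URL capture, got {remote_urls}"
        url = remote_urls[0]
        # The token must only ever be sent to GitHub itself.
        assert _url_host(url) == "github.com"
        assert org_token in url, (
            f"Expected org-specific token in sparse checkout URL, got: {url}"
        )
        assert global_token not in url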