"""
Tests for credential redaction
Issue: #839
"""
import unittest
from tools.credential_redact import (
CredentialRedactor,
redact_credentials,
redact_tool_output,
should_mask_file,
mask_sensitive_file,
)
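class TestCredentialRedaction(unittest.TestCase):
    """Exercise redact_credentials() against common credential formats.

    The fixtures are credential-shaped samples: AKIAIOSFODNN7EXAMPLE is the
    access key ID used in AWS documentation, and the Bearer value is only a
    base64url-encoded JWT header. The remaining values look like sequential
    filler.
    NOTE(review): confirm none of them is a live secret, and allow-list this
    file if a secret scanner flags it.
    """

    def _assert_redacted(self, text, leaked):
        """Redact *text* and require that *leaked* no longer appears in it.

        Checking only for the "REDACTED" marker is not enough: a redactor
        that inserts the marker but leaves the secret in place would still
        pass. The negative assertion is what shows the value was removed.
        """
        redacted, count = redact_credentials(text)
        self.assertGreater(count, 0)
        self.assertIn("REDACTED", redacted)
        self.assertNotIn(leaked, redacted)

    def test_openai_key(self):
        """An sk- style API key is replaced, including its leading characters."""
        self._assert_redacted(
            "api_key=sk-abc123def456ghi789jkl012mno", "sk-abc123"
        )

    def test_github_token(self):
        """A ghp_ personal access token does not survive redaction."""
        token = "ghp_1234567890abcdef1234567890abcdef12345678"
        self._assert_redacted(f"token: {token}", token)

    def test_bearer_token(self):
        """The value of an Authorization: Bearer header is removed."""
        token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
        self._assert_redacted(f"Authorization: Bearer {token}", token)

    def test_password(self):
        """A 'password: value' pair loses its value."""
        secret = "mySecretPassword123"
        self._assert_redacted(f"password: {secret}", secret)

    def test_aws_key(self):
        """An AKIA access key ID is removed."""
        key_id = "AKIAIOSFODNN7EXAMPLE"
        self._assert_redacted(f"AWS_ACCESS_KEY_ID={key_id}", key_id)

    def test_database_url(self):
        """The password embedded in a connection URL is removed."""
        # Match on ":pass@" so the check targets the password component,
        # whether the redactor masks the whole URL or only the userinfo part.
        self._assert_redacted(
            "DATABASE_URL=postgres://user:pass@localhost/db", ":pass@"
        )

    def test_clean_text_unchanged(self):
        """Text without credentials comes back untouched with a zero count."""
        text = "Hello world, this is a normal message"
        redacted, count = redact_credentials(text)
        self.assertEqual(count, 0)
        self.assertEqual(redacted, text)

    def test_multiple_credentials(self):
        """Two credentials in one string are both counted and both removed."""
        api_key = "sk-abc123def456ghi789jkl012mno"
        token = "ghp_1234567890abcdef1234567890abcdef12345678"
        redacted, count = redact_credentials(
            f"key1={api_key} and token: {token}"
        )
        self.assertGreaterEqual(count, 2)
        # The count alone would pass if one secret were matched twice and the
        # other left in place, so check each value separately.
        self.assertNotIn(api_key, redacted)
        self.assertNotIn(token, redacted)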
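class TestToolOutputRedaction(unittest.TestCase):
    """Check the (text, notice) pair returned by redact_tool_output()."""

    def test_redaction_notice(self):
        """A key in terminal output is scrubbed and the notice names the tool."""
        key = "sk-abc123def456ghi789jkl012mno"
        redacted, notice = redact_tool_output(
            "terminal", f"Running with key {key}"
        )
        # The notice only reports that redaction happened. The returned text
        # is what gets passed on, so verify the key is gone from it.
        # NOTE(review): assumes the first element is the scrubbed output, as
        # the variable name in the original test suggests - confirm.
        self.assertNotIn(key, redacted)
        self.assertIn("REDACTED", notice)
        self.assertIn("terminal", notice)

    def test_no_notice_when_clean(self):
        """Output without credentials produces an empty notice."""
        _redacted, notice = redact_tool_output("terminal", "Hello world")
        self.assertEqual(notice, "")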
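class TestSensitiveFileMasking(unittest.TestCase):
    """Check should_mask_file() path detection and mask_sensitive_file()."""

    def test_env_file_detected(self):
        """Env files and config.yaml are reported as needing masking."""
        for path in (
            "/path/to/.env",
            "/path/to/.env.local",
            "/path/to/config.yaml",
        ):
            # subTest reports every failing path instead of stopping at the
            # first one.
            with self.subTest(path=path):
                self.assertTrue(should_mask_file(path))

    def test_normal_file_not_detected(self):
        """Ordinary documentation and source files are not flagged."""
        for path in ("/path/to/readme.md", "/path/to/code.py"):
            with self.subTest(path=path):
                self.assertFalse(should_mask_file(path))

    def test_mask_env_file(self):
        """Secret values are masked while a non-secret entry is kept."""
        content = "API_KEY=sk-abc123\nDATABASE_URL=postgres://u:p@h/d\nNORMAL=value"
        masked = mask_sensitive_file(content, ".env")
        self.assertIn("[REDACTED]", masked)
        self.assertIn("NORMAL=value", masked)
        # A single "[REDACTED]" marker would satisfy the check above even if
        # only one of the two secrets was masked, so check both values.
        self.assertNotIn("sk-abc123", masked)
        self.assertNotIn("u:p@", masked)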
# Run the suite with unittest's own runner when this file is executed as a
# script; importing it from a test runner does nothing here.
if __name__ == "__main__":
    unittest.main()