Files
wehub-resource-sync 2860fb5d18
Security / Dependency review (push) Has been skipped
Scorecard / Scorecard analysis (push) Failing after 0s
Validate / eval (push) Failing after 0s
Security / Dependency audit (push) Failing after 1s
Security / Secret scan (push) Failing after 1s
Validate / tests (push) Failing after 0s
Validate / mcp-tests (push) Failing after 1s
GitHub Actions Security Analysis with zizmor 🌈 / zizmor (push) Failing after 1s
Security / SAST scan (push) Failing after 13m52s
chore: import upstream snapshot with attribution
2026-07-13 12:05:33 +08:00

208 lines
8.7 KiB
Python

"""Tests for the ScrapeCreators GitHub device-auth flow.
Covers the U4/U5/U6 fixes: the device code is surfaced on stdout as an early
structured line, a non-device-shaped user_code is never copied/labeled/emitted,
and an already-registered account short-circuits without a fresh device dance.
All hermetic — the network, clipboard, and browser are patched.
"""
import io
import json
from contextlib import redirect_stdout
from unittest.mock import MagicMock, patch
from lib import setup_wizard
class TestUserCodeValidation:
"""U5: user_code must match the XXXX-XXXX device-code shape."""
@patch("lib.setup_wizard.subprocess.run")
@patch("lib.setup_wizard.run_device_auth")
@patch("lib.setup_wizard._existing_scrapecreators_key", return_value=None)
def test_malformed_user_code_is_rejected(
self, _mock_existing, mock_run_device, mock_subprocess_run
):
# mock_subprocess_run patches setup_wizard.subprocess.run; the only such
# call in run_full_device_auth is the pbcopy of the code.
# A key-shaped value (no dash, 28 chars) must never be treated as a code.
mock_run_device.return_value = (
"dev-code-123",
"m08LboBUJpRz82AMyuCWP9sqwnk2",
"https://github.com/login/device",
5,
)
out = io.StringIO()
with redirect_stdout(out):
result = setup_wizard.run_full_device_auth(timeout=1)
assert result["status"] == "error"
# Not copied to the clipboard (no pbcopy subprocess call)...
mock_subprocess_run.assert_not_called()
# ...and never emitted as a device_code_ready line.
assert "device_code_ready" not in out.getvalue()
assert "m08LboBUJpRz82AMyuCWP9sqwnk2" not in out.getvalue()
class TestDeviceCodeReadyEmission:
"""U4: a validated code is emitted to stdout before polling."""
@patch("webbrowser.open")
@patch("lib.setup_wizard.subprocess.run")
@patch("lib.setup_wizard.poll_device_auth")
@patch("lib.setup_wizard.run_device_auth")
@patch("lib.setup_wizard._existing_scrapecreators_key", return_value=None)
def test_valid_code_emitted_to_stdout(
self, _mock_existing, mock_run_device, mock_poll, mock_pbcopy, mock_browser
):
mock_run_device.return_value = (
"dev-code-123",
"819B-F71B",
"https://github.com/login/device",
5,
)
mock_poll.return_value = None # simulate timeout, no token
out = io.StringIO()
with redirect_stdout(out):
result = setup_wizard.run_full_device_auth(timeout=1)
lines = [ln for ln in out.getvalue().splitlines() if ln.strip()]
ready = [json.loads(ln) for ln in lines if "device_code_ready" in ln]
assert ready, "expected a device_code_ready stdout line"
assert ready[0]["user_code"] == "819B-F71B"
assert ready[0]["verification_uri"] == "https://github.com/login/device"
# The final status is still returned (timeout here).
assert result["status"] == "timeout"
class TestAlreadyRegistered:
"""An existing key short-circuits run_github_start without the device dance."""
@patch("lib.setup_wizard.run_device_auth")
@patch("lib.setup_wizard._existing_scrapecreators_key")
def test_existing_key_short_circuits_start(self, mock_existing, mock_device):
mock_existing.return_value = "sc_live_realkey1234567890"
result = setup_wizard.run_github_start()
assert result["status"] == "already_registered"
assert result["persisted"] is True
mock_device.assert_not_called() # no /code submit, no browser
@patch("webbrowser.open")
@patch("lib.setup_wizard.subprocess.run")
@patch("lib.setup_wizard.run_device_auth")
@patch("lib.setup_wizard._existing_scrapecreators_key")
def test_no_existing_key_starts_device_flow(
self, mock_existing, mock_device, mock_pbcopy, mock_browser
):
mock_existing.return_value = None
mock_device.return_value = ("dev-code", "819B-F71B", "https://github.com/login/device", 5)
out = io.StringIO()
with redirect_stdout(out):
result = setup_wizard.run_github_start()
assert result["status"] == "awaiting_authorization"
assert result["user_code"] == "819B-F71B"
mock_device.assert_called_once()
# The code is printed to stdout as a plain human line (the whole point).
assert "819B-F71B" in out.getvalue()
@patch("lib.setup_wizard._device_handle_path")
@patch("lib.setup_wizard.fetch_api_key")
@patch("lib.setup_wizard.poll_device_auth")
def test_poll_reads_handle_and_returns_key(self, mock_poll, mock_fetch, mock_handle, tmp_path):
import json as _json
handle = tmp_path / "h.json"
handle.write_text(_json.dumps({"device_code": "dc", "interval": 1, "user_code": "819B-F71B"}))
mock_handle.return_value = handle
mock_poll.return_value = "access-token"
mock_fetch.return_value = "sc_polled_key"
result = setup_wizard.run_github_poll(timeout=1)
assert result["status"] == "success"
assert result["api_key"] == "sc_polled_key"
assert not handle.exists() # handle cleaned up
@patch("lib.setup_wizard._device_handle_path")
def test_poll_without_handle_errors_cleanly(self, mock_handle, tmp_path):
mock_handle.return_value = tmp_path / "missing.json"
result = setup_wizard.run_github_poll(timeout=1)
assert result["status"] == "error"
assert "github-start" in result["message"]
@patch("lib.setup_wizard._device_handle_path")
@patch("lib.setup_wizard.fetch_api_key")
@patch("lib.setup_wizard.poll_device_auth")
def test_poll_passes_real_clipboard_state(self, mock_poll, mock_fetch, mock_handle, tmp_path):
"""clipboard_ok is read from the handle, not hardcoded True, so the poll
reminder never falsely claims the code is on the clipboard."""
import json as _json
handle = tmp_path / "h.json"
handle.write_text(
_json.dumps({"device_code": "dc", "interval": 1, "user_code": "819B-F71B", "clipboard_ok": False})
)
mock_handle.return_value = handle
mock_poll.return_value = "tok"
mock_fetch.return_value = "sc_k"
setup_wizard.run_github_poll(timeout=1)
assert mock_poll.call_args.kwargs["clipboard_ok"] is False
@patch("lib.setup_wizard._device_handle_path")
@patch("lib.setup_wizard.fetch_api_key")
@patch("lib.setup_wizard.poll_device_auth")
@patch("lib.setup_wizard._start_device_flow")
def test_oneshot_uses_in_memory_handle_when_file_write_fails(
self, mock_start, mock_poll, mock_fetch, mock_handle, tmp_path
):
"""run_full_device_auth hands the handle to poll in-memory, so a broken
handle-file path can't strand the one-shot."""
mock_handle.return_value = tmp_path / "does-not-exist" / "h.json" # unwritable/unreadable
mock_start.return_value = (
{"status": "awaiting_authorization", "user_code": "819B-F71B"},
{"device_code": "dc", "interval": 1, "user_code": "819B-F71B", "clipboard_ok": True},
)
mock_poll.return_value = "tok"
mock_fetch.return_value = "sc_oneshot_key"
result = setup_wizard.run_full_device_auth(timeout=1)
assert result["status"] == "success"
assert result["api_key"] == "sc_oneshot_key"
mock_poll.assert_called_once() # reached poll without a readable handle file
def test_already_registered_key_is_masked_before_output(self):
# Defense-in-depth: the mask helper must not echo the raw key.
masked = setup_wizard.mask_api_key("sc_live_realkey1234567890")
assert "realkey" not in masked
assert masked != "sc_live_realkey1234567890"
class TestFetchApiKeyLogging:
"""U4: the /profile no-key path logs field NAMES only, never values."""
@patch("lib.setup_wizard.logger")
@patch("lib.setup_wizard.urlopen")
def test_no_key_logs_field_names_not_values(self, mock_urlopen, mock_logger):
# An already-linked account: /profile parses but carries no api_key,
# and could carry a secret under another field (here, "token").
body = json.dumps({"linked": True, "token": "sc_secret_value_xyz"}).encode()
resp = MagicMock()
resp.read.return_value = body
resp.__enter__.return_value = resp
mock_urlopen.return_value = resp
result = setup_wizard.fetch_api_key("gh_access_token")
assert result is None
# The warning must include the field names but never the secret value.
logged = " ".join(str(c) for c in mock_logger.warning.call_args_list)
assert "linked" in logged and "token" in logged
assert "sc_secret_value_xyz" not in logged