peanut/new-api
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

初始提交: Gitea 项目代码

Browse Source
This commit is contained in:
root
2026-05-30 22:47:36 +08:00
commit f288f76350
6116 changed files with 776822 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
models/secret/secret_test.go
+174
View File
@@ -0,0 +1,174 @@
// Copyright 2026 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package secret
import (
"testing"
actions_model "gitea.dev/models/actions"
"gitea.dev/models/db"
"gitea.dev/models/unittest"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestGetScopedSecretsForJob(t *testing.T) {
require.NoError(t, unittest.PrepareTestDatabase())
ctx := t.Context()
base := map[string]string{
"GITHUB_TOKEN": "tok",
"GITEA_TOKEN": "tok",
"PROD_API_KEY": "prod-secret",
"DEV_API_KEY": "dev-secret",
}
// insertCaller create an ActionRunJob caller row with the given CallSecrets policy
insertCaller := func(t *testing.T, runID, parentJobID int64, callSecrets string) *actions_model.ActionRunJob {
t.Helper()
job := &actions_model.ActionRunJob{
RunID: runID,
RepoID: 1,
IsReusableCaller: true,
ParentJobID: parentJobID,
CallSecrets: callSecrets,
Status: actions_model.StatusBlocked,
}
require.NoError(t, db.Insert(t.Context(), job))
return job
}
t.Run("TopLevelJob_ReturnsBaseUnchanged", func(t *testing.T) {
const runID = 9001
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: 0}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, base, got, "top-level jobs should see the full base scope")
})
t.Run("CallerInherit_PassesParentScopeThrough", func(t *testing.T) {
const runID = 9002
caller := insertCaller(t, runID, 0, "inherit")
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, base, got, "secrets: inherit forwards everything from parent scope")
})
t.Run("CallerEmptySecrets_ExposesOnlyAutoTokens", func(t *testing.T) {
const runID = 9003
caller := insertCaller(t, runID, 0, "")
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, map[string]string{
"GITHUB_TOKEN": "tok",
"GITEA_TOKEN": "tok",
}, got)
})
t.Run("CallerMapping_OnlyMappedAliasesPlusTokens", func(t *testing.T) {
const runID = 9004
// {alias: source} - the called workflow sees `secrets.MY_KEY` resolved to PROD_API_KEY's value.
caller := insertCaller(t, runID, 0, `{"MY_KEY":"PROD_API_KEY"}`)
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, map[string]string{
"GITHUB_TOKEN": "tok",
"GITEA_TOKEN": "tok",
"MY_KEY": "prod-secret",
// no "dev-secret"
}, got)
})
t.Run("CallerMapping_CaseInsensitiveSource", func(t *testing.T) {
const runID = 9005
caller := insertCaller(t, runID, 0, `{"alias":"prod_api_key"}`)
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, "prod-secret", got["alias"])
})
t.Run("CallerMapping_UnknownSourceDropsAlias", func(t *testing.T) {
const runID = 9006
// alias points at a non-existent secret name, so it must be dropped.
caller := insertCaller(t, runID, 0, `{"MAPPED_ALIAS":"DOES_NOT_EXIST"}`)
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
_, present := got["MAPPED_ALIAS"]
assert.False(t, present)
})
t.Run("Nested_InheritThenInherit_FullScope", func(t *testing.T) {
const runID = 9007
outer := insertCaller(t, runID, 0, "inherit")
inner := insertCaller(t, runID, outer.ID, "inherit")
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, base, got, "inherit-then-inherit should pass the full base scope through")
})
t.Run("Nested_InheritThenMapping_InnerNarrows", func(t *testing.T) {
const runID = 9008
// inner mapping narrows the full scope it inherited from outer.
outer := insertCaller(t, runID, 0, "inherit")
inner := insertCaller(t, runID, outer.ID, `{"ALIAS_OUT":"PROD_API_KEY"}`)
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, map[string]string{
"GITHUB_TOKEN": "tok",
"GITEA_TOKEN": "tok",
"ALIAS_OUT": "prod-secret",
// no "dev-secret"
}, got)
})
t.Run("Nested_MappingThenInherit_OuterNarrows", func(t *testing.T) {
const runID = 9009
// inner inherits outer's already-narrowed scope, so leaf sees only auto-tokens + OUTER_ALIAS.
outer := insertCaller(t, runID, 0, `{"OUTER_ALIAS":"PROD_API_KEY"}`)
inner := insertCaller(t, runID, outer.ID, "inherit")
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, map[string]string{
"GITHUB_TOKEN": "tok",
"GITEA_TOKEN": "tok",
"OUTER_ALIAS": "prod-secret",
// no "dev-secret"
}, got)
})
t.Run("Nested_MappingThenMapping_InnerSourceMustExistInOuterScope", func(t *testing.T) {
const runID = 9010
// inner can rename ALIAS_A (in outer's scope) to ALIAS_C, but cannot forward DEV_API_KEY, which outer dropped.
outer := insertCaller(t, runID, 0, `{"ALIAS_A":"PROD_API_KEY"}`)
inner := insertCaller(t, runID, outer.ID, `{"ALIAS_B":"DEV_API_KEY","ALIAS_C":"ALIAS_A"}`)
leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}
got, err := getScopedSecretsForJob(ctx, leaf, base)
require.NoError(t, err)
assert.Equal(t, map[string]string{
"GITHUB_TOKEN": "tok",
"GITEA_TOKEN": "tok",
"ALIAS_C": "prod-secret",
// no "dev-secret"
}, got)
})
}