new-api/models/secret/secret_test.go

// Copyright 2026 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package secret

import (
	"testing"

	actions_model "gitea.dev/models/actions"
	"gitea.dev/models/db"
	"gitea.dev/models/unittest"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestGetScopedSecretsForJob(t *testing.T) {
	require.NoError(t, unittest.PrepareTestDatabase())
	ctx := t.Context()

	base := map[string]string{
		"GITHUB_TOKEN": "tok",
		"GITEA_TOKEN":  "tok",
		"PROD_API_KEY": "prod-secret",
		"DEV_API_KEY":  "dev-secret",
	}

	// insertCaller create an ActionRunJob caller row with the given CallSecrets policy
	insertCaller := func(t *testing.T, runID, parentJobID int64, callSecrets string) *actions_model.ActionRunJob {
		t.Helper()
		job := &actions_model.ActionRunJob{
			RunID:            runID,
			RepoID:           1,
			IsReusableCaller: true,
			ParentJobID:      parentJobID,
			CallSecrets:      callSecrets,
			Status:           actions_model.StatusBlocked,
		}
		require.NoError(t, db.Insert(t.Context(), job))
		return job
	}

	t.Run("TopLevelJob_ReturnsBaseUnchanged", func(t *testing.T) {
		const runID = 9001
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: 0}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, base, got, "top-level jobs should see the full base scope")
	})

	t.Run("CallerInherit_PassesParentScopeThrough", func(t *testing.T) {
		const runID = 9002
		caller := insertCaller(t, runID, 0, "inherit")
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, base, got, "secrets: inherit forwards everything from parent scope")
	})

	t.Run("CallerEmptySecrets_ExposesOnlyAutoTokens", func(t *testing.T) {
		const runID = 9003
		caller := insertCaller(t, runID, 0, "")
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, map[string]string{
			"GITHUB_TOKEN": "tok",
			"GITEA_TOKEN":  "tok",
		}, got)
	})

	t.Run("CallerMapping_OnlyMappedAliasesPlusTokens", func(t *testing.T) {
		const runID = 9004
		// {alias: source} - the called workflow sees `secrets.MY_KEY` resolved to PROD_API_KEY's value.
		caller := insertCaller(t, runID, 0, `{"MY_KEY":"PROD_API_KEY"}`)
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, map[string]string{
			"GITHUB_TOKEN": "tok",
			"GITEA_TOKEN":  "tok",
			"MY_KEY":       "prod-secret",
			// no "dev-secret"
		}, got)
	})

	t.Run("CallerMapping_CaseInsensitiveSource", func(t *testing.T) {
		const runID = 9005
		caller := insertCaller(t, runID, 0, `{"alias":"prod_api_key"}`)
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, "prod-secret", got["alias"])
	})

	t.Run("CallerMapping_UnknownSourceDropsAlias", func(t *testing.T) {
		const runID = 9006
		// alias points at a non-existent secret name, so it must be dropped.
		caller := insertCaller(t, runID, 0, `{"MAPPED_ALIAS":"DOES_NOT_EXIST"}`)
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: caller.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		_, present := got["MAPPED_ALIAS"]
		assert.False(t, present)
	})

	t.Run("Nested_InheritThenInherit_FullScope", func(t *testing.T) {
		const runID = 9007
		outer := insertCaller(t, runID, 0, "inherit")
		inner := insertCaller(t, runID, outer.ID, "inherit")
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, base, got, "inherit-then-inherit should pass the full base scope through")
	})

	t.Run("Nested_InheritThenMapping_InnerNarrows", func(t *testing.T) {
		const runID = 9008
		// inner mapping narrows the full scope it inherited from outer.
		outer := insertCaller(t, runID, 0, "inherit")
		inner := insertCaller(t, runID, outer.ID, `{"ALIAS_OUT":"PROD_API_KEY"}`)
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, map[string]string{
			"GITHUB_TOKEN": "tok",
			"GITEA_TOKEN":  "tok",
			"ALIAS_OUT":    "prod-secret",
			// no "dev-secret"
		}, got)
	})

	t.Run("Nested_MappingThenInherit_OuterNarrows", func(t *testing.T) {
		const runID = 9009
		// inner inherits outer's already-narrowed scope, so leaf sees only auto-tokens + OUTER_ALIAS.
		outer := insertCaller(t, runID, 0, `{"OUTER_ALIAS":"PROD_API_KEY"}`)
		inner := insertCaller(t, runID, outer.ID, "inherit")
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, map[string]string{
			"GITHUB_TOKEN": "tok",
			"GITEA_TOKEN":  "tok",
			"OUTER_ALIAS":  "prod-secret",
			// no "dev-secret"
		}, got)
	})

	t.Run("Nested_MappingThenMapping_InnerSourceMustExistInOuterScope", func(t *testing.T) {
		const runID = 9010
		// inner can rename ALIAS_A (in outer's scope) to ALIAS_C, but cannot forward DEV_API_KEY, which outer dropped.
		outer := insertCaller(t, runID, 0, `{"ALIAS_A":"PROD_API_KEY"}`)
		inner := insertCaller(t, runID, outer.ID, `{"ALIAS_B":"DEV_API_KEY","ALIAS_C":"ALIAS_A"}`)
		leaf := &actions_model.ActionRunJob{RunID: runID, ParentJobID: inner.ID}

		got, err := getScopedSecretsForJob(ctx, leaf, base)
		require.NoError(t, err)
		assert.Equal(t, map[string]string{
			"GITHUB_TOKEN": "tok",
			"GITEA_TOKEN":  "tok",
			"ALIAS_C":      "prod-secret",
			// no "dev-secret"
		}, got)
	})
}