fix(secret_ignore): Add tests

GitGuardian · Sep 13, 2024 · b1050a6 · b1050a6
1 parent 7498c93
commit b1050a6
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 10 deletions.
diff --git a/changelog.d/20240912_120216_salome.voltz_add_ignore_hash_cmd.md b/changelog.d/20240912_120216_salome.voltz_add_ignore_hash_cmd.md
@@ -1,3 +1,3 @@
 ### Added
 
-- Default behavior for `ggshield secret ignore` command to allow ignoring secrets using their hash with optional `--name` argument.
+- It is now possible to ignore a secret manually using `ggshield secret ignore SECRET_SHA --name NAME`.
diff --git a/ggshield/cmd/secret/ignore.py b/ggshield/cmd/secret/ignore.py
@@ -12,11 +12,11 @@
 
 @click.command()
 @click.argument(
-    "hash",
+    "secret_sha",
     nargs=1,
     type=str,
     required=False,
-    metavar="HASH",
+    metavar="SECRET_SHA",
 )
 @click.option(
     "--last-found",
@@ -27,12 +27,13 @@
     "--name",
     type=str,
     help="Name of the secret to ignore.",
+    metavar="NAME",
 )
 @add_common_options()
 @click.pass_context
 def ignore_cmd(
     ctx: click.Context,
-    hash: str,
+    secret_sha: str,
     name: str,
     last_found: bool,
     **kwargs: Any,
@@ -55,14 +56,18 @@ def ignore_cmd(
     path = config.config_path
 
     if last_found:
-        if hash or name:
+        if secret_sha or name:
             raise click.UsageError(
-                "Option `--last-found` cannot be used with `HASH` or `--name`."
+                "Option `--last-found` cannot be used with `SECRET_SHA` or `--name`."
             )
         nb = ignore_last_found(config, ctx_obj.cache)
     else:
-        match = IgnoredMatch(name=name if name else "", match=hash)
-        config.add_ignored_match(match)
+        if not name:
+            raise click.UsageError(
+                "Option `--name` is required when ignoring a secret."
+            )
+        ignored_match = IgnoredMatch(name=name if name else "", match=secret_sha)
+        config.add_ignored_match(ignored_match)
         nb = 1
 
     config.save()

diff --git a/tests/unit/cmd/test_ignore.py b/tests/unit/cmd/test_ignore.py
@@ -1,16 +1,23 @@
 import os
 import tempfile
-from unittest.mock import Mock
+from unittest.mock import Mock, patch
 
 from pygitguardian.models import Match, PolicyBreak
 
+from ggshield.__main__ import cli
 from ggshield.cmd.secret.ignore import ignore_last_found
 from ggshield.core.cache import Cache
 from ggshield.core.config import Config
+from ggshield.core.errors import ExitCode
 from ggshield.core.scan import Commit, ScanContext, ScanMode
 from ggshield.core.types import IgnoredMatch
 from ggshield.verticals.secret import SecretScanner
-from tests.unit.conftest import _MULTIPLE_SECRETS_PATCH, my_vcr
+from tests.unit.conftest import (
+    _MULTIPLE_SECRETS_PATCH,
+    assert_invoke_exited_with,
+    assert_invoke_ok,
+    my_vcr,
+)
 
 
 DOT_GITGUARDIAN_YAML = os.path.join(tempfile.gettempdir(), ".gitguardian.yml")
@@ -27,6 +34,59 @@ def compare_matches_ignore(match):
     return (match.name, match.match) if isinstance(match, IgnoredMatch) else (match,)
 
 
+def test_ignore_sha(cli_fs_runner):
+    """
+    GIVEN an empty cache and an empty config ignored_matches section
+    WHEN I ignore a secret sha
+    THEN the ignore secret is added to the config and saved
+    """
+    ignored_match = IgnoredMatch(
+        name="test_name",
+        match="41b8889e5e794b21cb1349d8eef1815960bf5257330fd40243a4895f26c2b5c8",
+    )
+    config = Config()
+
+    with patch("ggshield.cmd.utils.context_obj.ContextObj.get") as mock_get_ctx:
+        mock_get_ctx.return_value.config = config
+
+        cmd = ["secret", "ignore", ignored_match.match, "--name", ignored_match.name]
+        result = cli_fs_runner.invoke(cli, cmd, color=False, catch_exceptions=False)
+
+        assert_invoke_ok(result)
+        assert config.user_config.secret.ignored_matches == [ignored_match]
+
+
+def test_error_sha_last_found(cli_fs_runner):
+    """
+    GIVEN any config and cache
+    WHEN I run the command with invalid arguments
+    THEN an error should be raised
+    """
+
+    cmd = ["secret", "ignore", "some_secret_sha", "--last-found"]
+    result = cli_fs_runner.invoke(cli, cmd, color=False, catch_exceptions=False)
+
+    assert_invoke_exited_with(result, ExitCode.USAGE_ERROR)
+    assert (
+        "Option `--last-found` cannot be used with `SECRET_SHA` or `--name`."
+        in result.output
+    )
+
+
+def test_error_ignore_sha_no_name(cli_fs_runner):
+    """
+    GIVEN any config and cache
+    WHEN I run the command with a secret sha but no name
+    THEN an error should be raised
+    """
+
+    cmd = ["secret", "ignore", "some_secret_sha"]
+    result = cli_fs_runner.invoke(cli, cmd, color=False, catch_exceptions=False)
+
+    assert_invoke_exited_with(result, ExitCode.USAGE_ERROR)
+    assert "Option `--name` is required when ignoring a secret." in result.output
+
+
 def test_cache_catches_last_found_secrets(client, isolated_fs):
     """
     GIVEN an empty cache and an empty config ignored_matches section