Redacts secrets from JSON report

Orange-OpenSource · Jan 22, 2025 · 77d5a89 · 77d5a89
1 parent 8449c1a
commit 77d5a89
Show file tree

Hide file tree

Showing 13 changed files with 176 additions and 64 deletions.
diff --git a/integration/hurl/tests_failed/assert_secret.err b/integration/hurl/tests_failed/assert_secret.err
diff --git a/integration/hurl/tests_failed/assert_secret.err.pattern b/integration/hurl/tests_failed/assert_secret.err.pattern
@@ -0,0 +1,19 @@
+HTTP/1.1 200
+Server: Werkzeug/<<<.*?>>> Python/<<<.*?>>>
+Date: <<<.*?>>>
+Content-Type: text/html; charset=utf-8
+Content-Length: 9
+Server: Flask Server
+Connection: close
+
+Hello ***
+
+error: Assert body value
+  --> tests_failed/assert_secret.hurl:3:1
+   |
+   | GET http://localhost:8000/secret-failed
+   | ...
+ 3 | "Hello ***"
+   | ^ actual value is <Hello ***>
+   |
+
diff --git a/integration/hurl/tests_failed/assert_secret.ps1 b/integration/hurl/tests_failed/assert_secret.ps1
@@ -1,4 +1,35 @@
 Set-StrictMode -Version latest
 $ErrorActionPreference = 'Stop'
 
-hurl --secret name=Alice tests_failed/assert_secret.hurl
+if (Test-Path -Path build/assert_secret) {
+    Remove-Item -Recurse build/assert_secret
+}
+
+# We want to check leaks and do not stop at the first error
+$ErrorActionPreference = 'Continue'
+
+hurl --secret name1=Alice `
+    --secret name2=Bob `
+    --error-format long `
+    --report-html build/assert_secret/report-html `
+    --report-json build/assert_secret/report-json `
+    tests_failed/assert_secret.hurl
+
+$secrets = @("Alice", "Bob")
+
+$files = @(Get-ChildItem -Filter *.html -Recurse build/assert_secret/report-html)
+$files += @(Get-ChildItem -Filter *.json build/assert_secret/)
+$files += @(Get-ChildItem tests_failed/assert_secret.err.pattern)
+
+foreach ($secret in $secrets) {
+    foreach ($file in $files) {
+        # Don't search leaks in sources
+        if ($file.name.EndsWith("source.html")) {
+            continue
+        }
+        if (Get-Content $file | Select-String -CaseSensitive $secret) {
+            echo "Secret <$secret> have leaked in $file"
+            exit 1
+        }
+    }
+}
diff --git a/integration/hurl/tests_failed/assert_secret.sh b/integration/hurl/tests_failed/assert_secret.sh
@@ -1,4 +1,39 @@
 #!/bin/bash
 set -Eeuo pipefail
 
-hurl --secret name=Alice tests_failed/assert_secret.hurl
+rm -rf build/assert_secret
+
+# We want to check leaks and do not stop at the first error
+set +euo pipefail
+
+hurl --secret name1=Alice \
+    --secret name2=Bob \
+    --error-format long \
+    --report-html build/assert_secret/report-html \
+    --report-json build/assert_secret/report-json \
+    tests_failed/assert_secret.hurl
+
+ret=$?
+
+secrets=("Alice" "Bob")
+
+files=$(find build/assert_secret/report-html/*.html \
+  build/assert_secret/report-html/**/*.html \
+  build/assert_secret/report-json/*.json \
+  tests_failed/assert_secret.err.pattern)
+
+for secret in "${secrets[@]}"; do
+  for file in $files; do
+    # Don't search leaks in sources
+    if [[ "$file" == *source.html ]]; then
+      continue
+    fi
+    if grep -q "$secret" "$file"; then
+        echo "Secret <$secret> have leaked in $file"
+        exit 1
+    fi
+  done
+done
+
+# We use the exit code of the Hurl command
+exit $ret
diff --git a/integration/hurl/tests_ok/secret.ps1 b/integration/hurl/tests_ok/secret.ps1
@@ -9,12 +9,15 @@ hurl --very-verbose `
     --secret a=secret1 `
     --secret b=secret2 `
     --secret c=12345678 `
-    --report-html build/secret `
+    --report-html build/secret/report-html `
+    --report-json build/secret/report-json `
     tests_ok/secret.hurl
 
-$secrets = @("secret1", "secret2", "secret3", 12345678)
+$secrets = @("secret1", "secret2", "secret3", "12345678")
 
-$files = Get-ChildItem -Filter *.html -Recurse build/secret
+$files = @(Get-ChildItem -Filter *.html -Recurse build/secret/report-html)
+$files += @(Get-ChildItem -Filter *.json build/secret/report-json)
+$files += @(Get-ChildItem tests_ok/secret.err.pattern)
 
 foreach ($secret in $secrets) {
     foreach ($file in $files) {

diff --git a/integration/hurl/tests_ok/secret.sh b/integration/hurl/tests_ok/secret.sh
@@ -7,12 +7,16 @@ hurl --very-verbose \
     --secret a=secret1 \
     --secret b=secret2 \
     --secret c=12345678 \
-    --report-html build/secret \
+    --report-html build/secret/report-html \
+    --report-json build/secret/report-json \
     tests_ok/secret.hurl
 
 secrets=("secret1" "secret2" "secret3" "12345678")
 
-files=$(find build/secret/*.html build/secret/**/*.html tests_ok/secret.err.pattern)
+files=$(find build/secret/report-html/*.html \
+  build/secret/report-html/**/*.html \
+  build/secret/report-json/*.json \
+  tests_ok/secret.err.pattern)
 
 for secret in "${secrets[@]}"; do
   for file in $files; do