fifth-domain/zero-point/core-channel/revive-guard/pre-receive-guard.test.py

41 lines
1.5 KiB
Python

import importlib.util
import os
import tempfile
import unittest
MODULE_PATH = os.path.join(os.path.dirname(__file__), "pre-receive-guard.py")
SPEC = importlib.util.spec_from_file_location("pre_receive_guard", MODULE_PATH)
GUARD = importlib.util.module_from_spec(SPEC)
SPEC.loader.exec_module(GUARD)
class PreReceiveGuardTests(unittest.TestCase):
def test_private_identifiers_are_loaded_from_root_only_file(self):
with tempfile.NamedTemporaryFile("w", delete=False) as handle:
handle.write("private-owner-id\nowner@example.invalid\n")
filename = handle.name
try:
patterns = GUARD.load_forbidden_identifiers(filename)
findings = GUARD.scan_content("x private-owner-id y", "demo.txt", patterns=patterns)
self.assertEqual(len(findings), 1)
self.assertEqual(findings[0]["pattern_name"], "私密禁用标识")
self.assertNotIn("private-owner-id", repr(findings[0]))
finally:
os.unlink(filename)
def test_security_clean_commit_marker_cannot_bypass_scanning(self):
with open(MODULE_PATH, encoding="utf-8") as handle:
source = handle.read()
self.assertNotIn("TRUST_SEC_CLEAN", source)
self.assertNotIn('"[SEC-CLEAN]" in', source)
def test_repository_source_does_not_embed_owner_identifier(self):
with open(MODULE_PATH, encoding="utf-8") as handle:
source = handle.read()
self.assertNotRegex(source, r"\b\d{7,12}@qq\\\.com\b")
if __name__ == "__main__":
unittest.main()