test(gitleaks): split sealed-secrets tests; use realistic-looking sealed-secret blob

wajidzahoor-dls · wajidzahoor-dls · commit f6e2aa815378 · 2025-10-02T14:19:58.000+01:00
diff --git a/tests/test_gitleaks_precommit.py b/tests/test_gitleaks_precommit.py
@@ -32,16 +32,38 @@ def test_gitleaks_stable_patterns_fail(tmp_path: Path, fname: str, content: str)
 
 
 # --- Sealed-secrets: YAML/YML allowlisted; non-YAML should be flagged ---
-def _fake_sealed_secret_blob(n: int = 800) -> str:
-    body = ("Qw9+/" * ((n // 4) + 1))[:n]
-    return "Ag" + body + "=="
+def _fake_sealed_secret_blob(n: int = 800, seed: str = "sealed-secrets-test") -> str:
+    """
+    Generate a deterministic, base64-looking ciphertext that resembles a SealedSecret.
+    - Always starts with 'Ag'
+    - Uses a realistic base64 alphabet mix (via sha256-derived bytes)
+    - Adds '=' padding only if required by base64 length
+    - Deterministic for stable tests (change `seed` to vary appearance)
+    """
+    import base64
+    import hashlib
+
+    # Build a deterministic byte stream from the seed, not random
+    chunk = hashlib.sha256(seed.encode("utf-8")).digest()  # 32 bytes
+    raw = (chunk * ((n // len(chunk)) + 4))[: n + 64]  # extra slack, then trim
+
+    # Base64-encode -> realistic distribution of A–Z a–z 0–9 + /
+    b64 = base64.b64encode(raw).decode("ascii")
 
+    # Compose with 'Ag' prefix and keep length near n
+    body = b64.replace("=", "")  # remove padding from the body
+    s = "Ag" + body[:n]  # ensure 'Ag' at start
 
-def test_gitleaks_yaml_allowlist_for_sealed_secrets(tmp_path: Path):
+    # Fix padding so total length is a multiple of 4 (valid base64-looking)
+    rem = len(s) % 4
+    if rem:
+        s += "=" * (4 - rem)
+    return s
+
+
+def test_gitleaks_yaml_allowlist_for_sealed_secrets_yaml(tmp_path: Path):
     """
-    Keep .gitleaks.toml as-is (realistic behavior).
-    - In .yaml/.yml: blob under spec.encryptedData -> allowlisted -> hook PASS
-    - In non-YAML: same blob in code -> not allowlisted -> hook FAIL
+    Case 1: .yaml (allowlisted => PASS)
     """
     blob = _fake_sealed_secret_blob()
 
@@ -56,7 +78,6 @@ def test_gitleaks_yaml_allowlist_for_sealed_secrets(tmp_path: Path):
     token: "{blob}"
 """
 
-    # Case 1: .yaml (allowlisted => PASS)
     proj_yaml = tmp_path / "proj_yaml"
     proj_yaml.mkdir()
     copy_project(proj_yaml)
@@ -65,7 +86,24 @@ def test_gitleaks_yaml_allowlist_for_sealed_secrets(tmp_path: Path):
     run_yaml("git add -A")
     run_yaml("./venv/bin/tox -e pre-commit")
 
-    # Case 2: .yml (allowlisted => PASS)
+
+def test_gitleaks_yaml_allowlist_for_sealed_secrets_yml(tmp_path: Path):
+    """
+    Case 2: .yml (allowlisted => PASS)
+    """
+    blob = _fake_sealed_secret_blob()
+
+    sealed_yaml = f"""\
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: demo
+  namespace: default
+spec:
+  encryptedData:
+    token: "{blob}"
+"""
+
     proj_yml = tmp_path / "proj_yml"
     proj_yml.mkdir()
     copy_project(proj_yml)
@@ -74,7 +112,13 @@ def test_gitleaks_yaml_allowlist_for_sealed_secrets(tmp_path: Path):
     run_yml("git add -A")
     run_yml("./venv/bin/tox -e pre-commit")
 
-    # Case 3: non-YAML (should be flagged => FAIL)
+
+def test_leaky_code_fails_gitleaks(tmp_path: Path):
+    """
+    Case 3: non-YAML (should be flagged => FAIL)
+    """
+    blob = _fake_sealed_secret_blob()
+
     proj_code = tmp_path / "proj_code"
     proj_code.mkdir()
     copy_project(proj_code)
