test: add comprehensive secrets handling test coverage

edmundmiller · edmundmiller · commit 77caa0c78590 · 2025-08-21T11:42:27.000-05:00
Add test cases for:
- Detection of 'secrets.PATTERN' unresolved secrets
- Detection of '[secret]' placeholder patterns
- Proper handling of null and empty credentials
- Fallback constructor behavior with secrets
- Comprehensive error message validation
- Integration testing with ChannelSqlExtension

Ensures robust validation of secrets detection functionality and
provides regression protection for the secrets handling feature.

Signed-off-by: Edmund Miller &lt;edmund.miller@seqera.io&gt;
diff --git a/plugins/nf-sqldb/src/test/nextflow/sql/ChannelSqlExtensionTest.groovy b/plugins/nf-sqldb/src/test/nextflow/sql/ChannelSqlExtensionTest.groovy
@@ -95,4 +95,42 @@ class ChannelSqlExtensionTest extends Specification {
         rows.alpha == ['x1','y2','z3']
     }
 
+    def 'should provide helpful error message for unresolved secrets' () {
+        given:
+        def session = Mock(Session) {
+            getConfig() >> [sql: [db: [athena: [
+                url: 'jdbc:awsathena://AwsRegion=us-east-1;S3OutputLocation=s3://bucket;Workgroup=CompBio',
+                user: 'secrets.ATHENA_USER',
+                password: '[secret]'
+            ]]]]
+        }
+        def sqlExtension = new ChannelSqlExtension()
+
+        when:
+        sqlExtension.init(session)
+
+        then:
+        def e = thrown(IllegalArgumentException)
+        e.message.contains("Unresolved secret detected")
+        e.message.contains("secrets.ATHENA_USER")
+        e.message.contains("workspace secrets are not properly configured")
+    }
+
+    def 'should handle unknown database' () {
+        given:
+        def session = Mock(Session) {
+            getConfig() >> [sql: [db: [default: [url: 'jdbc:h2:mem:'], postgres: [url: 'jdbc:postgresql:']]]]
+        }
+        def sqlExtension = new ChannelSqlExtension()
+        sqlExtension.init(session)
+
+        when:
+        sqlExtension.fromQuery([db: 'invalid'], 'select * from table')
+
+        then:
+        def e = thrown(IllegalArgumentException)
+        e.message.contains("Unknown db name: invalid")
+        e.message.contains("Available databases:")
+    }
+
 }
diff --git a/plugins/nf-sqldb/src/test/nextflow/sql/config/SqlDataSourceTest.groovy b/plugins/nf-sqldb/src/test/nextflow/sql/config/SqlDataSourceTest.groovy
@@ -132,4 +132,76 @@ class SqlDataSourceTest extends Specification {
         ds1.hashCode() == ds2.hashCode()
         ds1.hashCode() != ds3.hashCode()
     }
+
+    def 'should handle null credentials gracefully' () {
+        when:
+        def ds = new SqlDataSource([url: 'jdbc:h2:mem:', user: null, password: null])
+        then:
+        ds.user == SqlDataSource.DEFAULT_USER
+        ds.password == null
+    }
+
+    def 'should handle empty string credentials' () {
+        when:
+        def ds = new SqlDataSource([url: 'jdbc:h2:mem:', user: '', password: ''])
+        then:
+        ds.user == SqlDataSource.DEFAULT_USER
+        ds.password == null
+    }
+
+    def 'should detect unresolved secrets.* pattern' () {
+        when:
+        new SqlDataSource([user: 'secrets.ATHENA_USER'])
+        then:
+        def e = thrown(IllegalArgumentException)
+        e.message.contains("Unresolved secret detected for user")
+        e.message.contains("secrets.ATHENA_USER")
+        e.message.contains("workspace secrets are not properly configured")
+    }
+
+    def 'should detect unresolved [secret] pattern' () {
+        when:
+        new SqlDataSource([password: '[secret]'])
+        then:
+        def e = thrown(IllegalArgumentException)
+        e.message.contains("Unresolved secret detected for password")
+        e.message.contains("[secret]")
+        e.message.contains("workspace secrets are not properly configured")
+    }
+
+    def 'should allow valid secret-like strings that are not unresolved' () {
+        when:
+        def ds = new SqlDataSource([user: 'mysecret', password: 'secretpassword'])
+        then:
+        ds.user == 'mysecret'
+        ds.password == 'secretpassword'
+    }
+
+    def 'should handle secrets in fallback constructor' () {
+        given:
+        def fallback = new SqlDataSource([user: 'fallback_user', password: 'fallback_pass'])
+        
+        when:
+        new SqlDataSource([user: 'secrets.ATHENA_USER'], fallback)
+        then:
+        def e = thrown(IllegalArgumentException)
+        e.message.contains("Unresolved secret detected for user")
+    }
+
+    def 'should provide comprehensive error message for secrets' () {
+        when:
+        new SqlDataSource([user: 'secrets.MISSING_SECRET'])
+        then:
+        def e = thrown(IllegalArgumentException)
+        with(e.message) {
+            contains("Unresolved secret detected")
+            contains("secrets.MISSING_SECRET")
+            contains("workspace secrets are not properly configured")
+            contains("secret is defined in your workspace")
+            contains("secret name matches exactly")
+            contains("proper permissions")
+            contains("Nextflow version supports secrets")
+            contains("https://www.nextflow.io/docs/latest/secrets.html")
+        }
+    }
 }
