Fix a bug in the GitHub release source

davewalter · rizwanreza · commit 4d18b22a23fa · 2024-11-21T14:25:25.000-06:00
GetGithubReleaseWithTag will now return ErrNotFound if the repository
owner from the GitHubRepository value in the Kilnfile release entry does
not match the configured Org.
diff --git a/internal/commands/update_release.go b/internal/commands/update_release.go
@@ -89,7 +89,6 @@ func (u UpdateRelease) Execute(args []string) error {
 		newSHA1 = remoteRelease.SHA1
 		newSourceID = remoteRelease.RemoteSource
 		newRemotePath = remoteRelease.RemotePath
-
 	} else {
 		remoteRelease, err = releaseSource.GetMatchedRelease(cargo.BOSHReleaseTarballSpecification{
 			Name:             u.Options.Name,
diff --git a/internal/component/github_release_source.go b/internal/component/github_release_source.go
@@ -109,6 +109,11 @@ func (grs *GithubReleaseSource) GetGithubReleaseWithTag(ctx context.Context, s c
 		return nil, ErrNotFound
 	}
 
+	if repoOwner != grs.Org {
+		grs.Logger.Printf("GitHubRepository owner %q does not match configured Org %q, skipping...", repoOwner, grs.Org)
+		return nil, ErrNotFound
+	}
+
 	release, response, err := grs.GetReleaseByTag(ctx, repoOwner, repoName, "v"+s.Version)
 	if err == nil {
 		err = checkStatus(http.StatusOK, response.StatusCode)
diff --git a/internal/component/github_release_source_test.go b/internal/component/github_release_source_test.go
@@ -318,8 +318,54 @@ func TestGithubReleaseSource_GetMatchedRelease(t *testing.T) {
 	})
 }
 
-func TestGetGithubReleaseWithTag(t *testing.T) {
-	t.Run("when get release with tag api request fails", func(t *testing.T) {
+func TestGithubReleaseSource_GetGithubReleaseWithTag(t *testing.T) {
+	t.Run("when RepositoryOwnerAndNameFromPath fails", func(t *testing.T) {
+		damnIt := NewWithT(t)
+
+		ctx := context.TODO()
+
+		grsMock := &component.GithubReleaseSource{
+			Logger: log.New(GinkgoWriter, "[test] ", log.Default().Flags()),
+			ReleaseSourceConfig: cargo.ReleaseSourceConfig{
+				Type:        component.ReleaseSourceTypeGithub,
+				Org:         "cloudfoundry",
+				GithubToken: "fake-token",
+			},
+		}
+		s := cargo.BOSHReleaseTarballSpecification{
+			Name:             "routing",
+			Version:          "0.226.0",
+			GitHubRepository: "invalid-uri",
+		}
+
+		_, err := grsMock.GetGithubReleaseWithTag(ctx, s)
+		damnIt.Expect(err).To(MatchError(component.ErrNotFound))
+	})
+
+	t.Run("when the GitHubRepository owner does not match the configured Org", func(t *testing.T) {
+		damnIt := NewWithT(t)
+
+		ctx := context.TODO()
+
+		grsMock := &component.GithubReleaseSource{
+			Logger: log.New(GinkgoWriter, "[test] ", log.Default().Flags()),
+			ReleaseSourceConfig: cargo.ReleaseSourceConfig{
+				Type:        component.ReleaseSourceTypeGithub,
+				Org:         "cloudnotfoundry",
+				GithubToken: "fake-token",
+			},
+		}
+		s := cargo.BOSHReleaseTarballSpecification{
+			Name:             "routing",
+			Version:          "0.226.0",
+			GitHubRepository: "https://github.com/cloudfoundry/routing-release",
+		}
+
+		_, err := grsMock.GetGithubReleaseWithTag(ctx, s)
+		damnIt.Expect(err).To(MatchError(component.ErrNotFound))
+	})
+
+	t.Run("when GetReleaseByTag fails", func(t *testing.T) {
 		damnIt := NewWithT(t)
 
 		releaseGetter := new(fakes.ReleaseByTagGetter)
