mocking http server for unit tests

sailikhith-stepsecurity · sailikhith-stepsecurity · commit 1281489db29f · 2025-01-21T11:01:54.000+05:30
diff --git a/remediation/workflow/pin/action_image_manifest_test.go b/remediation/workflow/pin/action_image_manifest_test.go
@@ -1,10 +1,75 @@
 package pin
 
 import (
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
 	"testing"
 )
 
+var (
+	testFilesDir = "../../../testfiles/pinactions/immutableActionResponses/"
+)
+
+func createTestServer(t *testing.T) *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("Content-Type", "application/json")
+
+		// Mock manifest endpoints
+		switch r.URL.Path {
+
+		case "/token":
+			// for immutable actions, since image will be present in registry...it returns 200 OK with token
+			// otherwise it returns 403 Forbidden
+			scope := r.URL.Query().Get("scope")
+			switch scope {
+			case "repository:actions/checkout:pull":
+				fallthrough
+			case "repository:step-security/wait-for-secrets:pull":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"token": "test-token", "access_token": "test-token"}`))
+			default:
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"errors": [{"code": "DENIED", "message": "requested access to the resource is denied"}]}`))
+			}
+
+		case "/v2/actions/checkout/manifests/4.2.2":
+			fallthrough
+		case "/v2/step-security/wait-for-secrets/manifests/1.2.0":
+			w.Write(readHttpResponseForAction(t, r.URL.Path))
+		case "/v2/actions/checkout/manifests/1.2.3": // since this version doesn't exist
+			fallthrough
+		default:
+			w.WriteHeader(http.StatusNotFound)
+			w.Write(readHttpResponseForAction(t, "default"))
+		}
+	}))
+}
+
 func Test_isImmutableAction(t *testing.T) {
+	// Create test server that mocks GitHub Container Registry
+	server := createTestServer(t)
+	defer server.Close()
+
+	// Create a custom client that redirects ghcr.io to our test server
+	originalClient := http.DefaultClient
+	http.DefaultClient = &http.Client{
+		Transport: &http.Transport{
+			Proxy: func(req *http.Request) (*url.URL, error) {
+				if strings.Contains(req.URL.Host, "ghcr.io") {
+					return url.Parse(server.URL)
+				}
+				return nil, nil
+			},
+		},
+	}
+	defer func() {
+		http.DefaultClient = originalClient
+	}()
+
 	tests := []struct {
 		name   string
 		action string
@@ -52,3 +117,18 @@ func Test_isImmutableAction(t *testing.T) {
 		})
 	}
 }
+
+func readHttpResponseForAction(t *testing.T, actionPath string) []byte {
+	// remove v2 prefix from action path
+	actionPath = strings.TrimPrefix(actionPath, "v2/")
+
+	fileName := strings.ReplaceAll(actionPath, "/", "-")
+	respFilePath := testFilesDir + fileName
+
+	resp, err := ioutil.ReadFile(respFilePath)
+	if err != nil {
+		t.Fatalf("error reading test file")
+	}
+
+	return resp
+}
diff --git a/testfiles/pinactions/immutableActionResponses/default.json b/testfiles/pinactions/immutableActionResponses/default.json
@@ -0,0 +1,8 @@
+{
+    "errors":[
+        {
+            "code":"MANIFEST_UNKNOWN",
+            "message":"manifest unknown"
+        }
+    ]
+}
diff --git a/testfiles/pinactions/immutableActionResponses/ghcr.io_actions_checkout:4.2.2.json b/testfiles/pinactions/immutableActionResponses/ghcr.io_actions_checkout:4.2.2.json
@@ -0,0 +1,38 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.oci.image.manifest.v1+json",
+    "artifactType": "application/vnd.github.actions.package.v1+json",
+    "config": {
+        "mediaType": "application/vnd.oci.empty.v1+json",
+        "size": 2,
+        "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.github.actions.package.layer.v1.tar+gzip",
+            "size": 424913,
+            "digest": "sha256:309d5e1a7604a5e688e2b55a6763e4109eb07349dca6d3c44e85c57ab2bb4f3f",
+            "annotations": {
+                "org.opencontainers.image.title": "actions-checkout_4.2.2.tar.gz"
+            }
+        },
+        {
+            "mediaType": "application/vnd.github.actions.package.layer.v1.zip",
+            "size": 546845,
+            "digest": "sha256:e9808fe811a75b46234757f9566987635166bca838090fcbc8021a0d45c737b3",
+            "annotations": {
+                "org.opencontainers.image.title": "actions-checkout_4.2.2.zip"
+            }
+        }
+    ],
+    "annotations": {
+        "org.opencontainers.image.created": "2024-10-23T14:46:13.071Z",
+        "action.tar.gz.digest": "sha256:309d5e1a7604a5e688e2b55a6763e4109eb07349dca6d3c44e85c57ab2bb4f3f",
+        "action.zip.digest": "sha256:e9808fe811a75b46234757f9566987635166bca838090fcbc8021a0d45c737b3",
+        "com.github.package.type": "actions_oci_pkg",
+        "com.github.package.version": "4.2.2",
+        "com.github.source.repo.id": "197814629",
+        "com.github.source.repo.owner.id": "44036562",
+        "com.github.source.commit": "11bd71901bbe5b1630ceea73d27597364c9af683"
+    }
+}
diff --git a/testfiles/pinactions/immutableActionResponses/ghcr.io_step-security_wait-for-secrets:1.2.0.json b/testfiles/pinactions/immutableActionResponses/ghcr.io_step-security_wait-for-secrets:1.2.0.json
@@ -0,0 +1,38 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.oci.image.manifest.v1+json",
+    "artifactType": "application/vnd.github.actions.package.v1+json",
+    "config": {
+        "mediaType": "application/vnd.oci.empty.v1+json",
+        "size": 2,
+        "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.github.actions.package.layer.v1.tar+gzip",
+            "size": 689381,
+            "digest": "sha256:6390cea2d46095ef08dd2746d4323b11b7d1190d7e9ad9ef4a23b8ee5481d295",
+            "annotations": {
+                "org.opencontainers.image.title": "step-security-wait-for-secrets_1.2.0.tar.gz"
+            }
+        },
+        {
+            "mediaType": "application/vnd.github.actions.package.layer.v1.zip",
+            "size": 723541,
+            "digest": "sha256:56f5004c2b1bff0f148c3998aa0f5bd47a315a602428031b8ba72d881edfb429",
+            "annotations": {
+                "org.opencontainers.image.title": "step-security-wait-for-secrets_1.2.0.zip"
+            }
+        }
+    ],
+    "annotations": {
+        "org.opencontainers.image.created": "2024-10-24T05:13:19.501Z",
+        "action.tar.gz.digest": "sha256:6390cea2d46095ef08dd2746d4323b11b7d1190d7e9ad9ef4a23b8ee5481d295",
+        "action.zip.digest": "sha256:56f5004c2b1bff0f148c3998aa0f5bd47a315a602428031b8ba72d881edfb429",
+        "com.github.package.type": "actions_oci_pkg",
+        "com.github.package.version": "1.2.0",
+        "com.github.source.repo.id": "498456330",
+        "com.github.source.repo.owner.id": "88700172",
+        "com.github.source.commit": "5809f7d044804a5a1d43217fa8f3e855939fc9ef"
+    }
+}
