use crate::harness::{self, SiteBuilder, TestServer};
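/// Tier 1: a webhook token written as a `${VAR}` reference resolves from the
/// environment, and bearer authentication is enforced against the resolved value.
///
/// The site is configured with the literal string `${WITRYNA_INTEG_SECRET_01}`.
/// The test expects 202 when the request carries the value stored in that
/// variable and 401 when it carries any other bearer token.
#[tokio::test]
async fn env_var_token_auth() {
    /// Removes the named environment variable when dropped, so a failing
    /// assertion or `unwrap` cannot leave the test secret set for whatever
    /// runs next in this process.
    struct EnvVarGuard(&'static str);

    impl Drop for EnvVarGuard {
        fn drop(&mut self) {
            // SAFETY: test-only cleanup
            unsafe { std::env::remove_var(self.0) };
        }
    }

    let var_name = "WITRYNA_INTEG_SECRET_01";
    let token_value = "env-resolved-secret-token";

    // SAFETY: test-only, called before spawning server
    // NOTE(review): the environment is process-wide and other tests in this
    // binary may run on parallel threads; this relies on none of them reading
    // or writing the environment at the same time — confirm.
    unsafe { std::env::set_var(var_name, token_value) };
    // Declared before the server, so it is dropped (and the variable removed)
    // only after the server has been dropped.
    let _env_guard = EnvVarGuard(var_name);

    let dir = tempfile::tempdir().unwrap().keep();
    let site = SiteBuilder::new(
        "secret-site",
        "https://example.com/repo.git",
        // `${{` and `}}` are escaped braces: the site receives `${WITRYNA_INTEG_SECRET_01}`.
        &format!("${{{var_name}}}"),
    )
    .build();
    let config = harness::test_config_with_site(dir, site);
    let server = TestServer::start(config).await;

    // Valid token → 202
    let resp = TestServer::client()
        .post(server.url("secret-site"))
        .header("Authorization", format!("Bearer {token_value}"))
        .send()
        .await
        .unwrap();
    assert_eq!(resp.status(), 202);

    // Wrong token → 401
    let resp = TestServer::client()
        .post(server.url("secret-site"))
        .header("Authorization", "Bearer wrong-token")
        .send()
        .await
        .unwrap();
    assert_eq!(resp.status(), 401);
}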
/// Tier 1: a webhook token loaded through `webhook_token_file` is accepted for
/// bearer authentication, and a different token is rejected.
///
/// The file is written with a leading space, a trailing space and a newline,
/// while the request sends the bare value. The 202 below therefore only holds
/// if the loaded token is compared without that surrounding whitespace.
///
/// NOTE(review): the inline token passed to `SiteBuilder::new` is `""`. This
/// test does not cover a request with no `Authorization` header or with an
/// empty bearer value; a case asserting that neither authenticates would pin
/// down that the empty inline token can never match.
#[tokio::test]
async fn file_token_auth() {
    let token_value = "file-resolved-secret-token";

    // `keep()` hands back a plain path; the directory is not removed on drop.
    let dir = tempfile::tempdir().unwrap().keep();

    // Store the secret padded with whitespace to exercise trimming on load.
    let secret_file = std::path::PathBuf::from(&dir).join("webhook_token");
    let padded_secret = format!(" {token_value} \n");
    std::fs::write(&secret_file, padded_secret).unwrap();

    let site = SiteBuilder::new("file-site", "https://example.com/repo.git", "")
        .webhook_token_file(secret_file)
        .build();
    let server = TestServer::start(harness::test_config_with_site(dir, site)).await;

    // Valid token → 202
    let matching_header = format!("Bearer {token_value}");
    let accepted = TestServer::client()
        .post(server.url("file-site"))
        .header("Authorization", matching_header)
        .send()
        .await
        .unwrap();
    assert_eq!(accepted.status(), 202);

    // Wrong token → 401
    let rejected = TestServer::client()
        .post(server.url("file-site"))
        .header("Authorization", "Bearer wrong-token")
        .send()
        .await
        .unwrap();
    assert_eq!(rejected.status(), 401);
}