package sources import ( "context" "net/http" "net/http/httptest" "testing" "time" "github.com/salvacybersec/keyhunter/pkg/providers" "github.com/salvacybersec/keyhunter/pkg/recon" ) func envLeakTestRegistry() *providers.Registry { return providers.NewRegistryFromProviders([]providers.Provider{ {Name: "openai", Keywords: []string{"sk-proj-"}}, }) } const envLeakFixture = `# Application config APP_NAME=myapp DATABASE_URL=postgres://user:pass@localhost/db OPENAI_API_KEY=sk-proj-abc123def456ghi789 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY DEBUG=false ` const envLeakCleanFixture = `# Nothing sensitive here APP_NAME=myapp DEBUG=false LOG_LEVEL=info ` func TestEnvLeak_Sweep_ExtractsFindings(t *testing.T) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/plain") _, _ = w.Write([]byte(envLeakFixture)) })) defer srv.Close() src := &EnvLeakSource{ BaseURL: srv.URL, Registry: envLeakTestRegistry(), Client: NewClient(), } out := make(chan recon.Finding, 64) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() if err := src.Sweep(ctx, "", out); err != nil { t.Fatalf("Sweep err: %v", err) } close(out) var findings []recon.Finding for f := range out { findings = append(findings, f) } if len(findings) == 0 { t.Fatal("expected at least one finding") } for _, f := range findings { if f.SourceType != "recon:dotenv" { t.Errorf("unexpected SourceType: %s", f.SourceType) } if f.Confidence != "high" { t.Errorf("unexpected Confidence: %s", f.Confidence) } } } func TestEnvLeak_Sweep_NoFindings_OnCleanFile(t *testing.T) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/plain") _, _ = w.Write([]byte(envLeakCleanFixture)) })) defer srv.Close() src := &EnvLeakSource{ BaseURL: srv.URL, Registry: envLeakTestRegistry(), Client: NewClient(), } out := make(chan recon.Finding, 64) ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() if err := src.Sweep(ctx, "", out); err != nil { t.Fatalf("Sweep err: %v", err) } close(out) var count int for range out { count++ } if count != 0 { t.Errorf("expected 0 findings, got %d", count) } } func TestEnvLeak_Sweep_CtxCancelled(t *testing.T) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { time.Sleep(500 * time.Millisecond) _, _ = w.Write([]byte(envLeakFixture)) })) defer srv.Close() src := &EnvLeakSource{ BaseURL: srv.URL, Registry: envLeakTestRegistry(), Limiters: recon.NewLimiterRegistry(), Client: NewClient(), } ctx, cancel := context.WithCancel(context.Background()) cancel() out := make(chan recon.Finding, 4) if err := src.Sweep(ctx, "", out); err == nil { t.Fatal("expected ctx error") } } func TestEnvLeak_EnabledAlwaysTrue(t *testing.T) { s := &EnvLeakSource{} if !s.Enabled(recon.Config{}) { t.Fatal("expected Enabled=true") } } func TestEnvLeak_NameAndRate(t *testing.T) { s := &EnvLeakSource{} if s.Name() != "dotenv" { t.Errorf("unexpected name: %s", s.Name()) } if s.Burst() != 2 { t.Errorf("burst: %d", s.Burst()) } if !s.RespectsRobots() { t.Error("expected RespectsRobots=true") } }