# frozen_string_literal: true describe Gitlab::QA::Support::ShellCommand do describe 'execute!' do context 'when masking secrets' do let(:wait_thread) { instance_double(Thread) } let(:errored_wait) { instance_double(Process::Status, exited?: true, exitstatus: 1) } let(:non_errored_wait) { instance_double(Process::Status, exited?: true, exitstatus: 0) } let(:stdin) { StringIO.new } let(:stdout) { [+'logged in as ***** with password *****'] } let(:logger) { Gitlab::QA::Runtime::Logger.logger } let(:command) { +'login -u user -p secret' } before do Rainbow.enabled = false allow(Open3).to receive(:popen2e).and_yield(stdin, stdout, wait_thread) allow(Gitlab::QA::Runtime::Logger).to receive(:logger).and_return(logger) end subject(:shell_command) { described_class.new(command, mask_secrets: %w[secret user]) } it 'masks secrets when logging the command itself' do expect(logger).to receive(:info).with('Shell command: `login -u ***** -p *****`') expect(wait_thread).to receive(:value).twice.and_return(non_errored_wait) shell_command.execute! end it 'masks command secrets on CommandError' do expect(wait_thread).to receive(:value).twice.and_return(errored_wait) expect { shell_command.execute! } .to raise_error(Gitlab::QA::Support::ShellCommand::StatusError, /Command `login -u \*{5} -p \*{5}` failed/) end it 'masks secrets when yielding output' do expect(wait_thread).to receive(:value).twice.and_return(non_errored_wait) shell_command.execute! do |output| expect(output).not_to be_nil expect(output).to eql('logged in as ***** with password *****') end end it 'masks secrets in debug logs' do expect(logger).to receive(:debug).with(/Shell command output:\nlogged in as \*{5} with password \*{5}/) expect(wait_thread).to receive(:value).twice.and_return(non_errored_wait) shell_command.execute! end it 'masks secrets in error logs' do expect(logger).to receive(:error).with(/Shell command output:\nlogged in as \*{5} with password \*{5}/) expect(wait_thread).to receive(:value).twice.and_return(errored_wait) expect { shell_command.execute! }.to raise_error(Gitlab::QA::Support::ShellCommand::StatusError) end context 'when there is no secret' do let(:command) { +'docker pull ruby:3' } it 'returns the original string' do expect(wait_thread).to receive(:value).twice.and_return(errored_wait) expect { shell_command.execute! } .to raise_error(Gitlab::QA::Support::ShellCommand::StatusError, /Command `docker pull ruby:3` failed/) end context 'with any other docker command other than attach' do let(:command) { 'docker exec' } it 'doesnt log' do expect(wait_thread).to receive(:value).twice.and_return(errored_wait) expect(logger).to receive(:error).with(/Shell command output:\nlogged in as \*{5} with password \*{5}/) expect { shell_command.execute! } .to raise_error(Gitlab::QA::Support::ShellCommand::StatusError, /Command `docker exec` failed/) end end context 'for sig docker command' do # rubocop:disable RSpec/ContextWording let(:command) { 'docker attach --sig-proxy=true' } it 'does log' do expect(wait_thread).to receive(:value).twice.and_return(errored_wait) expect(logger).not_to receive(:error).with(/Shell command output:\nlogged in as \*{5} with password \*{5}/) expect { shell_command.execute! } .to raise_error(Gitlab::QA::Support::ShellCommand::StatusError, /Command `docker attach --sig-proxy=true` failed/ ) end end end end end end