update tests

Author: kerobbi

pkg/github/issues_test.go

@@ -23,17 +23,14 @@ import (
 )
 
 var defaultGQLClient *githubv4.Client = githubv4.NewClient(newRepoAccessHTTPClient())
-var repoAccessCache *lockdown.RepoAccessCache = stubRepoAccessCache(defaultGQLClient, 15*time.Minute)
 
 type repoAccessKey struct {
-	owner    string
-	repo     string
-	username string
+	owner string
+	repo  string
 }
 
 type repoAccessValue struct {
-	isPrivate  bool
-	permission string
+	isPrivate bool
 }
 
 type repoAccessMockTransport struct {
@@ -42,8 +39,8 @@ type repoAccessMockTransport struct {
 
 func newRepoAccessHTTPClient() *http.Client {
 	responses := map[repoAccessKey]repoAccessValue{
-		{owner: "owner2", repo: "repo2", username: "testuser2"}: {isPrivate: true},
-		{owner: "owner", repo: "repo", username: "testuser"}:    {isPrivate: false, permission: "READ"},
+		{owner: "owner2", repo: "repo2"}: {isPrivate: true},
+		{owner: "owner", repo: "repo"}:   {isPrivate: false},
 	}
 
 	return &http.Client{Transport: &repoAccessMockTransport{responses: responses}}
@@ -66,30 +63,19 @@ func (rt *repoAccessMockTransport) RoundTrip(req *http.Request) (*http.Response,
 
 	owner := toString(payload.Variables["owner"])
 	repo := toString(payload.Variables["name"])
-	username := toString(payload.Variables["username"])
 
-	value, ok := rt.responses[repoAccessKey{owner: owner, repo: repo, username: username}]
+	value, ok := rt.responses[repoAccessKey{owner: owner, repo: repo}]
 	if !ok {
-		value = repoAccessValue{isPrivate: false, permission: "WRITE"}
-	}
-
-	edges := []any{}
-	if value.permission != "" {
-		edges = append(edges, map[string]any{
-			"permission": value.permission,
-			"node": map[string]any{
-				"login": username,
-			},
-		})
+		value = repoAccessValue{isPrivate: false}
 	}
 
 	responseBody, err := json.Marshal(map[string]any{
 		"data": map[string]any{
+			"viewer": map[string]any{
+				"login": "test-viewer",
+			},
 			"repository": map[string]any{
 				"isPrivate": value.isPrivate,
-				"collaborators": map[string]any{
-					"edges": edges,
-				},
 			},
 		},
 	})
@@ -170,13 +156,13 @@ func Test_GetIssue(t *testing.T) {
 	tests := []struct {
 		name               string
 		mockedClient       *http.Client
-		gqlHTTPClient      *http.Client
 		requestArgs        map[string]any
 		expectHandlerError bool
 		expectResultError  bool
 		expectedIssue      *github.Issue
 		expectedErrMsg     string
 		lockdownEnabled    bool
+		restPermission     string
 	}{
 		{
 			name: "successful issue retrieval",
@@ -210,36 +196,6 @@ func Test_GetIssue(t *testing.T) {
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
 				GetReposIssuesByOwnerByRepoByIssueNumber: mockResponse(t, http.StatusOK, mockIssue2),
 			}),
-			gqlHTTPClient: githubv4mock.NewMockedHTTPClient(
-				githubv4mock.NewQueryMatcher(
-					struct {
-						Repository struct {
-							IsPrivate     githubv4.Boolean
-							Collaborators struct {
-								Edges []struct {
-									Permission githubv4.String
-									Node       struct {
-										Login githubv4.String
-									}
-								}
-							} `graphql:"collaborators(query: $username, first: 1)"`
-						} `graphql:"repository(owner: $owner, name: $name)"`
-					}{},
-					map[string]any{
-						"owner":    githubv4.String("owner2"),
-						"name":     githubv4.String("repo2"),
-						"username": githubv4.String("testuser2"),
-					},
-					githubv4mock.DataResponse(map[string]any{
-						"repository": map[string]any{
-							"isPrivate": true,
-							"collaborators": map[string]any{
-								"edges": []any{},
-							},
-						},
-					}),
-				),
-			),
 			requestArgs: map[string]any{
 				"method":       "get",
 				"owner":        "owner2",
@@ -248,49 +204,13 @@ func Test_GetIssue(t *testing.T) {
 			},
 			expectedIssue:   mockIssue2,
 			lockdownEnabled: true,
+			restPermission:  "none",
 		},
 		{
 			name: "lockdown enabled - user lacks push access",
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
 				GetReposIssuesByOwnerByRepoByIssueNumber: mockResponse(t, http.StatusOK, mockIssue),
 			}),
-			gqlHTTPClient: githubv4mock.NewMockedHTTPClient(
-				githubv4mock.NewQueryMatcher(
-					struct {
-						Repository struct {
-							IsPrivate     githubv4.Boolean
-							Collaborators struct {
-								Edges []struct {
-									Permission githubv4.String
-									Node       struct {
-										Login githubv4.String
-									}
-								}
-							} `graphql:"collaborators(query: $username, first: 1)"`
-						} `graphql:"repository(owner: $owner, name: $name)"`
-					}{},
-					map[string]any{
-						"owner":    githubv4.String("owner"),
-						"name":     githubv4.String("repo"),
-						"username": githubv4.String("testuser"),
-					},
-					githubv4mock.DataResponse(map[string]any{
-						"repository": map[string]any{
-							"isPrivate": false,
-							"collaborators": map[string]any{
-								"edges": []any{
-									map[string]any{
-										"permission": "READ",
-										"node": map[string]any{
-											"login": "testuser",
-										},
-									},
-								},
-							},
-						},
-					}),
-				),
-			),
 			requestArgs: map[string]any{
 				"method":       "get",
 				"owner":        "owner",
@@ -300,20 +220,21 @@ func Test_GetIssue(t *testing.T) {
 			expectResultError: true,
 			expectedErrMsg:    "access to issue details is restricted by lockdown mode",
 			lockdownEnabled:   true,
+			restPermission:    "read",
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			client := github.NewClient(tc.mockedClient)
 
-			var gqlClient *githubv4.Client
-			cache := repoAccessCache
-			if tc.gqlHTTPClient != nil {
-				gqlClient = githubv4.NewClient(tc.gqlHTTPClient)
-				cache = stubRepoAccessCache(gqlClient, 15*time.Minute)
+			gqlClient := defaultGQLClient
+			var cache *lockdown.RepoAccessCache
+			if tc.restPermission != "" {
+				restClient := mockRESTPermissionServer(t, tc.restPermission, nil)
+				cache = stubLockdownCache(t, restClient, 15*time.Minute)
 			} else {
-				gqlClient = githubv4.NewClient(nil)
+				cache = stubRepoAccessCache(gqlClient, 15*time.Minute)
 			}
 
 			flags := stubFeatureFlags(map[string]bool{"lockdown-mode": tc.lockdownEnabled})
@@ -1997,7 +1918,6 @@ func Test_GetIssueComments(t *testing.T) {
 	tests := []struct {
 		name             string
 		mockedClient     *http.Client
-		gqlHTTPClient    *http.Client
 		requestArgs      map[string]any
 		expectError      bool
 		expectedComments []*github.IssueComment
@@ -2069,7 +1989,6 @@ func Test_GetIssueComments(t *testing.T) {
 					},
 				}),
 			}),
-			gqlHTTPClient: newRepoAccessHTTPClient(),
 			requestArgs: map[string]any{
 				"method":       "get_comments",
 				"owner":        "owner",
@@ -2092,13 +2011,17 @@ func Test_GetIssueComments(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			// Setup client with mock
 			client := github.NewClient(tc.mockedClient)
-			var gqlClient *githubv4.Client
-			if tc.gqlHTTPClient != nil {
-				gqlClient = githubv4.NewClient(tc.gqlHTTPClient)
+			gqlClient := defaultGQLClient
+			var cache *lockdown.RepoAccessCache
+			if tc.lockdownEnabled {
+				restClient := mockRESTPermissionServer(t, "read", map[string]string{
+					"maintainer": "write",
+					"testuser":   "read",
+				})
+				cache = stubLockdownCache(t, restClient, 15*time.Minute)
 			} else {
-				gqlClient = githubv4.NewClient(nil)
+				cache = stubRepoAccessCache(gqlClient, 15*time.Minute)
 			}
-			cache := stubRepoAccessCache(gqlClient, 15*time.Minute)
 			flags := stubFeatureFlags(map[string]bool{"lockdown-mode": tc.lockdownEnabled})
 			deps := BaseDeps{
 				Client:          client,

pkg/github/pullrequests_test.go

@@ -1939,7 +1939,12 @@ func Test_GetPullRequestComments(t *testing.T) {
 			// Setup cache for lockdown mode
 			var cache *lockdown.RepoAccessCache
 			if tc.lockdownEnabled {
-				cache = stubRepoAccessCache(githubv4.NewClient(newRepoAccessHTTPClient()), 5*time.Minute)
+				restClient := mockRESTPermissionServer(t, "read", map[string]string{
+					"maintainer":    "write",
+					"external-user": "read",
+					"testuser":      "read",
+				})
+				cache = stubLockdownCache(t, restClient, 5*time.Minute)
 			} else {
 				cache = stubRepoAccessCache(gqlClient, 5*time.Minute)
 			}
@@ -2083,7 +2088,6 @@ func Test_GetPullRequestReviews(t *testing.T) {
 					},
 				}),
 			}),
-			gqlHTTPClient: newRepoAccessHTTPClient(),
 			requestArgs: map[string]any{
 				"method":     "get_reviews",
 				"owner":      "owner",
@@ -2107,13 +2111,20 @@ func Test_GetPullRequestReviews(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			// Setup client with mock
 			client := github.NewClient(tc.mockedClient)
-			var gqlClient *githubv4.Client
+			gqlClient := defaultGQLClient
 			if tc.gqlHTTPClient != nil {
 				gqlClient = githubv4.NewClient(tc.gqlHTTPClient)
+			}
+			var cache *lockdown.RepoAccessCache
+			if tc.lockdownEnabled {
+				restClient := mockRESTPermissionServer(t, "read", map[string]string{
+					"maintainer": "write",
+					"testuser":   "read",
+				})
+				cache = stubLockdownCache(t, restClient, 5*time.Minute)
 			} else {
-				gqlClient = githubv4.NewClient(nil)
+				cache = stubRepoAccessCache(gqlClient, 5*time.Minute)
 			}
-			cache := stubRepoAccessCache(gqlClient, 5*time.Minute)
 			flags := stubFeatureFlags(map[string]bool{"lockdown-mode": tc.lockdownEnabled})
 			serverTool := PullRequestRead(translations.NullTranslationHelper)
 			deps := BaseDeps{

pkg/github/server_test.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	"strings"
 	"testing"
 	"time"
 
@@ -99,7 +100,35 @@ func stubGQLClientFnErr(errMsg string) func(context.Context) (*githubv4.Client,
 
 func stubRepoAccessCache(client *githubv4.Client, ttl time.Duration) *lockdown.RepoAccessCache {
 	cacheName := fmt.Sprintf("repo-access-cache-test-%d", time.Now().UnixNano())
-	return lockdown.GetInstance(client, lockdown.WithTTL(ttl), lockdown.WithCacheName(cacheName))
+	return lockdown.NewRepoAccessCache(client, nil, lockdown.WithTTL(ttl), lockdown.WithCacheName(cacheName))
+}
+
+func stubLockdownCache(t *testing.T, restClient *gogithub.Client, ttl time.Duration) *lockdown.RepoAccessCache {
+	t.Helper()
+	cacheName := fmt.Sprintf("repo-access-cache-test-%d", time.Now().UnixNano())
+	return lockdown.NewRepoAccessCache(
+		githubv4.NewClient(newRepoAccessHTTPClient()),
+		restClient,
+		lockdown.WithTTL(ttl),
+		lockdown.WithCacheName(cacheName),
+	)
+}
+
+func mockRESTPermissionServer(t *testing.T, defaultPerm string, overrides map[string]string) *gogithub.Client {
+	t.Helper()
+	return gogithub.NewClient(MockHTTPClientWithHandler(func(w http.ResponseWriter, r *http.Request) {
+		perm := defaultPerm
+		for user, p := range overrides {
+			if strings.Contains(r.URL.Path, "/collaborators/"+user+"/") {
+				perm = p
+				break
+			}
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(gogithub.RepositoryPermissionLevel{
+			Permission: gogithub.Ptr(perm),
+		})
+	}))
 }
 
 func stubFeatureFlags(enabledFlags map[string]bool) FeatureFlags {