tests: update and expand testing for classification and detect_ast_secrets functions

Author: Saharsh1123

tests/test_ast.py

@@ -1,54 +1,90 @@
 from detectors.find_secrets import detect_ast_secrets
 
-# Basic detection of a simple variable assignment
+
+# Detect a basic hardcoded password assignment
 def test_ast_basic_password():
     code = 'password = "abcdef"'
     result = detect_ast_secrets(code)
 
     assert result == [(1, "Password", "HIGH", "abcdef")]
 
 
-# Detect secrets assigned via object attributes (e.g., self.password)
+# Detect password assigned through a simple object attribute
 def test_ast_attribute_password():
     code = 'self.password = "abcdef"'
     result = detect_ast_secrets(code)
 
     assert result == [(1, "Password", "HIGH", "abcdef")]
 
 
-# Detect API key pattern from attribute-based assignment
+# Detect API key assigned through an attribute
 def test_ast_api_key():
     code = 'config.api_key = "12345678"'
     result = detect_ast_secrets(code)
 
     assert result == [(1, "API Key", "HIGH", "12345678")]
 
 
-# Detect token with correct severity classification
+# Detect token with correct MEDIUM severity
 def test_ast_token():
     code = 'user.token = "qwerty123"'
     result = detect_ast_secrets(code)
 
     assert result == [(1, "Token", "MEDIUM", "qwerty123")]
 
 
-# Ensure non-string assignments are ignored
+# Detect generic secret assignment
+def test_ast_secret():
+    code = 'client_secret = "abcdef"'
+    result = detect_ast_secrets(code)
+
+    assert result == [(1, "Secret", "MEDIUM", "abcdef")]
+
+
+# Detect AWS access key by value, regardless of variable name
+def test_ast_aws_access_key_value():
+    code = 'random_var = "AKIAEXAMPLE123456789"'
+    result = detect_ast_secrets(code)
+
+    assert result == [(1, "AWS Access Key", "HIGH", "AKIAEXAMPLE123456789")]
+
+
+# Detect multiple classifications when both value and variable name match
+def test_ast_aws_access_key_with_api_key_variable():
+    code = 'api_key = "AKIAEXAMPLE123456789"'
+    result = detect_ast_secrets(code)
+
+    assert result == [
+        (1, "AWS Access Key", "HIGH", "AKIAEXAMPLE123456789"),
+        (1, "API Key", "HIGH", "AKIAEXAMPLE123456789"),
+    ]
+
+
+# Ignore non-string assignments
 def test_ast_non_string():
     code = 'password = 123456'
     result = detect_ast_secrets(code)
 
     assert result == []
 
 
-# Ensure unrelated variable names are not flagged
+# Ignore unrelated variable names with string values
 def test_ast_irrelevant_variable():
     code = 'username = "abcdef"'
     result = detect_ast_secrets(code)
 
     assert result == []
 
 
-# Validate detection across multiple assignments with correct line numbers
+# Ignore short values below the rule threshold
+def test_ast_short_value():
+    code = 'password = "abc"'
+    result = detect_ast_secrets(code)
+
+    assert result == []
+
+
+# Validate multiple assignments and correct line numbers
 def test_ast_multiple_assignments():
     code = '''
     password = "abcdef"
@@ -60,37 +96,83 @@ def test_ast_multiple_assignments():
     assert result == [
         (2, "Password", "HIGH", "abcdef"),
         (3, "API Key", "HIGH", "12345678"),
-        (4, "Token", "MEDIUM", "qwerty123")
+        (4, "Token", "MEDIUM", "qwerty123"),
     ]
 
 
-# Ensure syntax errors are handled gracefully without crashing
+# Handle syntax errors gracefully without crashing
 def test_ast_syntax_error():
-    code = 'password = "abc'  
+    code = 'password = "abc'
     result = detect_ast_secrets(code)
 
     assert result == []
 
 
-# Ensure case-insensitive variable matching
+# Detect uppercase variable names through case-insensitive rules
 def test_ast_uppercase_variable():
     code = 'PASSWORD = "abcdef"'
     result = detect_ast_secrets(code)
 
     assert result == [(1, "Password", "HIGH", "abcdef")]
 
 
-# Ensure multiple assignment targets are handled correctly
+# Process multiple assignment targets correctly
 def test_ast_multiple_targets():
     code = 'a = password = "abcdef"'
     result = detect_ast_secrets(code)
 
     assert result == [(1, "Password", "HIGH", "abcdef")]
 
 
-# Validate detection within deeply nested attribute chains
+# Process multiple sensitive targets assigned the same value
+def test_ast_multiple_sensitive_targets():
+    code = 'password = token = "abcdef"'
+    result = detect_ast_secrets(code)
+
+    assert result == [
+        (1, "Password", "HIGH", "abcdef"),
+        (1, "Token", "MEDIUM", "abcdef"),
+    ]
+
+
+# Detect secrets in deeply nested attribute chains
 def test_ast_nested_attribute():
     code = 'self.config.db.password = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abcdef")]
+    assert result == [(1, "Password", "HIGH", "abcdef")]
+
+
+# Detect API keys in deeply nested attribute chains
+def test_ast_deep_nested_api_key():
+    code = 'settings.auth.credentials.api_key = "12345678"'
+    result = detect_ast_secrets(code)
+
+    assert result == [(1, "API Key", "HIGH", "12345678")]
+
+
+# Ignore unsupported assignment targets such as subscript assignments
+def test_ast_unsupported_subscript_target():
+    code = 'config["password"] = "abcdef"'
+    result = detect_ast_secrets(code)
+
+    assert result == []
+
+
+# Preserve complex string values with special characters
+def test_ast_complex_password_value():
+    code = 'password = "abc_def-123#$%^&*()"'
+    result = detect_ast_secrets(code)
+
+    assert result == [(1, "Password", "HIGH", "abc_def-123#$%^&*()")]
+
+
+# Handle indented multiline code by normalizing indentation
+def test_ast_dedented_multiline_code():
+    code = '''
+        password = "abcdef"
+        username = "notsecret"
+    '''
+    result = detect_ast_secrets(code)
+
+    assert result == [(2, "Password", "HIGH", "abcdef")]

tests/test_detect_from_parts.py

@@ -0,0 +1,112 @@
+from detectors.find_secrets import detect_from_parts
+
+
+# Detect password variable with valid value length
+def test_password_match():
+    result = detect_from_parts("password", "abcdef")
+    assert result == [("Password", "HIGH", "abcdef")]
+
+
+# Detect password alias: pwd
+def test_pwd_alias_match():
+    result = detect_from_parts("pwd", "abcdef")
+    assert result == [("Password", "HIGH", "abcdef")]
+
+
+# Detect password alias: passwd
+def test_passwd_alias_match():
+    result = detect_from_parts("passwd", "abcdef")
+    assert result == [("Password", "HIGH", "abcdef")]
+
+
+# Ensure similar but unrelated variable names are not flagged
+def test_no_match():
+    result = detect_from_parts("username", "abcdef")
+    assert result is None
+
+
+# Ensure values below minimum length threshold are ignored
+def test_short_password_value():
+    result = detect_from_parts("password", "abc")
+    assert result is None
+
+
+# Ensure values exactly at minimum length are accepted
+def test_min_length_boundary_match():
+    result = detect_from_parts("password", "abcd")
+    assert result == [("Password", "HIGH", "abcd")]
+
+
+# Ensure case-insensitive variable matching
+def test_uppercase_variable_match():
+    result = detect_from_parts("PASSWORD", "abcdef")
+    assert result == [("Password", "HIGH", "abcdef")]
+
+
+# Detect API key variable with underscore
+def test_api_key_match():
+    result = detect_from_parts("api_key", "1234abcd")
+    assert result == [("API Key", "HIGH", "1234abcd")]
+
+
+# Detect API key variable without underscore
+def test_apikey_match():
+    result = detect_from_parts("apikey", "1234abcd")
+    assert result == [("API Key", "HIGH", "1234abcd")]
+
+
+# Detect token with medium severity
+def test_token_match():
+    result = detect_from_parts("token", "qwerty")
+    assert result == [("Token", "MEDIUM", "qwerty")]
+
+
+# Detect secret with medium severity
+def test_secret_match():
+    result = detect_from_parts("secret", "abcdef")
+    assert result == [("Secret", "MEDIUM", "abcdef")]
+
+
+# Detect secret when embedded in a longer variable name
+def test_secret_embedded_variable_match():
+    result = detect_from_parts("client_secret", "abcdef")
+    assert result == [("Secret", "MEDIUM", "abcdef")]
+
+
+# Detect AWS access key by value, regardless of variable name
+def test_aws_access_key_value_match():
+    result = detect_from_parts("random_var", "AKIAEXAMPLE123456789")
+    assert result == [("AWS Access Key", "HIGH", "AKIAEXAMPLE123456789")]
+
+
+# Ensure lowercase AWS-style value does not match case-sensitive AWS pattern
+def test_lowercase_aws_access_key_no_match():
+    result = detect_from_parts("random_var", "akiaexample123456789")
+    assert result is None
+
+
+# Ensure AWS access key can produce multiple classifications when variable also matches
+def test_aws_access_key_with_api_key_variable():
+    result = detect_from_parts("api_key", "AKIAEXAMPLE123456789")
+    assert result == [
+        ("AWS Access Key", "HIGH", "AKIAEXAMPLE123456789"),
+        ("API Key", "HIGH", "AKIAEXAMPLE123456789"),
+    ]
+
+
+# Ensure complex values with special characters are preserved
+def test_complex_password_value_match():
+    result = detect_from_parts("password", "abc_def-123#$%^&*()")
+    assert result == [("Password", "HIGH", "abc_def-123#$%^&*()")]
+
+
+# Ensure empty variable name does not trigger variable-based rules
+def test_empty_variable_name():
+    result = detect_from_parts("", "abcdef")
+    assert result is None
+
+
+# Ensure empty value does not trigger length-based rules
+def test_empty_value():
+    result = detect_from_parts("password", "")
+    assert result is None