115 changes: 115 additions & 0 deletions packages/opencode/test/altimate/ssh-tunnel-and-registry.test.ts
@@ -0,0 +1,115 @@
import { describe, test, expect, beforeAll, afterAll } from "bun:test"

// Disable telemetry to avoid side-effects
beforeAll(() => { process.env.ALTIMATE_TELEMETRY_DISABLED = "true" })
afterAll(() => { delete process.env.ALTIMATE_TELEMETRY_DISABLED })
Comment on lines +4 to +5

⚠️ Potential issue | 🟡 Minor

Preserve and restore pre-existing telemetry env state.

Line 5 always deletes ALTIMATE_TELEMETRY_DISABLED, which can leak global state across suites if it was already set before this file ran. Save and restore the original value.

🔧 Proposed fix
 import { describe, test, expect, beforeAll, afterAll } from "bun:test"
 
 // Disable telemetry to avoid side-effects
-beforeAll(() => { process.env.ALTIMATE_TELEMETRY_DISABLED = "true" })
-afterAll(() => { delete process.env.ALTIMATE_TELEMETRY_DISABLED })
+const prevTelemetryDisabled = process.env.ALTIMATE_TELEMETRY_DISABLED
+beforeAll(() => { process.env.ALTIMATE_TELEMETRY_DISABLED = "true" })
+afterAll(() => {
+  if (prevTelemetryDisabled === undefined) {
+    delete process.env.ALTIMATE_TELEMETRY_DISABLED
+  } else {
+    process.env.ALTIMATE_TELEMETRY_DISABLED = prevTelemetryDisabled
+  }
+})
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/opencode/test/altimate/ssh-tunnel-and-registry.test.ts` around lines
4 - 5, The test setup currently unconditionally sets and then deletes
ALTIMATE_TELEMETRY_DISABLED in beforeAll/afterAll; modify beforeAll to capture
the original value (e.g. const _orig = process.env.ALTIMATE_TELEMETRY_DISABLED),
then set process.env.ALTIMATE_TELEMETRY_DISABLED = "true", and modify afterAll
to restore the original: if (_orig === undefined) delete
process.env.ALTIMATE_TELEMETRY_DISABLED else
process.env.ALTIMATE_TELEMETRY_DISABLED = _orig; keep the references to the same
beforeAll and afterAll functions and the ALTIMATE_TELEMETRY_DISABLED env var so
the test no longer leaks global state.


import { extractSshConfig, closeTunnel, getActiveTunnel } from "../../src/altimate/native/connections/ssh-tunnel"
import { detectAuthMethod } from "../../src/altimate/native/connections/registry"

// ---------------------------------------------------------------------------
// extractSshConfig — pure function that extracts SSH tunnel config
// ---------------------------------------------------------------------------

describe("extractSshConfig", () => {
test("returns null when no ssh_host is present", () => {
const result = extractSshConfig({ type: "postgres", host: "db.example.com", port: 5432 })
expect(result).toBeNull()
})

test("extracts full SSH config with all fields", () => {
const result = extractSshConfig({
type: "postgres",
host: "db.internal",
port: 5433,
ssh_host: "bastion.example.com",
ssh_port: 2222,
ssh_user: "deployer",
ssh_password: "secret",
})
expect(result).toEqual({
ssh_host: "bastion.example.com",
ssh_port: 2222,
ssh_user: "deployer",
ssh_password: "secret",
ssh_private_key: undefined,
host: "db.internal",
port: 5433,
})
})

test("applies defaults for ssh_port, ssh_user, host, port", () => {
const result = extractSshConfig({
type: "postgres",
ssh_host: "bastion.example.com",
})
expect(result).not.toBeNull()
expect(result!.ssh_port).toBe(22)
expect(result!.ssh_user).toBe("root")
expect(result!.host).toBe("127.0.0.1")
expect(result!.port).toBe(5432)
})

test("throws when connection_string is used with SSH tunnel", () => {
expect(() => extractSshConfig({
type: "postgres",
ssh_host: "bastion.example.com",
connection_string: "postgresql://user:pass@host:5432/db",
})).toThrow("Cannot use SSH tunnel with connection_string")
})

test("supports private key authentication", () => {
const result = extractSshConfig({
type: "snowflake",
host: "db.internal",
port: 443,
ssh_host: "bastion.example.com",
ssh_private_key: "-----BEGIN OPENSSH PRIVATE KEY-----\nAAA...",
})
expect(result).not.toBeNull()
expect(result!.ssh_private_key).toBe("-----BEGIN OPENSSH PRIVATE KEY-----\nAAA...")
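Review bot: In the "applies defaults for ssh_port, ssh_user, host, port" test, `expect(result!.ssh_user).toBe("root")` pins root as the bastion login whenever `ssh_user` is omitted, so a connection config that leaves the field out will attempt the SSH login as root without anyone having chosen that. If the default is intentional, say so in a comment next to the assertion; otherwise consider making `extractSshConfig` require `ssh_user` and asserting that it throws, the way the `connection_string` test already does. The same test expects `port` to default to 5432 but only exercises `type: "postgres"`, so it does not show what a non-Postgres type receives.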
Comment on lines +67 to +70

⚠️ Potential issue | 🟠 Major

Avoid PEM-formatted private-key literals in tests.

The string at Line 67/Line 70 matches a real private-key header pattern and can trigger secret scanners or policy gates. Use a clearly synthetic placeholder value instead.

🔐 Proposed fix
-      ssh_private_key: "-----BEGIN OPENSSH PRIVATE KEY-----\nAAA...",
+      ssh_private_key: "__TEST_SSH_PRIVATE_KEY__",
@@
-    expect(result!.ssh_private_key).toBe("-----BEGIN OPENSSH PRIVATE KEY-----\nAAA...")
+    expect(result!.ssh_private_key).toBe("__TEST_SSH_PRIVATE_KEY__")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ssh_private_key: "-----BEGIN OPENSSH PRIVATE KEY-----\nAAA...",
})
expect(result).not.toBeNull()
expect(result!.ssh_private_key).toBe("-----BEGIN OPENSSH PRIVATE KEY-----\nAAA...")
ssh_private_key: "__TEST_SSH_PRIVATE_KEY__",
})
expect(result).not.toBeNull()
expect(result!.ssh_private_key).toBe("__TEST_SSH_PRIVATE_KEY__")
🧰 Tools
🪛 Betterleaks (1.1.1)

[high] 67-70: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/opencode/test/altimate/ssh-tunnel-and-registry.test.ts` around lines
67 - 70, The test currently embeds a PEM-formatted private key literal in the
assertions (the string compared to result!.ssh_private_key), which triggers
secret scanners; replace the real-looking PEM with a clearly synthetic
placeholder (e.g., "REDACTED_SSH_PRIVATE_KEY" or "mock-ssh-private-key") in both
the object used to create the result and the expect(...) assertion so result and
expect still match but no PEM-like header/footer appears; update the literal in
the test that constructs the value and in the expect(result!.ssh_private_key)
comparison.

expect(result!.ssh_password).toBeUndefined()
})
})

// ---------------------------------------------------------------------------
// closeTunnel / getActiveTunnel — idempotent operations on empty state
// ---------------------------------------------------------------------------

describe("SSH tunnel state management", () => {
test("closeTunnel is a no-op for non-existent tunnel and does not corrupt state", () => {
closeTunnel("nonexistent-tunnel-name")
expect(getActiveTunnel("nonexistent-tunnel-name")).toBeUndefined()
})

test("getActiveTunnel returns undefined for non-existent tunnel", () => {
expect(getActiveTunnel("nonexistent")).toBeUndefined()
})
})

// ---------------------------------------------------------------------------
// detectAuthMethod — MongoDB-specific fallback paths (added in commit abcaa1d)
//
// Note: config.password triggers the generic "password" branch (line 226)
// BEFORE the type-specific MongoDB branch (line 229). These tests document
// the actual precedence behavior, not the MongoDB branch in isolation.
// ---------------------------------------------------------------------------

describe("detectAuthMethod: MongoDB", () => {
test("mongodb without password falls through to MongoDB-specific branch returning 'connection_string'", () => {
expect(detectAuthMethod({ type: "mongodb" })).toBe("connection_string")
})

test("mongo alias without password falls through to MongoDB-specific branch returning 'connection_string'", () => {
expect(detectAuthMethod({ type: "mongo" })).toBe("connection_string")
})

test("mongodb with password is caught by the generic password check (precedence test)", () => {
// The generic `if (config.password)` fires before the MongoDB branch
expect(detectAuthMethod({ type: "mongodb", password: "secret" })).toBe("password")
})

test("mongodb with connection_string is caught by the generic connection_string check (precedence test)", () => {
expect(detectAuthMethod({ type: "mongodb", connection_string: "mongodb://localhost:27017" })).toBe("connection_string")
})
})
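Review bot: The last test in this block, "mongodb with connection_string is caught by the generic connection_string check (precedence test)", cannot tell apart the two branches it names: the first test here shows `detectAuthMethod({ type: "mongodb" })` already returns "connection_string" from the MongoDB-specific fallback, so the assertion passes whichever branch fires. Rename the test to describe the observable result, or drop the precedence claim from its title. The header comment's references to "line 226" and "line 229" will also go stale as the registry file changes; naming the branches (the generic `config.password` check, the MongoDB fallback) would keep the note accurate.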