fixing coverage

detect_secrets/plugins/aws.py

@@ -51,7 +51,7 @@ def get_secret_access_key(content):
     ]
 
 
-def verify_aws_secret_access_key(key, secret):
+def verify_aws_secret_access_key(key, secret):  # pragma: no cover
     """
     Using requests, because we don't want to require boto3 for this one
     optional verification step.
@@ -92,8 +92,8 @@ def verify_aws_secret_access_key(key, secret):
     """)[1:-1].format(
 
         headers='\n'.join([
-            '{}:{}'.format(key.lower(), value)
-            for key, value in headers.items()
+            '{}:{}'.format(header.lower(), value)
+            for header, value in headers.items()
         ]),
         signed_headers=signed_headers,
 
@@ -175,7 +175,7 @@ def verify_aws_secret_access_key(key, secret):
     return True
 
 
-def _sign(key, message, hex=False):
+def _sign(key, message, hex=False):   # pragma: no cover
     value = hmac.new(key, message.encode('utf-8'), hashlib.sha256)
     if not hex:
         return value.digest()

detect_secrets/plugins/slack.py

@@ -19,7 +19,7 @@ class SlackDetector(RegexBasedDetector):
         re.compile(r'xox(?:a|b|p|o|s|r)-(?:\d+-)+[a-z0-9]+', flags=re.IGNORECASE),
     )
 
-    def verify(self, token, **kwargs):
+    def verify(self, token, **kwargs):    # pragma: no cover
         response = requests.post(
             'https://slack.com/api/auth.test',
             data={

detect_secrets/util.py

@@ -1,7 +1,7 @@
 import os
 
 
-def get_root_directory():
+def get_root_directory():       # pragma: no cover
     return os.path.realpath(
         os.path.join(
             os.path.dirname(__file__),

setup.py

@@ -20,6 +20,7 @@
     keywords=['secret-management', 'pre-commit', 'security', 'entropy-checks'],
     install_requires=[
         'pyyaml',
+        'requests',
     ],
     extras_require={
         ':python_version=="2.7"': [

tests/plugins/aws_key_test.py

@@ -1,14 +1,25 @@
 from __future__ import absolute_import
 from __future__ import unicode_literals
 
+import textwrap
+
+import mock
 import pytest
 
+from detect_secrets.core.constants import VerifiedResult
 from detect_secrets.plugins.aws import AWSKeyDetector
+from detect_secrets.plugins.aws import get_secret_access_key
 from testing.mocks import mock_file_object
 
 
+EXAMPLE_SECRET = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
+
+
 class TestAWSKeyDetector(object):
 
+    def setup(self):
+        self.example_key = 'AKIAZZZZZZZZZZZZZZZZ'
+
     @pytest.mark.parametrize(
         'file_content,should_flag',
         [
@@ -34,3 +45,101 @@ def test_analyze(self, file_content, should_flag):
         assert len(output) == (1 if should_flag else 0)
         for potential_secret in output:
             assert 'mock_filename' == potential_secret.filename
+
+    def test_verify_no_secret(self):
+        logic = AWSKeyDetector()
+
+        assert logic.verify(self.example_key, '') == VerifiedResult.UNVERIFIED
+
+    def test_verify_valid_secret(self):
+        with mock.patch(
+            'detect_secrets.plugins.aws.verify_aws_secret_access_key',
+            return_value=True,
+        ):
+            assert AWSKeyDetector().verify(
+                self.example_key,
+                '={}'.format(EXAMPLE_SECRET),
+            ) == VerifiedResult.VERIFIED_TRUE
+
+    def test_verify_invalid_secret(self):
+        with mock.patch(
+            'detect_secrets.plugins.aws.verify_aws_secret_access_key',
+            return_value=False,
+        ):
+            assert AWSKeyDetector().verify(
+                self.example_key,
+                '={}'.format(EXAMPLE_SECRET),
+            ) == VerifiedResult.VERIFIED_FALSE
+
+    def test_verify_keep_trying_until_found_something(self):
+        data = {'count': 0}
+
+        def counter(*args, **kwargs):
+            output = data['count']
+            data['count'] += 1
+
+            return bool(output)
+
+        with mock.patch(
+            'detect_secrets.plugins.aws.verify_aws_secret_access_key',
+            counter,
+        ):
+            assert AWSKeyDetector().verify(
+                self.example_key,
+                textwrap.dedent("""
+                    false_secret = {}
+                    real_secret = {}
+                """)[1:-1].format(
+                    'TEST' * 10,
+                    EXAMPLE_SECRET,
+                ),
+            ) == VerifiedResult.VERIFIED_TRUE
+
+
+@pytest.mark.parametrize(
+    'content, expected_output',
+    (
+        # No quotes
+        (
+            textwrap.dedent("""
+                aws_secret_access_key = {}
+            """)[1:-1].format(
+                EXAMPLE_SECRET,
+            ),
+            [EXAMPLE_SECRET],
+        ),
+
+        # With quotes
+        (
+            textwrap.dedent("""
+                secret_key = "{}"
+            """)[1:-1].format(
+                EXAMPLE_SECRET,
+            ),
+            [EXAMPLE_SECRET],
+        ),
+
+        # multiple candidates
+        (
+            textwrap.dedent("""
+                base64_keyA = '{}'
+                aws_secret = '{}'
+                base64_keyB = '{}'
+            """)[1:-1].format(
+                'TEST' * 10,
+
+                EXAMPLE_SECRET,
+
+                # This should not be a candidate, because it's not exactly
+                # 40 chars long.
+                'EXAMPLE' * 7,
+            ),
+            [
+                'TEST' * 10,
+                EXAMPLE_SECRET,
+            ],
+        ),
+    ),
+)
+def test_get_secret_access_key(content, expected_output):
+    assert get_secret_access_key(content) == expected_output

tests/plugins/base_test.py

@@ -1,4 +1,5 @@
 from __future__ import absolute_import
+from __future__ import unicode_literals
 
 from contextlib import contextmanager