Logging a warning if readGitHubTokens finds several values which clash.

Signed-off-by: Simon Heidrich <[email protected]>
ossf · Jan 8, 2025 · 01d9a12 · 01d9a12
1 parent f5a34b9
commit 01d9a12
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 2 deletions.
diff --git a/clients/githubrepo/roundtripper/tokens/accessor.go b/clients/githubrepo/roundtripper/tokens/accessor.go
@@ -16,6 +16,7 @@
 package tokens
 
 import (
+	"fmt"
 	"os"
 	"strings"
 )
@@ -33,13 +34,27 @@ type TokenAccessor interface {
 	Release(uint64)
 }
 
+var logDuplicateTokenWarning = func(firstName string, clashingName string) {
+	fmt.Printf("Warning: PATs stored in env variables %s and %s differ. Scorecard will use the former.\n", firstName, clashingName)
+}
+
 func readGitHubTokens() (string, bool) {
+	var firstName, firstToken string
 	for _, name := range githubAuthTokenEnvVars {
 		if token, exists := os.LookupEnv(name); exists && token != "" {
-			return token, exists
+			if firstName == "" {
+				firstName = name
+				firstToken = token
+			} else if token != firstToken {
+				logDuplicateTokenWarning(firstName, name)
+			}
 		}
 	}
-	return "", false
+	if firstName == "" {
+		return "", false
+	} else {
+		return firstToken, true
+	}
 }
 
 // MakeTokenAccessor is a factory function of TokenAccessor.

diff --git a/clients/githubrepo/roundtripper/tokens/accessor_test.go b/clients/githubrepo/roundtripper/tokens/accessor_test.go
@@ -91,3 +91,79 @@ func testServer(t *testing.T) {
 		t.Errorf("MakeTokenAccessor() = nil, want not nil")
 	}
 }
+
+func TestClashingTokensDisplayWarning(t *testing.T) {
+	t.Helper()
+	someToken := "test_token"
+	otherToken := "clashing_token"
+	t.Setenv("GITHUB_AUTH_TOKEN", someToken)
+	t.Setenv("GITHUB_TOKEN", otherToken)
+
+	warningCalled := false
+	originalLogWarning := logDuplicateTokenWarning
+	logDuplicateTokenWarning = func(firstName string, clashingName string) {
+		warningCalled = true
+	}
+	defer func() { logDuplicateTokenWarning = originalLogWarning }()
+
+	token, exists := readGitHubTokens()
+
+	if token != someToken {
+		t.Errorf("Received wrong token")
+	}
+	if !exists {
+		t.Errorf("Token is expected to exist")
+	}
+	if !warningCalled {
+		t.Errorf("Expected logWarning to be called for clashing tokens, but it was not.")
+	}
+}
+
+func TestConsistentTokensDoNotDisplayWarning(t *testing.T) {
+	t.Helper()
+	someToken := "test_token"
+	t.Setenv("GITHUB_AUTH_TOKEN", someToken)
+	t.Setenv("GITHUB_TOKEN", someToken)
+
+	warningCalled := false
+	originalLogWarning := logDuplicateTokenWarning
+	logDuplicateTokenWarning = func(firstName string, clashingName string) {
+		warningCalled = true
+	}
+	defer func() { logDuplicateTokenWarning = originalLogWarning }()
+
+	token, exists := readGitHubTokens()
+
+	if token != someToken {
+		t.Errorf("Received wrong token")
+	}
+	if !exists {
+		t.Errorf("Token is expected to exist")
+	}
+	if warningCalled {
+		t.Errorf("Expected logWarning to not have been called for consistent tokens, but it was.")
+	}
+}
+
+func TestNoTokensDoNoDisplayWarning(t *testing.T) {
+	t.Helper()
+
+	warningCalled := false
+	originalLogWarning := logDuplicateTokenWarning
+	logDuplicateTokenWarning = func(firstName string, clashingName string) {
+		warningCalled = true
+	}
+	defer func() { logDuplicateTokenWarning = originalLogWarning }()
+
+	token, exists := readGitHubTokens()
+
+	if token != "" {
+		t.Errorf("Scorecard found a token somewhere")
+	}
+	if exists {
+		t.Errorf("Token is not expected to exist")
+	}
+	if warningCalled {
+		t.Errorf("Expected logWarning to not have been called for no set tokens, but it was not.")
+	}
+}