feature: validate the token user (#45)

Author: ideepu

codecov/exceptions.py

@@ -14,6 +14,10 @@ class GithubBaseException(CoreBaseException):
     pass
 
 
+class CannotGetUser(GithubBaseException):
+    pass
+
+
 class CannotGetBranch(GithubBaseException):
     pass
 
@@ -34,6 +38,10 @@ class NotFound(ApiError):
     pass
 
 
+class Unauthorized(ApiError):
+    pass
+
+
 class Forbidden(ApiError):
     pass
 

codecov/github.py

@@ -4,17 +4,18 @@
     ApiError,
     CannotGetBranch,
     CannotGetPullRequest,
+    CannotGetUser,
     CannotPostComment,
     Conflict,
     Forbidden,
     NotFound,
+    Unauthorized,
     ValidationFailed,
 )
 from codecov.github_client import GitHubClient
 from codecov.groups import Annotation
 from codecov.log import log
 
-GITHUB_CODECOV_LOGIN = 'CI-codecov[bot]'
 COMMIT_MESSAGE = 'Update annotations data'
 
 
@@ -41,7 +42,6 @@ def __init__(  # pylint: disable=too-many-arguments, too-many-positional-argumen
         self.user: User = self._init_user()
         self.pr_number, self.base_ref = self._init_pr_number(pr_number=pr_number, ref=ref)
         self.pr_diff: str = self._init_pr_diff()
-        # TODO: Validate the user and email if annotations are not empty. We need these for committing to the branch
 
     def _init_user(self) -> User:
         log.info('Getting user details.')
@@ -52,13 +52,12 @@ def _init_user(self) -> User:
                 email=response.email or f'{response.id}+{response.login}@users.noreply.github.com',
                 login=response.login,
             )
-        except Forbidden:
-            # The GitHub actions user cannot access its own details
-            # and I'm not sure there's a way to see that we're using
-            # the GitHub actions user except noting that it fails
-            log.warning('Cannot get user details. Using default user.')
-            # TODO: Abort if we can't get the user details
-        return User(name=GITHUB_CODECOV_LOGIN, email='', login=GITHUB_CODECOV_LOGIN)
+        except Unauthorized as exc:
+            log.error('Unauthorized access to user details. Invalid token.')
+            raise CannotGetUser from exc
+        except Forbidden as exc:
+            log.error('Cannot get user details.')
+            raise CannotGetUser from exc
 
     def _init_pr_number(self, pr_number: int | None = None, ref: str | None = None) -> tuple[int, str]:
         if pr_number:

codecov/github_client.py

@@ -4,7 +4,15 @@
 
 import httpx
 
-from codecov.exceptions import ApiError, ConfigurationException, Conflict, Forbidden, NotFound, ValidationFailed
+from codecov.exceptions import (
+    ApiError,
+    ConfigurationException,
+    Conflict,
+    Forbidden,
+    NotFound,
+    Unauthorized,
+    ValidationFailed,
+)
 from codecov.log import log
 
 TIMEOUT = 60
@@ -110,6 +118,8 @@ def _http(self, method: str, path: str, *, use_bytes: bool = False, use_text: bo
         except httpx.HTTPStatusError as exc:
             exc_cls = ApiError
             match exc.response.status_code:
+                case 401:
+                    exc_cls = Unauthorized
                 case 403:
                     exc_cls = Forbidden
                 case 404:

run.py

@@ -1,9 +1,15 @@
+import sys
+
+from codecov.exceptions import CoreBaseException
 from codecov.main import Main
 
 
 def main_call(name):
     if name == '__main__':
-        Main().run()
+        try:
+            Main().run()
+        except CoreBaseException:
+            sys.exit(1)
 
 
 main_call(name=__name__)

tests/test_github.py

@@ -7,8 +7,8 @@
 
 import pytest
 
-from codecov.exceptions import CannotGetBranch, CannotGetPullRequest, CannotPostComment
-from codecov.github import COMMIT_MESSAGE, GITHUB_CODECOV_LOGIN, Github, User
+from codecov.exceptions import CannotGetBranch, CannotGetPullRequest, CannotGetUser, CannotPostComment
+from codecov.github import COMMIT_MESSAGE, Github, User
 from codecov.groups import Annotation, AnnotationEncoder
 
 TEST_DATA_PR_DIFF = 'diff --git a/file.py b/file.py\nindex 1234567..abcdefg 100644\n--- a/file.py\n+++ b/file.py\n@@ -1,2 +1,2 @@\n-foo\n+bar\n-baz\n+qux\n'
@@ -54,19 +54,29 @@ def test_init_user_login(
         test_config,
         gh_client,
     ):
+        session.register('GET', '/user')(status_code=401)
+        with pytest.raises(CannotGetUser):
+            Github(
+                client=gh_client,
+                repository=test_config.GITHUB_REPOSITORY,
+                pr_number=test_config.GITHUB_PR_NUMBER,
+                ref=test_config.GITHUB_REF,
+                annotations_data_branch=test_config.ANNOTATIONS_DATA_BRANCH,
+            )
+        gh_init_pr_number_mock.assert_not_called()
+        gh_init_pr_diff_mock.assert_not_called()
+
         session.register('GET', '/user')(status_code=403)
-        gh = Github(
-            client=gh_client,
-            repository=test_config.GITHUB_REPOSITORY,
-            pr_number=test_config.GITHUB_PR_NUMBER,
-            ref=test_config.GITHUB_REF,
-            annotations_data_branch=test_config.ANNOTATIONS_DATA_BRANCH,
-        )
-        assert gh.user == User(name=GITHUB_CODECOV_LOGIN, email='', login=GITHUB_CODECOV_LOGIN)
-        gh_init_pr_number_mock.assert_called_once()
-        gh_init_pr_diff_mock.assert_called_once()
-        gh_init_pr_number_mock.reset_mock()
-        gh_init_pr_diff_mock.reset_mock()
+        with pytest.raises(CannotGetUser):
+            Github(
+                client=gh_client,
+                repository=test_config.GITHUB_REPOSITORY,
+                pr_number=test_config.GITHUB_PR_NUMBER,
+                ref=test_config.GITHUB_REF,
+                annotations_data_branch=test_config.ANNOTATIONS_DATA_BRANCH,
+            )
+        gh_init_pr_number_mock.assert_not_called()
+        gh_init_pr_diff_mock.assert_not_called()
 
         session.register('GET', '/user')(json={'login': 'foo', 'id': 123, 'name': 'bar', 'email': 'baz'})
         gh = Github(