Skip to content

fix(jfrog-oauth): fail when access_token is empty #574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 2, 2025
Merged

fix(jfrog-oauth): fail when access_token is empty #574

merged 1 commit into from
Dec 2, 2025
+409 −191

Conversation

@matifali
Copy link
Member

@matifali matifali commented Dec 2, 2025
edited
Loading

Summary

Fixes #72 - The jfrog-oauth module now fails with a clear error message when the JFrog access token is empty, instead of silently creating configurations with empty tokens.

Changes

1. Added Precondition Validation (main.tf)

lifecycle {
  precondition {
    condition     = data.coder_external_auth.jfrog.access_token != ""
    error_message = "JFrog access token is empty. Please authenticate with JFrog using external auth."
  }
}

This ensures the module fails at plan time with a clear error when users haven't authenticated via external auth.

2. Replaced main.test.ts with jfrog-oauth.tftest.hcl

Why we removed the TypeScript tests:

The TypeScript tests used runTerraformApply() which runs terraform apply directly. This approach cannot mock data sources like coder_external_auth. The Coder provider returns empty strings for tokens by default when running outside a real Coder workspace.

With our new precondition, the TypeScript tests would always fail because:

  1. terraform apply runs → empty access_token from mock provider
  2. Precondition check fails → "JFrog access token is empty"
  3. Test fails before any assertions run

The solution: Terraform's native .tftest.hcl format supports override_data blocks that can properly mock data sources:

override_data {
  target = data.coder_external_auth.jfrog
  values = {
    access_token = "valid-token-value"  # or "" to test failure
  }
}

3. Comprehensive Test Coverage

The new jfrog-oauth.tftest.hcl includes 12 tests (up from 7):

Test What it validates
test_required_vars Basic module works with required variables
test_empty_access_token_fails NEW: Precondition rejects empty tokens
test_valid_access_token_succeeds Module works with valid token
test_jfrog_url_validation NEW: URL must start with http(s)://
test_username_field_validation NEW: Must be "email" or "username"
test_with_npm_package_manager NPM config with scoped repos (script content)
test_configure_code_server NEW: IDE env vars created when enabled
test_go_proxy_env GOPROXY env value with multiple repos
test_pypi_package_manager pip.conf with extra-index-url
test_docker_package_manager register_docker commands for all repos
test_conda_package_manager .condarc channels configuration
test_maven_package_manager settings.xml with servers and repos

All package manager tests use strcontains() to verify the actual script content matches expected configuration formats.

Test Limitations (Acknowledged)

The tests verify template rendering but not runtime execution:

✅ What we test ❌ What we don't test
Configuration file formats Script syntax errors at runtime
Variable interpolation JFrog CLI compatibility
Precondition validation Actual JFrog authentication
Script contains expected content Commands execute successfully

Rationale: The original TypeScript tests also only checked script content (toContain()), not execution. Full execution testing would require a mock JFrog server, which adds significant complexity for limited benefit. The script is straightforward bash that configures files and runs CLI commands.

Testing

cd registry/coder/modules/jfrog-oauth
terraform test
# Success! 12 passed, 0 failed.

Generated with mux

@matifali matifali force-pushed the registry-issue-72-fix branch from 9927e48 to 3b0d95b Compare December 2, 2025 19:02
@matifali matifali requested a review from Copilot December 2, 2025 19:09
@matifali
Copy link
Member Author

matifali commented Dec 2, 2025

@codex review

@matifali
fix(jfrog-oauth): fail when access_token is empty
2c8daf1 
Add a lifecycle precondition to the coder_script resource that validates
the JFrog access token is not empty. This prevents the module from
silently creating configurations with empty tokens when users haven't
authenticated via external auth.

Changes:
- Add precondition check on data.coder_external_auth.jfrog.access_token
- Replace main.test.ts with jfrog-oauth.tftest.hcl for proper data mocking
- Add comprehensive tests covering all package managers (npm, pypi, go,
  docker, conda, maven) with script content validation
- Tests verify actual generated configuration content, not just resource
  existence

Fixes #72
@matifali matifali force-pushed the registry-issue-72-fix branch from 3b0d95b to 2c8daf1 Compare December 2, 2025 19:11
Copilot finished reviewing on behalf of matifali December 2, 2025 19:13
Copilot AI reviewed Dec 2, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the jfrog-oauth module's error handling by adding precondition validation that fails with a clear error message when the JFrog access token is empty, preventing silent configuration issues. It also migrates from TypeScript tests to native Terraform .tftest.hcl tests, which better support mocking data sources like coder_external_auth.

Key Changes:

  • Added a lifecycle precondition to coder_script.jfrog resource that validates the access token is non-empty at plan time
  • Replaced TypeScript tests (main.test.ts) with comprehensive Terraform native tests (jfrog-oauth.tftest.hcl)
  • Expanded test coverage from 7 to 12 tests, including validation tests and package manager configuration tests

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
registry/coder/modules/jfrog-oauth/main.tf Added lifecycle precondition to validate non-empty access token, failing early with clear error message
registry/coder/modules/jfrog-oauth/main.test.ts Removed TypeScript tests that couldn't effectively mock data sources
registry/coder/modules/jfrog-oauth/jfrog-oauth.tftest.hcl Added comprehensive native Terraform tests with data source mocking via override_data blocks, covering all package managers and edge cases

@chatgpt-codex-connector
Copy link

chatgpt-codex-connector bot commented Dec 2, 2025

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@DevelopmentCats DevelopmentCats merged commit d21db0d into main Dec 2, 2025
4 checks passed
@DevelopmentCats DevelopmentCats deleted the registry-issue-72-fix branch December 2, 2025 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@DevelopmentCats DevelopmentCats DevelopmentCats approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: jfrog-oauth module should fail and avoid changing configuration if access_token is empty

2 participants

@matifali @DevelopmentCats