From 5b18b9926b25fd6ed60702f24062e3c457d008f3 Mon Sep 17 00:00:00 2001 From: Salim Afiune Maya Date: Fri, 27 Dec 2024 14:43:58 +0100 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=90=9B=20fix=20loading=20private=20ke?= =?UTF-8?q?y=20from=20inventory?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Salim Afiune Maya --- providers/github/connection/connection.go | 2 +- .../github/connection/connection_test.go | 34 ++++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/providers/github/connection/connection.go b/providers/github/connection/connection.go index f67542a5d..429e06758 100644 --- a/providers/github/connection/connection.go +++ b/providers/github/connection/connection.go @@ -79,7 +79,7 @@ func connectionOptionsFromConfigOptions(conf *inventory.Config) (opts githubConn switch cred.Type { case vault.CredentialType_private_key: - if opts.AppPrivateKeyFile != "" { + if opts.AppPrivateKeyFile == "" { opts.AppPrivateKey = cred.Secret } diff --git a/providers/github/connection/connection_test.go b/providers/github/connection/connection_test.go index 8674b4a7a..f8d6d1468 100644 --- a/providers/github/connection/connection_test.go +++ b/providers/github/connection/connection_test.go @@ -5,6 +5,10 @@ package connection import ( "context" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "encoding/pem" "os" "testing" 
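Review bot: The corrected branch under `case vault.CredentialType_private_key:` now encodes a precedence rule that the hunk never states: when `opts.AppPrivateKeyFile` is set, a private-key credential stored in the inventory is silently skipped. Because this decides which key the GitHub App authenticates with, I would write it next to the condition, e.g. `// a key file from the options wins; the inventory secret is used only when no file is configured`. A debug log when a credential is ignored would also help, as long as it never prints the secret itself. The body of `connectionOptionsFromConfigOptions` starts and ends outside the hunk, so how `AppPrivateKeyFile` gets populated cannot be confirmed from here.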
@@ -20,7 +24,35 @@ func TestGithubNoConnection(t *testing.T) { require.Error(t, err) } -func TestGithubValidConnection(t *testing.T) { +func TestGithubValidConnection_Private_Key(t *testing.T) { + // Generate a new RSA private key + privateKey, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit key size + require.NoError(t, err) + privateKeyDER := x509.MarshalPKCS1PrivateKey(privateKey) + privateKeyPEM := &pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: privateKeyDER, + } + pemData := pem.EncodeToMemory(privateKeyPEM) + + _, err = NewGithubConnection(0, &inventory.Asset{ + Connections: []*inventory.Config{{ + Options: map[string]string{ + OPTION_APP_ID: "123", + OPTION_APP_INSTALLATION_ID: "890", + }, + Credentials: []*vault.Credential{{ + Type: vault.CredentialType_private_key, + Secret: pemData, + }, + }, + }, + }, + }) + require.NoError(t, err) +} + +func TestGithubValidConnection_Password(t *testing.T) { _, err := NewGithubConnection(0, &inventory.Asset{ Connections: []*inventory.Config{{ Credentials: []*vault.Credential{{ From 8e61f828bf9e6aee23636ce7e89e16b30ccdb4cd Mon Sep 17 00:00:00 2001 From: Salim Afiune Maya Date: Fri, 27 Dec 2024 14:50:45 +0100 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=A7=B9=20more=20tests?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Salim Afiune Maya --- test/providers/github_test.go | 60 +++++++++++++++++++++++++++++++++++ test/providers/os_test.go | 2 +- 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 test/providers/github_test.go diff --git a/test/providers/github_test.go b/test/providers/github_test.go new file mode 100644 index 000000000..c972759ad --- /dev/null +++ b/test/providers/github_test.go 
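Review bot: `TestGithubValidConnection_Private_Key` only covers the case where no key file is configured, so the other side of the condition this patch fixes in connection.go stays untested. A second case that sets the key-file option together with a `vault.CredentialType_private_key` credential would pin which source wins and catch the comparison being flipped again. The test also discards the returned connection; if the connection exposes which key was loaded, asserting on that would be stronger than `require.NoError` alone. Minor: the inline `// 2048-bit key size` only restates the argument and can be dropped.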
@@ -0,0 +1,60 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package providers
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "go.mondoo.com/cnquery/v11/test"
+)
+
+func TestGithubScanFlags(t *testing.T) {
+ once.Do(setup)
+
+ t.Run("github scan WITHOUT flags", func(t *testing.T) {
+ // NOTE this will fail but, it will load the flags and fail with the right message
+ r := test.NewCliTestRunner("./cnquery", "scan", "github", "repo", "foo")
+ err := r.Run()
+ require.NoError(t, err)
+ assert.Equal(t, 0, r.ExitCode())
+ assert.NotNil(t, r.Stdout())
+ assert.NotNil(t, r.Stderr())
+
+ assert.Contains(t, string(r.Stderr()),
+ "a valid GitHub authentication is required",
+ )
+ })
+ t.Run("github scan WITH flags but missing app auth key", func(t *testing.T) {
+ // NOTE this will fail but, it will load the flags and fail with the right message
+ r := test.NewCliTestRunner("./cnquery", "scan", "github", "repo", "foo",
+ "--app-id", "123", "--app-installation-id", "456",
+ )
+ err := r.Run()
+ require.NoError(t, err)
+ assert.Equal(t, 1, r.ExitCode())
+ assert.NotNil(t, r.Stdout())
+ assert.NotNil(t, r.Stderr())
+
+ assert.Contains(t, string(r.Stderr()),
+ "could not parse private key", // expected! it means we loaded the flags
+ )
+ })
+ t.Run("github scan WITH all required flags for app auth", func(t *testing.T) {
+ // NOTE this will fail but, it will load the flags and fail with the right message
+ r := test.NewCliTestRunner("./cnquery", "scan", "github", "repo", "foo",
+ "--app-id", "123", "--app-installation-id", "456", "--app-private-key", "private-key.pem",
+ )
+ err := r.Run()
+ require.NoError(t, err)
+ assert.Equal(t, 1, r.ExitCode())
+ assert.NotNil(t, r.Stdout())
+ assert.NotNil(t, r.Stderr())
+
+ assert.Contains(t, string(r.Stderr()),
+ "could not read private key", // expected! it means we loaded the flags
+ )
+ })
+}
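Review bot: In the first subtest, `github scan WITHOUT flags`, the comment says the command will fail, but the assertion is `assert.Equal(t, 0, r.ExitCode())` while stderr is expected to contain "a valid GitHub authentication is required". If that exit code is what the CLI really returns, a scan with no credentials reports success to its caller and a CI job would pass without having scanned anything; if it is intended, the comment should say so, e.g. `// NOTE: exits 0 even without authentication; only the stderr message reports the problem`. The `assert.NotNil` checks on `r.Stdout()` and `r.Stderr()` add little next to the `assert.Contains` that follows them. The third subtest relies on `private-key.pem` not existing in the working directory, which deserves a one-line comment.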
diff --git a/test/providers/os_test.go b/test/providers/os_test.go index 5b4401b33..655362cf2 100644 --- a/test/providers/os_test.go +++ b/test/providers/os_test.go @@ -20,7 +20,7 @@ var once sync.Once // setup builds cnquery locally func setup() { - // build cnspec + // build cnquery if err := exec.Command("go", "build", "../../apps/cnquery/cnquery.go").Run(); err != nil { log.Fatalf("building cnquery: %v", err) }