@@ -709,6 +709,63 @@ func TestValidateApplications_RootPath(t *testing.T) {
709709 require .ErrorContains (t , errs [app .QualifiedName ()], "app is configured to hydrate to the repository root" )
710710}
711711
712+ // TestValidateApplications_SyncSourceRepoNotPermitted tests that the sync source repo
713+ // must be permitted in the project. When SyncSource.RepoURL is set to a different repo,
714+ // that repo must be permitted. This tests PR #25464 code.
715+ func TestValidateApplications_SyncSourceRepoNotPermitted (t * testing.T ) {
716+ t .Parallel ()
717+ d := mocks .NewDependencies (t )
718+ app := newTestApp ("test-app" )
719+ // Set a different sync source repo URL that is not permitted in the project
720+ // The dry source repo (https://example.com/repo) is permitted, but the sync source repo is not
721+ app .Spec .SourceHydrator .SyncSource .RepoURL = "https://example.com/not-permitted-repo"
722+ // Project permits https://example.com/repo (dry source) but not the sync source repo
723+ proj := newTestProject ()
724+ d .EXPECT ().GetProcessableAppProj (app ).Return (proj , nil ).Once ()
725+ h := & Hydrator {dependencies : d }
726+
727+ projects , errs := h .validateApplications ([]* v1alpha1.Application {app })
728+ require .Nil (t , projects )
729+ require .Len (t , errs , 1 )
730+ // When SyncSource.RepoURL is set, GetSource() returns that repo URL, so the first validation check fails
731+ require .ErrorContains (t , errs [app .QualifiedName ()], "application repo https://example.com/not-permitted-repo is not permitted in project" )
732+ }
733+
734+ // TestValidateApplications_DestinationRepoPermitted tests that validation passes when
735+ // the destination repo (sync source) is permitted in the project
736+ func TestValidateApplications_DestinationRepoPermitted (t * testing.T ) {
737+ t .Parallel ()
738+ d := mocks .NewDependencies (t )
739+ app := newTestApp ("test-app" )
740+ // Set sync source repo URL that IS permitted in the project
741+ app .Spec .SourceHydrator .SyncSource .RepoURL = "https://example.com/repo"
742+ // Project permits https://example.com/repo
743+ proj := newTestProject ()
744+ d .EXPECT ().GetProcessableAppProj (app ).Return (proj , nil ).Once ()
745+ h := & Hydrator {dependencies : d }
746+
747+ projects , errs := h .validateApplications ([]* v1alpha1.Application {app })
748+ require .NotNil (t , projects )
749+ require .Empty (t , errs )
750+ }
751+
752+ // TestValidateApplications_DestinationRepoSameAsDrySource tests that validation passes when
753+ // the sync source repo URL is empty (defaults to dry source repo)
754+ func TestValidateApplications_DestinationRepoSameAsDrySource (t * testing.T ) {
755+ t .Parallel ()
756+ d := mocks .NewDependencies (t )
757+ app := newTestApp ("test-app" )
758+ // Empty sync source repo URL - should use dry source repo URL which is permitted
759+ app .Spec .SourceHydrator .SyncSource .RepoURL = ""
760+ proj := newTestProject ()
761+ d .EXPECT ().GetProcessableAppProj (app ).Return (proj , nil ).Once ()
762+ h := & Hydrator {dependencies : d }
763+
764+ projects , errs := h .validateApplications ([]* v1alpha1.Application {app })
765+ require .NotNil (t , projects )
766+ require .Empty (t , errs )
767+ }
768+
712769func TestValidateApplications_DuplicateDestination (t * testing.T ) {
713770 t .Parallel ()
714771 d := mocks .NewDependencies (t )
0 commit comments