Support sonar on prem evidence endpoint in jfrog integration

mnsboev · mnsboev · commit aab7029f3d40 · 2025-12-25T09:57:24.000+02:00
diff --git a/evidence/sonar/client.go b/evidence/sonar/client.go
@@ -3,7 +3,6 @@ package sonar
 import (
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/url"
 	"strings"
 
@@ -81,12 +80,30 @@ func (c *httpClient) GetSonarIntotoStatement(ceTaskID string) ([]byte, error) {
 	baseURL := c.baseURL
 	u, _ := url.Parse(baseURL)
 	hostname := u.Hostname()
-	// Get sonar intoto statement has api prefix before the hostname
-	// if hostname is localhost or an ip address or has api prefix, then don't add the api.
-	if hostname != "localhost" && net.ParseIP(hostname) == nil && !strings.HasPrefix(hostname, "api.") {
-		baseURL = strings.Replace(baseURL, "://", "://api.", 1)
+
+	var enterpriseURL string
+
+	// Determine URL format based on SonarQube type
+	// SonarCloud uses subdomain (api.), SonarQube Server uses path (/api/)
+	isSonarCloud := strings.Contains(hostname, "sonarcloud.io") || strings.Contains(hostname, "sonarqube.us")
+
+	if isSonarCloud {
+		// SonarQube Cloud: subdomain approach (no /v2/ prefix)
+		// https://api.sonarcloud.io/dop-translation/jfrog-evidence/{ceTaskID}
+		// https://api.sonarqube.us/dop-translation/jfrog-evidence/{ceTaskID}
+		cloudBaseURL := baseURL
+		if !strings.HasPrefix(hostname, "api.") {
+			cloudBaseURL = strings.Replace(baseURL, "://", "://api.", 1)
+		}
+		enterpriseURL = fmt.Sprintf("%s/dop-translation/jfrog-evidence/%s", cloudBaseURL, url.QueryEscape(ceTaskID))
+		log.Debug("Using SonarCloud URL format:", enterpriseURL)
+	} else {
+		// SonarQube Server: path approach (with /api/v2/ prefix)
+		// https://{customer-domain}/api/v2/dop-translation/jfrog-evidence/{ceTaskID}
+		enterpriseURL = fmt.Sprintf("%s/api/v2/dop-translation/jfrog-evidence/%s", baseURL, url.QueryEscape(ceTaskID))
+		log.Debug("Using SonarQube Server URL format:", enterpriseURL)
 	}
-	enterpriseURL := fmt.Sprintf("%s/dop-translation/jfrog-evidence/%s", baseURL, url.QueryEscape(ceTaskID))
+
 	body, statusCode, err := c.doGET(enterpriseURL)
 	if err != nil {
 		return nil, errorutils.CheckErrorf("enterprise endpoint failed with status %d and response %s %v", statusCode, string(body), err)
diff --git a/evidence/sonar/client_test.go b/evidence/sonar/client_test.go
@@ -0,0 +1,159 @@
+package sonar
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetSonarIntotoStatement_SonarQubeServerV2Success(t *testing.T) {
+	// Mock SonarQube Server that responds to v2 API endpoint (path-based)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Verify SonarQube Server v2 API path is called (path approach)
+		assert.Equal(t, "/api/v2/dop-translation/jfrog-evidence/task-123", r.URL.Path)
+
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://sonar.com/evidence/sonarqube/v1"}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	result, err := client.GetSonarIntotoStatement("task-123")
+	assert.NoError(t, err)
+	assert.Contains(t, string(result), "in-toto.io/Statement/v1")
+}
+
+func TestGetSonarIntotoStatement_SonarQubeServer_404Error(t *testing.T) {
+	// Mock SonarQube Server that returns 404
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Verify SonarQube Server v2 API path is called (path approach)
+		assert.Equal(t, "/api/v2/dop-translation/jfrog-evidence/task-123", r.URL.Path)
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"error":"not found"}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	_, err = client.GetSonarIntotoStatement("task-123")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "status 404")
+}
+
+func TestGetSonarIntotoStatement_ServerError(t *testing.T) {
+	// Mock server that returns 500 error
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte(`{"error":"server error"}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	_, err = client.GetSonarIntotoStatement("task-123")
+	assert.Error(t, err)
+	// Error may contain timeout or status 500 depending on retry mechanism
+	assert.True(t, strings.Contains(err.Error(), "timeout") || strings.Contains(err.Error(), "status 500"))
+}
+
+func TestGetSonarIntotoStatement_EmptyTaskID(t *testing.T) {
+	client, err := NewClient("https://test.example.com", "test-token")
+	assert.NoError(t, err)
+
+	result, err := client.GetSonarIntotoStatement("")
+	assert.Error(t, err)
+	assert.Nil(t, result)
+	assert.Contains(t, err.Error(), "missing ce task id")
+}
+
+func TestGetSonarIntotoStatement_AuthorizationHeader(t *testing.T) {
+	// Mock server that verifies authorization header
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authHeader := r.Header.Get("Authorization")
+		assert.Equal(t, "Bearer test-token", authHeader, "Should send Bearer token")
+
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"_type":"https://in-toto.io/Statement/v1"}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	result, err := client.GetSonarIntotoStatement("task-123")
+	assert.NoError(t, err)
+	assert.NotNil(t, result)
+}
+
+func TestGetTaskDetails_Success(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "/api/ce/task", r.URL.Path)
+		assert.Equal(t, "task-123", r.URL.Query().Get("id"))
+
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"task":{"id":"task-123","status":"SUCCESS"}}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	details, err := client.GetTaskDetails("task-123")
+	assert.NoError(t, err)
+	assert.NotNil(t, details)
+	assert.Equal(t, "task-123", details.Task.ID)
+	assert.Equal(t, "SUCCESS", details.Task.Status)
+}
+
+func TestGetTaskDetails_EmptyTaskID(t *testing.T) {
+	client, err := NewClient("https://test.example.com", "test-token")
+	assert.NoError(t, err)
+
+	details, err := client.GetTaskDetails("")
+	assert.NoError(t, err)
+	assert.Nil(t, details)
+}
+
+func TestGetTaskDetails_Error(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte(`{"error":"server error"}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	details, err := client.GetTaskDetails("task-123")
+	assert.Error(t, err)
+	assert.Nil(t, details)
+}
+
+func TestGetSonarIntotoStatement_URLEncoding(t *testing.T) {
+	// Test that task IDs with special characters are properly URL encoded
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// When Go's http server receives the request, the path is already URL-decoded
+		// So we just verify the request succeeds with special characters
+		assert.Contains(t, r.URL.Path, "task")
+
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"_type":"https://in-toto.io/Statement/v1"}`))
+	}))
+	defer server.Close()
+
+	client, err := NewClient(server.URL, "test-token")
+	assert.NoError(t, err)
+
+	// Verify that special characters in task ID don't cause errors
+	result, err := client.GetSonarIntotoStatement("task/123+special")
+	assert.NoError(t, err)
+	assert.NotNil(t, result)
+	assert.Contains(t, string(result), "in-toto.io/Statement/v1")
+}
