fix(host): recognize review-app URLs as SaaS-like environments

timothedelion · timothedelion · commit 8172e6f7aa4a · 2026-03-30T18:34:57.000+02:00
Review-app hostnames (e.g. dashboard-23683.review-apps.preprod.gitguardian.tech)
were treated as self-hosted, causing the client to call /exposed/v1 on the
dashboard hostname instead of deriving the API hostname. The dashboard
VirtualService has no /exposed/ route, so requests fell through to the
frontend and returned HTML instead of JSON.

Add suffix-based matching for .gitguardian.com and .gitguardian.tech domains
so the client correctly derives the API hostname (api-23683.review-apps...)
for these dynamic environments.

Refs: APPAI-556
diff --git a/packages/gg_api_core/src/gg_api_core/host.py b/packages/gg_api_core/src/gg_api_core/host.py
@@ -10,6 +10,13 @@
     "dashboard.preprod.gitguardian.com",
 ]
 
+# Domain suffixes for dynamic SaaS-like environments (e.g. review-apps)
+# where hostnames include a dynamic ID like dashboard-23683.review-apps.preprod.gitguardian.tech
+SAAS_DOMAIN_SUFFIXES = [
+    ".gitguardian.com",
+    ".gitguardian.tech",
+]
+
 LOCAL_HOSTNAMES = ["localhost", "127.0.0.1"]
 
 
@@ -20,6 +27,14 @@ def _is_local_hostname(parsed_hostname: str | None) -> bool:
     return parsed_hostname.lower() in LOCAL_HOSTNAMES
 
 
+def _is_saas_hostname(netloc: str) -> bool:
+    """Check if a netloc (host:port) belongs to a SaaS or SaaS-like environment."""
+    if netloc in SAAS_HOSTNAMES:
+        return True
+    # Match dynamic environments like review-apps (e.g. dashboard-23683.review-apps.preprod.gitguardian.tech)
+    return any(netloc.endswith(suffix) for suffix in SAAS_DOMAIN_SUFFIXES)
+
+
 def is_self_hosted_instance(gitguardian_url: str | None = None) -> bool:
     """
     Determine if we're connecting to a self-hosted GitGuardian instance.
@@ -40,7 +55,7 @@ def is_self_hosted_instance(gitguardian_url: str | None = None) -> bool:
             return False
         # For SaaS, check the full netloc (includes port)
         netloc = parsed.netloc.lower()
-        return netloc not in SAAS_HOSTNAMES
+        return not _is_saas_hostname(netloc)
     except Exception:
         # If parsing fails, assume self-hosted to be safe
         return True
diff --git a/tests/test_client.py b/tests/test_client.py
@@ -9,7 +9,7 @@
 @pytest.fixture
 def client():
     """Fixture to create a client instance with OAuth authentication."""
-    with patch.dict(os.environ, {"GITGUARDIAN_URL": "https://test.gitguardian.com"}):
+    with patch.dict(os.environ, {"GITGUARDIAN_URL": "https://gitguardian.mycompany.com"}):
         client = GitGuardianClient()
         # Mock the OAuth token to prevent OAuth flow during tests
         client._oauth_token = "test_oauth_token"
@@ -41,7 +41,7 @@ class TestGitGuardianClient:
 
     def test_init_with_env_vars(self, client):
         """Test client initialization with environment variables."""
-        assert client.public_api_url == "https://test.gitguardian.com/exposed/v1"
+        assert client.public_api_url == "https://gitguardian.mycompany.com/exposed/v1"
 
     def test_init_with_params(self):
         """Test client initialization with parameters."""
diff --git a/tests/test_host.py b/tests/test_host.py
@@ -3,7 +3,7 @@
 import os
 from unittest.mock import patch
 
-from gg_api_core.host import SAAS_HOSTNAMES, is_self_hosted_instance
+from gg_api_core.host import SAAS_HOSTNAMES, _is_saas_hostname, is_self_hosted_instance
 
 
 class TestIsSelfHostedInstance:
@@ -104,16 +104,38 @@ def test_url_with_different_ports(self):
 
     def test_url_with_basic_auth(self):
         """Test that URLs with basic auth credentials are handled correctly."""
-        # Note: urlparse includes credentials in netloc (e.g., "user:pass@hostname")
-        # Since "user:pass@dashboard.gitguardian.com" is not in SAAS_HOSTNAMES,
-        # the function returns True (treats it as self-hosted)
-        # This is an edge case where the current implementation doesn't strip credentials
-        assert is_self_hosted_instance("https://user:pass@dashboard.gitguardian.com") is True
+        # urlparse includes credentials in netloc (e.g., "user:pass@hostname")
+        # The suffix-based matching still recognizes the SaaS domain
+        assert is_self_hosted_instance("https://user:pass@dashboard.gitguardian.com") is False
         assert is_self_hosted_instance("https://user:pass@custom.domain.com") is True
 
+    def test_review_app_returns_false(self):
+        """Test that review-app URLs are recognized as SaaS-like (not self-hosted)."""
+        review_app_urls = [
+            "https://dashboard-23683.review-apps.preprod.gitguardian.tech",
+            "https://api-23683.review-apps.preprod.gitguardian.tech",
+            "https://dashboard-99999.review-apps.preprod.gitguardian.tech",
+        ]
+        for url in review_app_urls:
+            assert is_self_hosted_instance(url) is False, f"Expected False for {url}"
+
     def test_all_saas_hostnames_in_list(self):
         """Test that all hostnames in SAAS_HOSTNAMES are correctly identified."""
         for hostname in SAAS_HOSTNAMES:
             # Construct a full URL for each hostname
             url = f"https://{hostname}"
             assert is_self_hosted_instance(url) is False, f"Expected False for {url}"
+
+
+class TestIsSaasHostname:
+    """Tests for the _is_saas_hostname function."""
+
+    def test_exact_match(self):
+        assert _is_saas_hostname("dashboard.gitguardian.com") is True
+
+    def test_suffix_match(self):
+        assert _is_saas_hostname("dashboard-23683.review-apps.preprod.gitguardian.tech") is True
+
+    def test_custom_domain_not_matched(self):
+        assert _is_saas_hostname("gitguardian.mycompany.com") is False
+        assert _is_saas_hostname("gg.internal.corp") is False
