From 2b6483dd275df1e83ce71f1cde1cc40690679362 Mon Sep 17 00:00:00 2001
From: Jason Novinger <jnovinger@gmail.com>
Date: Mon, 2 Feb 2026 11:07:19 -0600
Subject: [PATCH] Fix CI: factor out unit tests, skip integration tests if
 dulwich not installed

---
 netbox/core/data_backends.py            | 18 ++++++--
 netbox/core/tests/test_data_backends.py | 61 ++++++++++++++++++++++++-
 2 files changed, 74 insertions(+), 5 deletions(-)

diff --git a/netbox/core/data_backends.py b/netbox/core/data_backends.py
index bc8cdb869..86e16afa2 100644
--- a/netbox/core/data_backends.py
+++ b/netbox/core/data_backends.py
@@ -21,11 +21,24 @@ __all__ = (
     'GitBackend',
     'LocalBackend',
     'S3Backend',
+    'url_has_embedded_credentials',
 )
 
 logger = logging.getLogger('netbox.data_backends')
 
 
+def url_has_embedded_credentials(url):
+    """
+    Check if a URL contains embedded credentials (username in the URL).
+
+    URLs like 'https://user@bitbucket.org/...' have embedded credentials.
+    This is used to avoid passing explicit credentials to dulwich when the
+    URL already contains them, which would cause authentication conflicts.
+    """
+    parsed = urlparse(url)
+    return bool(parsed.username)
+
+
 @register_data_backend()
 class LocalBackend(DataBackend):
     name = 'local'
@@ -103,9 +116,8 @@ class GitBackend(DataBackend):
 
         if self.url_scheme in ('http', 'https'):
             # Only pass explicit credentials if URL doesn't already contain embedded username
-            # to avoid credential conflicts
-            parsed_url = urlparse(self.url)
-            if not parsed_url.username and self.params.get('username'):
+            # to avoid credential conflicts (see #20902)
+            if not url_has_embedded_credentials(self.url) and self.params.get('username'):
                 clone_args.update(
                     {
                         "username": self.params.get('username'),
diff --git a/netbox/core/tests/test_data_backends.py b/netbox/core/tests/test_data_backends.py
index 4c2bb27a4..8020eb76c 100644
--- a/netbox/core/tests/test_data_backends.py
+++ b/netbox/core/tests/test_data_backends.py
@@ -1,13 +1,70 @@
+from unittest import skipIf
 from unittest.mock import patch
 
 from django.test import TestCase
 
-from core.data_backends import GitBackend
+from core.data_backends import url_has_embedded_credentials
+
+try:
+    import dulwich  # noqa: F401
+    DULWICH_AVAILABLE = True
+except ImportError:
+    DULWICH_AVAILABLE = False
 
 
-class GitBackendCredentialTests(TestCase):
+class URLEmbeddedCredentialsTests(TestCase):
+    def test_url_with_embedded_username(self):
+        self.assertTrue(url_has_embedded_credentials('https://myuser@bitbucket.org/workspace/repo.git'))
+
+    def test_url_without_embedded_username(self):
+        self.assertFalse(url_has_embedded_credentials('https://bitbucket.org/workspace/repo.git'))
+
+    def test_url_with_username_and_password(self):
+        self.assertTrue(url_has_embedded_credentials('https://user:pass@bitbucket.org/workspace/repo.git'))
+
+    def test_various_providers_with_embedded_username(self):
+        urls = [
+            'https://user@bitbucket.org/workspace/repo.git',
+            'https://user@github.com/owner/repo.git',
+            'https://deploy-key@gitlab.com/group/project.git',
+            'http://user@internal-git.example.com/repo.git',
+        ]
+        for url in urls:
+            with self.subTest(url=url):
+                self.assertTrue(url_has_embedded_credentials(url))
+
+    def test_various_providers_without_embedded_username(self):
+        """Various Git providers without embedded usernames."""
+        urls = [
+            'https://bitbucket.org/workspace/repo.git',
+            'https://github.com/owner/repo.git',
+            'https://gitlab.com/group/project.git',
+            'http://internal-git.example.com/repo.git',
+        ]
+        for url in urls:
+            with self.subTest(url=url):
+                self.assertFalse(url_has_embedded_credentials(url))
+
+    def test_ssh_url(self):
+        # git@host:path format doesn't parse as having a username in the traditional sense
+        self.assertFalse(url_has_embedded_credentials('git@github.com:owner/repo.git'))
+
+    def test_file_url(self):
+        self.assertFalse(url_has_embedded_credentials('file:///path/to/repo'))
+
+
+@skipIf(not DULWICH_AVAILABLE, "dulwich is not installed")
+class GitBackendCredentialIntegrationTests(TestCase):
+    """
+    Integration tests that verify GitBackend correctly applies credential logic.
+
+    These tests require dulwich to be installed and verify the full integration
+    of the credential handling in GitBackend.fetch().
+    """
 
     def _get_clone_kwargs(self, url, **params):
+        from core.data_backends import GitBackend
+
         backend = GitBackend(url=url, **params)
 
         with patch('dulwich.porcelain.clone') as mock_clone, \