verstak-desktop/internal/core/secrets/store_test.go

108 lines
2.3 KiB
Go

package secrets
import (
"bytes"
"os"
"path/filepath"
"strings"
"testing"
)
func testKey(seed byte) []byte {
key := make([]byte, 32)
for i := range key {
key[i] = seed
}
return key
}
func readAllSecretStoreBytes(t *testing.T, root string) []byte {
t.Helper()
var data []byte
if err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
if err != nil {
return err
}
if d.IsDir() {
return nil
}
fileData, err := os.ReadFile(path)
if err != nil {
return err
}
data = append(data, fileData...)
return nil
}); err != nil {
t.Fatalf("read secret store bytes: %v", err)
}
return data
}
func TestStoreRoundTripsSecretWithoutPlaintextOnDisk(t *testing.T) {
root := t.TempDir()
store, err := NewStore(root, testKey(0x11))
if err != nil {
t.Fatalf("NewStore: %v", err)
}
const id = "server.password"
const value = "s3cr3t-value"
if err := store.Write(id, value); err != nil {
t.Fatalf("Write: %v", err)
}
got, err := store.Read(id)
if err != nil {
t.Fatalf("Read: %v", err)
}
if got != value {
t.Fatalf("Read = %q, want %q", got, value)
}
raw := readAllSecretStoreBytes(t, root)
if bytes.Contains(raw, []byte(value)) {
t.Fatal("secret value is stored as plaintext")
}
if bytes.Contains(raw, []byte(id)) {
t.Fatal("secret id is stored as plaintext")
}
}
func TestStoreRejectsWrongKey(t *testing.T) {
root := t.TempDir()
store, err := NewStore(root, testKey(0x11))
if err != nil {
t.Fatalf("NewStore: %v", err)
}
if err := store.Write("server.password", "s3cr3t-value"); err != nil {
t.Fatalf("Write: %v", err)
}
wrongKeyStore, err := NewStore(root, testKey(0x22))
if err != nil {
t.Fatalf("NewStore wrong key: %v", err)
}
if _, err := wrongKeyStore.Read("server.password"); err == nil {
t.Fatal("Read with wrong key succeeded")
}
}
func TestStoreRejectsUnsafeIDs(t *testing.T) {
store, err := NewStore(t.TempDir(), testKey(0x11))
if err != nil {
t.Fatalf("NewStore: %v", err)
}
for _, id := range []string{"", ".", "..", "../secret", `folder\secret`, strings.Repeat("a", 257)} {
t.Run(id, func(t *testing.T) {
if err := store.Write(id, "value"); err == nil {
t.Fatalf("Write(%q): expected error", id)
}
if _, err := store.Read(id); err == nil {
t.Fatalf("Read(%q): expected error", id)
}
})
}
}