108 lines
2.3 KiB
Go
108 lines
2.3 KiB
Go
package secrets
|
|
|
|
import (
|
|
"bytes"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func testKey(seed byte) []byte {
|
|
key := make([]byte, 32)
|
|
for i := range key {
|
|
key[i] = seed
|
|
}
|
|
return key
|
|
}
|
|
|
|
func readAllSecretStoreBytes(t *testing.T, root string) []byte {
|
|
t.Helper()
|
|
|
|
var data []byte
|
|
if err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if d.IsDir() {
|
|
return nil
|
|
}
|
|
fileData, err := os.ReadFile(path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
data = append(data, fileData...)
|
|
return nil
|
|
}); err != nil {
|
|
t.Fatalf("read secret store bytes: %v", err)
|
|
}
|
|
return data
|
|
}
|
|
|
|
func TestStoreRoundTripsSecretWithoutPlaintextOnDisk(t *testing.T) {
|
|
root := t.TempDir()
|
|
store, err := NewStore(root, testKey(0x11))
|
|
if err != nil {
|
|
t.Fatalf("NewStore: %v", err)
|
|
}
|
|
|
|
const id = "server.password"
|
|
const value = "s3cr3t-value"
|
|
if err := store.Write(id, value); err != nil {
|
|
t.Fatalf("Write: %v", err)
|
|
}
|
|
|
|
got, err := store.Read(id)
|
|
if err != nil {
|
|
t.Fatalf("Read: %v", err)
|
|
}
|
|
if got != value {
|
|
t.Fatalf("Read = %q, want %q", got, value)
|
|
}
|
|
|
|
raw := readAllSecretStoreBytes(t, root)
|
|
if bytes.Contains(raw, []byte(value)) {
|
|
t.Fatal("secret value is stored as plaintext")
|
|
}
|
|
if bytes.Contains(raw, []byte(id)) {
|
|
t.Fatal("secret id is stored as plaintext")
|
|
}
|
|
}
|
|
|
|
func TestStoreRejectsWrongKey(t *testing.T) {
|
|
root := t.TempDir()
|
|
store, err := NewStore(root, testKey(0x11))
|
|
if err != nil {
|
|
t.Fatalf("NewStore: %v", err)
|
|
}
|
|
if err := store.Write("server.password", "s3cr3t-value"); err != nil {
|
|
t.Fatalf("Write: %v", err)
|
|
}
|
|
|
|
wrongKeyStore, err := NewStore(root, testKey(0x22))
|
|
if err != nil {
|
|
t.Fatalf("NewStore wrong key: %v", err)
|
|
}
|
|
if _, err := wrongKeyStore.Read("server.password"); err == nil {
|
|
t.Fatal("Read with wrong key succeeded")
|
|
}
|
|
}
|
|
|
|
func TestStoreRejectsUnsafeIDs(t *testing.T) {
|
|
store, err := NewStore(t.TempDir(), testKey(0x11))
|
|
if err != nil {
|
|
t.Fatalf("NewStore: %v", err)
|
|
}
|
|
|
|
for _, id := range []string{"", ".", "..", "../secret", `folder\secret`, strings.Repeat("a", 257)} {
|
|
t.Run(id, func(t *testing.T) {
|
|
if err := store.Write(id, "value"); err == nil {
|
|
t.Fatalf("Write(%q): expected error", id)
|
|
}
|
|
if _, err := store.Read(id); err == nil {
|
|
t.Fatalf("Read(%q): expected error", id)
|
|
}
|
|
})
|
|
}
|
|
}
|