[ci skip] more codex 5.3 improvements

2026-02-06 15:17:38 +11:00
parent dc96431f06
commit dfbaacb6f3
16 changed files with 297 additions and 75 deletions
--- a/main_test.go
+++ b/main_test.go
@@ -0,0 +1,112 @@
+package main
+
+import (
+	"io"
+	"log/slog"
+	"strings"
+	"testing"
+	"vctp/internal/secrets"
+)
+
+func testLogger() *slog.Logger {
+	return slog.New(slog.NewTextHandler(io.Discard, nil))
+}
+
+func mustEncrypt(t *testing.T, s *secrets.Secrets, plain string) string {
+	t.Helper()
+	enc, err := s.Encrypt([]byte(plain))
+	if err != nil {
+		t.Fatalf("encrypt failed: %v", err)
+	}
+	return enc
+}
+
+func TestResolveVcenterPasswordPlaintextRewrite(t *testing.T) {
+	logger := testLogger()
+	key := []byte("0123456789abcdef0123456789abcdef")
+	cipher := secrets.New(logger, key)
+
+	pass, rewritten, err := resolveVcenterPassword(logger, cipher, nil, "my-password")
+	if err != nil {
+		t.Fatalf("resolve failed: %v", err)
+	}
+	if string(pass) != "my-password" {
+		t.Fatalf("unexpected plaintext returned: %q", string(pass))
+	}
+	if !strings.HasPrefix(rewritten, encryptedVcenterPasswordPrefix) {
+		t.Fatalf("expected rewritten prefixed credential, got: %q", rewritten)
+	}
+}
+
+func TestResolveVcenterPasswordUnprefixedLegacyCiphertextRewrite(t *testing.T) {
+	logger := testLogger()
+	activeKey := []byte("0123456789abcdef0123456789abcdef")
+	legacyKey := []byte("abcdef0123456789abcdef0123456789")
+	activeCipher := secrets.New(logger, activeKey)
+	legacyCipher := secrets.New(logger, legacyKey)
+
+	legacyCiphertext := mustEncrypt(t, legacyCipher, "legacy-secret")
+
+	pass, rewritten, err := resolveVcenterPassword(logger, activeCipher, [][]byte{legacyKey}, legacyCiphertext)
+	if err != nil {
+		t.Fatalf("resolve failed: %v", err)
+	}
+	if string(pass) != "legacy-secret" {
+		t.Fatalf("unexpected plaintext returned: %q", string(pass))
+	}
+	if !strings.HasPrefix(rewritten, encryptedVcenterPasswordPrefix) {
+		t.Fatalf("expected rewritten prefixed credential, got: %q", rewritten)
+	}
+
+	decoded, err := activeCipher.Decrypt(strings.TrimPrefix(rewritten, encryptedVcenterPasswordPrefix))
+	if err != nil {
+		t.Fatalf("rewritten ciphertext did not decrypt with active key: %v", err)
+	}
+	if string(decoded) != "legacy-secret" {
+		t.Fatalf("unexpected rewritten decrypt value: %q", string(decoded))
+	}
+}
+
+func TestResolveVcenterPasswordPrefixedLegacyCiphertextRewrite(t *testing.T) {
+	logger := testLogger()
+	activeKey := []byte("0123456789abcdef0123456789abcdef")
+	legacyKey := []byte("abcdef0123456789abcdef0123456789")
+	activeCipher := secrets.New(logger, activeKey)
+	legacyCipher := secrets.New(logger, legacyKey)
+
+	legacyCiphertext := mustEncrypt(t, legacyCipher, "legacy-prefixed-secret")
+	raw := encryptedVcenterPasswordPrefix + legacyCiphertext
+
+	pass, rewritten, err := resolveVcenterPassword(logger, activeCipher, [][]byte{legacyKey}, raw)
+	if err != nil {
+		t.Fatalf("resolve failed: %v", err)
+	}
+	if string(pass) != "legacy-prefixed-secret" {
+		t.Fatalf("unexpected plaintext returned: %q", string(pass))
+	}
+	if !strings.HasPrefix(rewritten, encryptedVcenterPasswordPrefix) {
+		t.Fatalf("expected rewritten prefixed credential, got: %q", rewritten)
+	}
+
+	decoded, err := activeCipher.Decrypt(strings.TrimPrefix(rewritten, encryptedVcenterPasswordPrefix))
+	if err != nil {
+		t.Fatalf("rewritten ciphertext did not decrypt with active key: %v", err)
+	}
+	if string(decoded) != "legacy-prefixed-secret" {
+		t.Fatalf("unexpected rewritten decrypt value: %q", string(decoded))
+	}
+}
+
+func TestResolveVcenterPasswordShortPlaintextRejected(t *testing.T) {
+	logger := testLogger()
+	key := []byte("0123456789abcdef0123456789abcdef")
+	cipher := secrets.New(logger, key)
+
+	_, _, err := resolveVcenterPassword(logger, cipher, nil, "ab")
+	if err == nil {
+		t.Fatal("expected short plaintext error, got nil")
+	}
+	if !strings.Contains(err.Error(), "too short") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}