113 lines
3.6 KiB
Go
113 lines
3.6 KiB
Go
package main
|
|
|
|
import (
|
|
"io"
|
|
"log/slog"
|
|
"strings"
|
|
"testing"
|
|
"vctp/internal/secrets"
|
|
)
|
|
|
|
func testLogger() *slog.Logger {
|
|
return slog.New(slog.NewTextHandler(io.Discard, nil))
|
|
}
|
|
|
|
func mustEncrypt(t *testing.T, s *secrets.Secrets, plain string) string {
|
|
t.Helper()
|
|
enc, err := s.Encrypt([]byte(plain))
|
|
if err != nil {
|
|
t.Fatalf("encrypt failed: %v", err)
|
|
}
|
|
return enc
|
|
}
|
|
|
|
func TestResolveVcenterPasswordPlaintextRewrite(t *testing.T) {
|
|
logger := testLogger()
|
|
key := []byte("0123456789abcdef0123456789abcdef")
|
|
cipher := secrets.New(logger, key)
|
|
|
|
pass, rewritten, err := resolveVcenterPassword(logger, cipher, nil, "my-password")
|
|
if err != nil {
|
|
t.Fatalf("resolve failed: %v", err)
|
|
}
|
|
if string(pass) != "my-password" {
|
|
t.Fatalf("unexpected plaintext returned: %q", string(pass))
|
|
}
|
|
if !strings.HasPrefix(rewritten, encryptedVcenterPasswordPrefix) {
|
|
t.Fatalf("expected rewritten prefixed credential, got: %q", rewritten)
|
|
}
|
|
}
|
|
|
|
func TestResolveVcenterPasswordUnprefixedLegacyCiphertextRewrite(t *testing.T) {
|
|
logger := testLogger()
|
|
activeKey := []byte("0123456789abcdef0123456789abcdef")
|
|
legacyKey := []byte("abcdef0123456789abcdef0123456789")
|
|
activeCipher := secrets.New(logger, activeKey)
|
|
legacyCipher := secrets.New(logger, legacyKey)
|
|
|
|
legacyCiphertext := mustEncrypt(t, legacyCipher, "legacy-secret")
|
|
|
|
pass, rewritten, err := resolveVcenterPassword(logger, activeCipher, [][]byte{legacyKey}, legacyCiphertext)
|
|
if err != nil {
|
|
t.Fatalf("resolve failed: %v", err)
|
|
}
|
|
if string(pass) != "legacy-secret" {
|
|
t.Fatalf("unexpected plaintext returned: %q", string(pass))
|
|
}
|
|
if !strings.HasPrefix(rewritten, encryptedVcenterPasswordPrefix) {
|
|
t.Fatalf("expected rewritten prefixed credential, got: %q", rewritten)
|
|
}
|
|
|
|
decoded, err := activeCipher.Decrypt(strings.TrimPrefix(rewritten, encryptedVcenterPasswordPrefix))
|
|
if err != nil {
|
|
t.Fatalf("rewritten ciphertext did not decrypt with active key: %v", err)
|
|
}
|
|
if string(decoded) != "legacy-secret" {
|
|
t.Fatalf("unexpected rewritten decrypt value: %q", string(decoded))
|
|
}
|
|
}
|
|
|
|
func TestResolveVcenterPasswordPrefixedLegacyCiphertextRewrite(t *testing.T) {
|
|
logger := testLogger()
|
|
activeKey := []byte("0123456789abcdef0123456789abcdef")
|
|
legacyKey := []byte("abcdef0123456789abcdef0123456789")
|
|
activeCipher := secrets.New(logger, activeKey)
|
|
legacyCipher := secrets.New(logger, legacyKey)
|
|
|
|
legacyCiphertext := mustEncrypt(t, legacyCipher, "legacy-prefixed-secret")
|
|
raw := encryptedVcenterPasswordPrefix + legacyCiphertext
|
|
|
|
pass, rewritten, err := resolveVcenterPassword(logger, activeCipher, [][]byte{legacyKey}, raw)
|
|
if err != nil {
|
|
t.Fatalf("resolve failed: %v", err)
|
|
}
|
|
if string(pass) != "legacy-prefixed-secret" {
|
|
t.Fatalf("unexpected plaintext returned: %q", string(pass))
|
|
}
|
|
if !strings.HasPrefix(rewritten, encryptedVcenterPasswordPrefix) {
|
|
t.Fatalf("expected rewritten prefixed credential, got: %q", rewritten)
|
|
}
|
|
|
|
decoded, err := activeCipher.Decrypt(strings.TrimPrefix(rewritten, encryptedVcenterPasswordPrefix))
|
|
if err != nil {
|
|
t.Fatalf("rewritten ciphertext did not decrypt with active key: %v", err)
|
|
}
|
|
if string(decoded) != "legacy-prefixed-secret" {
|
|
t.Fatalf("unexpected rewritten decrypt value: %q", string(decoded))
|
|
}
|
|
}
|
|
|
|
func TestResolveVcenterPasswordShortPlaintextRejected(t *testing.T) {
|
|
logger := testLogger()
|
|
key := []byte("0123456789abcdef0123456789abcdef")
|
|
cipher := secrets.New(logger, key)
|
|
|
|
_, _, err := resolveVcenterPassword(logger, cipher, nil, "ab")
|
|
if err == nil {
|
|
t.Fatal("expected short plaintext error, got nil")
|
|
}
|
|
if !strings.Contains(err.Error(), "too short") {
|
|
t.Fatalf("unexpected error: %v", err)
|
|
}
|
|
}
|