vctp2/internal/settings/settings_redaction_test.go

package settings

import (
	"bytes"
	"log/slog"
	"os"
	"path/filepath"
	"strings"
	"testing"
)

func TestRedactDatabaseURL_PostgresURI(t *testing.T) {
	input := "postgres://vctp_user:Secr3tP%40ss@db-host:5432/vctp?sslmode=disable"
	got := redactDatabaseURL(input)
	want := "postgres://vctp_user:REDACTED@db-host:5432/vctp?sslmode=disable"
	if got != want {
		t.Fatalf("unexpected redaction result\nwant: %s\ngot:  %s", want, got)
	}
}

func TestRedactDatabaseURL_PostgresKeyValue(t *testing.T) {
	input := "host=db-host port=5432 dbname=vctp user=vctp_user password='P@ss:w0rd#%' sslmode=disable"
	got := redactDatabaseURL(input)
	want := "host=db-host port=5432 dbname=vctp user=vctp_user password=REDACTED sslmode=disable"
	if got != want {
		t.Fatalf("unexpected redaction result\nwant: %s\ngot:  %s", want, got)
	}
}

func TestRedactDatabaseURL_UnchangedWhenNoPassword(t *testing.T) {
	input := "host=db-host port=5432 dbname=vctp user=vctp_user sslmode=disable"
	got := redactDatabaseURL(input)
	if got != input {
		t.Fatalf("expected input to remain unchanged\nwant: %s\ngot:  %s", input, got)
	}
}

func TestReadYMLSettingsRedactsAuthJWTSigningKey(t *testing.T) {
	tmpDir := t.TempDir()
	settingsPath := filepath.Join(tmpDir, "vctp.yml")
	content := `settings:
  auth_jwt_signing_key: "c2VjcmV0"
`
	if err := os.WriteFile(settingsPath, []byte(content), 0o600); err != nil {
		t.Fatalf("failed to write settings file: %v", err)
	}

	var output bytes.Buffer
	logger := slog.New(slog.NewTextHandler(&output, &slog.HandlerOptions{Level: slog.LevelDebug}))
	s := New(logger, settingsPath)
	if err := s.ReadYMLSettings(); err != nil {
		t.Fatalf("expected settings to load, got error: %v", err)
	}

	logged := output.String()
	if strings.Contains(logged, "c2VjcmV0") {
		t.Fatalf("expected auth_jwt_signing_key to be redacted in logs, got log output: %s", logged)
	}
	if !strings.Contains(logged, "REDACTED") {
		t.Fatalf("expected redacted marker in logs, got log output: %s", logged)
	}
}