fix: Update integration test script for new architecture - Update file checks to expect value.age instead of secret.age - Add debug output support with GODEBUG environment variable - Remove output redirections to show command execution and debug info - Fix test expectations to match per-secret key file structure
This commit is contained in:
parent
5ca657c104
commit
4b59d6fb82
@ -15,8 +15,12 @@ TEST_PASSPHRASE="test-passphrase-123"
|
||||
TEMP_DIR="$(mktemp -d)"
|
||||
SECRET_BINARY="./secret"
|
||||
|
||||
# Enable debug output from the secret program
|
||||
export GODEBUG="berlin.sneak.pkg.secret"
|
||||
|
||||
echo -e "${BLUE}=== Secret Manager Comprehensive Test Script ===${NC}"
|
||||
echo -e "${YELLOW}Using temporary directory: $TEMP_DIR${NC}"
|
||||
echo -e "${YELLOW}Debug output enabled: GODEBUG=$GODEBUG${NC}"
|
||||
|
||||
# Function to print test steps
|
||||
print_step() {
|
||||
@ -76,6 +80,7 @@ cleanup() {
|
||||
unset SB_SECRET_STATE_DIR
|
||||
unset SB_SECRET_MNEMONIC
|
||||
unset SB_UNLOCK_PASSPHRASE
|
||||
unset GODEBUG
|
||||
echo -e "${GREEN}Cleanup complete${NC}"
|
||||
}
|
||||
|
||||
@ -99,7 +104,8 @@ echo " SB_SECRET_MNEMONIC=$TEST_MNEMONIC"
|
||||
print_step "2" "Initializing secret manager (creates default vault)"
|
||||
# Set passphrase for init command only
|
||||
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
|
||||
if $SECRET_BINARY init > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY init"
|
||||
if $SECRET_BINARY init; then
|
||||
print_success "Secret manager initialized with default vault"
|
||||
else
|
||||
print_error "Failed to initialize secret manager"
|
||||
@ -119,7 +125,8 @@ print_step "3" "Testing vault management"
|
||||
|
||||
# List vaults (should show default)
|
||||
echo "Listing vaults..."
|
||||
if $SECRET_BINARY vault list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault list"
|
||||
if $SECRET_BINARY vault list; then
|
||||
VAULTS=$($SECRET_BINARY vault list)
|
||||
echo "Available vaults: $VAULTS"
|
||||
print_success "Listed vaults successfully"
|
||||
@ -129,7 +136,8 @@ fi
|
||||
|
||||
# Create a new vault
|
||||
echo "Creating new vault 'work'..."
|
||||
if $SECRET_BINARY vault create work > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create work"
|
||||
if $SECRET_BINARY vault create work; then
|
||||
print_success "Created vault 'work'"
|
||||
else
|
||||
print_error "Failed to create vault 'work'"
|
||||
@ -137,7 +145,8 @@ fi
|
||||
|
||||
# Create another vault
|
||||
echo "Creating new vault 'personal'..."
|
||||
if $SECRET_BINARY vault create personal > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create personal"
|
||||
if $SECRET_BINARY vault create personal; then
|
||||
print_success "Created vault 'personal'"
|
||||
else
|
||||
print_error "Failed to create vault 'personal'"
|
||||
@ -145,7 +154,8 @@ fi
|
||||
|
||||
# List vaults again (should show default, work, personal)
|
||||
echo "Listing vaults after creation..."
|
||||
if $SECRET_BINARY vault list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault list"
|
||||
if $SECRET_BINARY vault list; then
|
||||
VAULTS=$($SECRET_BINARY vault list)
|
||||
echo "Available vaults: $VAULTS"
|
||||
print_success "Listed vaults after creation"
|
||||
@ -155,7 +165,8 @@ fi
|
||||
|
||||
# Switch to work vault
|
||||
echo "Switching to 'work' vault..."
|
||||
if $SECRET_BINARY vault select work > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select work"
|
||||
if $SECRET_BINARY vault select work; then
|
||||
print_success "Switched to 'work' vault"
|
||||
else
|
||||
print_error "Failed to switch to 'work' vault"
|
||||
@ -170,7 +181,8 @@ reset_state
|
||||
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
|
||||
# Create a vault first
|
||||
if $SECRET_BINARY vault create test-vault > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create test-vault"
|
||||
if $SECRET_BINARY vault create test-vault; then
|
||||
print_success "Created test-vault for import testing"
|
||||
else
|
||||
print_error "Failed to create test-vault"
|
||||
@ -178,7 +190,8 @@ fi
|
||||
|
||||
# Import should prompt for passphrase
|
||||
echo "Importing with mnemonic env var set, should prompt for passphrase..."
|
||||
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY import test-vault > /dev/null 2>&1; then
|
||||
echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY vault import test-vault"
|
||||
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY vault import test-vault; then
|
||||
print_success "Import succeeded with mnemonic env var (prompted for passphrase)"
|
||||
else
|
||||
print_error "Import failed with mnemonic env var"
|
||||
@ -190,7 +203,8 @@ reset_state
|
||||
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
|
||||
|
||||
# Create a vault first
|
||||
if $SECRET_BINARY vault create test-vault2 > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create test-vault2"
|
||||
if $SECRET_BINARY vault create test-vault2; then
|
||||
print_success "Created test-vault2 for import testing"
|
||||
else
|
||||
print_error "Failed to create test-vault2"
|
||||
@ -198,7 +212,8 @@ fi
|
||||
|
||||
# Import should prompt for mnemonic
|
||||
echo "Importing with passphrase env var set, should prompt for mnemonic..."
|
||||
if echo "$TEST_MNEMONIC" | $SECRET_BINARY import test-vault2 > /dev/null 2>&1; then
|
||||
echo "Running: echo \"$TEST_MNEMONIC\" | $SECRET_BINARY vault import test-vault2"
|
||||
if echo "$TEST_MNEMONIC" | $SECRET_BINARY vault import test-vault2; then
|
||||
print_success "Import succeeded with passphrase env var (prompted for mnemonic)"
|
||||
else
|
||||
print_error "Import failed with passphrase env var"
|
||||
@ -211,7 +226,8 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
|
||||
|
||||
# Create a vault first
|
||||
if $SECRET_BINARY vault create test-vault3 > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create test-vault3"
|
||||
if $SECRET_BINARY vault create test-vault3; then
|
||||
print_success "Created test-vault3 for import testing"
|
||||
else
|
||||
print_error "Failed to create test-vault3"
|
||||
@ -219,7 +235,8 @@ fi
|
||||
|
||||
# Import should not prompt for anything
|
||||
echo "Importing with both env vars set, should not prompt..."
|
||||
if $SECRET_BINARY import test-vault3 > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault import test-vault3"
|
||||
if $SECRET_BINARY vault import test-vault3; then
|
||||
print_success "Import succeeded with both env vars (no prompts)"
|
||||
else
|
||||
print_error "Import failed with both env vars"
|
||||
@ -230,7 +247,8 @@ echo -e "\n${YELLOW}Test 4d: Import with neither SB_SECRET_MNEMONIC nor SB_UNLOC
|
||||
reset_state
|
||||
|
||||
# Create a vault first
|
||||
if $SECRET_BINARY vault create test-vault4 > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create test-vault4"
|
||||
if $SECRET_BINARY vault create test-vault4; then
|
||||
print_success "Created test-vault4 for import testing"
|
||||
else
|
||||
print_error "Failed to create test-vault4"
|
||||
@ -239,7 +257,7 @@ fi
|
||||
# Import should prompt for both mnemonic and passphrase
|
||||
echo "Importing with neither env var set, should prompt for both..."
|
||||
if expect -c "
|
||||
spawn $SECRET_BINARY import test-vault4
|
||||
spawn $SECRET_BINARY vault import test-vault4
|
||||
expect \"Enter your BIP39 mnemonic phrase:\"
|
||||
send \"$TEST_MNEMONIC\n\"
|
||||
expect \"Enter passphrase for unlock key:\"
|
||||
@ -247,7 +265,7 @@ if expect -c "
|
||||
expect \"Confirm passphrase:\"
|
||||
send \"$TEST_PASSPHRASE\n\"
|
||||
expect eof
|
||||
" > /dev/null 2>&1; then
|
||||
"; then
|
||||
print_success "Import succeeded with no env vars (prompted for both)"
|
||||
else
|
||||
print_error "Import failed with no env vars"
|
||||
@ -260,7 +278,7 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
|
||||
|
||||
echo "Importing into non-existent vault (should fail)..."
|
||||
if $SECRET_BINARY import nonexistent-vault > /dev/null 2>&1; then
|
||||
if $SECRET_BINARY vault import nonexistent-vault; then
|
||||
print_error "Import should have failed for non-existent vault"
|
||||
else
|
||||
print_success "Import correctly failed for non-existent vault"
|
||||
@ -273,14 +291,15 @@ export SB_SECRET_MNEMONIC="invalid mnemonic phrase that should not work"
|
||||
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
|
||||
|
||||
# Create a vault first
|
||||
if $SECRET_BINARY vault create test-vault5 > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create test-vault5"
|
||||
if $SECRET_BINARY vault create test-vault5; then
|
||||
print_success "Created test-vault5 for invalid mnemonic testing"
|
||||
else
|
||||
print_error "Failed to create test-vault5"
|
||||
fi
|
||||
|
||||
echo "Importing with invalid mnemonic (should fail)..."
|
||||
if $SECRET_BINARY import test-vault5 > /dev/null 2>&1; then
|
||||
if $SECRET_BINARY vault import test-vault5; then
|
||||
print_error "Import should have failed with invalid mnemonic"
|
||||
else
|
||||
print_success "Import correctly failed with invalid mnemonic"
|
||||
@ -294,14 +313,15 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
print_step "5" "Testing original import functionality"
|
||||
|
||||
# Initialize to create default vault
|
||||
if (echo "$TEST_PASSPHRASE"; echo "$TEST_PASSPHRASE") | $SECRET_BINARY init > /dev/null 2>&1; then
|
||||
if (echo "$TEST_PASSPHRASE"; echo "$TEST_PASSPHRASE") | $SECRET_BINARY init; then
|
||||
print_success "Initialized for Step 5 testing"
|
||||
else
|
||||
print_error "Failed to initialize for Step 5 testing"
|
||||
fi
|
||||
|
||||
# Create work vault for import testing
|
||||
if $SECRET_BINARY vault create work > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create work"
|
||||
if $SECRET_BINARY vault create work; then
|
||||
print_success "Created work vault for import testing"
|
||||
else
|
||||
print_error "Failed to create work vault"
|
||||
@ -309,7 +329,8 @@ fi
|
||||
|
||||
# Switch to work vault
|
||||
echo "Switching to 'work' vault..."
|
||||
if $SECRET_BINARY vault select work > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select work"
|
||||
if $SECRET_BINARY vault select work; then
|
||||
print_success "Switched to 'work' vault"
|
||||
else
|
||||
print_error "Failed to switch to 'work' vault"
|
||||
@ -319,7 +340,8 @@ fi
|
||||
echo "Importing mnemonic into 'work' vault..."
|
||||
# Set passphrase for import command only
|
||||
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
|
||||
if $SECRET_BINARY import work > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault import work"
|
||||
if $SECRET_BINARY vault import work; then
|
||||
print_success "Imported mnemonic into 'work' vault"
|
||||
else
|
||||
print_error "Failed to import mnemonic into 'work' vault"
|
||||
@ -329,7 +351,8 @@ unset SB_UNLOCK_PASSPHRASE
|
||||
|
||||
# Switch back to default vault
|
||||
echo "Switching back to 'default' vault..."
|
||||
if $SECRET_BINARY vault select default > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select default"
|
||||
if $SECRET_BINARY vault select default; then
|
||||
print_success "Switched back to 'default' vault"
|
||||
else
|
||||
print_error "Failed to switch back to 'default' vault"
|
||||
@ -341,7 +364,8 @@ print_step "6" "Testing unlock key management"
|
||||
# Create passphrase-protected unlock key
|
||||
echo "Creating passphrase-protected unlock key..."
|
||||
# Note: This test uses stdin input instead of environment variable to test the traditional approach
|
||||
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then
|
||||
echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY keys add passphrase"
|
||||
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY keys add passphrase; then
|
||||
print_success "Created passphrase-protected unlock key"
|
||||
else
|
||||
print_error "Failed to create passphrase-protected unlock key"
|
||||
@ -349,7 +373,8 @@ fi
|
||||
|
||||
# List unlock keys
|
||||
echo "Listing unlock keys..."
|
||||
if $SECRET_BINARY keys list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY keys list"
|
||||
if $SECRET_BINARY keys list; then
|
||||
KEYS=$($SECRET_BINARY keys list)
|
||||
echo "Available unlock keys: $KEYS"
|
||||
print_success "Listed unlock keys"
|
||||
@ -364,28 +389,32 @@ print_step "7" "Testing mnemonic-based secret operations (keyless)"
|
||||
echo "Adding secrets using mnemonic-based long-term key..."
|
||||
|
||||
# Test secret 1
|
||||
if echo "my-super-secret-password" | $SECRET_BINARY add "database/password" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"my-super-secret-password\" | $SECRET_BINARY add \"database/password\""
|
||||
if echo "my-super-secret-password" | $SECRET_BINARY add "database/password"; then
|
||||
print_success "Added secret: database/password"
|
||||
else
|
||||
print_error "Failed to add secret: database/password"
|
||||
fi
|
||||
|
||||
# Test secret 2
|
||||
if echo "api-key-12345" | $SECRET_BINARY add "api/key" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"api-key-12345\" | $SECRET_BINARY add \"api/key\""
|
||||
if echo "api-key-12345" | $SECRET_BINARY add "api/key"; then
|
||||
print_success "Added secret: api/key"
|
||||
else
|
||||
print_error "Failed to add secret: api/key"
|
||||
fi
|
||||
|
||||
# Test secret 3 (with path)
|
||||
if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"ssh-private-key-content\" | $SECRET_BINARY add \"ssh/private-key\""
|
||||
if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key"; then
|
||||
print_success "Added secret: ssh/private-key"
|
||||
else
|
||||
print_error "Failed to add secret: ssh/private-key"
|
||||
fi
|
||||
|
||||
# Test secret 4 (with dots and underscores)
|
||||
if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"jwt-secret-token\" | $SECRET_BINARY add \"app.config_jwt_secret\""
|
||||
if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret"; then
|
||||
print_success "Added secret: app.config_jwt_secret"
|
||||
else
|
||||
print_error "Failed to add secret: app.config_jwt_secret"
|
||||
@ -420,7 +449,8 @@ fi
|
||||
|
||||
# List all secrets
|
||||
echo "Listing all secrets..."
|
||||
if $SECRET_BINARY list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY list"
|
||||
if $SECRET_BINARY list; then
|
||||
SECRETS=$($SECRET_BINARY list)
|
||||
echo "Secrets in current vault:"
|
||||
echo "$SECRETS" | while read -r secret; do
|
||||
@ -439,20 +469,25 @@ unset SB_SECRET_MNEMONIC
|
||||
|
||||
# Add a secret using traditional unlock key approach
|
||||
echo "Adding secret using traditional unlock key..."
|
||||
if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"traditional-secret-value\" | $SECRET_BINARY add \"traditional/secret\""
|
||||
if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret"; then
|
||||
print_success "Added secret using traditional approach: traditional/secret"
|
||||
else
|
||||
print_error "Failed to add secret using traditional approach"
|
||||
fi
|
||||
|
||||
# Retrieve secret using traditional unlock key approach
|
||||
RETRIEVED_TRADITIONAL=$($SECRET_BINARY get "traditional/secret" 2>/dev/null)
|
||||
echo "Retrieving secret using traditional unlock key approach..."
|
||||
RETRIEVED_TRADITIONAL=$(echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "traditional/secret" 2>/dev/null)
|
||||
if [ "$RETRIEVED_TRADITIONAL" = "traditional-secret-value" ]; then
|
||||
print_success "Retrieved and verified traditional secret: traditional/secret"
|
||||
else
|
||||
print_error "Failed to retrieve or verify traditional secret"
|
||||
fi
|
||||
|
||||
# Re-enable mnemonic for remaining tests
|
||||
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
|
||||
# Test 9: Advanced unlock key management
|
||||
print_step "9" "Testing advanced unlock key management"
|
||||
|
||||
@ -463,7 +498,8 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
echo "Testing PGP unlock key creation..."
|
||||
if command -v gpg >/dev/null 2>&1; then
|
||||
# This would require a GPG key ID - for testing we'll just check the command exists
|
||||
if $SECRET_BINARY keys add pgp --help > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY keys add pgp --help"
|
||||
if $SECRET_BINARY keys add pgp --help; then
|
||||
print_success "PGP unlock key command available"
|
||||
else
|
||||
print_warning "PGP unlock key command not yet implemented"
|
||||
@ -475,7 +511,8 @@ fi
|
||||
# Test Secure Enclave (macOS only)
|
||||
if [[ "$OSTYPE" == "darwin"* ]]; then
|
||||
echo "Testing Secure Enclave unlock key creation..."
|
||||
if $SECRET_BINARY enroll sep > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY enroll sep"
|
||||
if $SECRET_BINARY enroll sep; then
|
||||
print_success "Created Secure Enclave unlock key"
|
||||
else
|
||||
print_warning "Secure Enclave unlock key creation not yet implemented"
|
||||
@ -486,14 +523,16 @@ fi
|
||||
|
||||
# Get current unlock key ID for testing
|
||||
echo "Getting current unlock key for testing..."
|
||||
if $SECRET_BINARY keys list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY keys list"
|
||||
if $SECRET_BINARY keys list; then
|
||||
CURRENT_KEY_ID=$($SECRET_BINARY keys list | head -n1 | awk '{print $1}')
|
||||
if [ -n "$CURRENT_KEY_ID" ]; then
|
||||
print_success "Found unlock key ID: $CURRENT_KEY_ID"
|
||||
|
||||
# Test key selection
|
||||
echo "Testing unlock key selection..."
|
||||
if $SECRET_BINARY key select "$CURRENT_KEY_ID" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY key select $CURRENT_KEY_ID"
|
||||
if $SECRET_BINARY key select "$CURRENT_KEY_ID"; then
|
||||
print_success "Selected unlock key: $CURRENT_KEY_ID"
|
||||
else
|
||||
print_warning "Unlock key selection not yet implemented"
|
||||
@ -507,7 +546,8 @@ print_step "10" "Testing secret name validation and edge cases"
|
||||
# Test valid names
|
||||
VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths")
|
||||
for name in "${VALID_NAMES[@]}"; do
|
||||
if echo "test-value" | $SECRET_BINARY add "$name" --force > /dev/null 2>&1; then
|
||||
echo "Running: echo \"test-value\" | $SECRET_BINARY add $name --force"
|
||||
if echo "test-value" | $SECRET_BINARY add "$name" --force; then
|
||||
print_success "Valid name accepted: $name"
|
||||
else
|
||||
print_error "Valid name rejected: $name"
|
||||
@ -518,7 +558,8 @@ done
|
||||
echo "Testing invalid names (should fail)..."
|
||||
INVALID_NAMES=("Invalid-Name" "invalid name" "invalid@name" "invalid#name" "invalid%name" "")
|
||||
for name in "${INVALID_NAMES[@]}"; do
|
||||
if echo "test-value" | $SECRET_BINARY add "$name" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"test-value\" | $SECRET_BINARY add $name"
|
||||
if echo "test-value" | $SECRET_BINARY add "$name"; then
|
||||
print_error "Invalid name accepted (should have been rejected): '$name'"
|
||||
else
|
||||
print_success "Invalid name correctly rejected: '$name'"
|
||||
@ -529,14 +570,16 @@ done
|
||||
print_step "11" "Testing overwrite protection and force flag"
|
||||
|
||||
# Try to add existing secret without --force (should fail)
|
||||
if echo "new-value" | $SECRET_BINARY add "database/password" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"new-value\" | $SECRET_BINARY add \"database/password\""
|
||||
if echo "new-value" | $SECRET_BINARY add "database/password"; then
|
||||
print_error "Overwrite protection failed - secret was overwritten without --force"
|
||||
else
|
||||
print_success "Overwrite protection working - secret not overwritten without --force"
|
||||
fi
|
||||
|
||||
# Try to add existing secret with --force (should succeed)
|
||||
if echo "new-password-value" | $SECRET_BINARY add "database/password" --force > /dev/null 2>&1; then
|
||||
echo "Running: echo \"new-password-value\" | $SECRET_BINARY add \"database/password\" --force"
|
||||
if echo "new-password-value" | $SECRET_BINARY add "database/password" --force; then
|
||||
print_success "Force overwrite working - secret overwritten with --force"
|
||||
|
||||
# Verify the new value
|
||||
@ -555,18 +598,21 @@ print_step "12" "Testing cross-vault operations"
|
||||
|
||||
# Switch to work vault and add secrets there
|
||||
echo "Switching to 'work' vault for cross-vault testing..."
|
||||
if $SECRET_BINARY vault select work > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select work"
|
||||
if $SECRET_BINARY vault select work; then
|
||||
print_success "Switched to 'work' vault"
|
||||
|
||||
# Add work-specific secrets
|
||||
if echo "work-database-password" | $SECRET_BINARY add "work/database" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"work-database-password\" | $SECRET_BINARY add \"work/database\""
|
||||
if echo "work-database-password" | $SECRET_BINARY add "work/database"; then
|
||||
print_success "Added work-specific secret"
|
||||
else
|
||||
print_error "Failed to add work-specific secret"
|
||||
fi
|
||||
|
||||
# List secrets in work vault
|
||||
if $SECRET_BINARY list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY list"
|
||||
if $SECRET_BINARY list; then
|
||||
WORK_SECRETS=$($SECRET_BINARY list)
|
||||
echo "Secrets in work vault: $WORK_SECRETS"
|
||||
print_success "Listed work vault secrets"
|
||||
@ -579,11 +625,13 @@ fi
|
||||
|
||||
# Switch back to default vault
|
||||
echo "Switching back to 'default' vault..."
|
||||
if $SECRET_BINARY vault select default > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select default"
|
||||
if $SECRET_BINARY vault select default; then
|
||||
print_success "Switched back to 'default' vault"
|
||||
|
||||
# Verify default vault secrets are still there
|
||||
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"database/password\""
|
||||
if $SECRET_BINARY get "database/password"; then
|
||||
print_success "Default vault secrets still accessible"
|
||||
else
|
||||
print_error "Default vault secrets not accessible"
|
||||
@ -645,15 +693,17 @@ fi
|
||||
print_step "14" "Testing environment variable error handling"
|
||||
|
||||
# Test with non-existent state directory
|
||||
export SB_SECRET_STATE_DIR="/nonexistent/directory"
|
||||
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then
|
||||
export SB_SECRET_STATE_DIR="$TEMP_DIR/nonexistent/directory"
|
||||
echo "Running: $SECRET_BINARY get \"database/password\""
|
||||
if $SECRET_BINARY get "database/password"; then
|
||||
print_error "Should have failed with non-existent state directory"
|
||||
else
|
||||
print_success "Correctly failed with non-existent state directory"
|
||||
fi
|
||||
|
||||
# Test init with non-existent directory (should work)
|
||||
if $SECRET_BINARY init > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY init"
|
||||
if $SECRET_BINARY init; then
|
||||
print_success "Init works with non-existent state directory"
|
||||
else
|
||||
print_error "Init should work with non-existent state directory"
|
||||
@ -671,15 +721,18 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
# Create another unlock key for testing removal
|
||||
echo "Creating additional unlock key for removal testing..."
|
||||
# Use stdin input instead of environment variable
|
||||
if echo "another-passphrase" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then
|
||||
echo "Running: echo \"another-passphrase\" | $SECRET_BINARY keys add passphrase"
|
||||
if echo "another-passphrase" | $SECRET_BINARY keys add passphrase; then
|
||||
print_success "Created additional unlock key"
|
||||
|
||||
# Get the key ID and try to remove it
|
||||
if $SECRET_BINARY keys list > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY keys list"
|
||||
if $SECRET_BINARY keys list; then
|
||||
KEY_TO_REMOVE=$($SECRET_BINARY keys list | tail -n1 | awk '{print $1}')
|
||||
if [ -n "$KEY_TO_REMOVE" ]; then
|
||||
echo "Attempting to remove unlock key: $KEY_TO_REMOVE"
|
||||
if $SECRET_BINARY keys rm "$KEY_TO_REMOVE" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY keys rm $KEY_TO_REMOVE"
|
||||
if $SECRET_BINARY keys rm "$KEY_TO_REMOVE"; then
|
||||
print_success "Removed unlock key: $KEY_TO_REMOVE"
|
||||
else
|
||||
print_warning "Unlock key removal not yet implemented"
|
||||
@ -703,7 +756,9 @@ fi
|
||||
|
||||
# Test without mnemonic but with unlock key
|
||||
unset SB_SECRET_MNEMONIC
|
||||
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then
|
||||
echo "Testing traditional unlock key access to mnemonic-created secrets..."
|
||||
echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY get \"database/password\""
|
||||
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "database/password"; then
|
||||
print_success "Traditional unlock key can access mnemonic-created secrets"
|
||||
else
|
||||
print_warning "Traditional unlock key cannot access mnemonic-created secrets (may need implementation)"
|
||||
@ -717,11 +772,13 @@ print_step "17" "Testing refactored architecture - separation of concerns"
|
||||
|
||||
echo "Testing that secrets handle their own data access..."
|
||||
# Create a test secret first
|
||||
if echo "test-self-access" | $SECRET_BINARY add "test/self-access" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"test-self-access\" | $SECRET_BINARY add \"test/self-access\""
|
||||
if echo "test-self-access" | $SECRET_BINARY add "test/self-access"; then
|
||||
print_success "Created test secret for self-access testing"
|
||||
|
||||
# Try to retrieve it (this tests that Secret.GetEncryptedData() works)
|
||||
if $SECRET_BINARY get "test/self-access" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"test/self-access\""
|
||||
if $SECRET_BINARY get "test/self-access"; then
|
||||
print_success "Secret correctly handles its own data access"
|
||||
else
|
||||
print_error "Secret failed to handle its own data access"
|
||||
@ -733,7 +790,8 @@ fi
|
||||
echo "Testing unlock key delegation pattern..."
|
||||
# Test that vault delegates to unlock keys for decryption
|
||||
# This is tested implicitly by all our secret retrieval operations
|
||||
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"database/password\""
|
||||
if $SECRET_BINARY get "database/password"; then
|
||||
print_success "Vault correctly delegates to unlock keys for decryption"
|
||||
else
|
||||
print_error "Vault delegation pattern failed"
|
||||
@ -746,12 +804,15 @@ echo "Verifying all unlock key types implement required methods..."
|
||||
|
||||
# Create different types of unlock keys to test interface compliance
|
||||
echo "Testing PassphraseUnlockKey interface compliance..."
|
||||
if echo "interface-test-pass" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then
|
||||
echo "Running: echo \"interface-test-pass\" | $SECRET_BINARY keys add passphrase"
|
||||
if echo "interface-test-pass" | $SECRET_BINARY keys add passphrase; then
|
||||
print_success "PassphraseUnlockKey created successfully"
|
||||
|
||||
# Test that we can use it (this verifies GetIdentity and DecryptSecret work)
|
||||
if echo "interface-test-secret" | $SECRET_BINARY add "interface/test" > /dev/null 2>&1; then
|
||||
if $SECRET_BINARY get "interface/test" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"interface-test-secret\" | $SECRET_BINARY add \"interface/test\""
|
||||
if echo "interface-test-secret" | $SECRET_BINARY add "interface/test"; then
|
||||
echo "Running: $SECRET_BINARY get \"interface/test\""
|
||||
if $SECRET_BINARY get "interface/test"; then
|
||||
print_success "PassphraseUnlockKey interface methods working"
|
||||
else
|
||||
print_error "PassphraseUnlockKey interface methods failed"
|
||||
@ -766,12 +827,15 @@ fi
|
||||
# Test Secure Enclave on macOS (if available)
|
||||
if [[ "$OSTYPE" == "darwin"* ]]; then
|
||||
echo "Testing SEPUnlockKey interface compliance on macOS..."
|
||||
if $SECRET_BINARY enroll sep > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY enroll sep"
|
||||
if $SECRET_BINARY enroll sep; then
|
||||
print_success "SEPUnlockKey created successfully"
|
||||
|
||||
# Test that we can use it
|
||||
if echo "sep-test-secret" | $SECRET_BINARY add "sep/test" > /dev/null 2>&1; then
|
||||
if $SECRET_BINARY get "sep/test" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"sep-test-secret\" | $SECRET_BINARY add \"sep/test\""
|
||||
if echo "sep-test-secret" | $SECRET_BINARY add "sep/test"; then
|
||||
echo "Running: $SECRET_BINARY get \"sep/test\""
|
||||
if $SECRET_BINARY get "sep/test"; then
|
||||
print_success "SEPUnlockKey interface methods working"
|
||||
else
|
||||
print_error "SEPUnlockKey interface methods failed"
|
||||
@ -787,36 +851,40 @@ else
|
||||
fi
|
||||
|
||||
# Test 19: Long-term Key Management Separation
|
||||
print_step "19" "Testing long-term key management separation"
|
||||
print_step "19" "Testing long-term key access via different unlock key types"
|
||||
|
||||
echo "Testing that unlock keys manage their own long-term keys..."
|
||||
echo "Testing that different unlock key types can access the same long-term key..."
|
||||
|
||||
# Switch between different unlock methods to verify each handles its own long-term keys
|
||||
echo "Testing mnemonic-based long-term key management..."
|
||||
# Switch between different unlock methods to verify each can access the long-term key
|
||||
echo "Testing mnemonic-based long-term key access..."
|
||||
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
if echo "mnemonic-longterm-test" | $SECRET_BINARY add "longterm/mnemonic" > /dev/null 2>&1; then
|
||||
if $SECRET_BINARY get "longterm/mnemonic" > /dev/null 2>&1; then
|
||||
print_success "Mnemonic-based long-term key management working"
|
||||
echo "Running: echo \"mnemonic-longterm-test\" | $SECRET_BINARY add \"longterm/mnemonic\""
|
||||
if echo "mnemonic-longterm-test" | $SECRET_BINARY add "longterm/mnemonic"; then
|
||||
echo "Running: $SECRET_BINARY get \"longterm/mnemonic\""
|
||||
if $SECRET_BINARY get "longterm/mnemonic"; then
|
||||
print_success "Mnemonic-based long-term key access working"
|
||||
else
|
||||
print_error "Mnemonic-based long-term key management failed"
|
||||
print_error "Mnemonic-based long-term key access failed"
|
||||
fi
|
||||
else
|
||||
print_error "Failed to test mnemonic-based long-term key management"
|
||||
print_error "Failed to test mnemonic-based long-term key access"
|
||||
fi
|
||||
|
||||
echo "Testing passphrase-based long-term key management..."
|
||||
echo "Testing passphrase unlock key accessing long-term key..."
|
||||
unset SB_SECRET_MNEMONIC
|
||||
if echo "passphrase-longterm-test" | $SECRET_BINARY add "longterm/passphrase" > /dev/null 2>&1; then
|
||||
if $SECRET_BINARY get "longterm/passphrase" > /dev/null 2>&1; then
|
||||
print_success "Passphrase-based long-term key management working"
|
||||
echo "Running: echo \"passphrase-unlock-test\" | $SECRET_BINARY add \"longterm/passphrase-unlock\""
|
||||
if echo "passphrase-unlock-test" | $SECRET_BINARY add "longterm/passphrase-unlock"; then
|
||||
echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY get \"longterm/passphrase-unlock\""
|
||||
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "longterm/passphrase-unlock"; then
|
||||
print_success "Passphrase unlock key accessing long-term key working"
|
||||
else
|
||||
print_error "Passphrase-based long-term key management failed"
|
||||
print_error "Passphrase unlock key accessing long-term key failed"
|
||||
fi
|
||||
else
|
||||
print_error "Failed to test passphrase-based long-term key management"
|
||||
print_error "Failed to test passphrase unlock key accessing long-term key"
|
||||
fi
|
||||
|
||||
# Re-enable mnemonic
|
||||
# Re-enable mnemonic for remaining tests
|
||||
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
|
||||
|
||||
# Test 20: Directory Structure and File Access Patterns
|
||||
@ -826,7 +894,8 @@ echo "Verifying secrets access their own directory structure..."
|
||||
|
||||
# Check that secret directories contain the expected structure
|
||||
SECRET_NAME="structure/test"
|
||||
if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"structure-test-value\" | $SECRET_BINARY add $SECRET_NAME"
|
||||
if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME"; then
|
||||
print_success "Created secret for structure testing"
|
||||
|
||||
# Convert secret name to directory name (URL encoding)
|
||||
@ -837,7 +906,8 @@ if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME" > /dev/null 2
|
||||
print_success "Secret directory structure created correctly"
|
||||
|
||||
# Verify secret can access its own encrypted data
|
||||
if $SECRET_BINARY get "$SECRET_NAME" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get $SECRET_NAME"
|
||||
if $SECRET_BINARY get "$SECRET_NAME"; then
|
||||
print_success "Secret correctly accesses its own encrypted data"
|
||||
else
|
||||
print_error "Secret failed to access its own encrypted data"
|
||||
@ -886,7 +956,8 @@ print_step "21" "Testing error handling in refactored architecture"
|
||||
echo "Testing secret error handling..."
|
||||
|
||||
# Test non-existent secret
|
||||
if $SECRET_BINARY get "nonexistent/secret" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"nonexistent/secret\""
|
||||
if $SECRET_BINARY get "nonexistent/secret"; then
|
||||
print_error "Should have failed for non-existent secret"
|
||||
else
|
||||
print_success "Correctly handled non-existent secret"
|
||||
@ -904,7 +975,8 @@ if [ -d "$FIRST_KEY_DIR" ] && [ -f "$FIRST_KEY_DIR/priv.age" ]; then
|
||||
# Temporarily disable mnemonic to force unlock key usage
|
||||
unset SB_SECRET_MNEMONIC
|
||||
|
||||
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"database/password\""
|
||||
if $SECRET_BINARY get "database/password"; then
|
||||
print_warning "Expected failure with corrupted unlock key, but succeeded (may have fallback)"
|
||||
else
|
||||
print_success "Correctly handled corrupted unlock key"
|
||||
@ -925,27 +997,33 @@ print_step "22" "Testing cross-component integration"
|
||||
echo "Testing vault-secret-unlock key integration..."
|
||||
|
||||
# Create a secret in one vault, switch vaults, create another secret, switch back
|
||||
if $SECRET_BINARY vault create integration-test > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault create integration-test"
|
||||
if $SECRET_BINARY vault create integration-test; then
|
||||
print_success "Created integration test vault"
|
||||
|
||||
# Add secret to default vault
|
||||
if echo "default-vault-secret" | $SECRET_BINARY add "integration/default" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"default-vault-secret\" | $SECRET_BINARY add \"integration/default\""
|
||||
if echo "default-vault-secret" | $SECRET_BINARY add "integration/default"; then
|
||||
print_success "Added secret to default vault"
|
||||
|
||||
# Switch to integration-test vault
|
||||
if $SECRET_BINARY vault select integration-test > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select integration-test"
|
||||
if $SECRET_BINARY vault select integration-test; then
|
||||
print_success "Switched to integration-test vault"
|
||||
|
||||
# Create unlock key in new vault
|
||||
if echo "integration-passphrase" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then
|
||||
echo "Running: echo \"integration-passphrase\" | $SECRET_BINARY keys add passphrase"
|
||||
if echo "integration-passphrase" | $SECRET_BINARY keys add passphrase; then
|
||||
print_success "Created unlock key in integration-test vault"
|
||||
|
||||
# Add secret to integration-test vault
|
||||
if echo "integration-vault-secret" | $SECRET_BINARY add "integration/test" > /dev/null 2>&1; then
|
||||
echo "Running: echo \"integration-vault-secret\" | $SECRET_BINARY add \"integration/test\""
|
||||
if echo "integration-vault-secret" | $SECRET_BINARY add "integration/test"; then
|
||||
print_success "Added secret to integration-test vault"
|
||||
|
||||
# Verify secret retrieval works
|
||||
if $SECRET_BINARY get "integration/test" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"integration/test\""
|
||||
if $SECRET_BINARY get "integration/test"; then
|
||||
print_success "Cross-component integration working"
|
||||
else
|
||||
print_error "Cross-component integration failed"
|
||||
@ -958,11 +1036,13 @@ if $SECRET_BINARY vault create integration-test > /dev/null 2>&1; then
|
||||
fi
|
||||
|
||||
# Switch back to default vault
|
||||
if $SECRET_BINARY vault select default > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY vault select default"
|
||||
if $SECRET_BINARY vault select default; then
|
||||
print_success "Switched back to default vault"
|
||||
|
||||
# Verify we can still access default vault secrets
|
||||
if $SECRET_BINARY get "integration/default" > /dev/null 2>&1; then
|
||||
echo "Running: $SECRET_BINARY get \"integration/default\""
|
||||
if $SECRET_BINARY get "integration/default"; then
|
||||
print_success "Can still access default vault secrets"
|
||||
else
|
||||
print_error "Cannot access default vault secrets after switching"
|
||||
@ -999,7 +1079,7 @@ echo -e "${GREEN}✓ Mixed approach compatibility${NC}"
|
||||
echo -e "${GREEN}✓ Error handling${NC}"
|
||||
echo -e "${GREEN}✓ Refactored architecture - separation of concerns${NC}"
|
||||
echo -e "${GREEN}✓ Interface method compliance${NC}"
|
||||
echo -e "${GREEN}✓ Long-term key management separation${NC}"
|
||||
echo -e "${GREEN}✓ Long-term key access via different unlock key types${NC}"
|
||||
echo -e "${GREEN}✓ Directory structure and file access patterns${NC}"
|
||||
echo -e "${GREEN}✓ Error handling in refactored architecture${NC}"
|
||||
echo -e "${GREEN}✓ Cross-component integration${NC}"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user