diff --git a/test_secret_manager.sh b/test_secret_manager.sh index 7089b9b..3369470 100755 --- a/test_secret_manager.sh +++ b/test_secret_manager.sh @@ -15,8 +15,12 @@ TEST_PASSPHRASE="test-passphrase-123" TEMP_DIR="$(mktemp -d)" SECRET_BINARY="./secret" +# Enable debug output from the secret program +export GODEBUG="berlin.sneak.pkg.secret" + echo -e "${BLUE}=== Secret Manager Comprehensive Test Script ===${NC}" echo -e "${YELLOW}Using temporary directory: $TEMP_DIR${NC}" +echo -e "${YELLOW}Debug output enabled: GODEBUG=$GODEBUG${NC}" # Function to print test steps print_step() { @@ -76,6 +80,7 @@ cleanup() { unset SB_SECRET_STATE_DIR unset SB_SECRET_MNEMONIC unset SB_UNLOCK_PASSPHRASE + unset GODEBUG echo -e "${GREEN}Cleanup complete${NC}" } @@ -99,7 +104,8 @@ echo " SB_SECRET_MNEMONIC=$TEST_MNEMONIC" print_step "2" "Initializing secret manager (creates default vault)" # Set passphrase for init command only export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" -if $SECRET_BINARY init > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY init" +if $SECRET_BINARY init; then print_success "Secret manager initialized with default vault" else print_error "Failed to initialize secret manager" @@ -119,7 +125,8 @@ print_step "3" "Testing vault management" # List vaults (should show default) echo "Listing vaults..." -if $SECRET_BINARY vault list > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault list" +if $SECRET_BINARY vault list; then VAULTS=$($SECRET_BINARY vault list) echo "Available vaults: $VAULTS" print_success "Listed vaults successfully" @@ -129,7 +136,8 @@ fi # Create a new vault echo "Creating new vault 'work'..." -if $SECRET_BINARY vault create work > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create work" +if $SECRET_BINARY vault create work; then print_success "Created vault 'work'" else print_error "Failed to create vault 'work'" @@ -137,7 +145,8 @@ fi # Create another vault echo "Creating new vault 'personal'..." -if $SECRET_BINARY vault create personal > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create personal" +if $SECRET_BINARY vault create personal; then print_success "Created vault 'personal'" else print_error "Failed to create vault 'personal'" @@ -145,7 +154,8 @@ fi # List vaults again (should show default, work, personal) echo "Listing vaults after creation..." -if $SECRET_BINARY vault list > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault list" +if $SECRET_BINARY vault list; then VAULTS=$($SECRET_BINARY vault list) echo "Available vaults: $VAULTS" print_success "Listed vaults after creation" @@ -155,7 +165,8 @@ fi # Switch to work vault echo "Switching to 'work' vault..." -if $SECRET_BINARY vault select work > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault select work" +if $SECRET_BINARY vault select work; then print_success "Switched to 'work' vault" else print_error "Failed to switch to 'work' vault" @@ -170,7 +181,8 @@ reset_state export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" # Create a vault first -if $SECRET_BINARY vault create test-vault > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create test-vault" +if $SECRET_BINARY vault create test-vault; then print_success "Created test-vault for import testing" else print_error "Failed to create test-vault" @@ -178,7 +190,8 @@ fi # Import should prompt for passphrase echo "Importing with mnemonic env var set, should prompt for passphrase..." -if echo "$TEST_PASSPHRASE" | $SECRET_BINARY import test-vault > /dev/null 2>&1; then +echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY vault import test-vault" +if echo "$TEST_PASSPHRASE" | $SECRET_BINARY vault import test-vault; then print_success "Import succeeded with mnemonic env var (prompted for passphrase)" else print_error "Import failed with mnemonic env var" @@ -190,7 +203,8 @@ reset_state export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" # Create a vault first -if $SECRET_BINARY vault create test-vault2 > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create test-vault2" +if $SECRET_BINARY vault create test-vault2; then print_success "Created test-vault2 for import testing" else print_error "Failed to create test-vault2" @@ -198,7 +212,8 @@ fi # Import should prompt for mnemonic echo "Importing with passphrase env var set, should prompt for mnemonic..." -if echo "$TEST_MNEMONIC" | $SECRET_BINARY import test-vault2 > /dev/null 2>&1; then +echo "Running: echo \"$TEST_MNEMONIC\" | $SECRET_BINARY vault import test-vault2" +if echo "$TEST_MNEMONIC" | $SECRET_BINARY vault import test-vault2; then print_success "Import succeeded with passphrase env var (prompted for mnemonic)" else print_error "Import failed with passphrase env var" @@ -211,7 +226,8 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" # Create a vault first -if $SECRET_BINARY vault create test-vault3 > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create test-vault3" +if $SECRET_BINARY vault create test-vault3; then print_success "Created test-vault3 for import testing" else print_error "Failed to create test-vault3" @@ -219,7 +235,8 @@ fi # Import should not prompt for anything echo "Importing with both env vars set, should not prompt..." -if $SECRET_BINARY import test-vault3 > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault import test-vault3" +if $SECRET_BINARY vault import test-vault3; then print_success "Import succeeded with both env vars (no prompts)" else print_error "Import failed with both env vars" @@ -230,7 +247,8 @@ echo -e "\n${YELLOW}Test 4d: Import with neither SB_SECRET_MNEMONIC nor SB_UNLOC reset_state # Create a vault first -if $SECRET_BINARY vault create test-vault4 > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create test-vault4" +if $SECRET_BINARY vault create test-vault4; then print_success "Created test-vault4 for import testing" else print_error "Failed to create test-vault4" @@ -239,7 +257,7 @@ fi # Import should prompt for both mnemonic and passphrase echo "Importing with neither env var set, should prompt for both..." if expect -c " - spawn $SECRET_BINARY import test-vault4 + spawn $SECRET_BINARY vault import test-vault4 expect \"Enter your BIP39 mnemonic phrase:\" send \"$TEST_MNEMONIC\n\" expect \"Enter passphrase for unlock key:\" @@ -247,7 +265,7 @@ if expect -c " expect \"Confirm passphrase:\" send \"$TEST_PASSPHRASE\n\" expect eof -" > /dev/null 2>&1; then +"; then print_success "Import succeeded with no env vars (prompted for both)" else print_error "Import failed with no env vars" @@ -260,7 +278,7 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" echo "Importing into non-existent vault (should fail)..." -if $SECRET_BINARY import nonexistent-vault > /dev/null 2>&1; then +if $SECRET_BINARY vault import nonexistent-vault; then print_error "Import should have failed for non-existent vault" else print_success "Import correctly failed for non-existent vault" @@ -273,14 +291,15 @@ export SB_SECRET_MNEMONIC="invalid mnemonic phrase that should not work" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" # Create a vault first -if $SECRET_BINARY vault create test-vault5 > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create test-vault5" +if $SECRET_BINARY vault create test-vault5; then print_success "Created test-vault5 for invalid mnemonic testing" else print_error "Failed to create test-vault5" fi echo "Importing with invalid mnemonic (should fail)..." -if $SECRET_BINARY import test-vault5 > /dev/null 2>&1; then +if $SECRET_BINARY vault import test-vault5; then print_error "Import should have failed with invalid mnemonic" else print_success "Import correctly failed with invalid mnemonic" @@ -294,14 +313,15 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" print_step "5" "Testing original import functionality" # Initialize to create default vault -if (echo "$TEST_PASSPHRASE"; echo "$TEST_PASSPHRASE") | $SECRET_BINARY init > /dev/null 2>&1; then +if (echo "$TEST_PASSPHRASE"; echo "$TEST_PASSPHRASE") | $SECRET_BINARY init; then print_success "Initialized for Step 5 testing" else print_error "Failed to initialize for Step 5 testing" fi # Create work vault for import testing -if $SECRET_BINARY vault create work > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create work" +if $SECRET_BINARY vault create work; then print_success "Created work vault for import testing" else print_error "Failed to create work vault" @@ -309,7 +329,8 @@ fi # Switch to work vault echo "Switching to 'work' vault..." -if $SECRET_BINARY vault select work > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault select work" +if $SECRET_BINARY vault select work; then print_success "Switched to 'work' vault" else print_error "Failed to switch to 'work' vault" @@ -319,7 +340,8 @@ fi echo "Importing mnemonic into 'work' vault..." # Set passphrase for import command only export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" -if $SECRET_BINARY import work > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault import work" +if $SECRET_BINARY vault import work; then print_success "Imported mnemonic into 'work' vault" else print_error "Failed to import mnemonic into 'work' vault" @@ -329,7 +351,8 @@ unset SB_UNLOCK_PASSPHRASE # Switch back to default vault echo "Switching back to 'default' vault..." -if $SECRET_BINARY vault select default > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault select default" +if $SECRET_BINARY vault select default; then print_success "Switched back to 'default' vault" else print_error "Failed to switch back to 'default' vault" @@ -341,7 +364,8 @@ print_step "6" "Testing unlock key management" # Create passphrase-protected unlock key echo "Creating passphrase-protected unlock key..." # Note: This test uses stdin input instead of environment variable to test the traditional approach -if echo "$TEST_PASSPHRASE" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then +echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY keys add passphrase" +if echo "$TEST_PASSPHRASE" | $SECRET_BINARY keys add passphrase; then print_success "Created passphrase-protected unlock key" else print_error "Failed to create passphrase-protected unlock key" @@ -349,7 +373,8 @@ fi # List unlock keys echo "Listing unlock keys..." -if $SECRET_BINARY keys list > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY keys list" +if $SECRET_BINARY keys list; then KEYS=$($SECRET_BINARY keys list) echo "Available unlock keys: $KEYS" print_success "Listed unlock keys" @@ -364,28 +389,32 @@ print_step "7" "Testing mnemonic-based secret operations (keyless)" echo "Adding secrets using mnemonic-based long-term key..." # Test secret 1 -if echo "my-super-secret-password" | $SECRET_BINARY add "database/password" > /dev/null 2>&1; then +echo "Running: echo \"my-super-secret-password\" | $SECRET_BINARY add \"database/password\"" +if echo "my-super-secret-password" | $SECRET_BINARY add "database/password"; then print_success "Added secret: database/password" else print_error "Failed to add secret: database/password" fi # Test secret 2 -if echo "api-key-12345" | $SECRET_BINARY add "api/key" > /dev/null 2>&1; then +echo "Running: echo \"api-key-12345\" | $SECRET_BINARY add \"api/key\"" +if echo "api-key-12345" | $SECRET_BINARY add "api/key"; then print_success "Added secret: api/key" else print_error "Failed to add secret: api/key" fi # Test secret 3 (with path) -if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key" > /dev/null 2>&1; then +echo "Running: echo \"ssh-private-key-content\" | $SECRET_BINARY add \"ssh/private-key\"" +if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key"; then print_success "Added secret: ssh/private-key" else print_error "Failed to add secret: ssh/private-key" fi # Test secret 4 (with dots and underscores) -if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret" > /dev/null 2>&1; then +echo "Running: echo \"jwt-secret-token\" | $SECRET_BINARY add \"app.config_jwt_secret\"" +if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret"; then print_success "Added secret: app.config_jwt_secret" else print_error "Failed to add secret: app.config_jwt_secret" @@ -420,7 +449,8 @@ fi # List all secrets echo "Listing all secrets..." -if $SECRET_BINARY list > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY list" +if $SECRET_BINARY list; then SECRETS=$($SECRET_BINARY list) echo "Secrets in current vault:" echo "$SECRETS" | while read -r secret; do @@ -439,20 +469,25 @@ unset SB_SECRET_MNEMONIC # Add a secret using traditional unlock key approach echo "Adding secret using traditional unlock key..." -if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret" > /dev/null 2>&1; then +echo "Running: echo \"traditional-secret-value\" | $SECRET_BINARY add \"traditional/secret\"" +if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret"; then print_success "Added secret using traditional approach: traditional/secret" else print_error "Failed to add secret using traditional approach" fi # Retrieve secret using traditional unlock key approach -RETRIEVED_TRADITIONAL=$($SECRET_BINARY get "traditional/secret" 2>/dev/null) +echo "Retrieving secret using traditional unlock key approach..." +RETRIEVED_TRADITIONAL=$(echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "traditional/secret" 2>/dev/null) if [ "$RETRIEVED_TRADITIONAL" = "traditional-secret-value" ]; then print_success "Retrieved and verified traditional secret: traditional/secret" else print_error "Failed to retrieve or verify traditional secret" fi +# Re-enable mnemonic for remaining tests +export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" + # Test 9: Advanced unlock key management print_step "9" "Testing advanced unlock key management" @@ -463,7 +498,8 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" echo "Testing PGP unlock key creation..." if command -v gpg >/dev/null 2>&1; then # This would require a GPG key ID - for testing we'll just check the command exists - if $SECRET_BINARY keys add pgp --help > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY keys add pgp --help" + if $SECRET_BINARY keys add pgp --help; then print_success "PGP unlock key command available" else print_warning "PGP unlock key command not yet implemented" @@ -475,7 +511,8 @@ fi # Test Secure Enclave (macOS only) if [[ "$OSTYPE" == "darwin"* ]]; then echo "Testing Secure Enclave unlock key creation..." - if $SECRET_BINARY enroll sep > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY enroll sep" + if $SECRET_BINARY enroll sep; then print_success "Created Secure Enclave unlock key" else print_warning "Secure Enclave unlock key creation not yet implemented" @@ -486,14 +523,16 @@ fi # Get current unlock key ID for testing echo "Getting current unlock key for testing..." -if $SECRET_BINARY keys list > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY keys list" +if $SECRET_BINARY keys list; then CURRENT_KEY_ID=$($SECRET_BINARY keys list | head -n1 | awk '{print $1}') if [ -n "$CURRENT_KEY_ID" ]; then print_success "Found unlock key ID: $CURRENT_KEY_ID" # Test key selection echo "Testing unlock key selection..." - if $SECRET_BINARY key select "$CURRENT_KEY_ID" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY key select $CURRENT_KEY_ID" + if $SECRET_BINARY key select "$CURRENT_KEY_ID"; then print_success "Selected unlock key: $CURRENT_KEY_ID" else print_warning "Unlock key selection not yet implemented" @@ -507,7 +546,8 @@ print_step "10" "Testing secret name validation and edge cases" # Test valid names VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths") for name in "${VALID_NAMES[@]}"; do - if echo "test-value" | $SECRET_BINARY add "$name" --force > /dev/null 2>&1; then + echo "Running: echo \"test-value\" | $SECRET_BINARY add $name --force" + if echo "test-value" | $SECRET_BINARY add "$name" --force; then print_success "Valid name accepted: $name" else print_error "Valid name rejected: $name" @@ -518,7 +558,8 @@ done echo "Testing invalid names (should fail)..." INVALID_NAMES=("Invalid-Name" "invalid name" "invalid@name" "invalid#name" "invalid%name" "") for name in "${INVALID_NAMES[@]}"; do - if echo "test-value" | $SECRET_BINARY add "$name" > /dev/null 2>&1; then + echo "Running: echo \"test-value\" | $SECRET_BINARY add $name" + if echo "test-value" | $SECRET_BINARY add "$name"; then print_error "Invalid name accepted (should have been rejected): '$name'" else print_success "Invalid name correctly rejected: '$name'" @@ -529,14 +570,16 @@ done print_step "11" "Testing overwrite protection and force flag" # Try to add existing secret without --force (should fail) -if echo "new-value" | $SECRET_BINARY add "database/password" > /dev/null 2>&1; then +echo "Running: echo \"new-value\" | $SECRET_BINARY add \"database/password\"" +if echo "new-value" | $SECRET_BINARY add "database/password"; then print_error "Overwrite protection failed - secret was overwritten without --force" else print_success "Overwrite protection working - secret not overwritten without --force" fi # Try to add existing secret with --force (should succeed) -if echo "new-password-value" | $SECRET_BINARY add "database/password" --force > /dev/null 2>&1; then +echo "Running: echo \"new-password-value\" | $SECRET_BINARY add \"database/password\" --force" +if echo "new-password-value" | $SECRET_BINARY add "database/password" --force; then print_success "Force overwrite working - secret overwritten with --force" # Verify the new value @@ -555,18 +598,21 @@ print_step "12" "Testing cross-vault operations" # Switch to work vault and add secrets there echo "Switching to 'work' vault for cross-vault testing..." -if $SECRET_BINARY vault select work > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault select work" +if $SECRET_BINARY vault select work; then print_success "Switched to 'work' vault" # Add work-specific secrets - if echo "work-database-password" | $SECRET_BINARY add "work/database" > /dev/null 2>&1; then + echo "Running: echo \"work-database-password\" | $SECRET_BINARY add \"work/database\"" + if echo "work-database-password" | $SECRET_BINARY add "work/database"; then print_success "Added work-specific secret" else print_error "Failed to add work-specific secret" fi # List secrets in work vault - if $SECRET_BINARY list > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY list" + if $SECRET_BINARY list; then WORK_SECRETS=$($SECRET_BINARY list) echo "Secrets in work vault: $WORK_SECRETS" print_success "Listed work vault secrets" @@ -579,11 +625,13 @@ fi # Switch back to default vault echo "Switching back to 'default' vault..." -if $SECRET_BINARY vault select default > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault select default" +if $SECRET_BINARY vault select default; then print_success "Switched back to 'default' vault" # Verify default vault secrets are still there - if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY get \"database/password\"" + if $SECRET_BINARY get "database/password"; then print_success "Default vault secrets still accessible" else print_error "Default vault secrets not accessible" @@ -645,15 +693,17 @@ fi print_step "14" "Testing environment variable error handling" # Test with non-existent state directory -export SB_SECRET_STATE_DIR="/nonexistent/directory" -if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then +export SB_SECRET_STATE_DIR="$TEMP_DIR/nonexistent/directory" +echo "Running: $SECRET_BINARY get \"database/password\"" +if $SECRET_BINARY get "database/password"; then print_error "Should have failed with non-existent state directory" else print_success "Correctly failed with non-existent state directory" fi # Test init with non-existent directory (should work) -if $SECRET_BINARY init > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY init" +if $SECRET_BINARY init; then print_success "Init works with non-existent state directory" else print_error "Init should work with non-existent state directory" @@ -671,15 +721,18 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" # Create another unlock key for testing removal echo "Creating additional unlock key for removal testing..." # Use stdin input instead of environment variable -if echo "another-passphrase" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then +echo "Running: echo \"another-passphrase\" | $SECRET_BINARY keys add passphrase" +if echo "another-passphrase" | $SECRET_BINARY keys add passphrase; then print_success "Created additional unlock key" # Get the key ID and try to remove it - if $SECRET_BINARY keys list > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY keys list" + if $SECRET_BINARY keys list; then KEY_TO_REMOVE=$($SECRET_BINARY keys list | tail -n1 | awk '{print $1}') if [ -n "$KEY_TO_REMOVE" ]; then echo "Attempting to remove unlock key: $KEY_TO_REMOVE" - if $SECRET_BINARY keys rm "$KEY_TO_REMOVE" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY keys rm $KEY_TO_REMOVE" + if $SECRET_BINARY keys rm "$KEY_TO_REMOVE"; then print_success "Removed unlock key: $KEY_TO_REMOVE" else print_warning "Unlock key removal not yet implemented" @@ -703,7 +756,9 @@ fi # Test without mnemonic but with unlock key unset SB_SECRET_MNEMONIC -if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then +echo "Testing traditional unlock key access to mnemonic-created secrets..." +echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY get \"database/password\"" +if echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "database/password"; then print_success "Traditional unlock key can access mnemonic-created secrets" else print_warning "Traditional unlock key cannot access mnemonic-created secrets (may need implementation)" @@ -717,11 +772,13 @@ print_step "17" "Testing refactored architecture - separation of concerns" echo "Testing that secrets handle their own data access..." # Create a test secret first -if echo "test-self-access" | $SECRET_BINARY add "test/self-access" > /dev/null 2>&1; then +echo "Running: echo \"test-self-access\" | $SECRET_BINARY add \"test/self-access\"" +if echo "test-self-access" | $SECRET_BINARY add "test/self-access"; then print_success "Created test secret for self-access testing" # Try to retrieve it (this tests that Secret.GetEncryptedData() works) - if $SECRET_BINARY get "test/self-access" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY get \"test/self-access\"" + if $SECRET_BINARY get "test/self-access"; then print_success "Secret correctly handles its own data access" else print_error "Secret failed to handle its own data access" @@ -733,7 +790,8 @@ fi echo "Testing unlock key delegation pattern..." # Test that vault delegates to unlock keys for decryption # This is tested implicitly by all our secret retrieval operations -if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY get \"database/password\"" +if $SECRET_BINARY get "database/password"; then print_success "Vault correctly delegates to unlock keys for decryption" else print_error "Vault delegation pattern failed" @@ -746,12 +804,15 @@ echo "Verifying all unlock key types implement required methods..." # Create different types of unlock keys to test interface compliance echo "Testing PassphraseUnlockKey interface compliance..." -if echo "interface-test-pass" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then +echo "Running: echo \"interface-test-pass\" | $SECRET_BINARY keys add passphrase" +if echo "interface-test-pass" | $SECRET_BINARY keys add passphrase; then print_success "PassphraseUnlockKey created successfully" # Test that we can use it (this verifies GetIdentity and DecryptSecret work) - if echo "interface-test-secret" | $SECRET_BINARY add "interface/test" > /dev/null 2>&1; then - if $SECRET_BINARY get "interface/test" > /dev/null 2>&1; then + echo "Running: echo \"interface-test-secret\" | $SECRET_BINARY add \"interface/test\"" + if echo "interface-test-secret" | $SECRET_BINARY add "interface/test"; then + echo "Running: $SECRET_BINARY get \"interface/test\"" + if $SECRET_BINARY get "interface/test"; then print_success "PassphraseUnlockKey interface methods working" else print_error "PassphraseUnlockKey interface methods failed" @@ -766,12 +827,15 @@ fi # Test Secure Enclave on macOS (if available) if [[ "$OSTYPE" == "darwin"* ]]; then echo "Testing SEPUnlockKey interface compliance on macOS..." - if $SECRET_BINARY enroll sep > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY enroll sep" + if $SECRET_BINARY enroll sep; then print_success "SEPUnlockKey created successfully" # Test that we can use it - if echo "sep-test-secret" | $SECRET_BINARY add "sep/test" > /dev/null 2>&1; then - if $SECRET_BINARY get "sep/test" > /dev/null 2>&1; then + echo "Running: echo \"sep-test-secret\" | $SECRET_BINARY add \"sep/test\"" + if echo "sep-test-secret" | $SECRET_BINARY add "sep/test"; then + echo "Running: $SECRET_BINARY get \"sep/test\"" + if $SECRET_BINARY get "sep/test"; then print_success "SEPUnlockKey interface methods working" else print_error "SEPUnlockKey interface methods failed" @@ -787,36 +851,40 @@ else fi # Test 19: Long-term Key Management Separation -print_step "19" "Testing long-term key management separation" +print_step "19" "Testing long-term key access via different unlock key types" -echo "Testing that unlock keys manage their own long-term keys..." +echo "Testing that different unlock key types can access the same long-term key..." -# Switch between different unlock methods to verify each handles its own long-term keys -echo "Testing mnemonic-based long-term key management..." +# Switch between different unlock methods to verify each can access the long-term key +echo "Testing mnemonic-based long-term key access..." export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" -if echo "mnemonic-longterm-test" | $SECRET_BINARY add "longterm/mnemonic" > /dev/null 2>&1; then - if $SECRET_BINARY get "longterm/mnemonic" > /dev/null 2>&1; then - print_success "Mnemonic-based long-term key management working" +echo "Running: echo \"mnemonic-longterm-test\" | $SECRET_BINARY add \"longterm/mnemonic\"" +if echo "mnemonic-longterm-test" | $SECRET_BINARY add "longterm/mnemonic"; then + echo "Running: $SECRET_BINARY get \"longterm/mnemonic\"" + if $SECRET_BINARY get "longterm/mnemonic"; then + print_success "Mnemonic-based long-term key access working" else - print_error "Mnemonic-based long-term key management failed" + print_error "Mnemonic-based long-term key access failed" fi else - print_error "Failed to test mnemonic-based long-term key management" + print_error "Failed to test mnemonic-based long-term key access" fi -echo "Testing passphrase-based long-term key management..." +echo "Testing passphrase unlock key accessing long-term key..." unset SB_SECRET_MNEMONIC -if echo "passphrase-longterm-test" | $SECRET_BINARY add "longterm/passphrase" > /dev/null 2>&1; then - if $SECRET_BINARY get "longterm/passphrase" > /dev/null 2>&1; then - print_success "Passphrase-based long-term key management working" +echo "Running: echo \"passphrase-unlock-test\" | $SECRET_BINARY add \"longterm/passphrase-unlock\"" +if echo "passphrase-unlock-test" | $SECRET_BINARY add "longterm/passphrase-unlock"; then + echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY get \"longterm/passphrase-unlock\"" + if echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "longterm/passphrase-unlock"; then + print_success "Passphrase unlock key accessing long-term key working" else - print_error "Passphrase-based long-term key management failed" + print_error "Passphrase unlock key accessing long-term key failed" fi else - print_error "Failed to test passphrase-based long-term key management" + print_error "Failed to test passphrase unlock key accessing long-term key" fi -# Re-enable mnemonic +# Re-enable mnemonic for remaining tests export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" # Test 20: Directory Structure and File Access Patterns @@ -826,7 +894,8 @@ echo "Verifying secrets access their own directory structure..." # Check that secret directories contain the expected structure SECRET_NAME="structure/test" -if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME" > /dev/null 2>&1; then +echo "Running: echo \"structure-test-value\" | $SECRET_BINARY add $SECRET_NAME" +if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME"; then print_success "Created secret for structure testing" # Convert secret name to directory name (URL encoding) @@ -837,7 +906,8 @@ if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME" > /dev/null 2 print_success "Secret directory structure created correctly" # Verify secret can access its own encrypted data - if $SECRET_BINARY get "$SECRET_NAME" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY get $SECRET_NAME" + if $SECRET_BINARY get "$SECRET_NAME"; then print_success "Secret correctly accesses its own encrypted data" else print_error "Secret failed to access its own encrypted data" @@ -886,7 +956,8 @@ print_step "21" "Testing error handling in refactored architecture" echo "Testing secret error handling..." # Test non-existent secret -if $SECRET_BINARY get "nonexistent/secret" > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY get \"nonexistent/secret\"" +if $SECRET_BINARY get "nonexistent/secret"; then print_error "Should have failed for non-existent secret" else print_success "Correctly handled non-existent secret" @@ -904,7 +975,8 @@ if [ -d "$FIRST_KEY_DIR" ] && [ -f "$FIRST_KEY_DIR/priv.age" ]; then # Temporarily disable mnemonic to force unlock key usage unset SB_SECRET_MNEMONIC - if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY get \"database/password\"" + if $SECRET_BINARY get "database/password"; then print_warning "Expected failure with corrupted unlock key, but succeeded (may have fallback)" else print_success "Correctly handled corrupted unlock key" @@ -925,27 +997,33 @@ print_step "22" "Testing cross-component integration" echo "Testing vault-secret-unlock key integration..." # Create a secret in one vault, switch vaults, create another secret, switch back -if $SECRET_BINARY vault create integration-test > /dev/null 2>&1; then +echo "Running: $SECRET_BINARY vault create integration-test" +if $SECRET_BINARY vault create integration-test; then print_success "Created integration test vault" # Add secret to default vault - if echo "default-vault-secret" | $SECRET_BINARY add "integration/default" > /dev/null 2>&1; then + echo "Running: echo \"default-vault-secret\" | $SECRET_BINARY add \"integration/default\"" + if echo "default-vault-secret" | $SECRET_BINARY add "integration/default"; then print_success "Added secret to default vault" # Switch to integration-test vault - if $SECRET_BINARY vault select integration-test > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY vault select integration-test" + if $SECRET_BINARY vault select integration-test; then print_success "Switched to integration-test vault" # Create unlock key in new vault - if echo "integration-passphrase" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then + echo "Running: echo \"integration-passphrase\" | $SECRET_BINARY keys add passphrase" + if echo "integration-passphrase" | $SECRET_BINARY keys add passphrase; then print_success "Created unlock key in integration-test vault" # Add secret to integration-test vault - if echo "integration-vault-secret" | $SECRET_BINARY add "integration/test" > /dev/null 2>&1; then + echo "Running: echo \"integration-vault-secret\" | $SECRET_BINARY add \"integration/test\"" + if echo "integration-vault-secret" | $SECRET_BINARY add "integration/test"; then print_success "Added secret to integration-test vault" # Verify secret retrieval works - if $SECRET_BINARY get "integration/test" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY get \"integration/test\"" + if $SECRET_BINARY get "integration/test"; then print_success "Cross-component integration working" else print_error "Cross-component integration failed" @@ -958,11 +1036,13 @@ if $SECRET_BINARY vault create integration-test > /dev/null 2>&1; then fi # Switch back to default vault - if $SECRET_BINARY vault select default > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY vault select default" + if $SECRET_BINARY vault select default; then print_success "Switched back to default vault" # Verify we can still access default vault secrets - if $SECRET_BINARY get "integration/default" > /dev/null 2>&1; then + echo "Running: $SECRET_BINARY get \"integration/default\"" + if $SECRET_BINARY get "integration/default"; then print_success "Can still access default vault secrets" else print_error "Cannot access default vault secrets after switching" @@ -999,7 +1079,7 @@ echo -e "${GREEN}✓ Mixed approach compatibility${NC}" echo -e "${GREEN}✓ Error handling${NC}" echo -e "${GREEN}✓ Refactored architecture - separation of concerns${NC}" echo -e "${GREEN}✓ Interface method compliance${NC}" -echo -e "${GREEN}✓ Long-term key management separation${NC}" +echo -e "${GREEN}✓ Long-term key access via different unlock key types${NC}" echo -e "${GREEN}✓ Directory structure and file access patterns${NC}" echo -e "${GREEN}✓ Error handling in refactored architecture${NC}" echo -e "${GREEN}✓ Cross-component integration${NC}"