fix: Update integration test script for new architecture - Update file checks to expect value.age instead of secret.age - Add debug output support with GODEBUG environment variable - Remove output redirections to show command execution and debug info - Fix test expectations to match per-secret key file structure

Jeffrey Paul 2025-05-29 09:52:39 -07:00
parent 5ca657c104
commit 4b59d6fb82


@ -15,8 +15,12 @@ TEST_PASSPHRASE="test-passphrase-123"
TEMP_DIR="$(mktemp -d)" TEMP_DIR="$(mktemp -d)"
SECRET_BINARY="./secret" SECRET_BINARY="./secret"
# Enable debug output from the secret program
export GODEBUG="berlin.sneak.pkg.secret"
echo -e "${BLUE}=== Secret Manager Comprehensive Test Script ===${NC}" echo -e "${BLUE}=== Secret Manager Comprehensive Test Script ===${NC}"
echo -e "${YELLOW}Using temporary directory: $TEMP_DIR${NC}" echo -e "${YELLOW}Using temporary directory: $TEMP_DIR${NC}"
echo -e "${YELLOW}Debug output enabled: GODEBUG=$GODEBUG${NC}"
# Function to print test steps # Function to print test steps
print_step() { print_step() {
@ -76,6 +80,7 @@ cleanup() {
unset SB_SECRET_STATE_DIR unset SB_SECRET_STATE_DIR
unset SB_SECRET_MNEMONIC unset SB_SECRET_MNEMONIC
unset SB_UNLOCK_PASSPHRASE unset SB_UNLOCK_PASSPHRASE
unset GODEBUG
echo -e "${GREEN}Cleanup complete${NC}" echo -e "${GREEN}Cleanup complete${NC}"
} }
@ -99,7 +104,8 @@ echo " SB_SECRET_MNEMONIC=$TEST_MNEMONIC"
print_step "2" "Initializing secret manager (creates default vault)" print_step "2" "Initializing secret manager (creates default vault)"
# Set passphrase for init command only # Set passphrase for init command only
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
if $SECRET_BINARY init > /dev/null 2>&1; then echo "Running: $SECRET_BINARY init"
if $SECRET_BINARY init; then
print_success "Secret manager initialized with default vault" print_success "Secret manager initialized with default vault"
else else
print_error "Failed to initialize secret manager" print_error "Failed to initialize secret manager"
@ -119,7 +125,8 @@ print_step "3" "Testing vault management"
# List vaults (should show default) # List vaults (should show default)
echo "Listing vaults..." echo "Listing vaults..."
if $SECRET_BINARY vault list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault list"
if $SECRET_BINARY vault list; then
VAULTS=$($SECRET_BINARY vault list) VAULTS=$($SECRET_BINARY vault list)
echo "Available vaults: $VAULTS" echo "Available vaults: $VAULTS"
print_success "Listed vaults successfully" print_success "Listed vaults successfully"
@ -129,7 +136,8 @@ fi
# Create a new vault # Create a new vault
echo "Creating new vault 'work'..." echo "Creating new vault 'work'..."
if $SECRET_BINARY vault create work > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create work"
if $SECRET_BINARY vault create work; then
print_success "Created vault 'work'" print_success "Created vault 'work'"
else else
print_error "Failed to create vault 'work'" print_error "Failed to create vault 'work'"
@ -137,7 +145,8 @@ fi
# Create another vault # Create another vault
echo "Creating new vault 'personal'..." echo "Creating new vault 'personal'..."
if $SECRET_BINARY vault create personal > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create personal"
if $SECRET_BINARY vault create personal; then
print_success "Created vault 'personal'" print_success "Created vault 'personal'"
else else
print_error "Failed to create vault 'personal'" print_error "Failed to create vault 'personal'"
@ -145,7 +154,8 @@ fi
# List vaults again (should show default, work, personal) # List vaults again (should show default, work, personal)
echo "Listing vaults after creation..." echo "Listing vaults after creation..."
if $SECRET_BINARY vault list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault list"
if $SECRET_BINARY vault list; then
VAULTS=$($SECRET_BINARY vault list) VAULTS=$($SECRET_BINARY vault list)
echo "Available vaults: $VAULTS" echo "Available vaults: $VAULTS"
print_success "Listed vaults after creation" print_success "Listed vaults after creation"
@ -155,7 +165,8 @@ fi
# Switch to work vault # Switch to work vault
echo "Switching to 'work' vault..." echo "Switching to 'work' vault..."
if $SECRET_BINARY vault select work > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select work"
if $SECRET_BINARY vault select work; then
print_success "Switched to 'work' vault" print_success "Switched to 'work' vault"
else else
print_error "Failed to switch to 'work' vault" print_error "Failed to switch to 'work' vault"
@ -170,7 +181,8 @@ reset_state
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
# Create a vault first # Create a vault first
if $SECRET_BINARY vault create test-vault > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create test-vault"
if $SECRET_BINARY vault create test-vault; then
print_success "Created test-vault for import testing" print_success "Created test-vault for import testing"
else else
print_error "Failed to create test-vault" print_error "Failed to create test-vault"
@ -178,7 +190,8 @@ fi
# Import should prompt for passphrase # Import should prompt for passphrase
echo "Importing with mnemonic env var set, should prompt for passphrase..." echo "Importing with mnemonic env var set, should prompt for passphrase..."
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY import test-vault > /dev/null 2>&1; then echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY vault import test-vault"
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY vault import test-vault; then
print_success "Import succeeded with mnemonic env var (prompted for passphrase)" print_success "Import succeeded with mnemonic env var (prompted for passphrase)"
else else
print_error "Import failed with mnemonic env var" print_error "Import failed with mnemonic env var"
@ -190,7 +203,8 @@ reset_state
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
# Create a vault first # Create a vault first
if $SECRET_BINARY vault create test-vault2 > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create test-vault2"
if $SECRET_BINARY vault create test-vault2; then
print_success "Created test-vault2 for import testing" print_success "Created test-vault2 for import testing"
else else
print_error "Failed to create test-vault2" print_error "Failed to create test-vault2"
@ -198,7 +212,8 @@ fi
# Import should prompt for mnemonic # Import should prompt for mnemonic
echo "Importing with passphrase env var set, should prompt for mnemonic..." echo "Importing with passphrase env var set, should prompt for mnemonic..."
if echo "$TEST_MNEMONIC" | $SECRET_BINARY import test-vault2 > /dev/null 2>&1; then echo "Running: echo \"$TEST_MNEMONIC\" | $SECRET_BINARY vault import test-vault2"
if echo "$TEST_MNEMONIC" | $SECRET_BINARY vault import test-vault2; then
print_success "Import succeeded with passphrase env var (prompted for mnemonic)" print_success "Import succeeded with passphrase env var (prompted for mnemonic)"
else else
print_error "Import failed with passphrase env var" print_error "Import failed with passphrase env var"
@ -211,7 +226,8 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
# Create a vault first # Create a vault first
if $SECRET_BINARY vault create test-vault3 > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create test-vault3"
if $SECRET_BINARY vault create test-vault3; then
print_success "Created test-vault3 for import testing" print_success "Created test-vault3 for import testing"
else else
print_error "Failed to create test-vault3" print_error "Failed to create test-vault3"
@ -219,7 +235,8 @@ fi
# Import should not prompt for anything # Import should not prompt for anything
echo "Importing with both env vars set, should not prompt..." echo "Importing with both env vars set, should not prompt..."
if $SECRET_BINARY import test-vault3 > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault import test-vault3"
if $SECRET_BINARY vault import test-vault3; then
print_success "Import succeeded with both env vars (no prompts)" print_success "Import succeeded with both env vars (no prompts)"
else else
print_error "Import failed with both env vars" print_error "Import failed with both env vars"
@ -230,7 +247,8 @@ echo -e "\n${YELLOW}Test 4d: Import with neither SB_SECRET_MNEMONIC nor SB_UNLOC
reset_state reset_state
# Create a vault first # Create a vault first
if $SECRET_BINARY vault create test-vault4 > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create test-vault4"
if $SECRET_BINARY vault create test-vault4; then
print_success "Created test-vault4 for import testing" print_success "Created test-vault4 for import testing"
else else
print_error "Failed to create test-vault4" print_error "Failed to create test-vault4"
@ -239,7 +257,7 @@ fi
# Import should prompt for both mnemonic and passphrase # Import should prompt for both mnemonic and passphrase
echo "Importing with neither env var set, should prompt for both..." echo "Importing with neither env var set, should prompt for both..."
if expect -c " if expect -c "
spawn $SECRET_BINARY import test-vault4 spawn $SECRET_BINARY vault import test-vault4
expect \"Enter your BIP39 mnemonic phrase:\" expect \"Enter your BIP39 mnemonic phrase:\"
send \"$TEST_MNEMONIC\n\" send \"$TEST_MNEMONIC\n\"
expect \"Enter passphrase for unlock key:\" expect \"Enter passphrase for unlock key:\"
@ -247,7 +265,7 @@ if expect -c "
expect \"Confirm passphrase:\" expect \"Confirm passphrase:\"
send \"$TEST_PASSPHRASE\n\" send \"$TEST_PASSPHRASE\n\"
expect eof expect eof
" > /dev/null 2>&1; then "; then
print_success "Import succeeded with no env vars (prompted for both)" print_success "Import succeeded with no env vars (prompted for both)"
else else
print_error "Import failed with no env vars" print_error "Import failed with no env vars"
@ -260,7 +278,7 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
echo "Importing into non-existent vault (should fail)..." echo "Importing into non-existent vault (should fail)..."
if $SECRET_BINARY import nonexistent-vault > /dev/null 2>&1; then if $SECRET_BINARY vault import nonexistent-vault; then
print_error "Import should have failed for non-existent vault" print_error "Import should have failed for non-existent vault"
else else
print_success "Import correctly failed for non-existent vault" print_success "Import correctly failed for non-existent vault"
@ -273,14 +291,15 @@ export SB_SECRET_MNEMONIC="invalid mnemonic phrase that should not work"
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
# Create a vault first # Create a vault first
if $SECRET_BINARY vault create test-vault5 > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create test-vault5"
if $SECRET_BINARY vault create test-vault5; then
print_success "Created test-vault5 for invalid mnemonic testing" print_success "Created test-vault5 for invalid mnemonic testing"
else else
print_error "Failed to create test-vault5" print_error "Failed to create test-vault5"
fi fi
echo "Importing with invalid mnemonic (should fail)..." echo "Importing with invalid mnemonic (should fail)..."
if $SECRET_BINARY import test-vault5 > /dev/null 2>&1; then if $SECRET_BINARY vault import test-vault5; then
print_error "Import should have failed with invalid mnemonic" print_error "Import should have failed with invalid mnemonic"
else else
print_success "Import correctly failed with invalid mnemonic" print_success "Import correctly failed with invalid mnemonic"
@ -294,14 +313,15 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
print_step "5" "Testing original import functionality" print_step "5" "Testing original import functionality"
# Initialize to create default vault # Initialize to create default vault
if (echo "$TEST_PASSPHRASE"; echo "$TEST_PASSPHRASE") | $SECRET_BINARY init > /dev/null 2>&1; then if (echo "$TEST_PASSPHRASE"; echo "$TEST_PASSPHRASE") | $SECRET_BINARY init; then
print_success "Initialized for Step 5 testing" print_success "Initialized for Step 5 testing"
else else
print_error "Failed to initialize for Step 5 testing" print_error "Failed to initialize for Step 5 testing"
fi fi
# Create work vault for import testing # Create work vault for import testing
if $SECRET_BINARY vault create work > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create work"
if $SECRET_BINARY vault create work; then
print_success "Created work vault for import testing" print_success "Created work vault for import testing"
else else
print_error "Failed to create work vault" print_error "Failed to create work vault"
@ -309,7 +329,8 @@ fi
# Switch to work vault # Switch to work vault
echo "Switching to 'work' vault..." echo "Switching to 'work' vault..."
if $SECRET_BINARY vault select work > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select work"
if $SECRET_BINARY vault select work; then
print_success "Switched to 'work' vault" print_success "Switched to 'work' vault"
else else
print_error "Failed to switch to 'work' vault" print_error "Failed to switch to 'work' vault"
@ -319,7 +340,8 @@ fi
echo "Importing mnemonic into 'work' vault..." echo "Importing mnemonic into 'work' vault..."
# Set passphrase for import command only # Set passphrase for import command only
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
if $SECRET_BINARY import work > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault import work"
if $SECRET_BINARY vault import work; then
print_success "Imported mnemonic into 'work' vault" print_success "Imported mnemonic into 'work' vault"
else else
print_error "Failed to import mnemonic into 'work' vault" print_error "Failed to import mnemonic into 'work' vault"
@ -329,7 +351,8 @@ unset SB_UNLOCK_PASSPHRASE
# Switch back to default vault # Switch back to default vault
echo "Switching back to 'default' vault..." echo "Switching back to 'default' vault..."
if $SECRET_BINARY vault select default > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select default"
if $SECRET_BINARY vault select default; then
print_success "Switched back to 'default' vault" print_success "Switched back to 'default' vault"
else else
print_error "Failed to switch back to 'default' vault" print_error "Failed to switch back to 'default' vault"
@ -341,7 +364,8 @@ print_step "6" "Testing unlock key management"
# Create passphrase-protected unlock key # Create passphrase-protected unlock key
echo "Creating passphrase-protected unlock key..." echo "Creating passphrase-protected unlock key..."
# Note: This test uses stdin input instead of environment variable to test the traditional approach # Note: This test uses stdin input instead of environment variable to test the traditional approach
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY keys add passphrase"
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY keys add passphrase; then
print_success "Created passphrase-protected unlock key" print_success "Created passphrase-protected unlock key"
else else
print_error "Failed to create passphrase-protected unlock key" print_error "Failed to create passphrase-protected unlock key"
@ -349,7 +373,8 @@ fi
# List unlock keys # List unlock keys
echo "Listing unlock keys..." echo "Listing unlock keys..."
if $SECRET_BINARY keys list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY keys list"
if $SECRET_BINARY keys list; then
KEYS=$($SECRET_BINARY keys list) KEYS=$($SECRET_BINARY keys list)
echo "Available unlock keys: $KEYS" echo "Available unlock keys: $KEYS"
print_success "Listed unlock keys" print_success "Listed unlock keys"
@ -364,28 +389,32 @@ print_step "7" "Testing mnemonic-based secret operations (keyless)"
echo "Adding secrets using mnemonic-based long-term key..." echo "Adding secrets using mnemonic-based long-term key..."
# Test secret 1 # Test secret 1
if echo "my-super-secret-password" | $SECRET_BINARY add "database/password" > /dev/null 2>&1; then echo "Running: echo \"my-super-secret-password\" | $SECRET_BINARY add \"database/password\""
if echo "my-super-secret-password" | $SECRET_BINARY add "database/password"; then
print_success "Added secret: database/password" print_success "Added secret: database/password"
else else
print_error "Failed to add secret: database/password" print_error "Failed to add secret: database/password"
fi fi
# Test secret 2 # Test secret 2
if echo "api-key-12345" | $SECRET_BINARY add "api/key" > /dev/null 2>&1; then echo "Running: echo \"api-key-12345\" | $SECRET_BINARY add \"api/key\""
if echo "api-key-12345" | $SECRET_BINARY add "api/key"; then
print_success "Added secret: api/key" print_success "Added secret: api/key"
else else
print_error "Failed to add secret: api/key" print_error "Failed to add secret: api/key"
fi fi
# Test secret 3 (with path) # Test secret 3 (with path)
if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key" > /dev/null 2>&1; then echo "Running: echo \"ssh-private-key-content\" | $SECRET_BINARY add \"ssh/private-key\""
if echo "ssh-private-key-content" | $SECRET_BINARY add "ssh/private-key"; then
print_success "Added secret: ssh/private-key" print_success "Added secret: ssh/private-key"
else else
print_error "Failed to add secret: ssh/private-key" print_error "Failed to add secret: ssh/private-key"
fi fi
# Test secret 4 (with dots and underscores) # Test secret 4 (with dots and underscores)
if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret" > /dev/null 2>&1; then echo "Running: echo \"jwt-secret-token\" | $SECRET_BINARY add \"app.config_jwt_secret\""
if echo "jwt-secret-token" | $SECRET_BINARY add "app.config_jwt_secret"; then
print_success "Added secret: app.config_jwt_secret" print_success "Added secret: app.config_jwt_secret"
else else
print_error "Failed to add secret: app.config_jwt_secret" print_error "Failed to add secret: app.config_jwt_secret"
@ -420,7 +449,8 @@ fi
# List all secrets # List all secrets
echo "Listing all secrets..." echo "Listing all secrets..."
if $SECRET_BINARY list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY list"
if $SECRET_BINARY list; then
SECRETS=$($SECRET_BINARY list) SECRETS=$($SECRET_BINARY list)
echo "Secrets in current vault:" echo "Secrets in current vault:"
echo "$SECRETS" | while read -r secret; do echo "$SECRETS" | while read -r secret; do
@ -439,20 +469,25 @@ unset SB_SECRET_MNEMONIC
# Add a secret using traditional unlock key approach # Add a secret using traditional unlock key approach
echo "Adding secret using traditional unlock key..." echo "Adding secret using traditional unlock key..."
if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret" > /dev/null 2>&1; then echo "Running: echo \"traditional-secret-value\" | $SECRET_BINARY add \"traditional/secret\""
if echo "traditional-secret-value" | $SECRET_BINARY add "traditional/secret"; then
print_success "Added secret using traditional approach: traditional/secret" print_success "Added secret using traditional approach: traditional/secret"
else else
print_error "Failed to add secret using traditional approach" print_error "Failed to add secret using traditional approach"
fi fi
# Retrieve secret using traditional unlock key approach # Retrieve secret using traditional unlock key approach
RETRIEVED_TRADITIONAL=$($SECRET_BINARY get "traditional/secret" 2>/dev/null) echo "Retrieving secret using traditional unlock key approach..."
RETRIEVED_TRADITIONAL=$(echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "traditional/secret" 2>/dev/null)
if [ "$RETRIEVED_TRADITIONAL" = "traditional-secret-value" ]; then if [ "$RETRIEVED_TRADITIONAL" = "traditional-secret-value" ]; then
print_success "Retrieved and verified traditional secret: traditional/secret" print_success "Retrieved and verified traditional secret: traditional/secret"
else else
print_error "Failed to retrieve or verify traditional secret" print_error "Failed to retrieve or verify traditional secret"
fi fi
# Re-enable mnemonic for remaining tests
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
# Test 9: Advanced unlock key management # Test 9: Advanced unlock key management
print_step "9" "Testing advanced unlock key management" print_step "9" "Testing advanced unlock key management"
@ -463,7 +498,8 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
echo "Testing PGP unlock key creation..." echo "Testing PGP unlock key creation..."
if command -v gpg >/dev/null 2>&1; then if command -v gpg >/dev/null 2>&1; then
# This would require a GPG key ID - for testing we'll just check the command exists # This would require a GPG key ID - for testing we'll just check the command exists
if $SECRET_BINARY keys add pgp --help > /dev/null 2>&1; then echo "Running: $SECRET_BINARY keys add pgp --help"
if $SECRET_BINARY keys add pgp --help; then
print_success "PGP unlock key command available" print_success "PGP unlock key command available"
else else
print_warning "PGP unlock key command not yet implemented" print_warning "PGP unlock key command not yet implemented"
@ -475,7 +511,8 @@ fi
# Test Secure Enclave (macOS only) # Test Secure Enclave (macOS only)
if [[ "$OSTYPE" == "darwin"* ]]; then if [[ "$OSTYPE" == "darwin"* ]]; then
echo "Testing Secure Enclave unlock key creation..." echo "Testing Secure Enclave unlock key creation..."
if $SECRET_BINARY enroll sep > /dev/null 2>&1; then echo "Running: $SECRET_BINARY enroll sep"
if $SECRET_BINARY enroll sep; then
print_success "Created Secure Enclave unlock key" print_success "Created Secure Enclave unlock key"
else else
print_warning "Secure Enclave unlock key creation not yet implemented" print_warning "Secure Enclave unlock key creation not yet implemented"
@ -486,14 +523,16 @@ fi
# Get current unlock key ID for testing # Get current unlock key ID for testing
echo "Getting current unlock key for testing..." echo "Getting current unlock key for testing..."
if $SECRET_BINARY keys list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY keys list"
if $SECRET_BINARY keys list; then
CURRENT_KEY_ID=$($SECRET_BINARY keys list | head -n1 | awk '{print $1}') CURRENT_KEY_ID=$($SECRET_BINARY keys list | head -n1 | awk '{print $1}')
if [ -n "$CURRENT_KEY_ID" ]; then if [ -n "$CURRENT_KEY_ID" ]; then
print_success "Found unlock key ID: $CURRENT_KEY_ID" print_success "Found unlock key ID: $CURRENT_KEY_ID"
# Test key selection # Test key selection
echo "Testing unlock key selection..." echo "Testing unlock key selection..."
if $SECRET_BINARY key select "$CURRENT_KEY_ID" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY key select $CURRENT_KEY_ID"
if $SECRET_BINARY key select "$CURRENT_KEY_ID"; then
print_success "Selected unlock key: $CURRENT_KEY_ID" print_success "Selected unlock key: $CURRENT_KEY_ID"
else else
print_warning "Unlock key selection not yet implemented" print_warning "Unlock key selection not yet implemented"
@ -507,7 +546,8 @@ print_step "10" "Testing secret name validation and edge cases"
# Test valid names # Test valid names
VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths") VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths")
for name in "${VALID_NAMES[@]}"; do for name in "${VALID_NAMES[@]}"; do
if echo "test-value" | $SECRET_BINARY add "$name" --force > /dev/null 2>&1; then echo "Running: echo \"test-value\" | $SECRET_BINARY add $name --force"
if echo "test-value" | $SECRET_BINARY add "$name" --force; then
print_success "Valid name accepted: $name" print_success "Valid name accepted: $name"
else else
print_error "Valid name rejected: $name" print_error "Valid name rejected: $name"
@ -518,7 +558,8 @@ done
echo "Testing invalid names (should fail)..." echo "Testing invalid names (should fail)..."
INVALID_NAMES=("Invalid-Name" "invalid name" "invalid@name" "invalid#name" "invalid%name" "") INVALID_NAMES=("Invalid-Name" "invalid name" "invalid@name" "invalid#name" "invalid%name" "")
for name in "${INVALID_NAMES[@]}"; do for name in "${INVALID_NAMES[@]}"; do
if echo "test-value" | $SECRET_BINARY add "$name" > /dev/null 2>&1; then echo "Running: echo \"test-value\" | $SECRET_BINARY add $name"
if echo "test-value" | $SECRET_BINARY add "$name"; then
print_error "Invalid name accepted (should have been rejected): '$name'" print_error "Invalid name accepted (should have been rejected): '$name'"
else else
print_success "Invalid name correctly rejected: '$name'" print_success "Invalid name correctly rejected: '$name'"
@ -529,14 +570,16 @@ done
print_step "11" "Testing overwrite protection and force flag" print_step "11" "Testing overwrite protection and force flag"
# Try to add existing secret without --force (should fail) # Try to add existing secret without --force (should fail)
if echo "new-value" | $SECRET_BINARY add "database/password" > /dev/null 2>&1; then echo "Running: echo \"new-value\" | $SECRET_BINARY add \"database/password\""
if echo "new-value" | $SECRET_BINARY add "database/password"; then
print_error "Overwrite protection failed - secret was overwritten without --force" print_error "Overwrite protection failed - secret was overwritten without --force"
else else
print_success "Overwrite protection working - secret not overwritten without --force" print_success "Overwrite protection working - secret not overwritten without --force"
fi fi
# Try to add existing secret with --force (should succeed) # Try to add existing secret with --force (should succeed)
if echo "new-password-value" | $SECRET_BINARY add "database/password" --force > /dev/null 2>&1; then echo "Running: echo \"new-password-value\" | $SECRET_BINARY add \"database/password\" --force"
if echo "new-password-value" | $SECRET_BINARY add "database/password" --force; then
print_success "Force overwrite working - secret overwritten with --force" print_success "Force overwrite working - secret overwritten with --force"
# Verify the new value # Verify the new value
@ -555,18 +598,21 @@ print_step "12" "Testing cross-vault operations"
# Switch to work vault and add secrets there # Switch to work vault and add secrets there
echo "Switching to 'work' vault for cross-vault testing..." echo "Switching to 'work' vault for cross-vault testing..."
if $SECRET_BINARY vault select work > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select work"
if $SECRET_BINARY vault select work; then
print_success "Switched to 'work' vault" print_success "Switched to 'work' vault"
# Add work-specific secrets # Add work-specific secrets
if echo "work-database-password" | $SECRET_BINARY add "work/database" > /dev/null 2>&1; then echo "Running: echo \"work-database-password\" | $SECRET_BINARY add \"work/database\""
if echo "work-database-password" | $SECRET_BINARY add "work/database"; then
print_success "Added work-specific secret" print_success "Added work-specific secret"
else else
print_error "Failed to add work-specific secret" print_error "Failed to add work-specific secret"
fi fi
# List secrets in work vault # List secrets in work vault
if $SECRET_BINARY list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY list"
if $SECRET_BINARY list; then
WORK_SECRETS=$($SECRET_BINARY list) WORK_SECRETS=$($SECRET_BINARY list)
echo "Secrets in work vault: $WORK_SECRETS" echo "Secrets in work vault: $WORK_SECRETS"
print_success "Listed work vault secrets" print_success "Listed work vault secrets"
@ -579,11 +625,13 @@ fi
# Switch back to default vault # Switch back to default vault
echo "Switching back to 'default' vault..." echo "Switching back to 'default' vault..."
if $SECRET_BINARY vault select default > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select default"
if $SECRET_BINARY vault select default; then
print_success "Switched back to 'default' vault" print_success "Switched back to 'default' vault"
# Verify default vault secrets are still there # Verify default vault secrets are still there
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"database/password\""
if $SECRET_BINARY get "database/password"; then
print_success "Default vault secrets still accessible" print_success "Default vault secrets still accessible"
else else
print_error "Default vault secrets not accessible" print_error "Default vault secrets not accessible"
@ -645,15 +693,17 @@ fi
print_step "14" "Testing environment variable error handling" print_step "14" "Testing environment variable error handling"
# Test with non-existent state directory # Test with non-existent state directory
export SB_SECRET_STATE_DIR="/nonexistent/directory" export SB_SECRET_STATE_DIR="$TEMP_DIR/nonexistent/directory"
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"database/password\""
if $SECRET_BINARY get "database/password"; then
print_error "Should have failed with non-existent state directory" print_error "Should have failed with non-existent state directory"
else else
print_success "Correctly failed with non-existent state directory" print_success "Correctly failed with non-existent state directory"
fi fi
# Test init with non-existent directory (should work) # Test init with non-existent directory (should work)
if $SECRET_BINARY init > /dev/null 2>&1; then echo "Running: $SECRET_BINARY init"
if $SECRET_BINARY init; then
print_success "Init works with non-existent state directory" print_success "Init works with non-existent state directory"
else else
print_error "Init should work with non-existent state directory" print_error "Init should work with non-existent state directory"
@ -671,15 +721,18 @@ export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
# Create another unlock key for testing removal # Create another unlock key for testing removal
echo "Creating additional unlock key for removal testing..." echo "Creating additional unlock key for removal testing..."
# Use stdin input instead of environment variable # Use stdin input instead of environment variable
if echo "another-passphrase" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then echo "Running: echo \"another-passphrase\" | $SECRET_BINARY keys add passphrase"
if echo "another-passphrase" | $SECRET_BINARY keys add passphrase; then
print_success "Created additional unlock key" print_success "Created additional unlock key"
# Get the key ID and try to remove it # Get the key ID and try to remove it
if $SECRET_BINARY keys list > /dev/null 2>&1; then echo "Running: $SECRET_BINARY keys list"
if $SECRET_BINARY keys list; then
KEY_TO_REMOVE=$($SECRET_BINARY keys list | tail -n1 | awk '{print $1}') KEY_TO_REMOVE=$($SECRET_BINARY keys list | tail -n1 | awk '{print $1}')
if [ -n "$KEY_TO_REMOVE" ]; then if [ -n "$KEY_TO_REMOVE" ]; then
echo "Attempting to remove unlock key: $KEY_TO_REMOVE" echo "Attempting to remove unlock key: $KEY_TO_REMOVE"
if $SECRET_BINARY keys rm "$KEY_TO_REMOVE" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY keys rm $KEY_TO_REMOVE"
if $SECRET_BINARY keys rm "$KEY_TO_REMOVE"; then
print_success "Removed unlock key: $KEY_TO_REMOVE" print_success "Removed unlock key: $KEY_TO_REMOVE"
else else
print_warning "Unlock key removal not yet implemented" print_warning "Unlock key removal not yet implemented"
@ -703,7 +756,9 @@ fi
# Test without mnemonic but with unlock key # Test without mnemonic but with unlock key
unset SB_SECRET_MNEMONIC unset SB_SECRET_MNEMONIC
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then echo "Testing traditional unlock key access to mnemonic-created secrets..."
echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY get \"database/password\""
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "database/password"; then
print_success "Traditional unlock key can access mnemonic-created secrets" print_success "Traditional unlock key can access mnemonic-created secrets"
else else
print_warning "Traditional unlock key cannot access mnemonic-created secrets (may need implementation)" print_warning "Traditional unlock key cannot access mnemonic-created secrets (may need implementation)"
@ -717,11 +772,13 @@ print_step "17" "Testing refactored architecture - separation of concerns"
echo "Testing that secrets handle their own data access..." echo "Testing that secrets handle their own data access..."
# Create a test secret first # Create a test secret first
if echo "test-self-access" | $SECRET_BINARY add "test/self-access" > /dev/null 2>&1; then echo "Running: echo \"test-self-access\" | $SECRET_BINARY add \"test/self-access\""
if echo "test-self-access" | $SECRET_BINARY add "test/self-access"; then
print_success "Created test secret for self-access testing" print_success "Created test secret for self-access testing"
# Try to retrieve it (this tests that Secret.GetEncryptedData() works) # Try to retrieve it (this tests that Secret.GetEncryptedData() works)
if $SECRET_BINARY get "test/self-access" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"test/self-access\""
if $SECRET_BINARY get "test/self-access"; then
print_success "Secret correctly handles its own data access" print_success "Secret correctly handles its own data access"
else else
print_error "Secret failed to handle its own data access" print_error "Secret failed to handle its own data access"
@ -733,7 +790,8 @@ fi
echo "Testing unlock key delegation pattern..." echo "Testing unlock key delegation pattern..."
# Test that vault delegates to unlock keys for decryption # Test that vault delegates to unlock keys for decryption
# This is tested implicitly by all our secret retrieval operations # This is tested implicitly by all our secret retrieval operations
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"database/password\""
if $SECRET_BINARY get "database/password"; then
print_success "Vault correctly delegates to unlock keys for decryption" print_success "Vault correctly delegates to unlock keys for decryption"
else else
print_error "Vault delegation pattern failed" print_error "Vault delegation pattern failed"
@ -746,12 +804,15 @@ echo "Verifying all unlock key types implement required methods..."
# Create different types of unlock keys to test interface compliance # Create different types of unlock keys to test interface compliance
echo "Testing PassphraseUnlockKey interface compliance..." echo "Testing PassphraseUnlockKey interface compliance..."
if echo "interface-test-pass" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then echo "Running: echo \"interface-test-pass\" | $SECRET_BINARY keys add passphrase"
if echo "interface-test-pass" | $SECRET_BINARY keys add passphrase; then
print_success "PassphraseUnlockKey created successfully" print_success "PassphraseUnlockKey created successfully"
# Test that we can use it (this verifies GetIdentity and DecryptSecret work) # Test that we can use it (this verifies GetIdentity and DecryptSecret work)
if echo "interface-test-secret" | $SECRET_BINARY add "interface/test" > /dev/null 2>&1; then echo "Running: echo \"interface-test-secret\" | $SECRET_BINARY add \"interface/test\""
if $SECRET_BINARY get "interface/test" > /dev/null 2>&1; then if echo "interface-test-secret" | $SECRET_BINARY add "interface/test"; then
echo "Running: $SECRET_BINARY get \"interface/test\""
if $SECRET_BINARY get "interface/test"; then
print_success "PassphraseUnlockKey interface methods working" print_success "PassphraseUnlockKey interface methods working"
else else
print_error "PassphraseUnlockKey interface methods failed" print_error "PassphraseUnlockKey interface methods failed"
@ -766,12 +827,15 @@ fi
# Test Secure Enclave on macOS (if available) # Test Secure Enclave on macOS (if available)
if [[ "$OSTYPE" == "darwin"* ]]; then if [[ "$OSTYPE" == "darwin"* ]]; then
echo "Testing SEPUnlockKey interface compliance on macOS..." echo "Testing SEPUnlockKey interface compliance on macOS..."
if $SECRET_BINARY enroll sep > /dev/null 2>&1; then echo "Running: $SECRET_BINARY enroll sep"
if $SECRET_BINARY enroll sep; then
print_success "SEPUnlockKey created successfully" print_success "SEPUnlockKey created successfully"
# Test that we can use it # Test that we can use it
if echo "sep-test-secret" | $SECRET_BINARY add "sep/test" > /dev/null 2>&1; then echo "Running: echo \"sep-test-secret\" | $SECRET_BINARY add \"sep/test\""
if $SECRET_BINARY get "sep/test" > /dev/null 2>&1; then if echo "sep-test-secret" | $SECRET_BINARY add "sep/test"; then
echo "Running: $SECRET_BINARY get \"sep/test\""
if $SECRET_BINARY get "sep/test"; then
print_success "SEPUnlockKey interface methods working" print_success "SEPUnlockKey interface methods working"
else else
print_error "SEPUnlockKey interface methods failed" print_error "SEPUnlockKey interface methods failed"
@ -787,36 +851,40 @@ else
fi fi
# Test 19: Long-term Key Management Separation # Test 19: Long-term Key Management Separation
print_step "19" "Testing long-term key management separation" print_step "19" "Testing long-term key access via different unlock key types"
echo "Testing that unlock keys manage their own long-term keys..." echo "Testing that different unlock key types can access the same long-term key..."
# Switch between different unlock methods to verify each handles its own long-term keys # Switch between different unlock methods to verify each can access the long-term key
echo "Testing mnemonic-based long-term key management..." echo "Testing mnemonic-based long-term key access..."
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
if echo "mnemonic-longterm-test" | $SECRET_BINARY add "longterm/mnemonic" > /dev/null 2>&1; then echo "Running: echo \"mnemonic-longterm-test\" | $SECRET_BINARY add \"longterm/mnemonic\""
if $SECRET_BINARY get "longterm/mnemonic" > /dev/null 2>&1; then if echo "mnemonic-longterm-test" | $SECRET_BINARY add "longterm/mnemonic"; then
print_success "Mnemonic-based long-term key management working" echo "Running: $SECRET_BINARY get \"longterm/mnemonic\""
if $SECRET_BINARY get "longterm/mnemonic"; then
print_success "Mnemonic-based long-term key access working"
else else
print_error "Mnemonic-based long-term key management failed" print_error "Mnemonic-based long-term key access failed"
fi fi
else else
print_error "Failed to test mnemonic-based long-term key management" print_error "Failed to test mnemonic-based long-term key access"
fi fi
echo "Testing passphrase-based long-term key management..." echo "Testing passphrase unlock key accessing long-term key..."
unset SB_SECRET_MNEMONIC unset SB_SECRET_MNEMONIC
if echo "passphrase-longterm-test" | $SECRET_BINARY add "longterm/passphrase" > /dev/null 2>&1; then echo "Running: echo \"passphrase-unlock-test\" | $SECRET_BINARY add \"longterm/passphrase-unlock\""
if $SECRET_BINARY get "longterm/passphrase" > /dev/null 2>&1; then if echo "passphrase-unlock-test" | $SECRET_BINARY add "longterm/passphrase-unlock"; then
print_success "Passphrase-based long-term key management working" echo "Running: echo \"$TEST_PASSPHRASE\" | $SECRET_BINARY get \"longterm/passphrase-unlock\""
if echo "$TEST_PASSPHRASE" | $SECRET_BINARY get "longterm/passphrase-unlock"; then
print_success "Passphrase unlock key accessing long-term key working"
else else
print_error "Passphrase-based long-term key management failed" print_error "Passphrase unlock key accessing long-term key failed"
fi fi
else else
print_error "Failed to test passphrase-based long-term key management" print_error "Failed to test passphrase unlock key accessing long-term key"
fi fi
# Re-enable mnemonic # Re-enable mnemonic for remaining tests
export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
# Test 20: Directory Structure and File Access Patterns # Test 20: Directory Structure and File Access Patterns
@ -826,7 +894,8 @@ echo "Verifying secrets access their own directory structure..."
# Check that secret directories contain the expected structure # Check that secret directories contain the expected structure
SECRET_NAME="structure/test" SECRET_NAME="structure/test"
if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME" > /dev/null 2>&1; then echo "Running: echo \"structure-test-value\" | $SECRET_BINARY add $SECRET_NAME"
if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME"; then
print_success "Created secret for structure testing" print_success "Created secret for structure testing"
# Convert secret name to directory name (URL encoding) # Convert secret name to directory name (URL encoding)
@ -837,7 +906,8 @@ if echo "structure-test-value" | $SECRET_BINARY add "$SECRET_NAME" > /dev/null 2
print_success "Secret directory structure created correctly" print_success "Secret directory structure created correctly"
# Verify secret can access its own encrypted data # Verify secret can access its own encrypted data
if $SECRET_BINARY get "$SECRET_NAME" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get $SECRET_NAME"
if $SECRET_BINARY get "$SECRET_NAME"; then
print_success "Secret correctly accesses its own encrypted data" print_success "Secret correctly accesses its own encrypted data"
else else
print_error "Secret failed to access its own encrypted data" print_error "Secret failed to access its own encrypted data"
@ -886,7 +956,8 @@ print_step "21" "Testing error handling in refactored architecture"
echo "Testing secret error handling..." echo "Testing secret error handling..."
# Test non-existent secret # Test non-existent secret
if $SECRET_BINARY get "nonexistent/secret" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"nonexistent/secret\""
if $SECRET_BINARY get "nonexistent/secret"; then
print_error "Should have failed for non-existent secret" print_error "Should have failed for non-existent secret"
else else
print_success "Correctly handled non-existent secret" print_success "Correctly handled non-existent secret"
@ -904,7 +975,8 @@ if [ -d "$FIRST_KEY_DIR" ] && [ -f "$FIRST_KEY_DIR/priv.age" ]; then
# Temporarily disable mnemonic to force unlock key usage # Temporarily disable mnemonic to force unlock key usage
unset SB_SECRET_MNEMONIC unset SB_SECRET_MNEMONIC
if $SECRET_BINARY get "database/password" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"database/password\""
if $SECRET_BINARY get "database/password"; then
print_warning "Expected failure with corrupted unlock key, but succeeded (may have fallback)" print_warning "Expected failure with corrupted unlock key, but succeeded (may have fallback)"
else else
print_success "Correctly handled corrupted unlock key" print_success "Correctly handled corrupted unlock key"
@ -925,27 +997,33 @@ print_step "22" "Testing cross-component integration"
echo "Testing vault-secret-unlock key integration..." echo "Testing vault-secret-unlock key integration..."
# Create a secret in one vault, switch vaults, create another secret, switch back # Create a secret in one vault, switch vaults, create another secret, switch back
if $SECRET_BINARY vault create integration-test > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault create integration-test"
if $SECRET_BINARY vault create integration-test; then
print_success "Created integration test vault" print_success "Created integration test vault"
# Add secret to default vault # Add secret to default vault
if echo "default-vault-secret" | $SECRET_BINARY add "integration/default" > /dev/null 2>&1; then echo "Running: echo \"default-vault-secret\" | $SECRET_BINARY add \"integration/default\""
if echo "default-vault-secret" | $SECRET_BINARY add "integration/default"; then
print_success "Added secret to default vault" print_success "Added secret to default vault"
# Switch to integration-test vault # Switch to integration-test vault
if $SECRET_BINARY vault select integration-test > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select integration-test"
if $SECRET_BINARY vault select integration-test; then
print_success "Switched to integration-test vault" print_success "Switched to integration-test vault"
# Create unlock key in new vault # Create unlock key in new vault
if echo "integration-passphrase" | $SECRET_BINARY keys add passphrase > /dev/null 2>&1; then echo "Running: echo \"integration-passphrase\" | $SECRET_BINARY keys add passphrase"
if echo "integration-passphrase" | $SECRET_BINARY keys add passphrase; then
print_success "Created unlock key in integration-test vault" print_success "Created unlock key in integration-test vault"
# Add secret to integration-test vault # Add secret to integration-test vault
if echo "integration-vault-secret" | $SECRET_BINARY add "integration/test" > /dev/null 2>&1; then echo "Running: echo \"integration-vault-secret\" | $SECRET_BINARY add \"integration/test\""
if echo "integration-vault-secret" | $SECRET_BINARY add "integration/test"; then
print_success "Added secret to integration-test vault" print_success "Added secret to integration-test vault"
# Verify secret retrieval works # Verify secret retrieval works
if $SECRET_BINARY get "integration/test" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"integration/test\""
if $SECRET_BINARY get "integration/test"; then
print_success "Cross-component integration working" print_success "Cross-component integration working"
else else
print_error "Cross-component integration failed" print_error "Cross-component integration failed"
@ -958,11 +1036,13 @@ if $SECRET_BINARY vault create integration-test > /dev/null 2>&1; then
fi fi
# Switch back to default vault # Switch back to default vault
if $SECRET_BINARY vault select default > /dev/null 2>&1; then echo "Running: $SECRET_BINARY vault select default"
if $SECRET_BINARY vault select default; then
print_success "Switched back to default vault" print_success "Switched back to default vault"
# Verify we can still access default vault secrets # Verify we can still access default vault secrets
if $SECRET_BINARY get "integration/default" > /dev/null 2>&1; then echo "Running: $SECRET_BINARY get \"integration/default\""
if $SECRET_BINARY get "integration/default"; then
print_success "Can still access default vault secrets" print_success "Can still access default vault secrets"
else else
print_error "Cannot access default vault secrets after switching" print_error "Cannot access default vault secrets after switching"
@ -999,7 +1079,7 @@ echo -e "${GREEN}✓ Mixed approach compatibility${NC}"
echo -e "${GREEN}✓ Error handling${NC}" echo -e "${GREEN}✓ Error handling${NC}"
echo -e "${GREEN}✓ Refactored architecture - separation of concerns${NC}" echo -e "${GREEN}✓ Refactored architecture - separation of concerns${NC}"
echo -e "${GREEN}✓ Interface method compliance${NC}" echo -e "${GREEN}✓ Interface method compliance${NC}"
echo -e "${GREEN}✓ Long-term key management separation${NC}" echo -e "${GREEN}✓ Long-term key access via different unlock key types${NC}"
echo -e "${GREEN}✓ Directory structure and file access patterns${NC}" echo -e "${GREEN}✓ Directory structure and file access patterns${NC}"
echo -e "${GREEN}✓ Error handling in refactored architecture${NC}" echo -e "${GREEN}✓ Error handling in refactored architecture${NC}"
echo -e "${GREEN}✓ Cross-component integration${NC}" echo -e "${GREEN}✓ Cross-component integration${NC}"