uses protected memory buffers now for all secrets in ram

2025-07-15 08:32:33 +02:00
parent d3ca006886
commit 7596049828
22 changed files with 786 additions and 133 deletions
--- a/internal/cli/secrets_size_test.go
+++ b/internal/cli/secrets_size_test.go
@@ -0,0 +1,425 @@
+package cli
+
+import (
+	"bytes"
+	"crypto/rand"
+	"fmt"
+	"io"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"git.eeqj.de/sneak/secret/internal/secret"
+	"git.eeqj.de/sneak/secret/internal/vault"
+	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/spf13/afero"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestAddSecretVariousSizes tests adding secrets of various sizes through stdin
+func TestAddSecretVariousSizes(t *testing.T) {
+	tests := []struct {
+		name        string
+		size        int
+		shouldError bool
+		errorMsg    string
+	}{
+		{
+			name:        "1KB secret",
+			size:        1024,
+			shouldError: false,
+		},
+		{
+			name:        "10KB secret",
+			size:        10 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "100KB secret",
+			size:        100 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "1MB secret",
+			size:        1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "10MB secret",
+			size:        10 * 1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "99MB secret",
+			size:        99 * 1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "100MB secret minus 1 byte",
+			size:        100*1024*1024 - 1,
+			shouldError: false,
+		},
+		{
+			name:        "101MB secret - should fail",
+			size:        101 * 1024 * 1024,
+			shouldError: true,
+			errorMsg:    "secret too large: exceeds 100MB limit",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up test environment
+			fs := afero.NewMemMapFs()
+			stateDir := "/test/state"
+			
+			// Set test mnemonic
+			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+			
+			// Create vault
+			vaultName := "test-vault"
+			_, err := vault.CreateVault(fs, stateDir, vaultName)
+			require.NoError(t, err)
+			
+			// Set current vault
+			currentVaultPath := filepath.Join(stateDir, "currentvault")
+			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
+			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
+			require.NoError(t, err)
+			
+			// Get vault and set up long-term key
+			vlt, err := vault.GetCurrentVault(fs, stateDir)
+			require.NoError(t, err)
+			
+			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
+			require.NoError(t, err)
+			vlt.Unlock(ltIdentity)
+			
+			// Generate test data of specified size
+			testData := make([]byte, tt.size)
+			_, err = rand.Read(testData)
+			require.NoError(t, err)
+			
+			// Add newline that will be stripped
+			testDataWithNewline := append(testData, '\n')
+			
+			// Create fake stdin
+			stdin := bytes.NewReader(testDataWithNewline)
+			
+			// Create command with fake stdin
+			cmd := &cobra.Command{}
+			cmd.SetIn(stdin)
+			
+			// Create CLI instance
+			cli := NewCLIInstance()
+			cli.fs = fs
+			cli.stateDir = stateDir
+			cli.cmd = cmd
+			
+			// Test adding the secret
+			secretName := fmt.Sprintf("test-secret-%d", tt.size)
+			err = cli.AddSecret(secretName, false)
+			
+			if tt.shouldError {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errorMsg)
+			} else {
+				require.NoError(t, err)
+				
+				// Verify the secret was stored correctly
+				retrievedValue, err := vlt.GetSecret(secretName)
+				require.NoError(t, err)
+				assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original (without newline)")
+			}
+		})
+	}
+}
+
+// TestImportSecretVariousSizes tests importing secrets of various sizes from files
+func TestImportSecretVariousSizes(t *testing.T) {
+	tests := []struct {
+		name        string
+		size        int
+		shouldError bool
+		errorMsg    string
+	}{
+		{
+			name:        "1KB file",
+			size:        1024,
+			shouldError: false,
+		},
+		{
+			name:        "10KB file",
+			size:        10 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "100KB file",
+			size:        100 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "1MB file",
+			size:        1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "10MB file",
+			size:        10 * 1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "99MB file",
+			size:        99 * 1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "100MB file",
+			size:        100 * 1024 * 1024,
+			shouldError: false,
+		},
+		{
+			name:        "101MB file - should fail",
+			size:        101 * 1024 * 1024,
+			shouldError: true,
+			errorMsg:    "secret file too large: exceeds 100MB limit",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up test environment
+			fs := afero.NewMemMapFs()
+			stateDir := "/test/state"
+			
+			// Set test mnemonic
+			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+			
+			// Create vault
+			vaultName := "test-vault"
+			_, err := vault.CreateVault(fs, stateDir, vaultName)
+			require.NoError(t, err)
+			
+			// Set current vault
+			currentVaultPath := filepath.Join(stateDir, "currentvault")
+			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
+			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
+			require.NoError(t, err)
+			
+			// Get vault and set up long-term key
+			vlt, err := vault.GetCurrentVault(fs, stateDir)
+			require.NoError(t, err)
+			
+			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
+			require.NoError(t, err)
+			vlt.Unlock(ltIdentity)
+			
+			// Generate test data of specified size
+			testData := make([]byte, tt.size)
+			_, err = rand.Read(testData)
+			require.NoError(t, err)
+			
+			// Write test data to file
+			testFile := fmt.Sprintf("/test/secret-%d.bin", tt.size)
+			err = afero.WriteFile(fs, testFile, testData, 0o600)
+			require.NoError(t, err)
+			
+			// Create command
+			cmd := &cobra.Command{}
+			
+			// Create CLI instance
+			cli := NewCLIInstance()
+			cli.fs = fs
+			cli.stateDir = stateDir
+			
+			// Test importing the secret
+			secretName := fmt.Sprintf("imported-secret-%d", tt.size)
+			err = cli.ImportSecret(cmd, secretName, testFile, false)
+			
+			if tt.shouldError {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errorMsg)
+			} else {
+				require.NoError(t, err)
+				
+				// Verify the secret was stored correctly
+				retrievedValue, err := vlt.GetSecret(secretName)
+				require.NoError(t, err)
+				assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original")
+			}
+		})
+	}
+}
+
+// TestAddSecretBufferGrowth tests that our buffer growth strategy works correctly
+func TestAddSecretBufferGrowth(t *testing.T) {
+	// Test various sizes that should trigger buffer growth
+	sizes := []int{
+		1,        // Single byte
+		100,      // Small
+		4095,     // Just under initial 4KB
+		4096,     // Exactly 4KB
+		4097,     // Just over 4KB
+		8191,     // Just under 8KB (first double)
+		8192,     // Exactly 8KB
+		8193,     // Just over 8KB
+		12288,    // 12KB (should trigger second double)
+		16384,    // 16KB
+		32768,    // 32KB (after more doublings)
+		65536,    // 64KB
+		131072,   // 128KB
+		524288,   // 512KB
+		1048576,  // 1MB
+		2097152,  // 2MB
+	}
+
+	for _, size := range sizes {
+		t.Run(fmt.Sprintf("size_%d", size), func(t *testing.T) {
+			// Set up test environment
+			fs := afero.NewMemMapFs()
+			stateDir := "/test/state"
+			
+			// Set test mnemonic
+			t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+			
+			// Create vault
+			vaultName := "test-vault"
+			_, err := vault.CreateVault(fs, stateDir, vaultName)
+			require.NoError(t, err)
+			
+			// Set current vault
+			currentVaultPath := filepath.Join(stateDir, "currentvault")
+			vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
+			err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
+			require.NoError(t, err)
+			
+			// Get vault and set up long-term key
+			vlt, err := vault.GetCurrentVault(fs, stateDir)
+			require.NoError(t, err)
+			
+			ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
+			require.NoError(t, err)
+			vlt.Unlock(ltIdentity)
+			
+			// Create test data of exactly the specified size
+			// Use a pattern that's easy to verify
+			testData := make([]byte, size)
+			for i := range testData {
+				testData[i] = byte(i % 256)
+			}
+			
+			// Create fake stdin without newline
+			stdin := bytes.NewReader(testData)
+			
+			// Create command with fake stdin
+			cmd := &cobra.Command{}
+			cmd.SetIn(stdin)
+			
+			// Create CLI instance
+			cli := NewCLIInstance()
+			cli.fs = fs
+			cli.stateDir = stateDir
+			cli.cmd = cmd
+			
+			// Test adding the secret
+			secretName := fmt.Sprintf("buffer-test-%d", size)
+			err = cli.AddSecret(secretName, false)
+			require.NoError(t, err)
+			
+			// Verify the secret was stored correctly
+			retrievedValue, err := vlt.GetSecret(secretName)
+			require.NoError(t, err)
+			assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original exactly")
+		})
+	}
+}
+
+// TestAddSecretStreamingBehavior tests that we handle streaming input correctly
+func TestAddSecretStreamingBehavior(t *testing.T) {
+	// Set up test environment
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	
+	// Set test mnemonic
+	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+	
+	// Create vault
+	vaultName := "test-vault"
+	_, err := vault.CreateVault(fs, stateDir, vaultName)
+	require.NoError(t, err)
+	
+	// Set current vault
+	currentVaultPath := filepath.Join(stateDir, "currentvault")
+	vaultPath := filepath.Join(stateDir, "vaults.d", vaultName)
+	err = afero.WriteFile(fs, currentVaultPath, []byte(vaultPath), 0o600)
+	require.NoError(t, err)
+	
+	// Get vault and set up long-term key
+	vlt, err := vault.GetCurrentVault(fs, stateDir)
+	require.NoError(t, err)
+	
+	ltIdentity, err := agehd.DeriveIdentity("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", 0)
+	require.NoError(t, err)
+	vlt.Unlock(ltIdentity)
+	
+	// Create a custom reader that simulates slow streaming input
+	// This will help verify our buffer handling works correctly with partial reads
+	testData := []byte(strings.Repeat("Hello, World! ", 1000)) // ~14KB
+	slowReader := &slowReader{
+		data:      testData,
+		chunkSize: 1000, // Read 1KB at a time
+	}
+	
+	// Create command with slow reader as stdin
+	cmd := &cobra.Command{}
+	cmd.SetIn(slowReader)
+	
+	// Create CLI instance
+	cli := NewCLIInstance()
+	cli.fs = fs
+	cli.stateDir = stateDir
+	cli.cmd = cmd
+	
+	// Test adding the secret
+	err = cli.AddSecret("streaming-test", false)
+	require.NoError(t, err)
+	
+	// Verify the secret was stored correctly
+	retrievedValue, err := vlt.GetSecret("streaming-test")
+	require.NoError(t, err)
+	assert.Equal(t, testData, retrievedValue, "Retrieved secret should match original")
+}
+
+// slowReader simulates a reader that returns data in small chunks
+type slowReader struct {
+	data      []byte
+	offset    int
+	chunkSize int
+}
+
+func (r *slowReader) Read(p []byte) (n int, err error) {
+	if r.offset >= len(r.data) {
+		return 0, io.EOF
+	}
+	
+	// Read at most chunkSize bytes
+	remaining := len(r.data) - r.offset
+	toRead := r.chunkSize
+	if toRead > remaining {
+		toRead = remaining
+	}
+	if toRead > len(p) {
+		toRead = len(p)
+	}
+	
+	n = copy(p, r.data[r.offset:r.offset+toRead])
+	r.offset += n
+	
+	if r.offset >= len(r.data) {
+		err = io.EOF
+	}
+	
+	return n, err
+}