uses protected memory buffers now for all secrets in ram

internal/vault/integration_test.go

@@ -8,6 +8,7 @@ import (
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
 )
 
@@ -107,8 +108,13 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 		// Create a secret with a deeply nested path
 		deepPath := "api/credentials/production/database/primary"
 		secretValue := []byte("supersecretdbpassword")
+		expectedValue := make([]byte, len(secretValue))
+		copy(expectedValue, secretValue)
 
-		err = vlt.AddSecret(deepPath, secretValue, false)
+		secretBuffer := memguard.NewBufferFromBytes(secretValue)
+		defer secretBuffer.Destroy()
+
+		err = vlt.AddSecret(deepPath, secretBuffer, false)
 		if err != nil {
 			t.Fatalf("Failed to add secret with deep path: %v", err)
 		}
@@ -137,9 +143,9 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 			t.Fatalf("Failed to retrieve deep path secret: %v", err)
 		}
 
-		if string(retrievedValue) != string(secretValue) {
+		if string(retrievedValue) != string(expectedValue) {
 			t.Errorf("Retrieved value doesn't match. Expected %q, got %q",
-				string(secretValue), string(retrievedValue))
+				string(expectedValue), string(retrievedValue))
 		}
 	})
 
@@ -368,7 +374,11 @@ func TestVaultWithRealFilesystem(t *testing.T) {
 		// Add a secret to vault1
 		secretName := "test-secret"
 		secretValue := []byte("secret in vault1")
-		if err := vault1.AddSecret(secretName, secretValue, false); err != nil {
+
+		secretBuffer := memguard.NewBufferFromBytes(secretValue)
+		defer secretBuffer.Destroy()
+
+		if err := vault1.AddSecret(secretName, secretBuffer, false); err != nil {
 			t.Fatalf("Failed to add secret to vault1: %v", err)
 		}