diff --git a/test_secret_manager.sh b/test_secret_manager.sh index 92f7e67..6c9a4d9 100755 --- a/test_secret_manager.sh +++ b/test_secret_manager.sh @@ -354,30 +354,46 @@ else print_error "Failed to list secrets" fi -# Test 7: Secret management without mnemonic (traditional unlocker approach) -print_step "7" "Testing traditional unlocker approach" +# Test 7: Testing vault operations with different unlockers +print_step "7" "Testing vault operations with passphrase unlocker" -# Create a new vault without mnemonic +# Create a new vault for unlocker testing echo "Running: $SECRET_BINARY vault create traditional" $SECRET_BINARY vault create traditional -# Add a secret using traditional unlocker approach -echo "Adding secret using traditional unlocker..." +# Import mnemonic into the traditional vault (required for versioned secrets) +echo "Importing mnemonic into traditional vault..." +export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" +echo "Running: $SECRET_BINARY vault import traditional" +if $SECRET_BINARY vault import traditional; then + print_success "Imported mnemonic into traditional vault" +else + print_error "Failed to import mnemonic into traditional vault" +fi +unset SB_UNLOCK_PASSPHRASE + +# Now add a secret using the vault with unlocker +echo "Adding secret to vault with unlocker..." echo "Running: echo 'traditional-secret' | $SECRET_BINARY add traditional/secret" if echo "traditional-secret" | $SECRET_BINARY add traditional/secret; then - print_success "Added secret with traditional approach" + print_success "Added secret to vault with unlocker" else - print_error "Failed to add secret with traditional approach" + print_error "Failed to add secret to vault with unlocker" fi -# Retrieve secret using traditional unlocker approach -echo "Retrieving secret using traditional unlocker approach..." -echo "Running: $SECRET_BINARY get traditional/secret" +# Retrieve secret using passphrase (temporarily unset mnemonic to test unlocker) +echo "Retrieving secret from vault with unlocker..." +TEMP_MNEMONIC="$SB_SECRET_MNEMONIC" +unset SB_SECRET_MNEMONIC +export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" +echo "Running: $SECRET_BINARY get traditional/secret (using passphrase unlocker)" if RETRIEVED=$($SECRET_BINARY get traditional/secret 2>&1); then print_success "Retrieved: $RETRIEVED" else - print_error "Failed to retrieve secret with traditional approach" + print_error "Failed to retrieve secret from vault with unlocker" fi +unset SB_UNLOCK_PASSPHRASE +export SB_SECRET_MNEMONIC="$TEMP_MNEMONIC" # Test 8: Advanced unlocker management print_step "8" "Testing advanced unlocker management" @@ -414,6 +430,10 @@ fi # Test 9: Secret name validation and edge cases print_step "9" "Testing secret name validation and edge cases" +# Switch back to default vault for name validation tests +echo "Switching back to default vault..." +$SECRET_BINARY vault select default + # Test valid names VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths") for name in "${VALID_NAMES[@]}"; do @@ -543,15 +563,37 @@ if [ -d "$TEMP_DIR/vaults.d/default/secrets.d" ]; then if [ -d "$SECRET_DIR" ]; then print_success "Secret directory exists: database%password" - # Check required files for per-secret key architecture - FILES=("value.age" "pub.age" "priv.age" "secret-metadata.json") - for file in "${FILES[@]}"; do - if [ -f "$SECRET_DIR/$file" ]; then - print_success "Required file exists: $file" - else - print_error "Required file missing: $file" - fi - done + # Check for versions directory and current symlink + if [ -d "$SECRET_DIR/versions" ]; then + print_success "Versions directory exists" + else + print_error "Versions directory missing" + fi + + if [ -L "$SECRET_DIR/current" ] || [ -f "$SECRET_DIR/current" ]; then + print_success "Current version symlink exists" + else + print_error "Current version symlink missing" + fi + + # Check version directory structure + LATEST_VERSION=$(ls -1 "$SECRET_DIR/versions" 2>/dev/null | sort -r | head -n1) + if [ -n "$LATEST_VERSION" ]; then + VERSION_DIR="$SECRET_DIR/versions/$LATEST_VERSION" + print_success "Found version directory: $LATEST_VERSION" + + # Check required files in version directory + VERSION_FILES=("value.age" "pub.age" "priv.age" "metadata.age") + for file in "${VERSION_FILES[@]}"; do + if [ -f "$VERSION_DIR/$file" ]; then + print_success "Version file exists: $file" + else + print_error "Version file missing: $file" + fi + done + else + print_error "No version directories found" + fi else print_error "Secret directory not found" fi @@ -608,14 +650,26 @@ export SB_SECRET_STATE_DIR="$TEMP_DIR" # Test 14: Mixed approach compatibility print_step "14" "Testing mixed approach compatibility" -# Verify mnemonic can access traditional secrets +# Switch to traditional vault and test access with passphrase +echo "Switching to traditional vault..." +$SECRET_BINARY vault select traditional + +# Verify passphrase can access traditional vault secrets +unset SB_SECRET_MNEMONIC +export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE" RETRIEVED_MIXED=$($SECRET_BINARY get "traditional/secret" 2>/dev/null) -if [ "$RETRIEVED_MIXED" = "traditional-secret-value" ]; then - print_success "Mnemonic can access traditional secrets" +unset SB_UNLOCK_PASSPHRASE +export SB_SECRET_MNEMONIC="$TEST_MNEMONIC" + +if [ "$RETRIEVED_MIXED" = "traditional-secret" ]; then + print_success "Passphrase unlocker can access vault secrets" else - print_error "Mnemonic cannot access traditional secrets" + print_error "Failed to access secret from traditional vault (expected: traditional-secret, got: $RETRIEVED_MIXED)" fi +# Switch back to default vault +$SECRET_BINARY vault select default + # Test without mnemonic but with unlocker echo "Testing mnemonic-created vault access..." echo "Testing traditional unlocker access to mnemonic-created secrets..." @@ -679,10 +733,10 @@ FIRST_VERSION=$(echo "$VERSIONS" | tail -n1) if [ -n "$FIRST_VERSION" ]; then echo "Running: $SECRET_BINARY get --version $FIRST_VERSION \"database/password\"" VERSIONED_VALUE=$($SECRET_BINARY get --version "$FIRST_VERSION" "database/password" 2>/dev/null) - if [ "$VERSIONED_VALUE" = "new-password-value" ]; then + if [ "$VERSIONED_VALUE" = "my-super-secret-password" ]; then print_success "Retrieved correct value from specific version" else - print_error "Retrieved incorrect value from specific version (expected: new-password-value, got: $VERSIONED_VALUE)" + print_error "Retrieved incorrect value from specific version (expected: my-super-secret-password, got: $VERSIONED_VALUE)" fi else print_error "Could not determine version to test" @@ -697,10 +751,10 @@ if [ -n "$FIRST_VERSION" ]; then # Verify the promoted version is now current PROMOTED_VALUE=$($SECRET_BINARY get "database/password" 2>/dev/null) - if [ "$PROMOTED_VALUE" = "new-password-value" ]; then + if [ "$PROMOTED_VALUE" = "my-super-secret-password" ]; then print_success "Promoted version is now current" else - print_error "Promoted version value is incorrect" + print_error "Promoted version value is incorrect (expected: my-super-secret-password, got: $PROMOTED_VALUE)" fi else print_error "Failed to promote version" @@ -741,7 +795,7 @@ echo -e "${GREEN}✓ Import functionality with environment variable combinations echo -e "${GREEN}✓ Import error handling (non-existent vault, invalid mnemonic)${NC}" echo -e "${GREEN}✓ Unlocker management (passphrase, PGP, SEP)${NC}" echo -e "${GREEN}✓ Secret generation and storage${NC}" -echo -e "${GREEN}✓ Traditional unlocker operations${NC}" +echo -e "${GREEN}✓ Vault operations with passphrase unlocker${NC}" echo -e "${GREEN}✓ Secret name validation${NC}" echo -e "${GREEN}✓ Overwrite protection and force flag${NC}" echo -e "${GREEN}✓ Cross-vault operations${NC}"