sneak/secret
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tests pass now, not sure if they are any good

Browse Source
This commit is contained in:
Jeffrey Paul 2025-06-08 22:29:55 -07:00
parent ac81023ea0
commit e036d280c0
1 changed files with 83 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
test_secret_manager.sh
View File

@ -354,30 +354,46 @@ else
print_error "Failed to list secrets" print_error "Failed to list secrets"
fi fi
# Test 7: Secret management without mnemonic (traditional unlocker approach) # Test 7: Testing vault operations with different unlockers
print_step "7" "Testing traditional unlocker approach" print_step "7" "Testing vault operations with passphrase unlocker"
# Create a new vault without mnemonic # Create a new vault for unlocker testing
echo "Running: $SECRET_BINARY vault create traditional" echo "Running: $SECRET_BINARY vault create traditional"
$SECRET_BINARY vault create traditional $SECRET_BINARY vault create traditional
# Add a secret using traditional unlocker approach # Import mnemonic into the traditional vault (required for versioned secrets)
echo "Adding secret using traditional unlocker..." echo "Importing mnemonic into traditional vault..."
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
echo "Running: $SECRET_BINARY vault import traditional"
if $SECRET_BINARY vault import traditional; then
print_success "Imported mnemonic into traditional vault"
else
print_error "Failed to import mnemonic into traditional vault"
fi
unset SB_UNLOCK_PASSPHRASE
# Now add a secret using the vault with unlocker
echo "Adding secret to vault with unlocker..."
echo "Running: echo 'traditional-secret' | $SECRET_BINARY add traditional/secret" echo "Running: echo 'traditional-secret' | $SECRET_BINARY add traditional/secret"
if echo "traditional-secret" | $SECRET_BINARY add traditional/secret; then if echo "traditional-secret" | $SECRET_BINARY add traditional/secret; then
print_success "Added secret with traditional approach" print_success "Added secret to vault with unlocker"
else else
print_error "Failed to add secret with traditional approach" print_error "Failed to add secret to vault with unlocker"
fi fi
# Retrieve secret using traditional unlocker approach # Retrieve secret using passphrase (temporarily unset mnemonic to test unlocker)
echo "Retrieving secret using traditional unlocker approach..." echo "Retrieving secret from vault with unlocker..."
echo "Running: $SECRET_BINARY get traditional/secret" TEMP_MNEMONIC="$SB_SECRET_MNEMONIC"
unset SB_SECRET_MNEMONIC
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
echo "Running: $SECRET_BINARY get traditional/secret (using passphrase unlocker)"
if RETRIEVED=$($SECRET_BINARY get traditional/secret 2>&1); then if RETRIEVED=$($SECRET_BINARY get traditional/secret 2>&1); then
print_success "Retrieved: $RETRIEVED" print_success "Retrieved: $RETRIEVED"
else else
print_error "Failed to retrieve secret with traditional approach" print_error "Failed to retrieve secret from vault with unlocker"
fi fi
unset SB_UNLOCK_PASSPHRASE
export SB_SECRET_MNEMONIC="$TEMP_MNEMONIC"
# Test 8: Advanced unlocker management # Test 8: Advanced unlocker management
print_step "8" "Testing advanced unlocker management" print_step "8" "Testing advanced unlocker management"
@ -414,6 +430,10 @@ fi
# Test 9: Secret name validation and edge cases # Test 9: Secret name validation and edge cases
print_step "9" "Testing secret name validation and edge cases" print_step "9" "Testing secret name validation and edge cases"
# Switch back to default vault for name validation tests
echo "Switching back to default vault..."
$SECRET_BINARY vault select default
# Test valid names # Test valid names
VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths") VALID_NAMES=("valid-name" "valid.name" "valid_name" "valid/path/name" "123valid" "a" "very-long-name-with-many-parts/and/paths")
for name in "${VALID_NAMES[@]}"; do for name in "${VALID_NAMES[@]}"; do
@ -543,15 +563,37 @@ if [ -d "$TEMP_DIR/vaults.d/default/secrets.d" ]; then
if [ -d "$SECRET_DIR" ]; then if [ -d "$SECRET_DIR" ]; then
print_success "Secret directory exists: database%password" print_success "Secret directory exists: database%password"
# Check required files for per-secret key architecture # Check for versions directory and current symlink
FILES=("value.age" "pub.age" "priv.age" "secret-metadata.json") if [ -d "$SECRET_DIR/versions" ]; then
for file in "${FILES[@]}"; do print_success "Versions directory exists"
if [ -f "$SECRET_DIR/$file" ]; then else
print_success "Required file exists: $file" print_error "Versions directory missing"
else fi
print_error "Required file missing: $file"
fi if [ -L "$SECRET_DIR/current" ] || [ -f "$SECRET_DIR/current" ]; then
done print_success "Current version symlink exists"
else
print_error "Current version symlink missing"
fi
# Check version directory structure
LATEST_VERSION=$(ls -1 "$SECRET_DIR/versions" 2>/dev/null | sort -r | head -n1)
if [ -n "$LATEST_VERSION" ]; then
VERSION_DIR="$SECRET_DIR/versions/$LATEST_VERSION"
print_success "Found version directory: $LATEST_VERSION"
# Check required files in version directory
VERSION_FILES=("value.age" "pub.age" "priv.age" "metadata.age")
for file in "${VERSION_FILES[@]}"; do
if [ -f "$VERSION_DIR/$file" ]; then
print_success "Version file exists: $file"
else
print_error "Version file missing: $file"
fi
done
else
print_error "No version directories found"
fi
else else
print_error "Secret directory not found" print_error "Secret directory not found"
fi fi
@ -608,14 +650,26 @@ export SB_SECRET_STATE_DIR="$TEMP_DIR"
# Test 14: Mixed approach compatibility # Test 14: Mixed approach compatibility
print_step "14" "Testing mixed approach compatibility" print_step "14" "Testing mixed approach compatibility"
# Verify mnemonic can access traditional secrets # Switch to traditional vault and test access with passphrase
echo "Switching to traditional vault..."
$SECRET_BINARY vault select traditional
# Verify passphrase can access traditional vault secrets
unset SB_SECRET_MNEMONIC
export SB_UNLOCK_PASSPHRASE="$TEST_PASSPHRASE"
RETRIEVED_MIXED=$($SECRET_BINARY get "traditional/secret" 2>/dev/null) RETRIEVED_MIXED=$($SECRET_BINARY get "traditional/secret" 2>/dev/null)
if [ "$RETRIEVED_MIXED" = "traditional-secret-value" ]; then unset SB_UNLOCK_PASSPHRASE
print_success "Mnemonic can access traditional secrets" export SB_SECRET_MNEMONIC="$TEST_MNEMONIC"
if [ "$RETRIEVED_MIXED" = "traditional-secret" ]; then
print_success "Passphrase unlocker can access vault secrets"
else else
print_error "Mnemonic cannot access traditional secrets" print_error "Failed to access secret from traditional vault (expected: traditional-secret, got: $RETRIEVED_MIXED)"
fi fi
# Switch back to default vault
$SECRET_BINARY vault select default
# Test without mnemonic but with unlocker # Test without mnemonic but with unlocker
echo "Testing mnemonic-created vault access..." echo "Testing mnemonic-created vault access..."
echo "Testing traditional unlocker access to mnemonic-created secrets..." echo "Testing traditional unlocker access to mnemonic-created secrets..."
@ -679,10 +733,10 @@ FIRST_VERSION=$(echo "$VERSIONS" | tail -n1)
if [ -n "$FIRST_VERSION" ]; then if [ -n "$FIRST_VERSION" ]; then
echo "Running: $SECRET_BINARY get --version $FIRST_VERSION \"database/password\"" echo "Running: $SECRET_BINARY get --version $FIRST_VERSION \"database/password\""
VERSIONED_VALUE=$($SECRET_BINARY get --version "$FIRST_VERSION" "database/password" 2>/dev/null) VERSIONED_VALUE=$($SECRET_BINARY get --version "$FIRST_VERSION" "database/password" 2>/dev/null)
if [ "$VERSIONED_VALUE" = "new-password-value" ]; then if [ "$VERSIONED_VALUE" = "my-super-secret-password" ]; then
print_success "Retrieved correct value from specific version" print_success "Retrieved correct value from specific version"
else else
print_error "Retrieved incorrect value from specific version (expected: new-password-value, got: $VERSIONED_VALUE)" print_error "Retrieved incorrect value from specific version (expected: my-super-secret-password, got: $VERSIONED_VALUE)"
fi fi
else else
print_error "Could not determine version to test" print_error "Could not determine version to test"
@ -697,10 +751,10 @@ if [ -n "$FIRST_VERSION" ]; then
# Verify the promoted version is now current # Verify the promoted version is now current
PROMOTED_VALUE=$($SECRET_BINARY get "database/password" 2>/dev/null) PROMOTED_VALUE=$($SECRET_BINARY get "database/password" 2>/dev/null)
if [ "$PROMOTED_VALUE" = "new-password-value" ]; then if [ "$PROMOTED_VALUE" = "my-super-secret-password" ]; then
print_success "Promoted version is now current" print_success "Promoted version is now current"
else else
print_error "Promoted version value is incorrect" print_error "Promoted version value is incorrect (expected: my-super-secret-password, got: $PROMOTED_VALUE)"
fi fi
else else
print_error "Failed to promote version" print_error "Failed to promote version"
@ -741,7 +795,7 @@ echo -e "${GREEN}✓ Import functionality with environment variable combinations
echo -e "${GREEN}✓ Import error handling (non-existent vault, invalid mnemonic)${NC}" echo -e "${GREEN}✓ Import error handling (non-existent vault, invalid mnemonic)${NC}"
echo -e "${GREEN}✓ Unlocker management (passphrase, PGP, SEP)${NC}" echo -e "${GREEN}✓ Unlocker management (passphrase, PGP, SEP)${NC}"
echo -e "${GREEN}✓ Secret generation and storage${NC}" echo -e "${GREEN}✓ Secret generation and storage${NC}"
echo -e "${GREEN}Traditional unlocker operations${NC}" echo -e "${GREEN}Vault operations with passphrase unlocker${NC}"
echo -e "${GREEN}✓ Secret name validation${NC}" echo -e "${GREEN}✓ Secret name validation${NC}"
echo -e "${GREEN}✓ Overwrite protection and force flag${NC}" echo -e "${GREEN}✓ Overwrite protection and force flag${NC}"
echo -e "${GREEN}✓ Cross-vault operations${NC}" echo -e "${GREEN}✓ Cross-vault operations${NC}"