secret/internal/macse/enclave_test.go

//go:build darwin
// +build darwin

package macse

import (
	"bytes"
	"testing"
)

func TestEnclaveKeyEncryption(t *testing.T) {
	// Skip: Secure Enclave access requires Apple Developer Enterprise (ADE) membership,
	// proper code signing, and entitlements for non-ephemeral keys.
	// Without these, only ephemeral keys work which are not suitable for our use case.
	t.Skip("Skipping: Requires ADE membership, signing, and entitlements for non-ephemeral keys")
	
	// Create a new enclave key without requiring biometric
	key, err := NewEnclaveKey(false)
	if err != nil {
		t.Fatalf("Failed to create enclave key: %v", err)
	}
	defer key.Close()

	// Test data
	plaintext := []byte("Hello, Secure Enclave!")

	// Encrypt
	encrypted, err := key.Encrypt(plaintext)
	if err != nil {
		t.Fatalf("Failed to encrypt: %v", err)
	}

	// Verify encrypted data is different from plaintext
	if bytes.Equal(plaintext, encrypted) {
		t.Error("Encrypted data should not equal plaintext")
	}

	// Decrypt
	decrypted, err := key.Decrypt(encrypted)
	if err != nil {
		t.Fatalf("Failed to decrypt: %v", err)
	}

	// Verify decrypted data matches original
	if !bytes.Equal(plaintext, decrypted) {
		t.Errorf("Decrypted data does not match original: got %s, want %s", decrypted, plaintext)
	}
}

func TestEnclaveKeyWithBiometric(t *testing.T) {
	// Skip: Secure Enclave access requires Apple Developer Enterprise (ADE) membership,
	// proper code signing, and entitlements for non-ephemeral keys.
	// Without these, only ephemeral keys work which are not suitable for our use case.
	t.Skip("Skipping: Requires ADE membership, signing, and entitlements for non-ephemeral keys")
	
	// This test requires user interaction
	// Run with: CGO_ENABLED=1 go test -v -run TestEnclaveKeyWithBiometric
	if testing.Short() {
		t.Skip("Skipping biometric test in short mode")
	}

	key, err := NewEnclaveKey(true)
	if err != nil {
		t.Logf("Expected failure creating biometric key in test environment: %v", err)
		return
	}
	defer key.Close()

	plaintext := []byte("Biometric protected data")

	encrypted, err := key.Encrypt(plaintext)
	if err != nil {
		t.Fatalf("Failed to encrypt with biometric key: %v", err)
	}

	// Decryption would require biometric authentication
	decrypted, err := key.Decrypt(encrypted)
	if err != nil {
		// This is expected without proper biometric authentication
		t.Logf("Expected decryption failure without biometric auth: %v", err)
		return
	}

	if !bytes.Equal(plaintext, decrypted) {
		t.Errorf("Decrypted data does not match original")
	}
}