secret/internal/macse/enclave_test.go


//go:build darwin
// +build darwin
package macse
import (
"bytes"
"testing"
)
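// TestEnclaveKeyEncryption checks an encrypt/decrypt round trip with a key
// created by NewEnclaveKey(false), i.e. without requiring biometric
// authentication.
//
// NOTE(review): only the round trip is covered. Whether Decrypt rejects a
// modified ciphertext is not visible from this file; if the scheme is meant
// to be authenticated, a tamper test belongs next to this one.
func TestEnclaveKeyEncryption(t *testing.T) {
	key, err := NewEnclaveKey(false)
	if err != nil {
		t.Fatalf("Failed to create enclave key: %v", err)
	}
	defer key.Close()

	plaintext := []byte("Hello, Secure Enclave!")

	encrypted, err := key.Encrypt(plaintext)
	if err != nil {
		t.Fatalf("Failed to encrypt: %v", err)
	}

	// A plain inequality check passes for any output that merely adds a
	// header or trailer around the input, so also require that the plaintext
	// does not appear verbatim anywhere in the ciphertext.
	if bytes.Equal(plaintext, encrypted) {
		t.Error("Encrypted data should not equal plaintext")
	} else if bytes.Contains(encrypted, plaintext) {
		t.Error("Encrypted data should not contain the plaintext")
	}

	decrypted, err := key.Decrypt(encrypted)
	if err != nil {
		t.Fatalf("Failed to decrypt: %v", err)
	}

	// %q keeps a mismatching (possibly binary) result readable and avoids
	// writing raw bytes to the test log.
	if !bytes.Equal(plaintext, decrypted) {
		t.Errorf("Decrypted data does not match original: got %q, want %q", decrypted, plaintext)
	}
}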
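// TestEnclaveKeyWithBiometric exercises a key created with
// NewEnclaveKey(true), which requires biometric authentication.
//
// The test needs user interaction and is skipped in short mode. Run with:
//
//	CGO_ENABLED=1 go test -v -run TestEnclaveKeyWithBiometric
//
// When the key cannot be created, or decryption is refused, the test is
// reported as SKIP instead of returning early as PASS, so a run in which the
// biometric path was never verified is not mistaken for a successful one.
func TestEnclaveKeyWithBiometric(t *testing.T) {
	if testing.Short() {
		t.Skip("Skipping biometric test in short mode")
	}

	key, err := NewEnclaveKey(true)
	if err != nil {
		// Nothing was exercised; make that visible in the test output.
		t.Skipf("Expected failure creating biometric key in test environment: %v", err)
	}
	defer key.Close()

	plaintext := []byte("Biometric protected data")

	encrypted, err := key.Encrypt(plaintext)
	if err != nil {
		t.Fatalf("Failed to encrypt with biometric key: %v", err)
	}

	// The ciphertext must not carry the plaintext verbatim.
	if bytes.Contains(encrypted, plaintext) {
		t.Error("Encrypted data should not contain the plaintext")
	}

	// Decryption requires biometric authentication; without it the round
	// trip cannot be checked, so the remainder is skipped rather than passed.
	decrypted, err := key.Decrypt(encrypted)
	if err != nil {
		t.Skipf("Expected decryption failure without biometric auth: %v", err)
	}

	if !bytes.Equal(plaintext, decrypted) {
		t.Errorf("Decrypted data does not match original")
	}
}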