getsops/sops
1
0
Fork 0
mirror of https://github.com/getsops/sops.git synced 2026-02-05 12:45:21 +01:00
Code Issues Activity
Files
v3.9.0
sops/sops_test.go

1214 lines
25 KiB
Go
Raw Permalink Normal View History

Added Makefile
2016-08-24 12:37:18 -07:00
package sops
import (
"bytes"
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
"fmt"
Added Makefile
2016-08-24 12:37:18 -07:00
"reflect"
Add check to avoid that UnencryptedCommentRegex matches encrypted comments. Signed-off-by: Felix Fontein <felix@fontein.de>
2023-12-27 18:23:27 +01:00
"strings"
Added Makefile
2016-08-24 12:37:18 -07:00
"testing"
Encrypt comments
2017-08-15 13:48:55 -07:00
"github.com/stretchr/testify/assert"
Sort masterkeys according to decryption-order Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
2023-11-07 19:28:34 +02:00
"github.com/getsops/sops/v3/age"
"github.com/getsops/sops/v3/hcvault"
"github.com/getsops/sops/v3/pgp"
Added Makefile
2016-08-24 12:37:18 -07:00
)
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
type reverseCipher struct{}
Encrypt comments
2017-08-15 13:48:55 -07:00
// reverse returns its argument string reversed rune-wise left to right.
func reverse(s string) string {
r := []rune(s)
for i, j := 0, len(r)-1; i < len(r)/2; i, j = i+1, j-1 {
r[i], r[j] = r[j], r[i]
}
return string(r)
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
func (c reverseCipher) Encrypt(value interface{}, key []byte, path string) (string, error) {
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
b, err := ToBytes(value)
if err != nil {
return "", err
}
return reverse(string(b)), nil
Encrypt comments
2017-08-15 13:48:55 -07:00
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
func (c reverseCipher) Decrypt(value string, key []byte, path string) (plaintext interface{}, err error) {
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
if value == "error" {
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
return nil, fmt.Errorf("Error")
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
return reverse(value), nil
Encrypt comments
2017-08-15 13:48:55 -07:00
}
Add check to avoid that UnencryptedCommentRegex matches encrypted comments. Signed-off-by: Felix Fontein <felix@fontein.de>
2023-12-27 18:23:27 +01:00
type encPrefixCipher struct{}
func (c encPrefixCipher) Encrypt(value interface{}, key []byte, path string) (string, error) {
b, err := ToBytes(value)
if err != nil {
return "", err
}
return "ENC:" + string(b), nil
}
func (c encPrefixCipher) Decrypt(value string, key []byte, path string) (plaintext interface{}, err error) {
v, ok := strings.CutPrefix(value, "ENC:")
if !ok {
return nil, fmt.Errorf("String not prefixed with 'ENC:'")
}
return v, nil
}
Added Makefile
2016-08-24 12:37:18 -07:00
func TestUnencryptedSuffix(t *testing.T) {
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo_unencrypted",
Value: "bar",
},
TreeItem{
Key: "bar_unencrypted",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
Fix issue #113
2016-09-08 13:02:20 -07:00
},
},
},
Added Makefile
2016-08-24 12:37:18 -07:00
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedSuffix: "_unencrypted"}}
Added Makefile
2016-08-24 12:37:18 -07:00
expected := TreeBranch{
TreeItem{
Key: "foo_unencrypted",
Value: "bar",
},
Fix issue #113
2016-09-08 13:02:20 -07:00
TreeItem{
Key: "bar_unencrypted",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
Added Makefile
2016-08-24 12:37:18 -07:00
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
cipher := reverseCipher{}
Encapsulate stash inside cipher
2017-09-12 20:41:02 -07:00
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
Added Makefile
2016-08-24 12:37:18 -07:00
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected)
Added Makefile
2016-08-24 12:37:18 -07:00
}
Encapsulate stash inside cipher
2017-09-12 20:41:02 -07:00
_, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
Added Makefile
2016-08-24 12:37:18 -07:00
if err != nil {
t.Errorf("Decrypting the tree failed: %s", err)
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected)
Added Makefile
2016-08-24 12:37:18 -07:00
}
}
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
func TestEncryptedSuffix(t *testing.T) {
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo_encrypted",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
},
},
},
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
tree := Tree{Branches: branches, Metadata: Metadata{EncryptedSuffix: "_encrypted"}}
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
expected := TreeBranch{
TreeItem{
Key: "foo_encrypted",
Value: "rab",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
}
cipher := reverseCipher{}
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
added encrypted-regex option
2019-08-14 15:39:21 -04:00
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected)
}
_, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Decrypting the tree failed: %s", err)
}
expected[0].Value = "bar"
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected)
}
}
func TestEncryptedRegex(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "enc:foo",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{EncryptedRegex: "^enc:"}}
expected := TreeBranch{
TreeItem{
Key: "enc:foo",
Value: "rab",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
}
cipher := reverseCipher{}
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected)
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
}
_, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Decrypting the tree failed: %s", err)
}
expected[0].Value = "bar"
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected)
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
}
}
Add support for --unencrypted-regex (#715) * Add support for --unencrypted-regex * Fix grammar mistake * Add gofmt'd files
2020-09-02 13:15:50 -04:00
func TestUnencryptedRegex(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "dec:foo",
Value: "bar",
},
TreeItem{
Key: "dec:bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedRegex: "^dec:"}}
expected := TreeBranch{
TreeItem{
Key: "dec:foo",
Value: "bar",
},
TreeItem{
Key: "dec:bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
}
cipher := reverseCipher{}
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
// expected[1].Value[] = "bar"
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected)
}
_, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Decrypting the tree failed: %s", err)
}
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected)
}
}
Support computing MAC only over values which end up encrypted Signed-off-by: Mitar <mitar.git@tnode.com>
2021-12-18 21:50:57 +01:00
func TestMACOnlyEncrypted(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo_encrypted",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{EncryptedSuffix: "_encrypted", MACOnlyEncrypted: true}}
onlyEncrypted := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo_encrypted",
Value: "bar",
},
},
}
treeOnlyEncrypted := Tree{Branches: onlyEncrypted, Metadata: Metadata{EncryptedSuffix: "_encrypted", MACOnlyEncrypted: true}}
cipher := reverseCipher{}
mac, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
macOnlyEncrypted, err := treeOnlyEncrypted.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the treeOnlyEncrypted failed: %s", err)
}
if mac != macOnlyEncrypted {
t.Errorf("MACs don't match:\ngot \t\t%+v,\nexpected \t\t%+v", mac, macOnlyEncrypted)
}
}
func TestMACOnlyEncryptedNoConfusion(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo_encrypted",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
},
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{EncryptedSuffix: "_encrypted", MACOnlyEncrypted: true}}
onlyEncrypted := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo_encrypted",
Value: "bar",
},
},
}
treeOnlyEncrypted := Tree{Branches: onlyEncrypted, Metadata: Metadata{EncryptedSuffix: "_encrypted"}}
cipher := reverseCipher{}
mac, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
macOnlyEncrypted, err := treeOnlyEncrypted.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the treeOnlyEncrypted failed: %s", err)
}
if mac == macOnlyEncrypted {
t.Errorf("MACs match but they should not")
}
}
Support using comments to select parts to encrypt Signed-off-by: Mitar <mitar.git@tnode.com>
2021-12-20 00:03:19 +01:00
func TestEncryptedCommentRegex(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: Comment{"sops:enc"},
Value: nil,
},
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: Comment{"before"},
Value: nil,
},
TreeItem{
Key: Comment{"sops:enc"},
Value: nil,
},
TreeItem{
Key: "encrypted",
Value: "bar",
},
},
},
TreeItem{
Key: "array",
Value: []interface{}{
"bar",
Comment{"sops:enc"},
"baz",
},
},
TreeItem{
Key: Comment{"sops:enc"},
Value: nil,
},
TreeItem{
Key: Comment{"after"},
Value: nil,
},
TreeItem{
Key: "encarray",
Value: []interface{}{
"bar",
"baz",
},
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{EncryptedCommentRegex: "sops:enc"}}
expected := TreeBranch{
TreeItem{
Key: Comment{"sops:enc"},
Value: nil,
},
TreeItem{
Key: "foo",
Value: "rab",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: Comment{"before"},
Value: nil,
},
TreeItem{
Key: Comment{"sops:enc"},
Value: nil,
},
TreeItem{
Key: "encrypted",
Value: "rab",
},
},
},
TreeItem{
Key: "array",
Value: []interface{}{
"bar",
Comment{"sops:enc"},
"zab",
},
},
TreeItem{
Key: Comment{"sops:enc"},
Value: nil,
},
TreeItem{
Key: Comment{"retfa"},
Value: nil,
},
TreeItem{
Key: "encarray",
Value: []interface{}{
"rab",
"zab",
},
},
}
cipher := reverseCipher{}
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected)
}
_, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Decrypting the tree failed: %s", err)
}
expected[1].Value = "bar"
expected[2].Value.(TreeBranch)[3].Value = "bar"
expected[3].Value.([]interface{})[2] = "baz"
expected[5].Key = Comment{"after"}
expected[6].Value = []interface{}{
"bar",
"baz",
}
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected)
}
}
func TestUnencryptedCommentRegex(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: Comment{"before"},
Value: nil,
},
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: "notencrypted",
Value: "bar",
},
},
},
TreeItem{
Key: "array",
Value: []interface{}{
"bar",
Comment{"sops:noenc"},
"baz",
},
},
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: Comment{"after"},
Value: nil,
},
TreeItem{
Key: "notencarray",
Value: []interface{}{
"bar",
"baz",
},
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedCommentRegex: "sops:noenc"}}
expected := TreeBranch{
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foo",
Value: "rab",
},
TreeItem{
Key: Comment{"erofeb"},
Value: nil,
},
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: "notencrypted",
Value: "bar",
},
},
},
TreeItem{
Key: "array",
Value: []interface{}{
"rab",
Comment{"sops:noenc"},
"baz",
},
},
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: Comment{"after"},
Value: nil,
},
TreeItem{
Key: "notencarray",
Value: []interface{}{
"bar",
"baz",
},
},
}
cipher := reverseCipher{}
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Encrypting the tree failed: %s", err)
}
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected)
}
_, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher)
if err != nil {
t.Errorf("Decrypting the tree failed: %s", err)
}
expected[2].Value.(TreeBranch)[0].Value = "bar"
expected[2].Value.(TreeBranch)[1].Key = Comment{"before"}
expected[3].Value.([]interface{})[0] = "bar"
if !reflect.DeepEqual(tree.Branches[0], expected) {
t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected)
}
}
Add check to avoid that UnencryptedCommentRegex matches encrypted comments. Signed-off-by: Felix Fontein <felix@fontein.de>
2023-12-27 18:23:27 +01:00
func TestUnencryptedCommentRegexFail(t *testing.T) {
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: Comment{"sops:noenc"},
Value: nil,
},
TreeItem{
Key: "foo",
Value: "bar",
},
},
}
tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedCommentRegex: "ENC"}}
cipher := encPrefixCipher{}
_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Encrypted comment \"ENC:sops:noenc\" matches UnencryptedCommentRegex!")
}
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
type MockCipher struct{}
Encapsulate stash inside cipher
2017-09-12 20:41:02 -07:00
func (m MockCipher) Encrypt(value interface{}, key []byte, path string) (string, error) {
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
return "a", nil
}
Encapsulate stash inside cipher
2017-09-12 20:41:02 -07:00
func (m MockCipher) Decrypt(value string, key []byte, path string) (interface{}, error) {
return "a", nil
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
func TestEncrypt(t *testing.T) {
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: "baz",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: 5,
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeItem{
Key: "bar",
Value: false,
},
TreeItem{
Key: "foobar",
Value: 2.12,
},
TreeItem{
Key: "barfoo",
Value: nil,
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo2",
Value: "bar",
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo3",
Value: "bar",
},
Fixed bug when encrypting nil values
2017-09-16 21:54:52 +02:00
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
expected := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo",
Value: "a",
},
TreeItem{
Key: "baz",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: "a",
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeItem{
Key: "bar",
Value: "a",
},
TreeItem{
Key: "foobar",
Value: "a",
},
TreeItem{
Key: "barfoo",
Value: nil,
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo2",
Value: "a",
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo3",
Value: "a",
},
Fixed bug when encrypting nil values
2017-09-16 21:54:52 +02:00
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedSuffix: DefaultUnencryptedSuffix}}
Encapsulate stash inside cipher
2017-09-12 20:41:02 -07:00
tree.Encrypt(bytes.Repeat([]byte{'f'}, 32), MockCipher{})
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
if !reflect.DeepEqual(tree.Branches, expected) {
t.Errorf("%s does not equal expected tree: %s", tree.Branches, expected)
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
}
func TestDecrypt(t *testing.T) {
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: "baz",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: "5",
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeItem{
Key: "bar",
Value: "false",
},
TreeItem{
Key: "foobar",
Value: "2.12",
},
TreeItem{
Key: "barfoo",
Value: nil,
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo",
Value: "bar",
},
TreeItem{
Key: "baz",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: "6",
},
},
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo3",
Value: "bar",
},
Decrypting tests added
2017-09-20 08:28:52 +02:00
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
expected := TreeBranches{
TreeBranch{
TreeItem{
Key: "foo",
Value: "a",
},
TreeItem{
Key: "baz",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: "a",
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeItem{
Key: "bar",
Value: "a",
},
TreeItem{
Key: "foobar",
Value: "a",
},
TreeItem{
Key: "barfoo",
Value: nil,
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo",
Value: "a",
},
TreeItem{
Key: "baz",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: "a",
},
},
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
},
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
TreeBranch{
TreeItem{
Key: "foo3",
Value: "a",
},
Decrypting tests added
2017-09-20 08:28:52 +02:00
},
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedSuffix: DefaultUnencryptedSuffix}}
Encapsulate stash inside cipher
2017-09-12 20:41:02 -07:00
tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), MockCipher{})
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
if !reflect.DeepEqual(tree.Branches, expected) {
t.Errorf("%s does not equal expected tree: %s", tree.Branches[0], expected)
Added tests for encryption and decryption
2016-08-24 17:12:46 -07:00
}
}
Added tree truncation
2016-08-26 12:01:06 -07:00
func TestTruncateTree(t *testing.T) {
tree := TreeBranch{
TreeItem{
Key: "foo",
Value: 2,
},
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "foobar",
Value: []int{
1,
2,
3,
4,
},
},
},
},
}
expected := 3
Clean up encrypt and decrypt commands
2017-08-24 12:04:28 -07:00
result, err := tree.Truncate([]interface{}{
"bar",
"foobar",
2,
})
Added tree truncation
2016-08-26 12:01:06 -07:00
assert.Equal(t, nil, err)
assert.Equal(t, expected, result)
}
Fix removing items from slice while iterating
2016-11-01 16:08:33 +01:00
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
func TestEncryptComments(t *testing.T) {
tree := Tree{
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
Branches: TreeBranches{
TreeBranch{
TreeItem{
Key: Comment{"foo"},
Value: nil,
},
TreeItem{
Key: "list",
Value: []interface{}{
"1",
Comment{"bar"},
"2",
},
Merge branch 'master' into yaml-list-comments
2017-09-15 19:29:06 -07:00
},
},
},
Metadata: Metadata{
UnencryptedSuffix: DefaultUnencryptedSuffix,
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
},
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
tree.Encrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{})
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
assert.Equal(t, "oof", tree.Branches[0][0].Key.(Comment).Value)
assert.Equal(t, "rab", tree.Branches[0][1].Value.([]interface{})[1])
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
}
func TestDecryptComments(t *testing.T) {
tree := Tree{
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
Branches: TreeBranches{
TreeBranch{
TreeItem{
Key: Comment{"oof"},
Value: nil,
},
TreeItem{
Key: "list",
Value: []interface{}{
"1",
Comment{"rab"},
"2",
},
},
TreeItem{
Key: "list",
Value: nil,
Merge branch 'master' into yaml-list-comments
2017-09-15 19:29:06 -07:00
},
Decrypting tests added
2017-09-20 08:28:52 +02:00
},
Merge branch 'master' into yaml-list-comments
2017-09-15 19:29:06 -07:00
},
Metadata: Metadata{
UnencryptedSuffix: DefaultUnencryptedSuffix,
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
},
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{})
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
assert.Equal(t, "foo", tree.Branches[0][0].Key.(Comment).Value)
assert.Equal(t, "bar", tree.Branches[0][1].Value.([]interface{})[1])
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
}
func TestDecryptUnencryptedComments(t *testing.T) {
tree := Tree{
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
Branches: TreeBranches{
TreeBranch{
TreeItem{
// We use `error` to simulate an error decrypting, the fake cipher will error in this case
Key: Comment{"error"},
Value: nil,
},
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
},
},
Metadata: Metadata{},
}
Merge branch 'master' into encrypt-comments
2017-09-15 10:28:26 -07:00
tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{})
Add multidoc encrypt/decrypt for YAML sources
2018-09-20 11:18:34 -06:00
assert.Equal(t, "error", tree.Branches[0][0].Key.(Comment).Value)
Add Go tests for comment decryption
2017-08-15 21:01:29 -07:00
}
Rewrite set functionality to make it work with nested structures Fixes #297
2018-02-20 17:15:02 +01:00
func TestSetNewKey(t *testing.T) {
branch := TreeBranch{
TreeItem{
Key: "foo",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
Key: "baz",
Rewrite set functionality to make it work with nested structures Fixes #297
2018-02-20 17:15:02 +01:00
Value: "foobar",
},
},
},
},
},
}
set := branch.Set([]interface{}{"foo", "bar", "foo"}, "hello")
assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[1].Value)
}
fix: `set` feature when adding a new root hierarchy fixes #407 with this fix, when adding a new root hierarchy, the existing root entries won't be dropped anymore Signed-off-by: Vincent Behar <v.behar@free.fr>
2021-07-02 14:42:07 +02:00
func TestSetNewBranch(t *testing.T) {
branch := TreeBranch{
TreeItem{
Key: "key",
Value: "value",
},
}
set := branch.Set([]interface{}{"foo", "bar", "baz"}, "hello")
assert.Equal(t, TreeBranch{
TreeItem{
Key: "key",
Value: "value",
},
TreeItem{
Key: "foo",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "baz",
Value: "hello",
},
},
},
},
},
}, set)
}
Rewrite set functionality to make it work with nested structures Fixes #297
2018-02-20 17:15:02 +01:00
func TestSetArrayDeepNew(t *testing.T) {
branch := TreeBranch{
TreeItem{
Key: "foo",
Value: []interface{}{
"one",
"two",
},
},
}
set := branch.Set([]interface{}{"foo", 2, "bar"}, "hello")
assert.Equal(t, "hello", set[0].Value.([]interface{})[2].(TreeBranch)[0].Value)
}
func TestSetNewKeyDeep(t *testing.T) {
branch := TreeBranch{
TreeItem{
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
Key: "foo",
Rewrite set functionality to make it work with nested structures Fixes #297
2018-02-20 17:15:02 +01:00
Value: "bar",
},
}
set := branch.Set([]interface{}{"foo", "bar", "baz"}, "hello")
assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[0].Value)
}
func TestSetNewKeyOnEmptyBranch(t *testing.T) {
branch := TreeBranch{}
set := branch.Set([]interface{}{"foo", "bar", "baz"}, "hello")
assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[0].Value)
}
func TestSetArray(t *testing.T) {
branch := TreeBranch{
TreeItem{
Key: "foo",
Value: []interface{}{
"one",
"two",
"three",
},
},
}
set := branch.Set([]interface{}{"foo", 0}, "uno")
assert.Equal(t, "uno", set[0].Value.([]interface{})[0])
}
Add a few extra tests
2018-02-20 23:32:19 +01:00
func TestSetArrayNew(t *testing.T) {
branch := TreeBranch{}
set := branch.Set([]interface{}{"foo", 0, 0}, "uno")
assert.Equal(t, "uno", set[0].Value.([]interface{})[0].([]interface{})[0])
}
func TestSetExisting(t *testing.T) {
branch := TreeBranch{
TreeItem{
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
Key: "foo",
Add a few extra tests
2018-02-20 23:32:19 +01:00
Value: "foobar",
},
}
set := branch.Set([]interface{}{"foo"}, "bar")
assert.Equal(t, "bar", set[0].Value)
}
func TestSetArrayLeafNewItem(t *testing.T) {
branch := TreeBranch{
TreeItem{
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
Key: "array",
Add a few extra tests
2018-02-20 23:32:19 +01:00
Value: []interface{}{},
},
}
set := branch.Set([]interface{}{"array", 2}, "hello")
assert.Equal(t, TreeBranch{
TreeItem{
Key: "array",
Value: []interface{}{
"hello",
},
},
}, set)
}
func TestSetArrayNonLeaf(t *testing.T) {
branch := TreeBranch{
TreeItem{
Key: "array",
Value: []interface{}{
1,
},
},
}
set := branch.Set([]interface{}{"array", 0, "hello"}, "hello")
assert.Equal(t, TreeBranch{
TreeItem{
Key: "array",
Value: []interface{}{
TreeBranch{
TreeItem{
added the --encrypted-suffix option
2018-04-08 12:43:43 +03:00
Key: "hello",
Add a few extra tests
2018-02-20 23:32:19 +01:00
Value: "hello",
},
},
},
},
}, set)
}
Adds support for sops publish-ing to Vault (#494) * Add vault/api to vendor/ * Adds support for sops publish-ing to Vault * Adds support for publishing secrets (unencrypted) to Vault * Adds a new EmitAsMap for TreeBanches * Adds documentation about sops publish-ing to Vault * Initial integration/functional test for publishing to vault
2019-07-16 14:33:59 -07:00
func TestEmitAsMap(t *testing.T) {
expected := map[string]interface{}{
"foobar": "barfoo",
"number": 42,
"foo": map[string]interface{}{
"bar": map[string]interface{}{
"baz": "foobar",
},
},
}
branches := TreeBranches{
TreeBranch{
TreeItem{
Key: "foobar",
Value: "barfoo",
},
TreeItem{
Key: "number",
Value: 42,
},
},
TreeBranch{
TreeItem{
Key: "foo",
Value: TreeBranch{
TreeItem{
Key: "bar",
Value: TreeBranch{
TreeItem{
Key: "baz",
Value: "foobar",
},
},
},
},
},
},
}
data, err := EmitAsMap(branches)
if assert.NoError(t, err) {
assert.Equal(t, expected, data)
}
}
Sort masterkeys according to decryption-order Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
2023-11-07 19:28:34 +02:00
func TestSortKeyGroupIndices(t *testing.T) {
t.Run("default order", func(t *testing.T) {
group := KeyGroup{&hcvault.MasterKey{}, &age.MasterKey{}, &pgp.MasterKey{}}
expected := []int{1, 2, 0}
indices := sortKeyGroupIndices(group, DefaultDecryptionOrder)
assert.Equal(t, expected, indices)
})
t.Run("different keygroup", func(t *testing.T) {
group := KeyGroup{&hcvault.MasterKey{}, &pgp.MasterKey{}, &age.MasterKey{}}
expected := []int{2, 1, 0}
indices := sortKeyGroupIndices(group, DefaultDecryptionOrder)
assert.Equal(t, expected, indices)
})
t.Run("repeated key", func(t *testing.T) {
group := KeyGroup{&pgp.MasterKey{}, &hcvault.MasterKey{}, &pgp.MasterKey{}, &age.MasterKey{}}
expected := []int{3, 0, 2, 1}
indices := sortKeyGroupIndices(group, DefaultDecryptionOrder)
assert.Equal(t, expected, indices)
})
t.Run("full order", func(t *testing.T) {
group := KeyGroup{&hcvault.MasterKey{}, &pgp.MasterKey{}, &age.MasterKey{}}
expected := []int{1, 2, 0}
indices := sortKeyGroupIndices(group, []string{"pgp", "age", "hc_vault"})
assert.Equal(t, expected, indices)
})
t.Run("empty order", func(t *testing.T) {
group := KeyGroup{&hcvault.MasterKey{}, &pgp.MasterKey{}, &age.MasterKey{}}
expected := []int{0, 1, 2}
indices := sortKeyGroupIndices(group, []string{})
assert.Equal(t, expected, indices)
})
t.Run("one match", func(t *testing.T) {
group := KeyGroup{&hcvault.MasterKey{}, &pgp.MasterKey{}, &age.MasterKey{}}
expected := []int{2, 0, 1}
indices := sortKeyGroupIndices(group, []string{"azure_kv", "age"})
assert.Equal(t, expected, indices)
})
t.Run("nonmatching order", func(t *testing.T) {
group := KeyGroup{&pgp.MasterKey{}, &hcvault.MasterKey{}, &age.MasterKey{}}
expected := []int{0, 1, 2}
indices := sortKeyGroupIndices(group, []string{"azure_kv"})
assert.Equal(t, expected, indices)
})
t.Run("nonexistent keys", func(t *testing.T) {
group := KeyGroup{&hcvault.MasterKey{}, &pgp.MasterKey{}, &age.MasterKey{}}
expected := []int{2, 1, 0}
indices := sortKeyGroupIndices(group, []string{"dummy1", "age", "dummy2", "pgp", "dummy3"})
assert.Equal(t, expected, indices)
})
}
Copy Permalink