105 lines
2.6 KiB
Go
105 lines
2.6 KiB
Go
package vault
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestDeriveKeyConsistent(t *testing.T) {
|
|
salt := []byte("test-salt-exactly-32-bytes-long!")
|
|
key1 := DeriveKey("mypassword", salt)
|
|
key2 := DeriveKey("mypassword", salt)
|
|
|
|
if len(key1) != 32 {
|
|
t.Errorf("key length = %d, want 32", len(key1))
|
|
}
|
|
if string(key1) != string(key2) {
|
|
t.Error("same password+salt produced different keys")
|
|
}
|
|
}
|
|
|
|
func TestDeriveKeyDifferentPasswords(t *testing.T) {
|
|
salt := []byte("test-salt-exactly-32-bytes-long!")
|
|
key1 := DeriveKey("password1", salt)
|
|
key2 := DeriveKey("password2", salt)
|
|
|
|
if string(key1) == string(key2) {
|
|
t.Error("different passwords produced same key")
|
|
}
|
|
}
|
|
|
|
func TestEncryptDecryptRoundTrip(t *testing.T) {
|
|
key := DeriveKey("testpassword", []byte("test-salt-exactly-32-bytes-long!"))
|
|
vs := NewVaultService(key)
|
|
|
|
plaintext := "super-secret-ssh-key-data"
|
|
encrypted, err := vs.Encrypt(plaintext)
|
|
if err != nil {
|
|
t.Fatalf("Encrypt() error: %v", err)
|
|
}
|
|
|
|
if !strings.HasPrefix(encrypted, "v1:") {
|
|
t.Errorf("encrypted does not start with v1: prefix: %q", encrypted[:10])
|
|
}
|
|
|
|
decrypted, err := vs.Decrypt(encrypted)
|
|
if err != nil {
|
|
t.Fatalf("Decrypt() error: %v", err)
|
|
}
|
|
|
|
if decrypted != plaintext {
|
|
t.Errorf("Decrypt() = %q, want %q", decrypted, plaintext)
|
|
}
|
|
}
|
|
|
|
func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
|
|
key := DeriveKey("testpassword", []byte("test-salt-exactly-32-bytes-long!"))
|
|
vs := NewVaultService(key)
|
|
|
|
enc1, _ := vs.Encrypt("same-data")
|
|
enc2, _ := vs.Encrypt("same-data")
|
|
|
|
if enc1 == enc2 {
|
|
t.Error("two encryptions of same data produced identical ciphertext (IV reuse)")
|
|
}
|
|
}
|
|
|
|
func TestDecryptWrongKey(t *testing.T) {
|
|
key1 := DeriveKey("password1", []byte("test-salt-exactly-32-bytes-long!"))
|
|
key2 := DeriveKey("password2", []byte("test-salt-exactly-32-bytes-long!"))
|
|
|
|
vs1 := NewVaultService(key1)
|
|
vs2 := NewVaultService(key2)
|
|
|
|
encrypted, _ := vs1.Encrypt("secret")
|
|
_, err := vs2.Decrypt(encrypted)
|
|
if err == nil {
|
|
t.Error("Decrypt() with wrong key should return error")
|
|
}
|
|
}
|
|
|
|
func TestDecryptInvalidFormat(t *testing.T) {
|
|
key := DeriveKey("test", []byte("test-salt-exactly-32-bytes-long!"))
|
|
vs := NewVaultService(key)
|
|
|
|
_, err := vs.Decrypt("not-valid-format")
|
|
if err == nil {
|
|
t.Error("Decrypt() with invalid format should return error")
|
|
}
|
|
}
|
|
|
|
func TestGenerateSalt(t *testing.T) {
|
|
salt1, err := GenerateSalt()
|
|
if err != nil {
|
|
t.Fatalf("GenerateSalt() error: %v", err)
|
|
}
|
|
if len(salt1) != 32 {
|
|
t.Errorf("salt length = %d, want 32", len(salt1))
|
|
}
|
|
|
|
salt2, _ := GenerateSalt()
|
|
if string(salt1) == string(salt2) {
|
|
t.Error("two calls to GenerateSalt produced identical salt")
|
|
}
|
|
}
|