package secrets
import (
"encoding/base64"
"encoding/json"
"testing"
)
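// TestEncryptorRoundTrip checks that a secret encrypted under a resource AAD
// decrypts back to the original bytes, both with the Encryptor that produced
// the ciphertext and with a fresh Encryptor built from the same key material
// and key id. The second case is what matters for stored secrets: ciphertext
// written by one process must still be readable after a restart or from
// another replica, so decryption must not depend on per-instance state.
func TestEncryptorRoundTrip(t *testing.T) {
	// 32 raw bytes, base64-encoded the way NewEncryptor expects its key.
	key := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef"))
	const payload = `{"username":"user","password":"secret"}`

	encryptor, err := NewEncryptor(key, "test-key")
	if err != nil {
		t.Fatalf("NewEncryptor returned error: %v", err)
	}

	aad := ResourceSecretAAD("org-1", "resource-1", "rap-secret://test", "rdp")
	encrypted, err := encryptor.Encrypt([]byte(payload), aad)
	if err != nil {
		t.Fatalf("Encrypt returned error: %v", err)
	}

	plaintext, err := encryptor.Decrypt(encrypted, aad)
	if err != nil {
		t.Fatalf("Decrypt returned error: %v", err)
	}
	if string(plaintext) != payload {
		t.Fatalf("unexpected plaintext: %q", plaintext)
	}

	// A separately constructed Encryptor with the same key and key id must
	// read the same ciphertext under the same AAD.
	other, err := NewEncryptor(key, "test-key")
	if err != nil {
		t.Fatalf("NewEncryptor (second instance) returned error: %v", err)
	}
	plaintext, err = other.Decrypt(encrypted, aad)
	if err != nil {
		t.Fatalf("Decrypt with fresh Encryptor returned error: %v", err)
	}
	if string(plaintext) != payload {
		t.Fatalf("unexpected plaintext from fresh Encryptor: %q", plaintext)
	}
}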
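// TestEncryptorRejectsWrongAAD checks that the associated data binds the
// ciphertext to every component of the resource identity passed to
// ResourceSecretAAD: changing the org, the resource, the secret ref or the
// protocol on its own must make Decrypt fail. A ciphertext stored for one
// resource must therefore not be replayable against another, even inside
// the same org.
func TestEncryptorRejectsWrongAAD(t *testing.T) {
	key := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef"))
	encryptor, err := NewEncryptor(key, "test-key")
	if err != nil {
		t.Fatalf("NewEncryptor returned error: %v", err)
	}

	good := ResourceSecretAAD("org-1", "resource-1", "ref", "rdp")
	encrypted, err := encryptor.Encrypt([]byte(`{"password":"secret"}`), good)
	if err != nil {
		t.Fatalf("Encrypt returned error: %v", err)
	}

	// Sanity check: the matching AAD still decrypts, so the failures below
	// are attributable to the changed AAD and not to a broken fixture.
	if _, err := encryptor.Decrypt(encrypted, good); err != nil {
		t.Fatalf("Decrypt with matching aad returned error: %v", err)
	}

	// Each case differs from the good AAD in exactly one component.
	cases := []struct {
		name                         string
		org, resource, ref, protocol string
	}{
		{"wrong org", "org-2", "resource-1", "ref", "rdp"},
		{"wrong resource", "org-1", "resource-2", "ref", "rdp"},
		{"wrong ref", "org-1", "resource-1", "other-ref", "rdp"},
		{"wrong protocol", "org-1", "resource-1", "ref", "ssh"},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			wrong := ResourceSecretAAD(tc.org, tc.resource, tc.ref, tc.protocol)
			if _, err := encryptor.Decrypt(encrypted, wrong); err == nil {
				t.Fatalf("expected decrypt with wrong aad to fail")
			}
		})
	}
}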
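// TestMergeResourceSecretIntoAssignmentMetadata checks that the decrypted
// secret payload is merged into resource.metadata of the assignment metadata
// and that the non-secret keys already present there are kept.
func TestMergeResourceSecretIntoAssignmentMetadata(t *testing.T) {
	metadata := map[string]any{
		"resource": map[string]any{
			"id": "resource-1",
			"metadata": map[string]any{
				"rdp_host": "host",
			},
		},
	}
	secret := json.RawMessage(`{"username":"user","password":"secret","domain":"corp"}`)

	merged, err := MergeResourceSecretIntoAssignmentMetadata(metadata, secret)
	if err != nil {
		t.Fatalf("MergeResourceSecretIntoAssignmentMetadata returned error: %v", err)
	}

	// Checked type assertions: a change in the merged shape should surface as
	// a test failure with a message, not as a panic from an unchecked
	// assertion that hides which step went wrong.
	resource, ok := merged.Metadata["resource"].(map[string]any)
	if !ok {
		t.Fatalf("merged resource has unexpected type %T", merged.Metadata["resource"])
	}
	resourceMetadata, ok := resource["metadata"].(map[string]any)
	if !ok {
		t.Fatalf("merged resource.metadata has unexpected type %T", resource["metadata"])
	}

	if resourceMetadata["rdp_host"] != "host" {
		t.Fatalf("existing metadata was not preserved: %#v", resourceMetadata)
	}
	for key, want := range map[string]string{
		"username": "user",
		"password": "secret",
		"domain":   "corp",
	} {
		if got := resourceMetadata[key]; got != want {
			t.Fatalf("secret field %q = %#v, want %q (merged: %#v)", key, got, want, resourceMetadata)
		}
	}
}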
|