1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
package vault
import (
"encoding/json"
"os"
"path/filepath"
"testing"
"time"
)
func TestCreateSessionStoresSecretOutsideSessionFile(t *testing.T) {
t.Setenv("HOME", t.TempDir())
var storedProject string
var storedKey []byte
origPut := putSessionSecret
origGet := getSessionSecret
origDelete := deleteSessionSecret
putSessionSecret = func(project string, key []byte) error {
storedProject = project
storedKey = append([]byte(nil), key...)
return nil
}
getSessionSecret = func(project string) ([]byte, error) {
if project != storedProject {
t.Fatalf("unexpected project lookup: %s", project)
}
return append([]byte(nil), storedKey...), nil
}
deleteSessionSecret = func(project string) error { return nil }
t.Cleanup(func() {
putSessionSecret = origPut
getSessionSecret = origGet
deleteSessionSecret = origDelete
})
expires, err := CreateSession("demo", map[string]string{"DB_PASSWORD": "secret"}, time.Hour)
if err != nil {
t.Fatalf("CreateSession failed: %v", err)
}
if expires.IsZero() {
t.Fatal("expected non-zero expiry")
}
path := filepath.Join(os.Getenv("HOME"), ".envault", "sessions", safeProjectID("demo")+".json")
data, err := os.ReadFile(path)
if err != nil {
t.Fatalf("ReadFile failed: %v", err)
}
var sf map[string]any
if err := json.Unmarshal(data, &sf); err != nil {
t.Fatalf("Unmarshal failed: %v", err)
}
if _, ok := sf["key"]; ok {
t.Fatal("session file must not contain the encryption key")
}
vars, err := LoadSession("demo")
if err != nil {
t.Fatalf("LoadSession failed: %v", err)
}
if got := vars["DB_PASSWORD"]; got != "secret" {
t.Fatalf("unexpected secret value: %q", got)
}
}
|