noa-x / ev
Öffentliche Dateiansicht: Raw-Dateien, Tree, Releases und Issues sind ohne Login verfügbar.
vault/vault_test.go Raw 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275

package vault

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
	"testing"
)

// --- ValidateName ---

func TestValidateName_Valid(t *testing.T) {
	cases := []string{
		"KEY", "DB_HOST", "my.key", "a-b", "A1",
		"UPPER_LOWER_123", strings.Repeat("x", 128),
	}
	for _, name := range cases {
		if err := ValidateName(name); err != nil {
			t.Errorf("ValidateName(%q) unexpected error: %v", name, err)
		}
	}
}

func TestValidateName_Invalid(t *testing.T) {
	cases := []struct {
		name string
		desc string
	}{
		{"", "empty"},
		{strings.Repeat("x", 129), "129 chars"},
		{"KEY NAME", "space"},
		{"KEY=VAL", "equals sign"},
		{"KEY\nFOO", "newline"},
		{"KEY!FOO", "exclamation"},
		{"KEY$FOO", "dollar"},
		{"KEY/FOO", "slash"},
		{"KEY@FOO", "at sign"},
	}
	for _, tc := range cases {
		if err := ValidateName(tc.name); err == nil {
			t.Errorf("ValidateName(%q) [%s]: expected error, got nil", tc.name, tc.desc)
		}
	}
}

func TestValidateName_BoundaryLength(t *testing.T) {
	if err := ValidateName(strings.Repeat("a", 128)); err != nil {
		t.Errorf("128-char name should be valid: %v", err)
	}
	if err := ValidateName(strings.Repeat("a", 129)); err == nil {
		t.Error("129-char name should be invalid")
	}
}

// --- Open ---

func TestOpen_NonExistentFile(t *testing.T) {
	v, err := Open(filepath.Join(t.TempDir(), "vault.json"), "anypassword")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	if v == nil {
		t.Fatal("expected non-nil vault")
	}
	if projs := v.ListProjects(); len(projs) != 0 {
		t.Fatalf("expected empty vault, got projects: %v", projs)
	}
}

func TestOpen_WrongPassword(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")
	v, _ := Open(path, "correctpassword")
	v.Set("p", "K", "v")
	if err := v.Save(path, "correctpassword"); err != nil {
		t.Fatal(err)
	}

	_, err := Open(path, "wrongpassword")
	if err == nil {
		t.Fatal("expected error with wrong password, got nil")
	}
	if !strings.Contains(err.Error(), "invalid password") {
		t.Errorf("error should mention 'invalid password', got: %v", err)
	}
}

func TestOpen_CorruptedFile(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")
	os.WriteFile(path, []byte("not valid json {{{"), 0600)

	_, err := Open(path, "anypassword")
	if err == nil {
		t.Fatal("expected error for corrupted file, got nil")
	}
}

func TestOpen_WrongCiphertext(t *testing.T) {
	// Save a valid vault, then flip bytes in the ciphertext so GCM auth fails.
	path := filepath.Join(t.TempDir(), "vault.json")
	v, _ := Open(path, "pw")
	v.Set("p", "K", "val")
	if err := v.Save(path, "pw"); err != nil {
		t.Fatal(err)
	}

	// Read and corrupt one byte of the ciphertext in the raw JSON.
	data, _ := os.ReadFile(path)
	// Flip a byte somewhere in the middle of the file.
	mid := len(data) / 2
	data[mid] ^= 0xFF
	os.WriteFile(path, data, 0600)

	_, err := Open(path, "pw")
	if err == nil {
		t.Fatal("expected error for corrupted ciphertext, got nil")
	}
}

// --- Save + Open roundtrip ---

func TestSaveAndOpen_RoundTrip(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")
	const password = "testpassword"

	v1, _ := Open(path, password)
	v1.Set("myproject", "DB_HOST", "localhost")
	v1.Set("myproject", "API_KEY", "secret123")
	v1.Set("myproject", "EMPTY_VAL", "")
	if err := v1.Save(path, password); err != nil {
		t.Fatal(err)
	}

	v2, err := Open(path, password)
	if err != nil {
		t.Fatalf("Open after Save: %v", err)
	}
	cases := map[string]string{
		"DB_HOST":   "localhost",
		"API_KEY":   "secret123",
		"EMPTY_VAL": "",
	}
	for k, want := range cases {
		got, ok := v2.Get("myproject", k)
		if !ok {
			t.Errorf("key %q not found after roundtrip", k)
			continue
		}
		if got != want {
			t.Errorf("key %q: got %q, want %q", k, got, want)
		}
	}
}

func TestSaveAndOpen_SpecialCharValues(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")

	v1, _ := Open(path, "pw")
	special := "spaces and\nnewlines\ttabs\"quotes'apostrophes\\backslash"
	v1.Set("p", "SPECIAL", special)
	v1.Save(path, "pw")

	v2, _ := Open(path, "pw")
	got, ok := v2.Get("p", "SPECIAL")
	if !ok || got != special {
		t.Errorf("got %q, want %q", got, special)
	}
}

func TestSave_FilePermissions(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")
	v, _ := Open(path, "pw")
	v.Set("p", "K", "v")
	if err := v.Save(path, "pw"); err != nil {
		t.Fatal(err)
	}
	fi, err := os.Stat(path)
	if err != nil {
		t.Fatal(err)
	}
	if perm := fi.Mode().Perm(); perm != 0600 {
		t.Errorf("expected 0600, got %04o", perm)
	}
}

func TestSave_UniqueCiphertextEachTime(t *testing.T) {
	dir := t.TempDir()
	path1 := filepath.Join(dir, "v1.json")
	path2 := filepath.Join(dir, "v2.json")

	v, _ := Open(path1, "pw")
	v.Set("p", "K", "val")
	v.Save(path1, "pw")
	v.Save(path2, "pw")

	b1, _ := os.ReadFile(path1)
	b2, _ := os.ReadFile(path2)
	if string(b1) == string(b2) {
		t.Error("two saves produced identical ciphertext — salt/nonce reuse suspected")
	}
}

func TestSave_NoTempFileLeft(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")
	v, _ := Open(path, "pw")
	v.Set("p", "K", "v")
	v.Save(path, "pw")

	tmp := path + ".tmp"
	if _, err := os.Stat(tmp); !errors.Is(err, os.ErrNotExist) {
		t.Error("temp file should be cleaned up after Save")
	}
}

// --- CRUD ---

func TestVault_SetGetDelete(t *testing.T) {
	v, _ := Open(filepath.Join(t.TempDir(), "v.json"), "pw")

	v.Set("proj", "KEY", "value")

	got, ok := v.Get("proj", "KEY")
	if !ok || got != "value" {
		t.Errorf("Get after Set: got %q, %v", got, ok)
	}

	if err := v.Delete("proj", "KEY"); err != nil {
		t.Fatalf("Delete: %v", err)
	}
	if _, ok := v.Get("proj", "KEY"); ok {
		t.Error("key should not exist after Delete")
	}
}

func TestVault_Delete_UnknownKey(t *testing.T) {
	v, _ := Open(filepath.Join(t.TempDir(), "v.json"), "pw")
	v.Set("proj", "KEY", "v")

	if err := v.Delete("proj", "MISSING"); err == nil {
		t.Error("expected error deleting missing key")
	}
	if err := v.Delete("noproj", "KEY"); err == nil {
		t.Error("expected error deleting from missing project")
	}
}

func TestVault_GetAll_IsolatedCopy(t *testing.T) {
	v, _ := Open(filepath.Join(t.TempDir(), "v.json"), "pw")
	v.Set("proj", "A", "1")
	v.Set("proj", "B", "2")

	all := v.GetAll("proj")
	all["A"] = "mutated"

	got, _ := v.Get("proj", "A")
	if got != "1" {
		t.Error("GetAll should return an isolated copy, not a reference")
	}
}

func TestVault_MultipleProjects(t *testing.T) {
	path := filepath.Join(t.TempDir(), "vault.json")
	v, _ := Open(path, "pw")
	v.Set("alpha", "KEY", "alpha-value")
	v.Set("beta", "KEY", "beta-value")
	v.Save(path, "pw")

	v2, _ := Open(path, "pw")
	if val, _ := v2.Get("alpha", "KEY"); val != "alpha-value" {
		t.Errorf("alpha: got %q", val)
	}
	if val, _ := v2.Get("beta", "KEY"); val != "beta-value" {
		t.Errorf("beta: got %q", val)
	}
}