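package crypto

import (
	"bytes"
	"encoding/base64"
	"strings"
	"testing"
)

// testKey returns a fixed 32-byte key whose bytes are 0x00 through 0x1f.
// It is deterministic on purpose so failures are reproducible; it is a test
// fixture only and must never be used as a real key.
func testKey() []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = byte(i)
	}
	return k
}

// TestSealOpenRoundTrip checks that Open recovers exactly what Seal was given
// under the same key, and that the sealed blob does not embed the plaintext
// bytes verbatim.
func TestSealOpenRoundTrip(t *testing.T) {
	key := testKey()
	msg := []byte("hunter2-the-password")

	blob, err := Seal(key, msg)
	if err != nil {
		t.Fatalf("Seal: %v", err)
	}
	// A coarse leak check only: it catches a pass-through or an appended copy
	// of the plaintext, not weak encryption in general.
	if bytes.Contains(blob, msg) {
		t.Fatal("ciphertext must not contain plaintext")
	}

	got, err := Open(key, blob)
	if err != nil {
		t.Fatalf("Open: %v", err)
	}
	if !bytes.Equal(got, msg) {
		t.Fatalf("round-trip mismatch: %q", got)
	}
}

// TestSealUsesRandomNonce checks that sealing the same plaintext twice under
// the same key yields different blobs. This shows the output is not
// deterministic; it does not by itself prove the nonce is drawn from a CSPRNG
// (a counter would also pass).
func TestSealUsesRandomNonce(t *testing.T) {
	key := testKey()

	// Both errors are checked: if Seal failed twice and returned nil blobs,
	// the equality below would fire with a message that blames the nonce.
	a, err := Seal(key, []byte("x"))
	if err != nil {
		t.Fatalf("Seal (first): %v", err)
	}
	b, err := Seal(key, []byte("x"))
	if err != nil {
		t.Fatalf("Seal (second): %v", err)
	}
	if bytes.Equal(a, b) {
		t.Fatal("two seals of same plaintext must differ (random nonce)")
	}
}

// TestOpenWrongKeyFails checks that a blob sealed under one key is rejected
// when opened with a different key.
//
// NOTE(review): nothing in this file covers a blob that was modified and then
// opened with the correct key. If Seal is meant to be authenticated
// encryption, that case belongs next to this one; confirm against the
// implementation.
func TestOpenWrongKeyFails(t *testing.T) {
	// The Seal error must be checked: with an ignored failure the blob would
	// be empty, Open would reject it for that reason, and this negative test
	// would pass without ever exercising the wrong-key path.
	blob, err := Seal(testKey(), []byte("secret"))
	if err != nil {
		t.Fatalf("Seal: %v", err)
	}

	wrong := make([]byte, 32) // all zeros
	if _, err := Open(wrong, blob); err == nil {
		t.Fatal("Open with wrong key must fail")
	}
}

// TestAgentAndAdminKeyFromEnv checks key loading from the environment:
// a base64 (standard encoding) 32-byte value in EMCLI_KEY and
// EMCLI_ADMIN_KEY is accepted, an empty EMCLI_ADMIN_KEY produces an error
// naming that variable, and a value that decodes to fewer than 32 bytes
// produces an error mentioning "32 bytes".
//
// t.Setenv restores the previous values when the test ends, so the cases
// below run in sequence on purpose and the test must not be made parallel.
func TestAgentAndAdminKeyFromEnv(t *testing.T) {
	good := base64.StdEncoding.EncodeToString(testKey())

	t.Setenv("EMCLI_KEY", good)
	if k, err := AgentKeyFromEnv(); err != nil || len(k) != 32 {
		t.Fatalf("AgentKeyFromEnv: key=%d err=%v", len(k), err)
	}

	t.Setenv("EMCLI_ADMIN_KEY", good)
	if k, err := AdminKeyFromEnv(); err != nil || len(k) != 32 {
		t.Fatalf("AdminKeyFromEnv: key=%d err=%v", len(k), err)
	}

	// An unset/empty admin key must be an error, and the error must say which
	// variable is missing so an operator can fix it.
	t.Setenv("EMCLI_ADMIN_KEY", "")
	if _, err := AdminKeyFromEnv(); err == nil || !strings.Contains(err.Error(), "EMCLI_ADMIN_KEY") {
		t.Fatalf("empty admin key: want EMCLI_ADMIN_KEY error, got %v", err)
	}

	// Valid base64 but only 8 bytes of key material: must be rejected rather
	// than padded or truncated into a usable key.
	t.Setenv("EMCLI_KEY", base64.StdEncoding.EncodeToString([]byte("tooshort")))
	if _, err := AgentKeyFromEnv(); err == nil || !strings.Contains(err.Error(), "32 bytes") {
		t.Fatalf("short key: want length error, got %v", err)
	}
}

// TestNewDEKIsRandom32 checks that NewDEK returns 32 bytes and that two
// consecutive calls return different keys.
func TestNewDEKIsRandom32(t *testing.T) {
	a, err := NewDEK()
	if err != nil || len(a) != 32 {
		t.Fatalf("NewDEK: len=%d err=%v", len(a), err)
	}

	// The second call gets the same checks as the first: an ignored error
	// would leave b nil, which differs from a and lets the test pass without
	// a second key ever having been generated.
	b, err := NewDEK()
	if err != nil || len(b) != 32 {
		t.Fatalf("NewDEK (second): len=%d err=%v", len(b), err)
	}
	if bytes.Equal(a, b) {
		t.Fatal("two DEKs must differ")
	}
}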