(t *testing.T)
| 304 | } |
| 305 | |
// TestMasterKey_Decrypt exercises MasterKey.Decrypt against the test KMS
// server: one happy-path round trip, then three failure modes (an encrypted
// data key that is not valid base64, a ciphertext the server cannot decrypt,
// and an ARN that is not an AWS KMS ARN at all).
//
// NOTE(review): no case asserts that a ciphertext produced under a different
// EncryptionContext is rejected on decrypt — confirm that is covered elsewhere.
func TestMasterKey_Decrypt(t *testing.T) {
	t.Run("decrypt", func(t *testing.T) {
		masterKey := createTestMasterKey(testKMSARN)
		client, err := createTestKMSClient(masterKey)
		assert.NoError(t, err)

		plaintext := []byte("it's always DNS")
		// Encrypt under the same EncryptionContext the master key carries so
		// the round trip goes through the context-bound decrypt path.
		encrypted, err := client.Encrypt(context.TODO(), &kms.EncryptInput{
			Plaintext:         plaintext,
			KeyId:             &masterKey.Arn,
			EncryptionContext: stringPointerToStringMap(masterKey.EncryptionContext),
		})
		assert.NoError(t, err)

		masterKey.EncryptedKey = base64.StdEncoding.EncodeToString(encrypted.CiphertextBlob)
		decrypted, err := masterKey.Decrypt()
		assert.NoError(t, err)
		assert.Equal(t, plaintext, decrypted)
	})

	// Failure modes: each case builds a master key whose Decrypt must fail
	// with the given error substring and must return a nil data key.
	failures := []struct {
		name         string
		arn          string
		encryptedKey string
		wantErr      string
	}{
		{
			name:         "data key error",
			arn:          testKMSARN,
			encryptedKey: "invalid", // not valid base64
			wantErr:      "error base64-decoding encrypted data key",
		},
		{
			// Valid ARN but invalid for test server.
			name:         "decrypt error",
			arn:          dummyARN,
			encryptedKey: base64.StdEncoding.EncodeToString([]byte("invalid")),
			wantErr:      "failed to decrypt sops data key with AWS KMS",
		},
		{
			// Not an AWS ARN; EncryptedKey is deliberately left empty.
			name:    "config error",
			arn:     "arn:gcp:kms:antartica-north-2::key/45e6-aca6-a5b005693a48",
			wantErr: "no valid ARN found",
		},
	}
	for _, tc := range failures {
		t.Run(tc.name, func(t *testing.T) {
			masterKey := createTestMasterKey(tc.arn)
			masterKey.EncryptedKey = tc.encryptedKey
			decrypted, err := masterKey.Decrypt()
			assert.Error(t, err)
			assert.ErrorContains(t, err, tc.wantErr)
			assert.Nil(t, decrypted)
		})
	}
}
| 351 | |
| 352 | func TestMasterKey_EncryptDecrypt_RoundTrip(t *testing.T) { |
| 353 | dataKey := []byte("the wheels on the bus go round and round") |