| 10 | ) |
| 11 | |
| 12 | func TestSSEConfigEncryptionKeyRedacted(t *testing.T) { |
| 13 | const plaintext = "my-super-secret-key" |
| 14 | |
| 15 | var key flagext.Secret |
| 16 | require.NoError(t, key.Set(plaintext)) |
| 17 | |
| 18 | cfg := SSEConfig{ |
| 19 | Type: SSEC, |
| 20 | CustomerEncryptionKey: key, |
| 21 | } |
| 22 | |
| 23 | out, err := yaml.Marshal(cfg) |
| 24 | require.NoError(t, err) |
| 25 | |
| 26 | assert.NotContains(t, string(out), plaintext, "plaintext encryption key must not appear in YAML output") |
| 27 | assert.Contains(t, string(out), "********", "redacted marker must appear in YAML output") |
| 28 | } |