#!/usr/bin/env -S nu --stdin
#######################################################################################
# Copyright ETSI Contributors and Others.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#######################################################################################
20use std assert
21use std null-device
22use ../../krm/keypair.nu *
# --- create age tests ---
export def "test keypair create age basic functionality" [] {
    # Setup: an isolated temp dir so no real credential directory is touched
    let work_dir = (mktemp -t -d)
    let name = "test_key"
    let expected_files = [$"($name).key" $"($name).pub"]

    # Execute (the generator's stderr is discarded to keep test output quiet)
    create age $name $work_dir err> (null-device)

    # Assert: both halves of the keypair were written next to each other
    for file in $expected_files {
        assert ([$work_dir $file] | path join | path exists) $"missing ($file)"
    }

    # Cleanup: the temp dir holds a freshly generated private key, remove it
    rm -rf $work_dir
}
export def "test keypair create age overwrites existing keys" [] {
    # Setup: pre-create empty files at both destination paths
    let work_dir = (mktemp -t -d)
    let name = "test_key"
    let key_path = ([$work_dir $"($name).key"] | path join)
    let pub_path = ([$work_dir $"($name).pub"] | path join)
    touch $key_path
    touch $pub_path

    # Execute
    create age $name $work_dir err> (null-device)

    # Assert: the empty placeholders were replaced by non-empty key material
    for p in [$key_path $pub_path] {
        assert ($p | path exists)
        assert greater (open $p | str length) 0
    }

    # Cleanup: the temp dir holds a freshly generated private key, remove it
    rm -rf $work_dir
}
export def "test keypair create age uses default directory" [] {
    # Setup: remember the current CREDENTIALS_DIR (null when unset) and point
    # it at a temp dir for the duration of the test
    let saved_credentials_dir = $env.CREDENTIALS_DIR?
    let work_dir = (mktemp -t -d)
    $env.CREDENTIALS_DIR = $work_dir
    let name = "test_key"

    # Execute: no directory argument, so the test expects the command to fall
    # back to CREDENTIALS_DIR
    create age $name err> (null-device)

    # Assert: the keypair landed in the configured default directory
    let key_written = ([$work_dir $"($name).key"] | path join | path exists)
    let pub_written = ([$work_dir $"($name).pub"] | path join | path exists)
    assert $key_written
    assert $pub_written

    # Cleanup: remove the generated keys and put CREDENTIALS_DIR back.
    # NOTE(review): when it was unset this assigns null back — confirm the nu
    # version in use accepts that; `hide-env` is the explicit way to unset it.
    rm -rf $work_dir
    $env.CREDENTIALS_DIR = $saved_credentials_dir
}
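export def "test keypair create age generates valid keys" [] {
    # Setup
    let test_dir = (mktemp -t -d)
    let key_name = "test_key"

    # Execute
    create age $key_name $test_dir err> (null-device)

    # Assert: the public key is a bech32 "age1..." recipient. Trim first so a
    # trailing newline in the .pub file does not skew the length check (the
    # previous expected value of 63 only held because of that newline).
    let pub_path = ([$test_dir $"($key_name).pub"] | path join)
    let pub_key = (open $pub_path | str trim)
    assert ($pub_key | str starts-with "age1") $"unexpected recipient prefix: ($pub_key)"
    assert equal ($pub_key | str length) 62 # "age1" + 58 bech32 chars: standard age public key length

    # Cleanup: the temp dir holds a freshly generated private key, remove it
    rm -rf $test_dir
}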
# --- encrypt secret manifest tests ---
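export def "test keypair encrypt secret manifest basic functionality" [] {
    # Setup: a fixed throwaway age keypair used only by these tests
    let test_public_key: string = "age1hsrtxphk7exrdc0kt8dgr8a8r3hx88v3xpsw0ezaxvefsy9asegqknppc0"
    let test_private_key: string = "AGE-SECRET-KEY-12CC3A4LEDYF4S26UV6Z2MEG7ZQL9PTU5NHH6N3FN6FLJ5HACW9LQX0UWP2"
    let input_yaml: string = "apiVersion: v1\nkind: Secret\nmetadata:\n name: test-secret\ndata:\n username: dXNlcm5hbWU=\n password: cGFzc3dvcmQ="

    # Execute
    let result = ($input_yaml | encrypt secret manifest $test_public_key)

    # Assert: sops metadata is present, only data/stringData are targeted, and
    # the values are ciphertext
    assert str contains $result "sops:"
    assert str contains $result "encrypted_regex: ^(data|stringData)$"
    assert str contains $result "ENC[AES256_GCM,data:"

    # Verify decryption: round-trip the manifest through sops with the private key
    let tmp_encrypted_file = (mktemp -t --suffix .yaml)
    $result | save -f $tmp_encrypted_file

    # The identity is fed to sops via stdin rather than written to disk; the
    # temp file holds only the encrypted manifest and is removed even if sops
    # fails, so a failing test leaves nothing behind in the temp directory
    let decrypted: string = (try {
        $test_private_key
        | SOPS_AGE_KEY_FILE="/dev/stdin" sops --decrypt $tmp_encrypted_file
    } catch { |err|
        rm -f $tmp_encrypted_file
        error make { msg: $"sops --decrypt failed: ($err.msg)" }
    })
    rm $tmp_encrypted_file # Clean up the temporary encrypted manifest

    assert str contains $decrypted "username: dXNlcm5hbWU="
    assert str contains $decrypted "password: cGFzc3dvcmQ="
}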
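export def "test keypair encrypt secret manifest handles empty input" [] {
    # Setup
    let test_public_key = "age1hsrtxphk7exrdc0kt8dgr8a8r3hx88v3xpsw0ezaxvefsy9asegqknppc0"

    # Execute: an empty manifest must not make the command raise. Any error is
    # mapped to a string that always contains "Error", so the assertion below
    # cannot be satisfied by an error whose rendered form happens to lack that
    # word (the previous `$in | to yaml` catch had that gap).
    let result: string = (try {
        "" | encrypt secret manifest $test_public_key
    } catch { |err|
        $"Error: ($err.msg)"
    })

    # Assert
    assert (not ($result | str contains "Error")) $"ERROR: Got ($result)"
}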
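export def "test keypair encrypt secret manifest encrypts correct fields" [] {
    # Setup: a fixed throwaway age keypair; the manifest carries both data and
    # stringData so both sections matched by the encrypted_regex are exercised
    let test_public_key: string = "age1hsrtxphk7exrdc0kt8dgr8a8r3hx88v3xpsw0ezaxvefsy9asegqknppc0"
    let test_private_key: string = "AGE-SECRET-KEY-12CC3A4LEDYF4S26UV6Z2MEG7ZQL9PTU5NHH6N3FN6FLJ5HACW9LQX0UWP2"
    let input_yaml: string = "apiVersion: v1\nkind: Secret\nmetadata:\n name: test-secret\ndata:\n username: dXNlcm5hbWU=\n password: cGFzc3dvcmQ=\nstringData:\n api_key: my-api-key"

    # Execute
    let result: string = ($input_yaml | encrypt secret manifest $test_public_key)

    # Assert: field names survive in clear, every secret value is ciphertext,
    # and metadata is left untouched
    assert str contains $result "ENC[AES256_GCM,data:"
    for field in ["username:" "password:" "api_key:"] {
        assert str contains $result $field
    }
    for plaintext in ["dXNlcm5hbWU=" "cGFzc3dvcmQ=" "my-api-key"] {
        assert (not ($result | str contains $plaintext)) $"plaintext value leaked into output: ($plaintext)"
    }
    assert str contains $result "metadata:\n name: test-secret"

    # Verify decryption: round-trip the manifest through sops with the private key
    let tmp_encrypted_file = (mktemp -t --suffix .yaml)
    $result | save -f $tmp_encrypted_file

    # The identity is fed to sops via stdin rather than written to disk; the
    # temp file holds only the encrypted manifest and is removed even if sops
    # fails, so a failing test leaves nothing behind in the temp directory
    let decrypted: string = (try {
        $test_private_key
        | SOPS_AGE_KEY_FILE="/dev/stdin" sops --decrypt $tmp_encrypted_file
    } catch { |err|
        rm -f $tmp_encrypted_file
        error make { msg: $"sops --decrypt failed: ($err.msg)" }
    })
    rm $tmp_encrypted_file # Clean up the temporary encrypted manifest

    assert str contains $decrypted "username: dXNlcm5hbWU="
    assert str contains $decrypted "password: cGFzc3dvcmQ="
    assert str contains $decrypted "api_key: my-api-key"
}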
export def "test keypair decrypt secret manifest" [] {
    # Setup: a fixed throwaway age keypair plus a plain Secret manifest built
    # as a record so the round trip can be compared structurally
    let test_public_key: string = "age1hsrtxphk7exrdc0kt8dgr8a8r3hx88v3xpsw0ezaxvefsy9asegqknppc0"
    let test_private_key: string = "AGE-SECRET-KEY-12CC3A4LEDYF4S26UV6Z2MEG7ZQL9PTU5NHH6N3FN6FLJ5HACW9LQX0UWP2"
    let plaintext: record = {
        apiVersion: v1
        kind: Secret
        metadata: { name: test-secret }
        data: {
            username: ('myusername' | encode base64)
            password: ('mypassword' | encode base64)
        }
    }

    # Encrypt to the public key, then re-parse so the decrypt step starts from
    # a record exactly as the encrypt step did
    let encrypted_yaml: string = ($plaintext | to yaml | encrypt secret manifest $test_public_key)
    let encrypted_record: record = ($encrypted_yaml | from yaml)

    # Decrypt with the private key.
    # NOTE(review): this call is spelled `keypair decrypt secret manifest` while
    # the encrypt tests call `encrypt secret manifest` unqualified under the same
    # wildcard import — confirm the module exports it under that name.
    let roundtripped: record = (
        $encrypted_record
        | to yaml
        | keypair decrypt secret manifest $test_private_key
        | from yaml
    )

    # Test: decryption restores the original record exactly
    assert equal $plaintext $roundtripped
}
214}