TestKeyGroupsForFileWithExternalEncryptionContext tests that when kmsEncryptionContext is passed to parseCreationRuleForFile, the resulting KMS keys have the encryption context set. This is a regression test for https://github.com/getsops/sops/issues/1972
(t *testing.T)
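// TestKeyGroupsForFileWithExternalEncryptionContext tests that when kmsEncryptionContext
// is passed to parseCreationRuleForFile, the resulting KMS keys have the encryption context set.
// This is a regression test for https://github.com/getsops/sops/issues/1972
//
// Why this is worth pinning: AWS KMS cryptographically binds the encryption
// context to the ciphertext as non-secret additional authenticated data, and
// key policies can condition on it. A master key built without the
// caller-supplied context would presumably encrypt the data key without that
// binding, and nothing in the output would flag the omission.
func TestKeyGroupsForFileWithExternalEncryptionContext(t *testing.T) {
	// Config with flat KMS format (not key_groups) - this is where external context applies.
	// The ARN is a placeholder value, not a real key.
	// NOTE(review): an empty path_regex presumably matches every file - confirm.
	sampleConfigWithFlatKMS := []byte(`
creation_rules:
  - path_regex: ""
    kms: "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
`)

	// External encryption context passed via --encryption-context flag
	appName := "myapp"
	kmsEncryptionContext := map[string]*string{"AppName": &appName}

	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithFlatKMS, t), "/conf/path", "secrets.yaml", kmsEncryptionContext)

	// assert.* only records a failure and keeps going. Stop here so that a nil
	// conf or an empty key group is reported as an ordinary test failure
	// instead of a nil-dereference / index-out-of-range panic further down.
	if !assert.Nil(t, err) || !assert.NotNil(t, conf) {
		return
	}
	if !assert.Len(t, conf.KeyGroups, 1) || !assert.Len(t, conf.KeyGroups[0], 1) {
		return
	}

	// The KMS key should have the encryption context applied
	// Format: ARN|context where context is "AppName:myapp"
	assert.Equal(t, "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012|AppName:myapp", conf.KeyGroups[0][0].ToString())
}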