(t *testing.T)
| 241 | } |
| 242 | |
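// TestMasterKey_Encrypt covers Encrypt on keys built by createTestMasterKey:
// a successful round trip through the test KMS client, a failure reported by
// the KMS endpoint, and a failure caused by an ARN that cannot be parsed.
//
// In both failure cases the test also asserts that EncryptedKey stays empty,
// so a failed Encrypt leaves no ciphertext on the key.
func TestMasterKey_Encrypt(t *testing.T) {
	t.Run("encrypt", func(t *testing.T) {
		key := createTestMasterKey(testKMSARN)
		dataKey := []byte("UFO sightings")
		// Stop at the first failed precondition: each later step uses the
		// result of the one before, and decrypted is dereferenced at the end.
		if !assert.NoError(t, key.Encrypt(dataKey)) {
			return
		}
		assert.NotEmpty(t, key.EncryptedKey)

		kmsClient, err := createTestKMSClient(key)
		if !assert.NoError(t, err) {
			return
		}

		// EncryptedKey is stored base64-encoded; KMS expects the raw blob.
		k, err := base64.StdEncoding.DecodeString(key.EncryptedKey)
		if !assert.NoError(t, err) {
			return
		}

		// Decrypt with the same encryption context the key carries.
		// NOTE(review): this checks the matching-context round trip only; it
		// does not show that a different context is rejected.
		input := &kms.DecryptInput{
			CiphertextBlob:    k,
			EncryptionContext: stringPointerToStringMap(key.EncryptionContext),
		}
		decrypted, err := kmsClient.Decrypt(context.TODO(), input)
		if !assert.NoError(t, err) {
			// Without this guard a failed Decrypt would be followed by a read
			// of decrypted.Plaintext, hiding the real error behind a panic if
			// decrypted is nil.
			return
		}
		assert.Equal(t, dataKey, decrypted.Plaintext)
	})

	t.Run("encrypt error", func(t *testing.T) {
		// Valid ARN but invalid for test server.
		key := createTestMasterKey(dummyARN)
		err := key.Encrypt([]byte("UFO sightings"))
		assert.Error(t, err)
		assert.ErrorContains(t, err, "failed to encrypt sops data key with AWS KMS")
		assert.Empty(t, key.EncryptedKey)
	})

	t.Run("config error", func(t *testing.T) {
		// This ARN is expected to be rejected before any KMS call, judging by
		// the "no valid ARN found" message asserted below.
		key := createTestMasterKey("arn:gcp:kms:antartica-north-2::key/45e6-aca6-a5b005693a48")
		err := key.Encrypt([]byte(""))
		assert.Error(t, err)
		assert.ErrorContains(t, err, "no valid ARN found")
		assert.Empty(t, key.EncryptedKey)
	})
}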
| 282 | |
| 283 | func TestMasterKey_EncryptIfNeeded(t *testing.T) { |
| 284 | key := createTestMasterKey(testKMSARN) |