Skip to content

Commit a176328

Browse files
cmilesdevcmilesdev
committed
chore: code cov
1 parent 0f4cbd7 commit a176328

File tree

1 file changed

+120
-0
lines changed

1 file changed

+120
-0
lines changed

crypt_test.go

Lines changed: 120 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,8 +2,10 @@ package crypt
22

33
import (
44
"bytes"
5+
"crypto/aes"
56
"encoding/base64"
67
"encoding/json"
8+
"io"
79
"strings"
810
"testing"
911

@@ -97,6 +99,12 @@ func TestReadAppKeySupports128And256(t *testing.T) {
9799
}
98100
}
99101

102+
func TestReadAppKeyErrorsOnPrefix(t *testing.T) {
103+
if _, err := ReadAppKey("invalidprefix"); err == nil {
104+
t.Fatalf("Expected prefix error")
105+
}
106+
}
107+
100108
func TestEncryptAndDecrypt(t *testing.T) {
101109
setTestAppKey(t)
102110

@@ -159,6 +167,13 @@ func TestDecryptTamperedPayloadFails(t *testing.T) {
159167
}
160168
}
161169

170+
func TestDecryptBase64DecodeError(t *testing.T) {
171+
setTestAppKey(t)
172+
if _, err := Decrypt("!not-base64"); err == nil || !strings.Contains(err.Error(), "base64 decode failed") {
173+
t.Fatalf("expected base64 error, got %v", err)
174+
}
175+
}
176+
162177
func TestDecryptFallsBackToPreviousKey(t *testing.T) {
163178
currentKey, currentKeyStr := generateKeyPair(t)
164179
previousKey, previousKeyStr := generateKeyPair(t)
@@ -216,6 +231,73 @@ func TestDecryptFailsWhenNoKeysMatch(t *testing.T) {
216231
}
217232
}
218233

234+
func TestDecryptFailsOnInvalidJson(t *testing.T) {
235+
_, keyStr := generateKeyPair(t)
236+
t.Setenv("APP_KEY", keyStr)
237+
238+
badJSON := base64.StdEncoding.EncodeToString([]byte("{"))
239+
if _, err := Decrypt(badJSON); err == nil || !strings.Contains(err.Error(), "json decode failed") {
240+
t.Fatalf("expected json decode error, got %v", err)
241+
}
242+
}
243+
244+
func TestDecryptErrorsOnDecodeFailures(t *testing.T) {
245+
_, keyStr := generateKeyPair(t)
246+
t.Setenv("APP_KEY", keyStr)
247+
248+
buildPayload := func(iv, val, mac string) string {
249+
p := EncryptedPayload{IV: iv, Value: val, MAC: mac}
250+
b, _ := json.Marshal(p)
251+
return base64.StdEncoding.EncodeToString(b)
252+
}
253+
254+
// iv decode error
255+
if _, err := Decrypt(buildPayload("?", "dmFsdWU=", "bWFj")); err == nil || !strings.Contains(err.Error(), "iv decode failed") {
256+
t.Fatalf("expected iv decode failure")
257+
}
258+
259+
// value decode error
260+
if _, err := Decrypt(buildPayload(base64.StdEncoding.EncodeToString(make([]byte, aes.BlockSize)), "?", "bWFj")); err == nil || !strings.Contains(err.Error(), "value decode failed") {
261+
t.Fatalf("expected value decode failure")
262+
}
263+
264+
// mac decode error
265+
if _, err := Decrypt(buildPayload(base64.StdEncoding.EncodeToString(make([]byte, aes.BlockSize)), base64.StdEncoding.EncodeToString(make([]byte, aes.BlockSize)), "?")); err == nil || !strings.Contains(err.Error(), "mac decode failed") {
266+
t.Fatalf("expected mac decode failure")
267+
}
268+
}
269+
270+
func TestDecryptErrorsOnBlockSize(t *testing.T) {
271+
key, keyStr := generateKeyPair(t)
272+
t.Setenv("APP_KEY", keyStr)
273+
274+
iv := base64.StdEncoding.EncodeToString(make([]byte, aes.BlockSize))
275+
val := base64.StdEncoding.EncodeToString([]byte{1, 2, 3}) // not multiple of block size
276+
mac := base64.StdEncoding.EncodeToString(computeHMACSHA256(append(make([]byte, aes.BlockSize), []byte{1, 2, 3}...), key))
277+
278+
payload := EncryptedPayload{IV: iv, Value: val, MAC: mac}
279+
raw, _ := json.Marshal(payload)
280+
enc := base64.StdEncoding.EncodeToString(raw)
281+
282+
if _, err := Decrypt(enc); err == nil || !strings.Contains(err.Error(), "multiple of the block size") {
283+
t.Fatalf("expected block size error, got %v", err)
284+
}
285+
}
286+
287+
func TestEncryptFailsWithoutAppKey(t *testing.T) {
288+
t.Setenv("APP_KEY", "")
289+
if _, err := Encrypt("secret"); err == nil {
290+
t.Fatalf("expected error when APP_KEY missing")
291+
}
292+
}
293+
294+
func TestGetAppKeyErrorWhenMissing(t *testing.T) {
295+
t.Setenv("APP_KEY", "")
296+
if _, err := GetAppKey(); err == nil {
297+
t.Fatalf("expected error when APP_KEY missing")
298+
}
299+
}
300+
219301
func TestDecryptFailsOnInvalidPreviousKeys(t *testing.T) {
220302
_, currentKeyStr := generateKeyPair(t)
221303
t.Setenv("APP_KEY", currentKeyStr)
@@ -281,3 +363,41 @@ func TestDecryptWithMixedKeyLengths(t *testing.T) {
281363
t.Fatalf("Expected previous AES-128 key to fail decrypting AES-256 ciphertext")
282364
}
283365
}
366+
367+
func TestPkcs7UnpadErrors(t *testing.T) {
368+
if _, err := pkcs7Unpad([]byte{}); err == nil {
369+
t.Fatalf("expected error on empty input")
370+
}
371+
if _, err := pkcs7Unpad([]byte{1, 2, 0}); err == nil {
372+
t.Fatalf("expected error on zero padding")
373+
}
374+
if _, err := pkcs7Unpad([]byte{1, 2, 3, 2}); err == nil {
375+
t.Fatalf("expected error on invalid pattern")
376+
}
377+
}
378+
379+
type failingReader struct{}
380+
381+
func (f failingReader) Read(p []byte) (int, error) {
382+
return 0, io.ErrUnexpectedEOF
383+
}
384+
385+
func TestGenerateAppKeyRandError(t *testing.T) {
386+
orig := rand.Reader
387+
rand.Reader = failingReader{}
388+
defer func() { rand.Reader = orig }()
389+
390+
if _, err := GenerateAppKey(); err == nil {
391+
t.Fatalf("expected error when rand fails")
392+
}
393+
}
394+
395+
func TestDecryptWithKeyBase64Failure(t *testing.T) {
396+
if _, err := decryptWithKey(make([]byte, 16), "???"); err == nil || !strings.Contains(err.Error(), "base64 decode failed") {
397+
t.Fatalf("expected base64 decode failure")
398+
}
399+
}
400+
401+
func TestDumpExample(t *testing.T) {
402+
dumpExample("a", 1)
403+
}

0 commit comments

Comments
 (0)