pkg/secretbox/secretbox_test.go

package secretbox

import (
	"bytes"
	"crypto/rand"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestSecretBoxEncryption(t *testing.T) {
	t.Parallel()

	key := make([]byte, keySize) // generate random 32-byte key
	_, errKey := rand.Read(key)
	require.NoError(t, errKey)

	tests := []struct {
		name    string
		data    []byte
		key     []byte
		wantErr error
	}{
		{
			name: "valid encryption/decryption",
			data: []byte("hello world"),
			key:  key,
		},
		{
			name:    "nil key returns error",
			data:    []byte("hello world"),
			key:     nil,
			wantErr: ErrNoEncryptionKey,
		},
		{
			name: "empty data",
			data: []byte{},
			key:  key,
		},
		{
			name:    "invalid key size",
			data:    []byte("hello world"),
			key:     make([]byte, 16), // Only 32 bytes allowed now
			wantErr: ErrInvalidKeySize,
		},
		{
			name:    "zero key returns error",
			data:    []byte("hello world"),
			key:     make([]byte, keySize),
			wantErr: ErrZeroKey,
		},
	}

	for _, tt := range tests {
		tt := tt
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			encrypted, err := EncryptWithKey(tt.data, tt.key)
			if tt.wantErr != nil {
				require.ErrorIs(t, err, tt.wantErr)
				return
			}
			require.NoError(t, err)

			// Verify encrypted data is different and includes nonce
			require.Greater(t, len(encrypted), 24) // At least nonce size
			if len(tt.data) > 0 {
				require.NotEqual(t, tt.data, encrypted[24:]) // Ignore nonce prefix
			}

			decrypted, err := DecryptStringWithKey(encrypted, tt.key)
			require.NoError(t, err)
			require.True(t, bytes.Equal(tt.data, decrypted))
		})
	}
}

func TestDecryptionErrors(t *testing.T) {
	t.Parallel()

	key := make([]byte, keySize)
	_, err := rand.Read(key)
	require.NoError(t, err)

	// Create valid encrypted data for tampering tests
	validData := []byte("test message")
	encrypted, err := EncryptWithKey(validData, key)
	require.NoError(t, err)

	tests := []struct {
		name   string
		data   []byte
		key    []byte
		errMsg string
	}{
		{
			name:   "short ciphertext",
			data:   make([]byte, 23), // Less than nonce size
			key:    key,
			errMsg: "ciphertext too short",
		},
		{
			name:   "invalid ciphertext",
			data:   make([]byte, 24), // Just nonce size
			key:    key,
			errMsg: "decryption failed",
		},
		{
			name:   "tampered ciphertext",
			data:   tamperWithBytes(encrypted),
			key:    key,
			errMsg: "decryption failed",
		},
		{
			name:   "missing key",
			data:   encrypted,
			key:    nil,
			errMsg: "encryption key is required",
		},
	}

	for _, tt := range tests {
		tt := tt
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			_, err := DecryptStringWithKey(tt.data, tt.key)
			require.Error(t, err)
			require.Contains(t, err.Error(), tt.errMsg)
		})
	}
}

// tamperWithBytes modifies a byte in the encrypted data to simulate tampering
func tamperWithBytes(data []byte) []byte {
	if len(data) < 25 { // Need at least nonce + 1 byte
		return data
	}
	tampered := make([]byte, len(data))
	copy(tampered, data)
	tampered[24] ^= 0x01 // Modify first byte after nonce
	return tampered
}
expose secretbox, notably for the GenerateKey() function that should be public 2024-12-12 16:04:31 +01:00			`package secretbox`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00
			`import (`
			`"bytes"`
			`"crypto/rand"`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`)`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`func TestSecretBoxEncryption(t *testing.T) {`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`t.Parallel()`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`key := make([]byte, keySize) // generate random 32-byte key`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`_, errKey := rand.Read(key)`
			`require.NoError(t, errKey)`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00
			`tests := []struct {`
			`name string`
			`data []byte`
			`key []byte`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`wantErr error`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`}{`
			`{`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`name: "valid encryption/decryption",`
			`data: []byte("hello world"),`
			`key: key,`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`},`
			`{`
address pr remarks 2024-11-04 19:11:25 +01:00			`name: "nil key returns error",`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`data: []byte("hello world"),`
			`key: nil,`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`wantErr: ErrNoEncryptionKey,`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`},`
			`{`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`name: "empty data",`
			`data: []byte{},`
			`key: key,`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`},`
			`{`
			`name: "invalid key size",`
			`data: []byte("hello world"),`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`key: make([]byte, 16), // Only 32 bytes allowed now`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`wantErr: ErrInvalidKeySize,`
			`},`
			`{`
			`name: "zero key returns error",`
			`data: []byte("hello world"),`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`key: make([]byte, keySize),`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`wantErr: ErrZeroKey,`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`},`
			`}`

			`for _, tt := range tests {`
			`tt := tt`
			`t.Run(tt.name, func(t *testing.T) {`
			`t.Parallel()`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`encrypted, err := EncryptWithKey(tt.data, tt.key)`
validate non-zero aes key and other refactoring 2024-11-12 16:04:33 +01:00			`if tt.wantErr != nil {`
			`require.ErrorIs(t, err, tt.wantErr)`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`return`
			`}`
			`require.NoError(t, err)`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`// Verify encrypted data is different and includes nonce`
			`require.Greater(t, len(encrypted), 24) // At least nonce size`
			`if len(tt.data) > 0 {`
			`require.NotEqual(t, tt.data, encrypted[24:]) // Ignore nonce prefix`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`}`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00
			`decrypted, err := DecryptStringWithKey(encrypted, tt.key)`
			`require.NoError(t, err)`
			`require.True(t, bytes.Equal(tt.data, decrypted))`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`})`
			`}`
			`}`

			`func TestDecryptionErrors(t *testing.T) {`
			`t.Parallel()`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`key := make([]byte, keySize)`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`_, err := rand.Read(key)`
			`require.NoError(t, err)`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`// Create valid encrypted data for tampering tests`
			`validData := []byte("test message")`
			`encrypted, err := EncryptWithKey(validData, key)`
			`require.NoError(t, err)`

feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`tests := []struct {`
			`name string`
			`data []byte`
			`key []byte`
			`errMsg string`
			`}{`
			`{`
			`name: "short ciphertext",`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`data: make([]byte, 23), // Less than nonce size`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`key: key,`
			`errMsg: "ciphertext too short",`
			`},`
			`{`
			`name: "invalid ciphertext",`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`data: make([]byte, 24), // Just nonce size`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`key: key,`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`errMsg: "decryption failed",`
			`},`
			`{`
			`name: "tampered ciphertext",`
			`data: tamperWithBytes(encrypted),`
			`key: key,`
			`errMsg: "decryption failed",`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`},`
address pr remarks 2024-11-04 19:11:25 +01:00			`{`
			`name: "missing key",`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`data: encrypted,`
address pr remarks 2024-11-04 19:11:25 +01:00			`key: nil,`
			`errMsg: "encryption key is required",`
			`},`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`}`

			`for _, tt := range tests {`
			`tt := tt`
			`t.Run(tt.name, func(t *testing.T) {`
			`t.Parallel()`

feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00			`_, err := DecryptStringWithKey(tt.data, tt.key)`
feat(meta): values symmetric encryption 2024-10-31 18:24:54 +01:00			`require.Error(t, err)`
			`require.Contains(t, err.Error(), tt.errMsg)`
			`})`
			`}`
			`}`
feat(meta): secretbox encryption in place of aes-gcm 2024-11-28 16:16:04 +01:00
			`// tamperWithBytes modifies a byte in the encrypted data to simulate tampering`
			`func tamperWithBytes(data []byte) []byte {`
			`if len(data) < 25 { // Need at least nonce + 1 byte`
			`return data`
			`}`
			`tampered := make([]byte, len(data))`
			`copy(tampered, data)`
			`tampered[24] ^= 0x01 // Modify first byte after nonce`
			`return tampered`
			`}`