xref: /aosp_15_r20/external/tink/go/integration/hcvault/hcvault_aead_internal_test.go (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17package hcvault
18
19import (
20	"testing"
21)
22
// TestGetEndpointPaths checks how getEndpointPaths turns a key URI into the
// encrypt and decrypt endpoint paths, and which URIs it refuses.
//
// Cases that expect an error leave enc and dec empty, so the path comparisons
// at the end of each subtest also assert that a rejected URI yields no usable
// endpoint path alongside the error.
func TestGetEndpointPaths(t *testing.T) {
	type testCase struct {
		desc string // subtest name
		uri  string // key URI handed to getEndpointPaths
		enc  string // expected encrypt path ("" when an error is expected)
		dec  string // expected decrypt path ("" when an error is expected)
		err  string // expected error text ("" when the URI must be accepted)
	}

	cases := []testCase{
		// Accepted URIs: the "keys" segment before the key name is swapped
		// for "encrypt" / "decrypt" and the host is dropped.
		{
			desc: "simple",
			uri:  "hcvault://vault.example.com/transit/keys/foo",
			enc:  "transit/encrypt/foo",
			dec:  "transit/decrypt/foo",
		},
		// Percent-encoding and '+' in the key name must come back unchanged;
		// decoding here would make the request address a different key name.
		{
			desc: "escaped",
			uri:  "hcvault://vault.example.com/transit/keys/this%2Band+that",
			enc:  "transit/encrypt/this%2Band+that",
			dec:  "transit/decrypt/this%2Band+that",
		},
		{
			desc: "sub-path",
			uri:  "hcvault://vault.example.com/teams/billing/something/transit/keys/pci-key",
			enc:  "teams/billing/something/transit/encrypt/pci-key",
			dec:  "teams/billing/something/transit/decrypt/pci-key",
		},
		// Only the last "keys" segment is rewritten; an earlier
		// "transit/keys" in the mount path is left alone.
		{
			desc: "transit-twice",
			uri:  "hcvault://vault.example.com/transit/keys/something/transit/keys/my-key",
			enc:  "transit/keys/something/transit/encrypt/my-key",
			dec:  "transit/keys/something/transit/decrypt/my-key",
		},
		{
			desc: "hyphen-host",
			uri:  "hcvault://vault-prd.example.com/transit/keys/hi",
			enc:  "transit/encrypt/hi",
			dec:  "transit/decrypt/hi",
		},
		{
			desc: "no-host",
			uri:  "hcvault:///transit/keys/hi",
			enc:  "transit/encrypt/hi",
			dec:  "transit/decrypt/hi",
		},
		{
			desc: "mount-not-named-transit",
			uri:  "hcvault:///cipher/keys/hi",
			enc:  "cipher/encrypt/hi",
			dec:  "cipher/decrypt/hi",
		},

		// Rejected URIs: wrong scheme, missing path, or a path that does not
		// end in ".../keys/<name>".
		{
			desc: "http",
			uri:  "http://vault.com/hi",
			err:  "malformed keyURL",
		},
		{
			desc: "no-path",
			uri:  "hcvault://vault.com",
			err:  "malformed keyURL",
		},
		{
			desc: "slash-only",
			uri:  "hcvault://vault.com/",
			err:  "malformed keyURL",
		},
		{
			desc: "not-transit",
			uri:  "hcvault://vault.example.com/foo/bar/baz",
			err:  "malformed keyURL",
		},
		{
			desc: "not-end-of-path",
			uri:  "hcvault://vault.example.com/transit/keys/bar/baz",
			err:  "malformed keyURL",
		},
	}

	for _, tc := range cases {
		t.Run(tc.desc, func(t *testing.T) {
			gotEnc, gotDec, gotErr := getEndpointPaths(tc.uri)

			// The error text is matched exactly, not just checked for presence.
			switch {
			case gotErr == nil && tc.err != "":
				t.Errorf("getEndpointPaths(%q) err is nil, want %q", tc.uri, tc.err)
			case gotErr != nil && tc.err != gotErr.Error():
				t.Errorf("getEndpointPaths(%q) err = %v; want %q", tc.uri, gotErr, tc.err)
			}

			// Paths are compared in every case, including the error cases,
			// where the expected value is the empty string.
			if gotEnc != tc.enc {
				t.Errorf("getEndpointPaths(%q) encryptPath = %q, want %q", tc.uri, gotEnc, tc.enc)
			}
			if gotDec != tc.dec {
				t.Errorf("getEndpointPaths(%q) decryptPath = %q, want %q", tc.uri, gotDec, tc.dec)
			}
		})
	}
}
120