Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix mac creation, enhance error handling, add tests/coverage #15

Open
wants to merge 1 commit into
base: update_aws
Choose a base branch
from
Open

Fix mac creation, enhance error handling, add tests/coverage #15

wants to merge 1 commit into from

Conversation

tbrockmeyer-a
Copy link

@tbrockmeyer-a tbrockmeyer-a commented Aug 7, 2024
edited
Loading

  • change Buffer to UInt8Array when using instanceof
  • fix mac creation
  • encryption modifiers
  • simplify walkAndDecrypt and decryptScalar
  • improve error output
  • Add integration tests and coverage library

Work to enable #14 for all use cases

Mac hash creation for some of the key encryption types was broken in the last update (10.2). The change from Buffer to UInt8Array in getKey prevents some false-positive errors that I was seeing. UInt8Array is a superclass of Buffer, and the Plaintext field of the KMS output was a UInt8Array for me, so the instanceof check was failing despite the duck typing being valid still. These changes should also bring the encryptionModifier implementation in line with the get-sops/sops implementation of the shouldBeEncrypted function.

In order to provide this improvement, I've also improved some of the error output for easier debugging, which also aligns the errors a bit more with the cli sops tool. I also simplified the walkAndDecrypt function, and factored out some logic from decryptScalar to make it simpler to reason about.

To assure correctness, I added some integration tests which encrypt various files using the sops cli client before trying to decrypt them using decodeFile. The tests use a variety of key encryption modes (unencrypted_suffix, encrypted_regex, etc), data structures (various data types and nesting levels), and it has support for multiple decryption methods (kms, gcp, pgp, etc) for the future if needed. I also added a coverage library but did not mark any amount of coverage as mandatory (I recommend 100% function coverage for integration tests).

With these changes, I was able to get the update_aws branch to run correctly with all tests passing.

@tbrockmeyer-a tbrockmeyer-a mentioned this pull request Aug 7, 2024
Open
@tbrockmeyer-a
Copy link
Author

I realize now that the workflow runs npm test, but the tests I added require using an environment variable to specify a KMS key to use for the tests. I'm not sure how you want to handle that (either disable the tests in CI, or add your own KMS key to the workflow steps).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tbrockmeyer-a