envseal 0.3.13

Write-only secret vault with process-level access control — post-agent secret management
//! Regression: inject path must reject a policy binary hash that does not match
//! the opened executable (replaces legacy `execute_pipe` coverage).
#![cfg(unix)]
use envseal::error::Error;
use envseal::inject;
use envseal::policy;
use envseal::policy::Policy;

use crate::common;

/// Regression guard for hash pinning on the inject path.
///
/// A signed policy grants `/bin/cat` access to `api-token`, but records a
/// hash that cannot match the binary on disk. `inject::execute` must then
/// return `Error::BinaryTampered` instead of succeeding.
///
/// NOTE(review): only the error variant is asserted here. The test does not
/// independently check that no child process was spawned, or that the
/// secret never reached an environment. Confirm that is covered elsewhere.
#[test]
fn inject_rejects_mismatched_policy_binary_hash() {
    const SECRET_NAME: &str = "api-token";
    const TARGET_BINARY: &str = "/bin/cat";

    // The first tuple element is bound (not `_`) so it lives until the end
    // of the test — presumably the temp directory backing the vault.
    let (_vault_dir, vault) = common::temp_vault();
    vault.store(SECRET_NAME, b"super-secret", false).unwrap();

    let command = vec![String::from(TARGET_BINARY)];
    let binary_path =
        policy::resolve_binary(TARGET_BINARY).expect("need /bin/cat for this test");

    // 64 zero characters: a well-formed-looking but deliberately wrong pin
    // (presumably the width of the hex digest the policy stores — confirm).
    let bogus_hash = "0".repeat(64);

    // The policy is saved signed with the vault's master key bytes, so the
    // rejection below is about the hash mismatch, not an unsigned policy.
    let mut pinned_policy = Policy::default();
    pinned_policy.allow_key_with_hash(&binary_path, SECRET_NAME, &bogus_hash);
    pinned_policy
        .save_signed(&vault.policy_path(), vault.master_key_bytes())
        .unwrap();

    let request = inject::InjectRequest {
        secret_name: SECRET_NAME,
        env_var: "API_TOKEN",
        command: &command,
    };

    let outcome = inject::execute(&vault, &request);
    let failure = outcome.expect_err("hash verification must fail");

    // Any other error variant would mean the request failed for a reason
    // other than the integrity check this test is pinning down.
    match &failure {
        Error::BinaryTampered { .. } => {}
        other => panic!("expected BinaryTampered, got {other:?}"),
    }
}