envseal 0.3.2

//! Real-world edge case tests — simulating how developers actually use envseal day-to-day.
//!
//! These tests cover the messy, unglamorous scenarios that break tools in production:
//! weird characters in secrets, concurrent access, config edge cases, TOTP timing,
//! audit log parsing, .envseal file quirks, and more.

#[path = "common/mod.rs"]
mod common;

mod secret_content_edge_cases {
    //! Secrets with unusual content that developers actually paste in.
    use crate::common::temp_vault;

    /// API keys often contain + / = characters (base64).
    #[test]
    fn base64_secret_roundtrip() {
        let (_dir, vault) = temp_vault();
        let val = b"sk-proj-abc123+def456/ghi789==";
        vault.store("openai-key", val, false).unwrap();
        let dec = vault.decrypt("openai-key").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// AWS-style secrets have mixed case, numbers, and slashes.
    #[test]
    fn aws_secret_key_roundtrip() {
        let (_dir, vault) = temp_vault();
        let val = b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
        vault.store("aws-secret", val, false).unwrap();
        let dec = vault.decrypt("aws-secret").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// JWT tokens are long base64 strings with dots.
    #[test]
    fn jwt_token_roundtrip() {
        let (_dir, vault) = temp_vault();
        let val = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U";
        vault.store("jwt-token", val, false).unwrap();
        let dec = vault.decrypt("jwt-token").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// Connection strings often have special chars: @, :, /, ?, #
    #[test]
    fn connection_string_roundtrip() {
        let (_dir, vault) = temp_vault();
        let val = b"postgres://user:p@$$w0rd!@db.example.com:5432/mydb?sslmode=require&connect_timeout=10";
        vault.store("database-url", val, false).unwrap();
        let dec = vault.decrypt("database-url").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// Some passwords contain newlines (e.g., PEM private keys).
    #[test]
    fn multiline_pem_key_roundtrip() {
        let (_dir, vault) = temp_vault();
        let val = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA2mX3...\nvery-long-base64-data\n-----END RSA PRIVATE KEY-----\n";
        vault.store("ssh-key", val, false).unwrap();
        let dec = vault.decrypt("ssh-key").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// Secrets with unicode (e.g., passwords in non-Latin scripts).
    #[test]
    fn unicode_password_roundtrip() {
        let (_dir, vault) = temp_vault();
        let val = "密码Пароль🔑Contraseña".as_bytes();
        vault.store("unicode-pw", val, false).unwrap();
        let dec = vault.decrypt("unicode-pw").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// Empty secret value — some APIs use empty strings as "no auth".
    #[test]
    fn empty_secret_value() {
        let (_dir, vault) = temp_vault();
        vault.store("empty-val", b"", false).unwrap();
        let dec = vault.decrypt("empty-val").unwrap();
        assert!(dec.is_empty());
    }

    /// Very long secrets (e.g., Google service account JSON, 4KB+).
    #[test]
    fn large_json_service_account() {
        let (_dir, vault) = temp_vault();
        let mut val = String::from(
            "{\"type\":\"service_account\",\"project_id\":\"test\",\"private_key\":\"",
        );
        val.push_str(&"x".repeat(4096)); // simulate 4KB private key
        val.push_str("\"}");
        vault.store("gcp-sa", val.as_bytes(), false).unwrap();
        let dec = vault.decrypt("gcp-sa").unwrap();
        assert_eq!(&dec[..], val.as_bytes());
    }

    /// Secrets containing null bytes (binary tokens).
    #[test]
    fn null_byte_in_value() {
        let (_dir, vault) = temp_vault();
        let val = b"before\x00after\x00end";
        vault.store("binary-token", val, false).unwrap();
        let dec = vault.decrypt("binary-token").unwrap();
        assert_eq!(&dec[..], val);
    }

    /// Secrets that are just whitespace (user error, but shouldn't crash).
    #[test]
    fn whitespace_only_secret() {
        let (_dir, vault) = temp_vault();
        vault.store("whitespace", b"   \t\n  ", false).unwrap();
        let dec = vault.decrypt("whitespace").unwrap();
        assert_eq!(&dec[..], b"   \t\n  ");
    }
}

mod secret_naming_edge_cases {
    //! Secret names that developers actually use.
    use crate::common::temp_vault;

    /// Hyphenated names (most common pattern).
    #[test]
    fn hyphenated_name() {
        let (_dir, vault) = temp_vault();
        vault.store("openai-api-key", b"sk", false).unwrap();
        assert!(vault
            .list()
            .unwrap()
            .contains(&"openai-api-key".to_string()));
    }

    /// Underscore names (common in Python ecosystem).
    #[test]
    fn underscore_name() {
        let (_dir, vault) = temp_vault();
        vault.store("openai_api_key", b"sk", false).unwrap();
        assert!(vault
            .list()
            .unwrap()
            .contains(&"openai_api_key".to_string()));
    }

    /// Single character name — minimal but valid.
    #[test]
    fn single_char_name() {
        let (_dir, vault) = temp_vault();
        vault.store("k", b"val", false).unwrap();
        let dec = vault.decrypt("k").unwrap();
        assert_eq!(&dec[..], b"val");
    }

    /// Very long name (128 chars).
    #[test]
    fn very_long_name() {
        let (_dir, vault) = temp_vault();
        let name: String = (0..128).map(|_| 'a').collect();
        vault.store(&name, b"val", false).unwrap();
        assert!(vault.list().unwrap().contains(&name));
    }

    /// Name with dots (common for nested configs: redis.prod.password).
    #[test]
    fn dotted_name() {
        let (_dir, vault) = temp_vault();
        vault.store("redis.prod.password", b"val", false).unwrap();
        let dec = vault.decrypt("redis.prod.password").unwrap();
        assert_eq!(&dec[..], b"val");
    }

    /// Name with numbers-only prefix.
    #[test]
    fn numeric_prefix_name() {
        let (_dir, vault) = temp_vault();
        vault.store("3rd-party-key", b"val", false).unwrap();
        let dec = vault.decrypt("3rd-party-key").unwrap();
        assert_eq!(&dec[..], b"val");
    }
}

mod vault_lifecycle {
    //! Test the full lifecycle a developer follows day-to-day.
    use crate::common::temp_vault;

    /// Store → list → decrypt → revoke → verify gone.
    #[test]
    fn full_crud_lifecycle() {
        let (_dir, vault) = temp_vault();

        // Store
        vault.store("api-key", b"sk-abc123", false).unwrap();

        // List
        let names = vault.list().unwrap();
        assert!(names.contains(&"api-key".to_string()));

        // Decrypt
        let val = vault.decrypt("api-key").unwrap();
        assert_eq!(&val[..], b"sk-abc123");

        // Revoke
        vault.revoke("api-key").unwrap();

        // Verify gone
        assert!(!vault.list().unwrap().contains(&"api-key".to_string()));
        assert!(vault.decrypt("api-key").is_err());
    }

    /// Store many secrets then revoke one — others unaffected.
    #[test]
    fn revoke_one_of_many() {
        let (_dir, vault) = temp_vault();
        vault.store("a", b"1", false).unwrap();
        vault.store("b", b"2", false).unwrap();
        vault.store("c", b"3", false).unwrap();

        vault.revoke("b").unwrap();

        assert_eq!(&vault.decrypt("a").unwrap()[..], b"1");
        assert!(vault.decrypt("b").is_err());
        assert_eq!(&vault.decrypt("c").unwrap()[..], b"3");

        let names = vault.list().unwrap();
        assert!(names.contains(&"a".to_string()));
        assert!(!names.contains(&"b".to_string()));
        assert!(names.contains(&"c".to_string()));
    }

    /// Force overwrite preserves the latest value.
    #[test]
    fn force_overwrite_updates_value() {
        let (_dir, vault) = temp_vault();
        vault.store("rotating", b"v1", false).unwrap();
        vault.store("rotating", b"v2", true).unwrap();
        assert_eq!(&vault.decrypt("rotating").unwrap()[..], b"v2");
    }

    /// Revoke then re-store should work (key rotation pattern).
    #[test]
    fn revoke_and_restore_rotation() {
        let (_dir, vault) = temp_vault();
        vault.store("rotated", b"old", false).unwrap();
        vault.revoke("rotated").unwrap();
        vault.store("rotated", b"new", false).unwrap();
        assert_eq!(&vault.decrypt("rotated").unwrap()[..], b"new");
    }
}

mod envseal_file_edge_cases {
    //! .envseal file edge cases from real projects.
    use envseal::envseal_file;

    /// Typical .envseal file a developer would write.
    #[test]
    fn typical_project_file() {
        let content = "\
# .envseal — safe to commit to git
# Format: ENV_VAR=secret-name

OPENAI_API_KEY=openai-key
DATABASE_URL=database-url
REDIS_URL=redis-url
STRIPE_SECRET_KEY=stripe-key
";
        let (file, path) = crate::common::temp_file(content);
        let mappings = envseal_file::parse_envseal_file(&path).unwrap();
        assert_eq!(mappings.len(), 4);
        assert_eq!(mappings[0].env_var, "OPENAI_API_KEY");
        assert_eq!(mappings[0].secret_name, "openai-key");
        drop(file);
    }

    /// File with copious comments (documentation-heavy teams).
    #[test]
    fn heavily_commented_file() {
        let content = "\
# ===========================================
# .envseal configuration for the API gateway
# ===========================================
#
# This file maps vault secret names to env vars.
# Format: ENV_VAR=secret-name
#
# To add a secret:
#   envseal store my-secret
#
# To inject all:
#   envseal inject-file .envseal -- npm start

# --- Database ---
DB_PASSWORD=db-password

# --- External APIs ---
# OPENAI_API_KEY=openai-key  # commented out for now
STRIPE_KEY=stripe-key
";
        let (file, path) = crate::common::temp_file(content);
        let mappings = envseal_file::parse_envseal_file(&path).unwrap();
        assert_eq!(mappings.len(), 2);
        assert_eq!(mappings[0].secret_name, "db-password");
        assert_eq!(mappings[1].secret_name, "stripe-key");
        drop(file);
    }

    /// Trailing whitespace should be trimmed.
    #[test]
    fn trailing_whitespace() {
        let content = "ENV_VAR=secret-name   \n";
        let (file, path) = crate::common::temp_file(content);
        let mappings = envseal_file::parse_envseal_file(&path).unwrap();
        assert_eq!(mappings[0].env_var, "ENV_VAR");
        assert_eq!(mappings[0].secret_name, "secret-name");
        drop(file);
    }
}

mod security_config_edge_cases {
    //! SecurityConfig edge cases.
    use envseal::security_config::{SecurityConfig, SecurityTier};

    /// Default config should be Standard with zero friction.
    #[test]
    fn default_is_standard_zero_friction() {
        let config = SecurityConfig::default();
        assert_eq!(config.tier, SecurityTier::Standard);
        assert!(!config.challenge_required);
        assert_eq!(config.approval_delay_secs, 0);
        assert!(config.audit_logging);
        assert!(!config.totp_required);
        assert!(!config.relay_required);
    }

    /// Hardened preset sets expected values.
    #[test]
    fn hardened_preset_values() {
        let config = SecurityConfig::preset_hardened();
        assert_eq!(config.tier, SecurityTier::Hardened);
        assert!(!config.challenge_required);
        assert_eq!(config.approval_delay_secs, 2);
    }

    /// Lockdown preset sets expected values.
    #[test]
    fn lockdown_preset_values() {
        let config = SecurityConfig::preset_lockdown();
        assert_eq!(config.tier, SecurityTier::Lockdown);
        assert!(config.challenge_required);
        assert_eq!(config.approval_delay_secs, 5);
    }

    /// Auto-lock defaults shrink as the tier hardens — tighter
    /// idle window narrows what an idle-window attacker can do.
    #[test]
    fn auto_lock_defaults_shrink_with_tier() {
        assert_eq!(SecurityConfig::preset_standard().auto_lock_secs, 60);
        assert_eq!(SecurityConfig::preset_hardened().auto_lock_secs, 30);
        assert_eq!(SecurityConfig::preset_lockdown().auto_lock_secs, 15);
    }

    /// Applying a preset preserves TOTP secret (pairing can't be lost).
    #[test]
    fn preset_preserves_totp_secret() {
        let mut config = SecurityConfig::preset_standard();
        config.totp_required = true;
        config.totp_secret_encrypted = Some("encrypted-secret".to_string());

        config.apply_preset(SecurityTier::Hardened);

        // The encrypted secret is preserved (pairing state)
        assert_eq!(
            config.totp_secret_encrypted,
            Some("encrypted-secret".to_string())
        );
        assert_eq!(config.tier, SecurityTier::Hardened);
    }

    /// Applying preset preserves relay endpoints (pairing state).
    #[test]
    fn preset_preserves_relay_endpoints() {
        let mut config = SecurityConfig::preset_standard();
        config.relay_required = true;
        config.relay_endpoint = Some("https://relay.example.com".to_string());
        config.relay_device_id = Some("device-123".to_string());

        config.apply_preset(SecurityTier::Lockdown);

        // Pairing state preserved
        assert_eq!(
            config.relay_endpoint,
            Some("https://relay.example.com".to_string())
        );
        assert_eq!(config.relay_device_id, Some("device-123".to_string()));
    }

    /// Config serialization roundtrip via TOML.
    #[test]
    fn config_toml_roundtrip() {
        let config = SecurityConfig::preset_lockdown();
        let toml_str = toml::to_string(&config).unwrap();
        let parsed: SecurityConfig = toml::from_str(&toml_str).unwrap();
        assert_eq!(parsed.tier, config.tier);
        assert_eq!(parsed.challenge_required, config.challenge_required);
        assert_eq!(parsed.approval_delay_secs, config.approval_delay_secs);
    }
}

mod totp_edge_cases {
    //! TOTP edge cases.
    use envseal::totp;

    /// Generate many codes — all should be 6 digits.
    #[test]
    fn codes_always_6_digits() {
        let secret = totp::generate_secret();
        for _ in 0..100 {
            let code = totp::generate_code(&secret).unwrap();
            assert_eq!(code.len(), 6, "code was: {code}");
            assert!(code.chars().all(|c| c.is_ascii_digit()), "code was: {code}");
        }
    }

    /// Verify rejects empty code.
    #[test]
    fn reject_empty_code() {
        let secret = totp::generate_secret();
        assert!(!totp::verify_code(&secret, "").unwrap());
    }

    /// Verify rejects wrong-length code.
    #[test]
    fn reject_short_code() {
        let secret = totp::generate_secret();
        assert!(!totp::verify_code(&secret, "123").unwrap());
    }

    /// Verify rejects alphabetic code.
    #[test]
    fn reject_alpha_code() {
        let secret = totp::generate_secret();
        assert!(!totp::verify_code(&secret, "abcdef").unwrap());
    }

    /// Verify accepts code with whitespace padding (user might paste with spaces).
    #[test]
    fn accepts_whitespace_padded_code() {
        let secret = totp::generate_secret();
        let code = totp::generate_code(&secret).unwrap();
        let padded = format!("  {code}  ");
        assert!(totp::verify_code(&secret, &padded).unwrap());
    }

    /// Invalid base32 secret should return an error.
    #[test]
    fn invalid_base32_secret() {
        assert!(totp::generate_code("!!!not-base32!!!").is_err());
    }

    /// Encrypt with one key, decrypt with another should fail.
    #[test]
    fn decrypt_with_wrong_key_fails() {
        let secret = totp::generate_secret();
        let key1 = [1u8; 32];
        let key2 = [2u8; 32];
        let encrypted = totp::encrypt_secret(&secret, &key1).unwrap();
        assert!(totp::decrypt_secret(&encrypted, &key2).is_err());
    }

    /// Decrypt corrupted ciphertext should fail gracefully.
    #[test]
    fn decrypt_corrupted_ciphertext() {
        assert!(totp::decrypt_secret("deadbeef", &[1u8; 32]).is_err());
    }

    /// Generate secret always produces valid base32.
    #[test]
    fn secret_is_valid_base32() {
        for _ in 0..20 {
            let secret = totp::generate_secret();
            assert!(
                base32::decode(base32::Alphabet::Rfc4648 { padding: false }, &secret).is_some(),
                "invalid base32: {secret}"
            );
        }
    }

    /// URI format is compatible with Google Authenticator.
    #[test]
    fn otpauth_uri_compatible() {
        let secret = totp::generate_secret();
        let uri = totp::otpauth_uri(&secret, "dev@company.com");
        assert!(uri.starts_with("otpauth://totp/envseal:"));
        assert!(uri.contains(&secret));
        assert!(uri.contains("issuer=envseal"));
        assert!(uri.contains("digits=6"));
        assert!(uri.contains("period=30"));
        assert!(uri.contains("dev@company.com"));
    }
}

mod audit_edge_cases {
    //! Audit log edge cases.
    use envseal::audit;

    /// Log and read back events.
    #[test]
    fn log_and_read_events() {
        let event = audit::AuditEvent::ApprovalRequested {
            binary: "/usr/bin/python3".to_string(),
            secret: "openai-key".to_string(),
        };
        // Should not panic (may fail if ~/.envseal not writable in CI)
        let _ = audit::log(&event);
    }

    /// `read_last` with 0 should return empty.
    #[test]
    fn read_last_zero() {
        let entries = audit::read_last(0);
        assert!(entries.is_empty());
    }

    /// `read_last` with very large N should not panic.
    #[test]
    fn read_last_very_large() {
        let entries = audit::read_last(1_000_000);
        // Should return whatever exists (possibly empty), not panic
        assert!(entries.len() <= 1_000_000);
    }
}

mod relay_edge_cases {
    //! Relay auth edge cases.
    use envseal::relay;
    use envseal::security_config::SecurityConfig;

    /// Relay not required when all fields are default.
    #[test]
    fn relay_not_required_by_default() {
        let config = SecurityConfig::default();
        assert!(!relay::is_required(&config));
    }

    /// Relay required only when the flag and all pairing fields (endpoint, device, key) are set.
    #[test]
    #[allow(clippy::field_reassign_with_default)]
    fn relay_requires_pairing_fields() {
        let mut config = SecurityConfig::default();

        config.relay_required = true;
        assert!(!relay::is_required(&config)); // missing endpoint, device, key

        config.relay_endpoint = Some("https://relay.example.com".to_string());
        assert!(!relay::is_required(&config));

        config.relay_device_id = Some("device-123".to_string());
        assert!(!relay::is_required(&config)); // missing pairing key

        config.relay_pairing_key = Some("0123456789abcdef".to_string());
        assert!(relay::is_required(&config));
    }

    /// Relay request fails gracefully with no endpoint.
    #[test]
    fn relay_request_fails_without_endpoint() {
        let config = SecurityConfig::default();
        let result = relay::request_relay_approval(&config, "python", "key", "KEY");
        assert!(result.is_err());
    }
}

mod policy_edge_cases {
    //! Policy edge cases from real CI/CD workflows.
    use envseal::policy::Policy;

    /// Policy with many rules doesn't break serialization.
    #[test]
    fn many_rules_roundtrip() {
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("policy.toml");
        let mut policy = Policy::default();

        for i in 0..50 {
            policy.allow_key(&format!("/usr/bin/app-{i}"), &format!("secret-{i}"));
        }

        policy
            .save_signed(&path, &crate::common::TEST_KEY_BYTES)
            .unwrap();
        let loaded = Policy::load_verified(&path, &crate::common::TEST_KEY_BYTES).unwrap();

        // Verify all 50 rules are present
        for i in 0..50 {
            assert!(loaded.is_authorized(&format!("/usr/bin/app-{i}"), &format!("secret-{i}")));
        }
    }

    /// The same binary can access multiple secrets.
    #[test]
    fn binary_multiple_secrets() {
        let mut policy = Policy::default();
        policy.allow_key("/usr/bin/api", "db-url");
        policy.allow_key("/usr/bin/api", "redis-url");
        policy.allow_key("/usr/bin/api", "stripe-key");

        assert!(policy.is_authorized("/usr/bin/api", "db-url"));
        assert!(policy.is_authorized("/usr/bin/api", "redis-url"));
        assert!(policy.is_authorized("/usr/bin/api", "stripe-key"));
        assert!(!policy.is_authorized("/usr/bin/api", "unknown"));
    }
}

mod convenience_patterns {
    //! Tests for common convenience patterns developers use.
    use crate::common::temp_vault;

    /// Store multiple secrets and verify list is sorted.
    #[test]
    fn list_sorted_after_bulk_store() {
        let (_dir, vault) = temp_vault();
        vault.store("z-last", b"v", false).unwrap();
        vault.store("a-first", b"v", false).unwrap();
        vault.store("m-middle", b"v", false).unwrap();

        let names = vault.list().unwrap();
        assert_eq!(names, vec!["a-first", "m-middle", "z-last"]);
    }

    /// Store then immediately decrypt (the most common flow).
    #[test]
    fn store_then_decrypt_immediate() {
        let (_dir, vault) = temp_vault();
        let secret = b"sk-proj-1234567890abcdef";
        vault.store("quick-key", secret, false).unwrap();
        assert_eq!(&vault.decrypt("quick-key").unwrap()[..], secret);
    }

    /// Multiple vaults with different keys are completely isolated.
    #[test]
    fn vaults_are_isolated() {
        let (_dir1, vault1) = temp_vault();
        let dir2 = crate::common::vault_tempdir();
        let pass2 = crate::common::test_passphrase_alt();
        let vault2 = envseal::vault::Vault::open_with_passphrase(dir2.path(), &pass2).unwrap();

        vault1.store("shared-name", b"value-1", false).unwrap();
        vault2.store("shared-name", b"value-2", false).unwrap();

        assert_eq!(&vault1.decrypt("shared-name").unwrap()[..], b"value-1");
        assert_eq!(&vault2.decrypt("shared-name").unwrap()[..], b"value-2");
    }
}