fnox 1.25.1

A flexible secret management tool supporting multiple providers and encryption methods
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

#!/usr/bin/env bats

load 'test_helper/common_setup'

# Test that fnox import and fnox remove preserve TOML comments

setup() {
	_common_setup
}

teardown() {
	_common_teardown
}

# Helper function to setup age provider with comments in config
setup_age_with_comments() {
	if ! command -v age-keygen >/dev/null 2>&1; then
		skip "age-keygen not installed"
	fi

	# Generate age key
	local keygen_output
	keygen_output=$(age-keygen -o key.txt 2>&1)
	local public_key
	public_key=$(echo "$keygen_output" | grep "^Public key:" | cut -d' ' -f3)

	# Create config with comments throughout
	cat >fnox.toml <<EOF
# Main configuration file for the project
root = true

# Age encryption provider
[providers.age]
type = "age"
recipients = ["$public_key"]

# Application secrets
[secrets]
# Database connection string
DB_URL= { provider = "age", value = "plaintext-db-url" }
# API key for external service
API_KEY= { provider = "age", value = "plaintext-api-key" }
# End of secrets section
EOF
}

@test "fnox remove preserves comments in fnox.toml" {
	setup_age_with_comments

	# Remove one secret
	assert_fnox_success remove API_KEY

	# Verify all comments are preserved
	run cat fnox.toml
	assert_output --partial "# Main configuration file for the project"
	assert_output --partial "# Age encryption provider"
	assert_output --partial "# Application secrets"
	assert_output --partial "# Database connection string"
	assert_output --partial "# End of secrets section"

	# Verify the removed secret is gone
	refute_output --partial "API_KEY"

	# Verify the remaining secret is still there
	assert_output --partial "DB_URL"
}

@test "fnox remove preserves comments when removing last secret" {
	setup_age_with_comments

	# Remove both secrets
	assert_fnox_success remove DB_URL
	assert_fnox_success remove API_KEY

	# Verify comments are still preserved
	run cat fnox.toml
	assert_output --partial "# Main configuration file for the project"
	assert_output --partial "# Age encryption provider"
	assert_output --partial "# Application secrets"
}

@test "fnox import preserves existing comments in fnox.toml" {
	setup_age_with_comments

	# Create a .env file with new secrets to import
	cat >.env <<EOF
NEW_SECRET=new-secret-value
ANOTHER_SECRET=another-value
EOF

	# Import new secrets
	assert_fnox_success import -i .env --provider age --force

	# Verify all original comments are preserved
	run cat fnox.toml
	assert_output --partial "# Main configuration file for the project"
	assert_output --partial "# Age encryption provider"
	assert_output --partial "# Application secrets"
	assert_output --partial "# Database connection string"
	assert_output --partial "# API key for external service"
	assert_output --partial "# End of secrets section"

	# Verify new secrets were added
	assert_output --partial "NEW_SECRET"
	assert_output --partial "ANOTHER_SECRET"

	# Verify existing secrets are still there
	assert_output --partial "DB_URL"
	assert_output --partial "API_KEY"
}

@test "fnox import preserves comments when config file has no existing secrets" {
	if ! command -v age-keygen >/dev/null 2>&1; then
		skip "age-keygen not installed"
	fi

	local keygen_output
	keygen_output=$(age-keygen -o key.txt 2>&1)
	local public_key
	public_key=$(echo "$keygen_output" | grep "^Public key:" | cut -d' ' -f3)

	# Create config with comments but no secrets section
	cat >fnox.toml <<EOF
# Project config
root = true

# Encryption provider
[providers.age]
type = "age"
recipients = ["$public_key"]
EOF

	cat >.env <<EOF
MY_SECRET=my-value
EOF

	assert_fnox_success import -i .env --provider age --force

	# Verify comments preserved
	run cat fnox.toml
	assert_output --partial "# Project config"
	assert_output --partial "# Encryption provider"
	assert_output --partial "MY_SECRET"
}

@test "fnox import followed by remove preserves comments" {
	setup_age_with_comments

	# Import a new secret
	cat >.env <<EOF
TEMP_SECRET=temp-value
EOF
	assert_fnox_success import -i .env --provider age --force

	# Then remove it
	assert_fnox_success remove TEMP_SECRET

	# All original comments should still be there
	run cat fnox.toml
	assert_output --partial "# Main configuration file for the project"
	assert_output --partial "# Age encryption provider"
	assert_output --partial "# Application secrets"
	assert_output --partial "# Database connection string"
	assert_output --partial "# API key for external service"
	assert_output --partial "# End of secrets section"

	# Original secrets should still be there
	assert_output --partial "DB_URL"
	assert_output --partial "API_KEY"

	# Temp secret should be gone
	refute_output --partial "TEMP_SECRET"
}