#!/usr/bin/env bats

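# Per-test fixture: generates a fresh age key pair and writes a minimal
# test-config.toml whose only provider is "age" with that key as recipient.
# Files are created in the current working directory (presumably a per-test
# scratch directory prepared by _common_setup; confirm in test_helper).
# Returns non-zero when key generation fails or no public key can be parsed.
setup() {
	load 'test_helper/common_setup'
	_common_setup

	# Skip rather than fail on machines without the age tooling.
	if ! command -v age-keygen >/dev/null 2>&1; then
		skip "age-keygen not installed"
	fi

	# -o sends the private identity to key.txt, so the captured output
	# (stderr merged into stdout) is expected to hold only diagnostics and
	# the "Public key: ..." line; it is safe to echo in a failure message.
	local keygen_output
	if ! keygen_output=$(age-keygen -o key.txt 2>&1); then
		printf 'setup: age-keygen failed: %s\n' "$keygen_output" >&2
		return 1
	fi

	local public_key
	public_key=$(printf '%s\n' "$keygen_output" | grep "^Public key:" | cut -d' ' -f3)

	# Without this guard an unparsable keygen output would silently produce
	# recipients = [""] and every test would fail later with a misleading
	# encryption error instead of pointing at the fixture.
	if [[ -z "$public_key" ]]; then
		printf 'setup: no public key found in age-keygen output: %s\n' "$keygen_output" >&2
		return 1
	fi

	cat >test-config.toml <<EOF
[providers.age]
type = "age"
recipients = ["$public_key"]

[secrets]
EOF
}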

# Per-test cleanup hook: delegates entirely to the shared helper loaded in
# setup(); nothing created by this file is removed here directly.
teardown() {
	_common_teardown
}

@test "fnox set -k prompts for secret value (reads from stdin)" {
	local config_file=test-config.toml

	# No value argument is given, so fnox has to take the secret from stdin.
	# The command string is single-quoted: $FNOX_BIN is expanded by the inner
	# bash, which means it must be exported (presumably by the common setup).
	run bash -c 'echo "my-secret-value" | "$FNOX_BIN" --config test-config.toml set -p age -k custom-key-name MY_SECRET'
	assert_success

	# The secret's name must have been recorded in the config.
	assert_file_contains "$config_file" "MY_SECRET"
	# The literal plaintext must be absent. This is a substring check only:
	# it shows the value was not stored verbatim, not that the stored value
	# decrypts correctly.
	assert_file_not_contains "$config_file" "my-secret-value"
	# Encryption providers drop key_name without warning, so the -k argument
	# must leave no trace in the config.
	assert_file_not_contains "$config_file" "custom-key-name"
}

@test "fnox set -k with explicit value stores the secret" {
	local config_file=test-config.toml

	# The value is passed as a positional argument here. That is fine for a
	# throwaway fixture value; outside tests, argv is visible to other local
	# processes and shell history, which is why the stdin form exists.
	run "$FNOX_BIN" --config test-config.toml set -p age -k custom-key-name MY_SECRET "my-secret-value"
	assert_success

	# The secret's name must have been recorded in the config.
	assert_file_contains "$config_file" "MY_SECRET"
	# The literal plaintext must be absent (substring check only; it does not
	# prove the stored value decrypts correctly).
	assert_file_not_contains "$config_file" "my-secret-value"
	# Encryption providers drop key_name without warning, so the -k argument
	# must leave no trace in the config.
	assert_file_not_contains "$config_file" "custom-key-name"
}

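@test "fnox set -k combined with -d still prompts for secret value" {
	# When -k is combined with metadata flags like -d, the secret value should
	# still be read from stdin (not skipped by the metadata-only path).
	# $FNOX_BIN is expanded by the inner bash, so it must be exported
	# (presumably by the common setup).
	run bash -c 'echo "my-secret-value" | "$FNOX_BIN" --config test-config.toml set -p age -k custom-key-name -d "my description" MY_SECRET'
	assert_success

	# The config should reference the secret together with its description.
	assert_file_contains test-config.toml "MY_SECRET"
	assert_file_contains test-config.toml "my description"
	# The literal plaintext must be absent (substring check only; it does not
	# prove the stored value decrypts correctly).
	assert_file_not_contains test-config.toml "my-secret-value"
	# Same expectation as the other -k tests in this file: key_name is
	# silently ignored for encryption providers, and adding -d should not
	# cause it to be written to the config.
	assert_file_not_contains test-config.toml "custom-key-name"
}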