forjar 1.6.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

//! Encryption-gated tests for `state_encryption.rs` (feature = "encryption").
//!
//! Extracted to a sibling file to keep `state_encryption.rs` under the 500-line
//! source-file limit.

use super::state_encryption::*;

#[test]
fn encrypt_decrypt_roundtrip() {
    let plaintext = b"hello world, this is state data!";
    let passphrase = "test-passphrase-42";
    let ciphertext = encrypt_data(plaintext, passphrase).unwrap();
    assert_ne!(&ciphertext, &plaintext[..]);
    assert!(ciphertext.len() > plaintext.len()); // age adds overhead
    let decrypted = decrypt_data(&ciphertext, passphrase).unwrap();
    assert_eq!(decrypted, plaintext);
}

#[test]
fn encrypt_decrypt_empty_data() {
    let plaintext = b"";
    let passphrase = "empty-test";
    let ciphertext = encrypt_data(plaintext, passphrase).unwrap();
    let decrypted = decrypt_data(&ciphertext, passphrase).unwrap();
    assert_eq!(decrypted, plaintext);
}

#[test]
fn decrypt_wrong_passphrase() {
    let plaintext = b"secret state data";
    let ciphertext = encrypt_data(plaintext, "correct-pass").unwrap();
    let result = decrypt_data(&ciphertext, "wrong-pass");
    assert!(result.is_err());
}

#[test]
fn decrypt_corrupted_data() {
    let result = decrypt_data(b"not valid age data", "pass");
    assert!(result.is_err());
}

#[test]
fn encrypt_state_file_roundtrip() {
    let dir = tempfile::tempdir().unwrap();
    let file = dir.path().join("state.lock.yaml");
    let original = "resources:\n  pkg:\n    state: converged\n";
    std::fs::write(&file, original).unwrap();

    let passphrase = "file-test-pass";

    // Encrypt
    let meta = encrypt_state_file(&file, passphrase).unwrap();
    assert!(is_encrypted(&file));
    assert_eq!(meta.version, 1);
    assert_eq!(meta.plaintext_hash, hash_data(original.as_bytes()));

    let encrypted_content = std::fs::read(&file).unwrap();
    assert_ne!(encrypted_content, original.as_bytes());

    // Decrypt
    let plaintext = decrypt_state_file(&file, passphrase).unwrap();
    assert_eq!(plaintext, original.as_bytes());
    assert!(!is_encrypted(&file)); // sidecar removed
}

#[test]
fn encrypt_state_file_metadata_written() {
    let dir = tempfile::tempdir().unwrap();
    let file = dir.path().join("test.lock.yaml");
    std::fs::write(&file, "data").unwrap();

    let meta = encrypt_state_file(&file, "pass").unwrap();
    let loaded = read_metadata(&file).unwrap();
    assert_eq!(loaded.plaintext_hash, meta.plaintext_hash);
    assert_eq!(loaded.ciphertext_hmac, meta.ciphertext_hmac);
}

#[test]
fn decrypt_state_file_wrong_passphrase() {
    let dir = tempfile::tempdir().unwrap();
    let file = dir.path().join("state.lock.yaml");
    std::fs::write(&file, "secret").unwrap();

    encrypt_state_file(&file, "right-pass").unwrap();
    let result = decrypt_state_file(&file, "wrong-pass");
    assert!(result.is_err());
}

/// FJ-154 (#10): encryption must write atomically (temp + rename), leaving no
/// in-place truncate window and no orphaned temp files.
#[test]
fn encrypt_state_file_uses_atomic_write_no_temp_left() {
    let dir = tempfile::tempdir().unwrap();
    let file = dir.path().join("state.lock.yaml");
    std::fs::write(&file, "resources: {}\n").unwrap();

    encrypt_state_file(&file, "atomic-test").unwrap();

    // The atomic write must clean up its temp file: no `.tmp` sibling and no
    // `.enc.meta.json.tmp` sidecar temp should remain after a successful run.
    let data_tmp = {
        let mut p = file.as_os_str().to_owned();
        p.push(".tmp");
        std::path::PathBuf::from(p)
    };
    assert!(!data_tmp.exists(), "data temp file leaked: {data_tmp:?}");
    let meta_tmp = {
        let mut p = meta_path_for(&file).as_os_str().to_owned();
        p.push(".tmp");
        std::path::PathBuf::from(p)
    };
    assert!(!meta_tmp.exists(), "meta temp file leaked: {meta_tmp:?}");

    // Metadata sidecar exists (written before the data swap).
    assert!(is_encrypted(&file));
    // And the on-disk file is real ciphertext (single atomic rename, not a
    // truncated in-place write).
    let on_disk = std::fs::read(&file).unwrap();
    assert_ne!(on_disk, b"resources: {}\n");
}

/// FJ-154 (#10): round-trip preserves content and metadata across the atomic
/// encrypt → decrypt path.
#[test]
fn encrypt_decrypt_roundtrip_preserves_content_and_metadata() {
    let dir = tempfile::tempdir().unwrap();
    let file = dir.path().join("state.lock.yaml");
    let original = "resources:\n  pkg:\n    state: converged\n";
    std::fs::write(&file, original).unwrap();

    let meta = encrypt_state_file(&file, "round-trip").unwrap();
    // Metadata persisted and matches the freshly computed plaintext hash.
    let loaded = read_metadata(&file).unwrap();
    assert_eq!(loaded.plaintext_hash, meta.plaintext_hash);
    assert_eq!(loaded.plaintext_hash, hash_data(original.as_bytes()));
    assert_eq!(loaded.ciphertext_hmac, meta.ciphertext_hmac);

    let plaintext = decrypt_state_file(&file, "round-trip").unwrap();
    assert_eq!(plaintext, original.as_bytes());
    assert!(!is_encrypted(&file)); // sidecar removed after decrypt
}

#[test]
fn decrypt_state_file_missing_metadata() {
    let dir = tempfile::tempdir().unwrap();
    let file = dir.path().join("state.lock.yaml");
    std::fs::write(&file, "data").unwrap();
    // No metadata sidecar
    let result = decrypt_state_file(&file, "pass");
    assert!(result.is_err());
}