use assert_cmd::Command;
use predicates::str::contains;
use tempfile::tempdir;
fn tsafe() -> Command {
Command::cargo_bin("tsafe").unwrap()
}
#[test]
fn rotate_reencrypts_vault_new_password_unlocks() {
let dir = tempdir().unwrap();
let vault_dir = dir.path();
tsafe()
.args(["init"])
.env("TSAFE_VAULT_DIR", vault_dir)
.env("TSAFE_PASSWORD", "old-master-pw")
.assert()
.success();
tsafe()
.args(["set", "ROTATE_KEY", "secret-value"])
.env("TSAFE_VAULT_DIR", vault_dir)
.env("TSAFE_PASSWORD", "old-master-pw")
.assert()
.success();
tsafe()
.args(["rotate"])
.env("TSAFE_VAULT_DIR", vault_dir)
.env("TSAFE_PASSWORD", "old-master-pw")
.env("TSAFE_NEW_MASTER_PASSWORD", "new-master-pw")
.assert()
.success();
tsafe()
.args(["get", "ROTATE_KEY"])
.env("TSAFE_VAULT_DIR", vault_dir)
.env("TSAFE_PASSWORD", "old-master-pw")
.assert()
.failure()
.stderr(contains("wrong password"));
tsafe()
.args(["get", "ROTATE_KEY"])
.env("TSAFE_VAULT_DIR", vault_dir)
.env("TSAFE_PASSWORD", "new-master-pw")
.assert()
.success()
.stdout("secret-value");
}
#[test]
fn rotate_rejects_empty_tsafe_new_master_password() {
let dir = tempdir().unwrap();
tsafe()
.args(["init"])
.env("TSAFE_VAULT_DIR", dir.path())
.env("TSAFE_PASSWORD", "pw")
.assert()
.success();
tsafe()
.args(["rotate"])
.env("TSAFE_VAULT_DIR", dir.path())
.env("TSAFE_PASSWORD", "pw")
.env("TSAFE_NEW_MASTER_PASSWORD", "")
.assert()
.failure()
.stderr(contains("empty"));
}