sops-decoder-node icon indicating copy to clipboard operation
sops-decoder-node copied to clipboard
verified publisher icon koblas

Fix mac creation, enhance error handling, add tests/coverage

Open tbrockmeyer-a opened this issue 1 year ago • 1 comments

  • change Buffer to UInt8Array when using instanceof
  • fix mac creation
  • encryption modifiers
  • simplify walkAndDecrypt and decryptScalar
  • improve error output
  • Add integration tests and coverage library

Work to enable #14 for all use cases

Mac hash creation for some of the key encryption types was broken in the last update (10.2). The change from Buffer to UInt8Array in getKey prevents some false-positive errors that I was seeing. UInt8Array is a superclass of Buffer, and the Plaintext field of the KMS output was a UInt8Array for me, so the instanceof check was failing despite the duck typing being valid still. These changes should also bring the encryptionModifier implementation in line with the get-sops/sops implementation of the shouldBeEncrypted function.

In order to provide this improvement, I've also improved some of the error output for easier debugging, which also aligns the errors a bit more with the cli sops tool. I also simplified the walkAndDecrypt function, and factored out some logic from decryptScalar to make it simpler to reason about.

To assure correctness, I added some integration tests which encrypt various files using the sops cli client before trying to decrypt them using decodeFile. The tests use a variety of key encryption modes (unencrypted_suffix, encrypted_regex, etc), data structures (various data types and nesting levels), and it has support for multiple decryption methods (kms, gcp, pgp, etc) for the future if needed. I also added a coverage library but did not mark any amount of coverage as mandatory (I recommend 100% function coverage for integration tests).

With these changes, I was able to get the update_aws branch to run correctly with all tests passing.

tbrockmeyer-a avatar Aug 07 '24 15:08 tbrockmeyer-a

I realize now that the workflow runs npm test, but the tests I added require using an environment variable to specify a KMS key to use for the tests. I'm not sure how you want to handle that (either disable the tests in CI, or add your own KMS key to the workflow steps).

tbrockmeyer-a avatar Aug 07 '24 15:08 tbrockmeyer-a