test.shunit2

#!/usr/bin/env bash            # -*- mode: shell-script -*-
#
# Test ots.bash, using shUnit2, and provide lots of usage examples.
# shUnit2: https://github.com/kward/shunit2
##

oneTimeSetUp() {
  # source for use anonymously (secrets created anonymously)
  source ots.bash --anonymously

  # source with specific auth credentials
  APIUSER="USERNAME"
  APIKEY="APIKEY"
  test -e ".ots.creds" && source .ots.creds
  #source ots.bash -u $APIUSER -k $APIKEY

  # or specify / store them by function
  #ots_set_host "https://onetimesecret.com"
  #ots_set_user "USERNAME"
  #ots_set_key  "APIKEY"

  # turn on debugging, which makes most test fail, of course
  #ots_set_debug

  # Generate a random string to reuse for a secret
  SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
}

testJQ() {
  local JQIN='{
  "foo": "bar"
}'
  assertEquals "JQ parse 1"    "$JQIN" "$(jq '.' <<<"$JQIN")"
  assertEquals "JQ parse 2"    '"bar"' "$(jq '.foo' <<<"$JQIN")"
  assertEquals "JQ parse 3"    '"moo"' "$(jq '.xxx // "moo"' <<<"$JQIN")"
  assertEquals "JQ parse fail" 'null'  "$(jq '.xxx' <<<'{ "foo": "bar" }')"

  return 0
}

testJoin() {
  assertNull                        "$(_ots_join \& )"
  assertEquals 'foo' 	            "$(_ots_join \& foo )"
  assertEquals 'foo&bar&baz'        "$(_ots_join \& foo bar baz)"
  assertEquals 'foo -- bar -- baz'  "$(_ots_join ' -- ' foo bar baz)"

  return 0
}


testValidateArgs() {
  assertFalse "No args get()"  $(ots_get 2>/dev/null)
  assertFalse "No args burn()" $(ots_burn 2>/dev/null)

  return 0
}

testStatus() {
  assertEquals $(ots_status) "nominal"
  assertEquals $(./ots status) "nominal"

  return 0
}

testCommandLineSecrets() {
  local URL=$(./ots share \
                    -s "secret-s string" \
                    -s="secret -s=string" \
                    secret="secret=string" \
                    "no-arg string" \
                    -- \
                    Remaining args are part of the secret too)
  assertTrue "Command line secret created" $?

  assertEquals "Command line secret retrieved" \
               "$(_ots_join " " \
                          "secret-s string" \
                          "secret -s=string" \
                          "secret=string" \
                          "no-arg string" \
                          Remaining args are part of the secret too)" \
               "$(./ots get "$URL")"

  return 0
}

testSTDINSecrets() {
  local URL=$(echo "$SECRET" \
                | ./ots share)
  assertTrue "SDTIN secret created" $?
  assertEquals "STDIN secret retrieved" \
               "$SECRET" \
               "$(ots_get "$URL")"

  # not really different, just for example
  local URL=$(ots_share <<-EOF
	$SECRET
	$SECRET
	EOF
        )
  assertTrue "HEREDOC SDTIN secret created" $?
  assertEquals "HEREDOC STDIN secret retrieved" \
               "$SECRET
$SECRET" \
               "$(ots_get "$URL")"

  return 0
}

testGetWithURLsOrKey() {
  local URL=$(ots_share <<< "$SECRET")
  assertEquals "Fetch Secret with URL" \
               "$SECRET" \
               "$(ots_retrieve "$URL")"

  local URL=$(ots_share <<< "$SECRET")
  local KEY="${URL##*/}"
  assertEquals "Fetch Secret with KEY" \
               "$SECRET" \
               "$(ots_retrieve "$KEY")"

  return 0
}

testShareAndBurn() {
  local KEY=$(./ots metashare <<< "$SECRET")

  assertTrue    "Secret created" $?
  assertNotNull "Secret created; non null" "$KEY"

  assertEquals "State Secret: 'new'" 'new' \
               "$(ots_state "$KEY")"

  assertEquals "State Secret: 'viewed'" 'viewed' \
               "$(ots_state "$KEY")"

  assertEquals "Burn a secret." 'burned' \
               "$(ots_burn "$KEY")"

  assertEquals "State Secret: 'burned'" 'burned' \
               "$(ots_state "$KEY")"

  assertEquals "Try to burn again." 'Unknown secret' \
               "$(ots_burn "$KEY")"

  assertEquals "Try get burned secret." 'Unknown secret' \
               "$(ots_get "$KEY")"

  return 0
}


testGenerate() {
  local KEY=$(ots_metagenerate <<< "$SECRET")

  assertTrue    "Secret generated" $?
  assertNotNull "Secret generated; non null" "$KEY"

  # For some reason, generated secrets are "immediately" viewed.
  # assertEquals "State Secret: 'new'" 'new' \
  #              "$(ots_state "$KEY")"

  assertEquals "State Secret: 'viewed'" 'viewed' \
               "$(ots_state "$KEY")"

  assertEquals "Burn a secret." 'burned' \
               "$(ots_burn "$KEY")"

  assertEquals "State Secret: 'burned'" 'burned' \
               "$(ots_state "$KEY")"

  return 0
}

testMetadata() {
  local METAKEY=$(ots_metashare <<< "$SECRET")

  assertTrue    "Secret generated" $?
  assertNotNull "Secret generated; non null" "$METAKEY"

  local DATA=$(ots_metadata "$METAKEY")
  assertNotNull "Empty Metadata?" "$DATA"

  assertEquals "Metadata key matches'" "\"$METAKEY\"" \
               "$(jq ".metadata_key" <<< "$DATA")"

  assertEquals "Metadata State: 'new'" '"new"' \
               "$(jq ".state" <<< "$DATA")"

  # Now get the secret key, given the metadata key
  local KEY=$(ots_key $METAKEY)
  assertNotNull "Empty Secret Key?" "$KEY"

  # fetch the secret, compare, then check state again
  assertEquals "Secret isn't valid." "$SECRET" \
               $(ots_get "$KEY")

  # refetch the metadata
  DATA=$(ots_metadata "$METAKEY")
  assertNotNull "Empty Metadata?" "$DATA"

  assertEquals "Metadata State: 'received'" '"received"' \
               $(jq ".state" <<< "$DATA")

  assertEquals "Secret State: 'received'" 'received' \
               $(ots_state "$METAKEY")

  return 0
}

testRecent() {
  # unauthenticated should fail
  assertEquals "Unauth recent() call" \
               'Authentication Required' \
               "$(ots_recent 2>&1)"
  #assertFalse "Recent() call failed" $?

  # remaining tests require credentials
  if [ \! -e ".ots.creds" ]; then
    echo "SKIPPING auth-required tests"
    return
  fi

  # get the credentials
  source .ots.creds

  # resource/setup ots.bash
  #source ots.bash -u $APIUSER -k $APIKEY

  # or specify / store them by function
  #ots_set_host "https://onetimesecret.com"
  ots_set_user "$APIUSER"
  ots_set_key  "$APIKEY"

  # Create a new secret.
  local METAKEY=$(ots_metashare <<< "$SECRET")
  local FIRST=$(ots_recent | head -1)

  # check that they are the same
  assertEquals "Recent secrets not equal" "$METAKEY" "$FIRST"

  # check state, fetch the secret, compare, then check state again

  assertEquals "Secret State: 'new'" 'new' \
               $(ots_state "$METAKEY")

  assertEquals "Secret isn't valid." "$SECRET" \
               $(ots_retrieve $(ots_key "$METAKEY"))

  assertEquals "Secret State: 'received'" 'received' \
               $(ots_state "$METAKEY")

  # remove authentication credentials
  ots_set_user ""
  ots_set_key  ""

  # unauthenticated should fail, again
  assertEquals "Unauth recent() call 2" \
               'Authentication Required' \
               "$(ots_recent 2>&1)"
  #assertFalse "Recent() call failed 2" $?

  return 0
}

testMetadataTTL() {
  local TTL=56789
  local TTLx2=$(( $TTL * 2 ))
  local TTL_4W=$(( 60 * 60 * 24 * 28 ))
  local TTL_2W=$(( 60 * 60 * 24 * 14 ))
  local TTL_1W=$(( 60 * 60 * 24 * 07 ))

  # Default and Max TTLs
  #          TTL   metadata_TTL  secret_TTL
  #   auth   4W      4W            2W
  #   anon   2W      2W            1W
  
  local MKEY=$(ots_metashare ttl=$TTL -- "$SECRET")
  local META=$(ots_metadata "$MKEY")

  assertEquals "TTL set properly" \
               "$TTLx2" \
               "$(jq ".ttl" <<<"$META")"

  local metaTTL=$(jq ".metadata_ttl" <<<"$META")
  local delta=$(( $TTLx2 - $metaTTL ))
  [[ $delta -gt 0 ]] && [[ $delta -lt 10 ]]
  assertTrue "Metadata TTL set properly" "$?"

  local secretTTL=$(jq ".secret_ttl" <<<"$META")
  local delta=$(( $TTL - $secretTTL ))
  [[ $delta -gt 0 ]] && [[ $delta -lt 10 ]]
  assertTrue "Secret TTL set properly" "$?"

  return 0
}


testEncryptedSecrets() {
  local PASSPHRASE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

  local MKEY=$(ots_metashare passphrase="$PASSPHRASE" -- "$SECRET")
  local META=$(ots_metadata "$MKEY")

  assertEquals "Metadata shows passphrase required" \
               "true" \
               "$(jq ".passphrase_required" <<<"$META")"

  local SKEY=$(ots_key "$MKEY")
  assertEquals "Get encrypted secret with passphrase" \
               "$SECRET" \
               "$(ots_get passphrase="$PASSPHRASE" -- "$SKEY")"

  return 0
}

#testSecretRecipients() {
#  fail "need to write 'share --recipient' tests"
#}

# load shunit2 - assumes (symlink) in current directory
source ./shunit2

# EOF