infra/cli/cmd_vault_test.go

package main

import (
	"reflect"
	"strings"
	"testing"
)

func TestVaultCommandsRegistered(t *testing.T) {
	want := map[string]Tier{
		"vault setup":  TierWrite,
		"vault status": TierRead,
		"vault list":   TierRead,
		"vault get":    TierRead,
		"vault search": TierRead,
		"vault code":   TierRead,
		"vault lock":   TierWrite,
	}
	got := map[string]Tier{}
	for _, c := range vaultCommands() {
		got[c.name()] = c.Tier
	}
	for name, tier := range want {
		if got[name] != tier {
			t.Errorf("command %q: tier=%q, want %q (registered=%v)", name, got[name], tier, got[name] != "")
		}
	}
}

func TestVaultGroupInRegistry(t *testing.T) {
	if !isCommandGroup(buildRegistry(), "vault") {
		t.Fatal("`vault` group not wired into buildRegistry()")
	}
}

func TestVaultCredsPath(t *testing.T) {
	if got := vwCredsPath("emo"); got != "secret/workstation/claude-users/emo" {
		t.Fatalf("vwCredsPath = %q", got)
	}
}

func TestBwAppDataDir(t *testing.T) {
	if got := bwAppDataDir("1001"); got != "/run/user/1001/homelab-bw" {
		t.Fatalf("bwAppDataDir = %q", got)
	}
}

// fakeRunner records calls and returns canned stdout/err keyed by argv[0]+first arg.
type fakeRunner struct {
	calls   [][]string
	out     map[string]string // key: name+" "+strings.Join(argv," ") prefix-matched
	err     map[string]error
	lastEnv []string
}

func (f *fakeRunner) run(name string, argv, envv []string) (string, error) {
	f.calls = append(f.calls, append([]string{name}, argv...))
	f.lastEnv = envv
	key := name + " " + strings.Join(argv, " ")
	for k, v := range f.out {
		if strings.HasPrefix(key, k) {
			return v, f.err[k]
		}
	}
	return "", f.err[key]
}

func TestLoadCredsReadsFourFields(t *testing.T) {
	f := &fakeRunner{out: map[string]string{
		"vault kv get -field=vaultwarden_email secret/workstation/claude-users/emo":          "emo@x.me",
		"vault kv get -field=vaultwarden_master_password secret/workstation/claude-users/emo": "hunter2",
		"vault kv get -field=vaultwarden_client_id secret/workstation/claude-users/emo":       "user.abc",
		"vault kv get -field=vaultwarden_client_secret secret/workstation/claude-users/emo":   "sek",
	}}
	c, err := loadCreds(f.run, "emo")
	if err != nil {
		t.Fatalf("loadCreds: %v", err)
	}
	want := vwCreds{Email: "emo@x.me", MasterPassword: "hunter2", ClientID: "user.abc", ClientSecret: "sek"}
	if !reflect.DeepEqual(c, want) {
		t.Fatalf("loadCreds = %+v want %+v", c, want)
	}
}

func TestLoadCredsUnconfigured(t *testing.T) {
	f := &fakeRunner{out: map[string]string{}} // every field empty
	if _, err := loadCreds(f.run, "emo"); err == nil || !strings.Contains(err.Error(), "not configured") {
		t.Fatalf("want 'not configured' error, got %v", err)
	}
}

func TestBwEnvCarriesSecretsNotArgv(t *testing.T) {
	c := vwCreds{ClientID: "user.abc", ClientSecret: "sek", MasterPassword: "hunter2"}
	env := bwSecretEnv("/run/user/1001/homelab-bw", c, "SESSIONKEY")
	joined := strings.Join(env, "\n")
	for _, want := range []string{
		"BW_CLIENTID=user.abc", "BW_CLIENTSECRET=sek", "BW_PASSWORD=hunter2",
		"BW_SESSION=SESSIONKEY", "BITWARDENCLI_APPDATA_DIR=/run/user/1001/homelab-bw",
	} {
		if !strings.Contains(joined, want) {
			t.Errorf("bwSecretEnv missing %q", want)
		}
	}
	if strings.Contains(joined, "PATH=") == false {
		t.Error("bwSecretEnv must keep a PATH so node/bw resolve")
	}
}

func TestBwGetArgsHasNoSessionInArgv(t *testing.T) {
	argv := bwGetArgs("password", "github")
	for _, a := range argv {
		if strings.Contains(a, "SESSION") || a == "--session" {
			t.Fatalf("session must travel via env, not argv: %v", argv)
		}
	}
	if !reflect.DeepEqual(argv, []string{"get", "password", "github"}) {
		t.Fatalf("bwGetArgs = %v", argv)
	}
}

func TestBwListArgs(t *testing.T) {
	if got := bwListArgs(""); !reflect.DeepEqual(got, []string{"list", "items"}) {
		t.Fatalf("bwListArgs('') = %v", got)
	}
	if got := bwListArgs("git"); !reflect.DeepEqual(got, []string{"list", "items", "--search", "git"}) {
		t.Fatalf("bwListArgs('git') = %v", got)
	}
}

func TestBwUnlockReturnsSession(t *testing.T) {
	f := &fakeRunner{out: map[string]string{"bw unlock": "THE-SESSION-KEY"}}
	env := bwSecretEnv("/run/user/1001/homelab-bw", vwCreds{MasterPassword: "pw"}, "")
	sess, err := bwUnlock(f.run, env)
	if err != nil || sess != "THE-SESSION-KEY" {
		t.Fatalf("bwUnlock = %q, %v", sess, err)
	}
	// argv must use --passwordenv + --raw, never the password literal
	last := f.calls[len(f.calls)-1]
	if strings.Join(last, " ") != "bw unlock --passwordenv BW_PASSWORD --raw" {
		t.Fatalf("unlock argv = %v", last)
	}
}
feat(cli): register homelab vault command group skeleton 2026-06-24 10:14:24 +00:00			`package main`

feat(cli): vault creds loading from per-user Vault path 2026-06-24 10:15:32 +00:00			`import (`
			`"reflect"`
			`"strings"`
			`"testing"`
			`)`
feat(cli): register homelab vault command group skeleton 2026-06-24 10:14:24 +00:00
			`func TestVaultCommandsRegistered(t *testing.T) {`
			`want := map[string]Tier{`
			`"vault setup": TierWrite,`
			`"vault status": TierRead,`
			`"vault list": TierRead,`
			`"vault get": TierRead,`
			`"vault search": TierRead,`
			`"vault code": TierRead,`
			`"vault lock": TierWrite,`
			`}`
			`got := map[string]Tier{}`
			`for _, c := range vaultCommands() {`
			`got[c.name()] = c.Tier`
			`}`
			`for name, tier := range want {`
			`if got[name] != tier {`
			`t.Errorf("command %q: tier=%q, want %q (registered=%v)", name, got[name], tier, got[name] != "")`
			`}`
			`}`
			`}`

			`func TestVaultGroupInRegistry(t *testing.T) {`
			`if !isCommandGroup(buildRegistry(), "vault") {`
			t.Fatal("`vault` group not wired into buildRegistry()")
			`}`
			`}`
feat(cli): vault creds loading from per-user Vault path 2026-06-24 10:15:32 +00:00
			`func TestVaultCredsPath(t *testing.T) {`
			`if got := vwCredsPath("emo"); got != "secret/workstation/claude-users/emo" {`
			`t.Fatalf("vwCredsPath = %q", got)`
			`}`
			`}`

			`func TestBwAppDataDir(t *testing.T) {`
			`if got := bwAppDataDir("1001"); got != "/run/user/1001/homelab-bw" {`
			`t.Fatalf("bwAppDataDir = %q", got)`
			`}`
			`}`

			`// fakeRunner records calls and returns canned stdout/err keyed by argv[0]+first arg.`
			`type fakeRunner struct {`
			`calls [][]string`
			`out map[string]string // key: name+" "+strings.Join(argv," ") prefix-matched`
			`err map[string]error`
			`lastEnv []string`
			`}`

			`func (f *fakeRunner) run(name string, argv, envv []string) (string, error) {`
			`f.calls = append(f.calls, append([]string{name}, argv...))`
			`f.lastEnv = envv`
			`key := name + " " + strings.Join(argv, " ")`
			`for k, v := range f.out {`
			`if strings.HasPrefix(key, k) {`
			`return v, f.err[k]`
			`}`
			`}`
			`return "", f.err[key]`
			`}`

			`func TestLoadCredsReadsFourFields(t *testing.T) {`
			`f := &fakeRunner{out: map[string]string{`
			`"vault kv get -field=vaultwarden_email secret/workstation/claude-users/emo": "emo@x.me",`
			`"vault kv get -field=vaultwarden_master_password secret/workstation/claude-users/emo": "hunter2",`
			`"vault kv get -field=vaultwarden_client_id secret/workstation/claude-users/emo": "user.abc",`
			`"vault kv get -field=vaultwarden_client_secret secret/workstation/claude-users/emo": "sek",`
			`}}`
			`c, err := loadCreds(f.run, "emo")`
			`if err != nil {`
			`t.Fatalf("loadCreds: %v", err)`
			`}`
			`want := vwCreds{Email: "emo@x.me", MasterPassword: "hunter2", ClientID: "user.abc", ClientSecret: "sek"}`
			`if !reflect.DeepEqual(c, want) {`
			`t.Fatalf("loadCreds = %+v want %+v", c, want)`
			`}`
			`}`

			`func TestLoadCredsUnconfigured(t *testing.T) {`
			`f := &fakeRunner{out: map[string]string{}} // every field empty`
			`if _, err := loadCreds(f.run, "emo"); err == nil \|\| !strings.Contains(err.Error(), "not configured") {`
			`t.Fatalf("want 'not configured' error, got %v", err)`
			`}`
			`}`
feat(cli): vault bw engine env/arg builders + unlock 2026-06-24 10:16:19 +00:00
			`func TestBwEnvCarriesSecretsNotArgv(t *testing.T) {`
			`c := vwCreds{ClientID: "user.abc", ClientSecret: "sek", MasterPassword: "hunter2"}`
			`env := bwSecretEnv("/run/user/1001/homelab-bw", c, "SESSIONKEY")`
			`joined := strings.Join(env, "\n")`
			`for _, want := range []string{`
			`"BW_CLIENTID=user.abc", "BW_CLIENTSECRET=sek", "BW_PASSWORD=hunter2",`
			`"BW_SESSION=SESSIONKEY", "BITWARDENCLI_APPDATA_DIR=/run/user/1001/homelab-bw",`
			`} {`
			`if !strings.Contains(joined, want) {`
			`t.Errorf("bwSecretEnv missing %q", want)`
			`}`
			`}`
			`if strings.Contains(joined, "PATH=") == false {`
			`t.Error("bwSecretEnv must keep a PATH so node/bw resolve")`
			`}`
			`}`

			`func TestBwGetArgsHasNoSessionInArgv(t *testing.T) {`
			`argv := bwGetArgs("password", "github")`
			`for _, a := range argv {`
			`if strings.Contains(a, "SESSION") \|\| a == "--session" {`
			`t.Fatalf("session must travel via env, not argv: %v", argv)`
			`}`
			`}`
			`if !reflect.DeepEqual(argv, []string{"get", "password", "github"}) {`
			`t.Fatalf("bwGetArgs = %v", argv)`
			`}`
			`}`

			`func TestBwListArgs(t *testing.T) {`
			`if got := bwListArgs(""); !reflect.DeepEqual(got, []string{"list", "items"}) {`
			`t.Fatalf("bwListArgs('') = %v", got)`
			`}`
			`if got := bwListArgs("git"); !reflect.DeepEqual(got, []string{"list", "items", "--search", "git"}) {`
			`t.Fatalf("bwListArgs('git') = %v", got)`
			`}`
			`}`

			`func TestBwUnlockReturnsSession(t *testing.T) {`
			`f := &fakeRunner{out: map[string]string{"bw unlock": "THE-SESSION-KEY"}}`
			`env := bwSecretEnv("/run/user/1001/homelab-bw", vwCreds{MasterPassword: "pw"}, "")`
			`sess, err := bwUnlock(f.run, env)`
			`if err != nil \|\| sess != "THE-SESSION-KEY" {`
			`t.Fatalf("bwUnlock = %q, %v", sess, err)`
			`}`
			`// argv must use --passwordenv + --raw, never the password literal`
			`last := f.calls[len(f.calls)-1]`
			`if strings.Join(last, " ") != "bw unlock --passwordenv BW_PASSWORD --raw" {`
			`t.Fatalf("unlock argv = %v", last)`
			`}`
			`}`