diff --git a/app/redis_tls_auth_test.go b/app/redis_tls_auth_test.go
index bb1a919..ec5060b 100644
--- a/app/redis_tls_auth_test.go
+++ b/app/redis_tls_auth_test.go
@@ -147,7 +147,7 @@ func TestRateLimiterRedisAuthUsername(t *testing.T) {
 }
 
 func TestRateLimiterRedisTLSAuthRequiresVerification(t *testing.T) {
- key, _ := rsa.GenerateKey(rand.Reader, 1024)
+ key, _ := rsa.GenerateKey(rand.Reader, 2048)
 tmpl := &x509.Certificate{
 SerialNumber: big.NewInt(1),
 Subject: pkix.Name{CommonName: "srv"},
@@ -201,7 +201,7 @@ func TestRateLimiterRedisTLSAuthRequiresVerification(t *testing.T) {
 }
 
 func TestRateLimiterRedisTLSWithCA(t *testing.T) {
- key, _ := rsa.GenerateKey(rand.Reader, 1024)
+ key, _ := rsa.GenerateKey(rand.Reader, 2048)
 tmpl := &x509.Certificate{
 SerialNumber: big.NewInt(1),
 Subject: pkix.Name{CommonName: "srv"},
diff --git a/app/secrets/plugins/keychain/plugin.go b/app/secrets/plugins/keychain/plugin.go
index 29ef216..16b86ac 100644
--- a/app/secrets/plugins/keychain/plugin.go
+++ b/app/secrets/plugins/keychain/plugin.go
@@ -47,7 +47,7 @@ func (keychainPlugin) Load(ctx context.Context, id string) (string, error) {
 return "", fmt.Errorf("keychain lookup failed: %w", err)
 }
 
- return string(out), nil
+ return trimCommandLineTerminator(out), nil
 }
 
 func parseKeychainID(id string) (service, account string, err error) {
@@ -65,4 +65,8 @@ func parseKeychainID(id string) (service, account string, err error) {
 return service, account, nil
 }
 
+func trimCommandLineTerminator(out []byte) string {
+ return strings.TrimSuffix(string(out), "\n")
+}
+
 func init() { secrets.Register(keychainPlugin{}) }
diff --git a/app/secrets/plugins/keychain/plugin_test.go b/app/secrets/plugins/keychain/plugin_test.go
index 249ad37..1771a26 100644
--- a/app/secrets/plugins/keychain/plugin_test.go
+++ b/app/secrets/plugins/keychain/plugin_test.go
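Review bot: The key-generation error is still discarded by `key, _ := rsa.GenerateKey(rand.Reader, 2048)` in TestRateLimiterRedisTLSAuthRequiresVerification, and identically in TestRateLimiterRedisTLSWithCA in the second hunk, so a failure there would presumably surface later as a nil dereference when the key is used rather than as a clear test failure; prefer `key, err := rsa.GenerateKey(rand.Reader, 2048)` followed by `if err != nil { t.Fatal(err) }`. A 2048-bit RSA key is also markedly slower to generate than the 1024-bit one it replaces, so if more TLS tests are added, generating one key once per package in a helper shared by both tests would keep the suite fast. Both test functions continue outside the hunk.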
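Review bot: `trimCommandLineTerminator` in the second plugin.go hunk has no comment saying why exactly one `\n` is removed and why a broader `strings.TrimSpace` would be wrong, even though the matching test shows that a secret's own trailing bytes — including a `\r` — must survive; a line such as `// trimCommandLineTerminator strips only the single trailing newline the security command appends to its output; any other trailing bytes belong to the secret and are kept.` would record that. That this trailing newline comes from the security command is inferred from the helper's and the test's names, not from anything visible in the diff. The new code also relies on `strings` being imported in plugin.go, which this diff does not show, so it is worth confirming the file builds without an import change. The body of Load begins outside the first hunk.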
@@ -23,7 +23,7 @@ func TestKeychainPluginLoad(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error: %v", err)
 }
- if got != "super-secret\n" {
+ if got != "super-secret" {
 t.Fatalf("expected exact secret bytes, got %q", got)
 }
 
@@ -46,11 +46,29 @@ func TestKeychainPluginLoadPreservesWhitespace(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error: %v", err)
 }
- if got != " secret with spaces \n" {
+ if got != " secret with spaces " {
 t.Fatalf("expected exact secret bytes, got %q", got)
 }
 }
 
+func TestKeychainPluginLoadPreservesTrailingCRBeforeCommandLF(t *testing.T) {
+ old := execSecurityCommand
+ t.Cleanup(func() { execSecurityCommand = old })
+
+ execSecurityCommand = func(ctx context.Context, args ...string) ([]byte, error) {
+ return []byte("secret\r\n"), nil
+ }
+
+ p := keychainPlugin{}
+ got, err := p.Load(context.Background(), "svc")
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if got != "secret\r" {
+ t.Fatalf("expected trailing carriage return to be preserved, got %q", got)
+ }
+}
+
 func TestKeychainPluginLoadServiceOnly(t *testing.T) {
 old := execSecurityCommand
 t.Cleanup(func() { execSecurityCommand = old })
diff --git a/app/secrets/plugins/secretservice/plugin_test.go b/app/secrets/plugins/secretservice/plugin_test.go
index f6514b0..23b9c6a 100644
--- a/app/secrets/plugins/secretservice/plugin_test.go
+++ b/app/secrets/plugins/secretservice/plugin_test.go
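Review bot: TestKeychainPluginLoadPreservesTrailingCRBeforeCommandLF pins `\r\n` → `\r`, but nothing in this file pins the two boundaries of a single-suffix trim: output with no trailing newline at all, empty output, and output ending in two newlines, where `secret\n\n` must become `secret\n` rather than `secret`. Without those cases a later switch to a whitespace-trimming helper would pass every existing test while silently altering secrets. A small table-driven test over the fake `execSecurityCommand`, like the one below, would document that exactly one terminator is removed.

```go
func TestKeychainPluginLoadTrimsExactlyOneTerminator(t *testing.T) {
	old := execSecurityCommand
	t.Cleanup(func() { execSecurityCommand = old })

	for _, tc := range []struct{ raw, want string }{
		{"secret", "secret"},
		{"", ""},
		{"secret\n\n", "secret\n"},
	} {
		execSecurityCommand = func(ctx context.Context, args ...string) ([]byte, error) {
			return []byte(tc.raw), nil
		}
		got, err := keychainPlugin{}.Load(context.Background(), "svc")
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
		if got != tc.want {
			t.Fatalf("raw %q: got %q, want %q", tc.raw, got, tc.want)
		}
	}
}
```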
@@ -50,6 +50,24 @@ func TestSecretServicePluginLoadPreservesWhitespace(t *testing.T) {
 }
 }
 
+func TestSecretServicePluginLoadPreservesCRLFTrailingBytes(t *testing.T) {
+ old := execSecretTool
+ t.Cleanup(func() { execSecretTool = old })
+
+ execSecretTool = func(ctx context.Context, args ...string) ([]byte, error) {
+ return []byte("secret\r\n"), nil
+ }
+
+ p := secretServicePlugin{}
+ got, err := p.Load(context.Background(), "service=slack")
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if got != "secret\r\n" {
+ t.Fatalf("expected exact secret bytes, got %q", got)
+ }
+}
+
 func TestSecretServicePluginLoadInvalidID(t *testing.T) {
 p := secretServicePlugin{}
 if _, err := p.Load(context.Background(), "bad"); err == nil {
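Review bot: TestSecretServicePluginLoadPreservesCRLFTrailingBytes fixes that secret-tool output is returned byte-for-byte including `\r\n`, while the keychain plugin in the same commit strips a trailing `\n`; the tests make the asymmetry deliberate, but nothing states why. A one-line comment above the test, `// secret-tool output is passed through untouched; only the keychain plugin trims a command-appended newline.`, would stop a later change from "harmonizing" the two plugins and corrupting secrets that legitimately end in whitespace. Whether the secretservice Load performs any trimming elsewhere is inferred from this assertion alone, since its body is not in the diff.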