package session import ( "bytes" "errors" "io" "net/http" "net/http/httptest" "os" "path/filepath" "testing" "git.julianfamily.org/keepassgo/vault" "git.julianfamily.org/keepassgo/webdav" "github.com/tobischo/gokeepasslib/v3" w "github.com/tobischo/gokeepasslib/v3/wrappers" ) func TestCreateSaveAsLockAndUnlockRoundTripsVault(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } var sess Manager if err := sess.Create(model, key); err != nil { t.Fatalf("Create() error = %v", err) } path := filepath.Join(t.TempDir(), "keepassgo.kdbx") if err := sess.SaveAs(path); err != nil { t.Fatalf("SaveAs() error = %v", err) } if _, err := os.Stat(path); err != nil { t.Fatalf("Stat(saved path) error = %v", err) } if err := sess.Lock(); err != nil { t.Fatalf("Lock() error = %v", err) } if _, err := sess.Current(); !errors.Is(err, ErrLocked) { t.Fatalf("Current() error = %v, want ErrLocked", err) } if err := sess.Unlock(key); err != nil { t.Fatalf("Unlock() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() after Unlock() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 1 || got[0].Title != "Vault Console" || got[0].Password != "token-1" { t.Fatalf("Current() entries = %#v, want persisted Vault Console entry", got) } } func TestOpenLoadsExistingKDBXFromDisk(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Surveillance Console", Username: "codex", Password: "token-2", URL: "https://surveillance.crew.example.invalid", Path: []string{"Root", "Home Assistant"}, }, }, } path := filepath.Join(t.TempDir(), "existing.kdbx") file, err := os.Create(path) if err != nil { t.Fatalf("Create(existing path) error = %v", err) } if err := vault.SaveKDBXWithKey(file, model, key); err != nil { file.Close() t.Fatalf("SaveKDBXWithKey() error = %v", err) } if err := file.Close(); err != nil { t.Fatalf("Close(existing path) error = %v", err) } var sess Manager if err := sess.Open(path, key); err != nil { t.Fatalf("Open() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Home Assistant"}) if len(got) != 1 || got[0].Password != "token-2" { t.Fatalf("Current() entries = %#v, want Home Assistant entry", got) } } func TestSavePersistsEditsBackToCurrentPath(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } path := filepath.Join(t.TempDir(), "editable.kdbx") var sess Manager if err := sess.Create(model, key); err != nil { t.Fatalf("Create() error = %v", err) } if err := sess.SaveAs(path); err != nil { t.Fatalf("SaveAs() error = %v", err) } updated := model updated.UpsertEntry(vault.Entry{ ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-2", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }) sess.Replace(updated) if err := sess.Save(); err != nil { t.Fatalf("Save() error = %v", err) } reopened, err := os.Open(path) if err != nil { t.Fatalf("Open(saved path) error = %v", err) } defer reopened.Close() loaded, err := vault.LoadKDBXWithKey(reopened, key) if err != nil { t.Fatalf("LoadKDBXWithKey() error = %v", err) } got := loaded.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 1 || got[0].Password != "token-2" { t.Fatalf("loaded entries = %#v, want updated password token-2", got) } } func TestSaveReparentsMixedPathsUnderSingleVaultRoot(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} path := filepath.Join(t.TempDir(), "hidden-root.kdbx") var initial bytes.Buffer if err := vault.SaveKDBX(&initial, vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"keepass", "Crew", "Internet"}, }, { ID: "entry-2", Title: "Mail", Username: "dannyocean", Password: "token-2", URL: "https://dispatch.crew.example.invalid", Path: []string{"keepass", "Crew", "eMail"}, }, }, }, key.Password); err != nil { t.Fatalf("SaveKDBX() error = %v", err) } if err := os.WriteFile(path, initial.Bytes(), 0o600); err != nil { t.Fatalf("WriteFile(hidden-root.kdbx) error = %v", err) } var sess Manager if err := sess.Open(path, key); err != nil { t.Fatalf("Open() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } current.Entries[0].Path = []string{"Crew", "Internet"} current.Groups = append(current.Groups, []string{"Crew"}, []string{"Crew", "Internet"}, []string{"Crew", "eMail"}) sess.Replace(current) if err := sess.Save(); err != nil { t.Fatalf("Save() error = %v", err) } reopened, err := os.Open(path) if err != nil { t.Fatalf("Open(saved path) error = %v", err) } defer reopened.Close() db := gokeepasslib.NewDatabase() db.Credentials = gokeepasslib.NewPasswordCredentials(key.Password) if err := gokeepasslib.NewDecoder(reopened).Decode(db); err != nil { t.Fatalf("Decode(saved path) error = %v", err) } if err := db.UnlockProtectedEntries(); err != nil { t.Fatalf("UnlockProtectedEntries() error = %v", err) } if len(db.Content.Root.Groups) != 1 || db.Content.Root.Groups[0].Name != "keepass" { t.Fatalf("top-level groups = %#v, want single keepass root", db.Content.Root.Groups) } rootGroups := db.Content.Root.Groups[0].Groups if len(rootGroups) != 1 || rootGroups[0].Name != "Crew" { t.Fatalf("keepass child groups = %#v, want single Crew group", rootGroups) } } func TestSaveWithoutPathFails(t *testing.T) { t.Parallel() var sess Manager if err := sess.Create(vault.Model{}, vault.MasterKey{Password: "correct horse battery staple"}); err != nil { t.Fatalf("Create() error = %v", err) } err := sess.Save() if !errors.Is(err, ErrNoPath) { t.Fatalf("Save() error = %v, want ErrNoPath", err) } } func TestOpenRemoteLoadsExistingKDBXFromWebDAV(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } var encoded bytes.Buffer if err := vault.SaveKDBXWithKey(&encoded, model, key); err != nil { t.Fatalf("SaveKDBXWithKey() error = %v", err) } server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodGet || r.URL.Path != "/vaults/main.kdbx" { t.Fatalf("unexpected request %s %s", r.Method, r.URL.Path) } w.Header().Set("ETag", "\"v1\"") _, _ = w.Write(encoded.Bytes()) })) defer server.Close() client := webdav.Client{BaseURL: server.URL} var sess Manager if err := sess.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("OpenRemote() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 1 || got[0].Password != "token-1" { t.Fatalf("Current() entries = %#v, want Vault Console entry from remote vault", got) } } func TestSaveRemotePersistsEditsBackToWebDAV(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Surveillance Console", Username: "codex", Password: "token-1", URL: "https://surveillance.crew.example.invalid", Path: []string{"Root", "Home Assistant"}, }, }, } var ( savedETag string savedBytes []byte ) server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.Method { case http.MethodGet: var encoded bytes.Buffer if err := vault.SaveKDBXWithKey(&encoded, model, key); err != nil { t.Fatalf("SaveKDBXWithKey() error = %v", err) } w.Header().Set("ETag", "\"v1\"") _, _ = w.Write(encoded.Bytes()) case http.MethodPut: savedETag = r.Header.Get("If-Match") var err error savedBytes, err = io.ReadAll(r.Body) if err != nil { t.Fatalf("ReadAll(PUT body) error = %v", err) } w.Header().Set("ETag", "\"v2\"") w.WriteHeader(http.StatusNoContent) default: t.Fatalf("unexpected method %s", r.Method) } })) defer server.Close() client := webdav.Client{BaseURL: server.URL} var sess Manager if err := sess.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("OpenRemote() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } current.UpsertEntry(vault.Entry{ ID: "entry-1", Title: "Surveillance Console", Username: "codex", Password: "token-2", URL: "https://surveillance.crew.example.invalid", Path: []string{"Root", "Home Assistant"}, }) sess.Replace(current) if err := sess.SaveRemote(); err != nil { t.Fatalf("SaveRemote() error = %v", err) } if savedETag != "\"v1\"" { t.Fatalf("If-Match header = %q, want %q", savedETag, "\"v1\"") } loaded, err := vault.LoadKDBXWithKey(bytes.NewReader(savedBytes), key) if err != nil { t.Fatalf("LoadKDBXWithKey(savedBytes) error = %v", err) } got := loaded.EntriesInPath([]string{"Root", "Home Assistant"}) if len(got) != 1 || got[0].Password != "token-2" { t.Fatalf("loaded remote entries = %#v, want updated token-2 entry", got) } } func TestSaveUsesRemoteTargetWhenVaultWasOpenedFromWebDAV(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } var putCount int server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.Method { case http.MethodGet: var encoded bytes.Buffer if err := vault.SaveKDBXWithKey(&encoded, model, key); err != nil { t.Fatalf("SaveKDBXWithKey() error = %v", err) } w.Header().Set("ETag", "\"v1\"") _, _ = w.Write(encoded.Bytes()) case http.MethodPut: putCount++ w.Header().Set("ETag", "\"v2\"") w.WriteHeader(http.StatusNoContent) default: t.Fatalf("unexpected method %s", r.Method) } })) defer server.Close() client := webdav.Client{BaseURL: server.URL} var sess Manager if err := sess.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("OpenRemote() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } current.UpsertEntry(vault.Entry{ ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-2", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }) sess.Replace(current) if err := sess.Save(); err != nil { t.Fatalf("Save() error = %v", err) } if putCount != 1 { t.Fatalf("remote PUT count = %d, want 1", putCount) } } func TestChangeMasterKeyReencryptsSavedAndLockedVault(t *testing.T) { t.Parallel() originalKey := vault.MasterKey{Password: "old-password"} updatedKey := vault.MasterKey{ Password: "new-password", KeyFileData: []byte("updated-key-file"), } model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } path := filepath.Join(t.TempDir(), "keepassgo.kdbx") var sess Manager if err := sess.Create(model, originalKey); err != nil { t.Fatalf("Create() error = %v", err) } if err := sess.SaveAs(path); err != nil { t.Fatalf("SaveAs() error = %v", err) } if err := sess.Lock(); err != nil { t.Fatalf("Lock() error = %v", err) } if err := sess.ChangeMasterKey(updatedKey); err != nil { t.Fatalf("ChangeMasterKey() error = %v", err) } if err := sess.Save(); err != nil { t.Fatalf("Save() error = %v", err) } if err := sess.Unlock(updatedKey); err != nil { t.Fatalf("Unlock(updatedKey) error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 1 || got[0].Title != "Vault Console" { t.Fatalf("Current() entries = %#v, want Vault Console entry after ChangeMasterKey", got) } var reopened Manager if err := reopened.Open(path, updatedKey); err != nil { t.Fatalf("Open(updatedKey) error = %v", err) } if err := reopened.Open(path, originalKey); !errors.Is(err, vault.ErrInvalidMasterKey) { t.Fatalf("Open(originalKey) error = %v, want ErrInvalidMasterKey", err) } } func TestSavePreservesOpenedKDBXSecuritySettings(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} db := gokeepasslib.NewDatabase(gokeepasslib.WithDatabaseKDBXVersion4()) db.Credentials = gokeepasslib.NewPasswordCredentials(key.Password) db.Content.Root.Groups = []gokeepasslib.Group{ { Name: "Root", Entries: []gokeepasslib.Entry{ { UUID: gokeepasslib.NewUUID(), Values: []gokeepasslib.ValueData{ {Key: "Title", Value: gokeepasslib.V{Content: "Vault Console"}}, {Key: "UserName", Value: gokeepasslib.V{Content: "dannyocean"}}, {Key: "Password", Value: gokeepasslib.V{Content: "token-1", Protected: w.NewBoolWrapper(true)}}, {Key: "URL", Value: gokeepasslib.V{Content: "https://vault.crew.example.invalid"}}, }, }, }, }, } if err := db.LockProtectedEntries(); err != nil { t.Fatalf("LockProtectedEntries() error = %v", err) } path := filepath.Join(t.TempDir(), "kdbx4.kdbx") file, err := os.Create(path) if err != nil { t.Fatalf("Create(path) error = %v", err) } if err := gokeepasslib.NewEncoder(file).Encode(db); err != nil { file.Close() t.Fatalf("Encode() error = %v", err) } if err := file.Close(); err != nil { t.Fatalf("Close(path) error = %v", err) } var sess Manager if err := sess.Open(path, key); err != nil { t.Fatalf("Open() error = %v", err) } current, err := sess.Current() if err != nil { t.Fatalf("Current() error = %v", err) } current.UpsertEntry(vault.Entry{ ID: current.Entries[0].ID, Title: "Vault Console", Username: "dannyocean", Password: "token-2", URL: "https://vault.crew.example.invalid", Path: current.Entries[0].Path, }) sess.Replace(current) if err := sess.Save(); err != nil { t.Fatalf("Save() error = %v", err) } saved, err := os.Open(path) if err != nil { t.Fatalf("Open(saved path) error = %v", err) } defer saved.Close() reloaded := gokeepasslib.NewDatabase() reloaded.Credentials = gokeepasslib.NewPasswordCredentials(key.Password) if err := gokeepasslib.NewDecoder(saved).Decode(reloaded); err != nil { t.Fatalf("Decode(saved path) error = %v", err) } if !reloaded.Header.IsKdbx4() { t.Fatal("saved header is not KDBX4, want preserved KDBX4 format") } if !bytes.Equal(reloaded.Header.FileHeaders.CipherID, db.Header.FileHeaders.CipherID) { t.Fatalf("saved cipher = %x, want %x", reloaded.Header.FileHeaders.CipherID, db.Header.FileHeaders.CipherID) } if !bytes.Equal(reloaded.Header.FileHeaders.KdfParameters.UUID, db.Header.FileHeaders.KdfParameters.UUID) { t.Fatalf("saved KDF UUID = %x, want %x", reloaded.Header.FileHeaders.KdfParameters.UUID, db.Header.FileHeaders.KdfParameters.UUID) } } func TestRemoteSaveAndReopenPreservesCrossFeatureState(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-2", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, Attachments: map[string][]byte{ "token.txt": []byte("secret attachment contents"), }, History: []vault.Entry{ { ID: "entry-1-history-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, }, }, Templates: []vault.Entry{ { ID: "tpl-1", Title: "Website Login", Username: "template-user", Password: "template-password", Path: []string{"Templates", "Web"}, }, }, RecycleBin: []vault.Entry{ { ID: "deleted-1", Title: "Retired Entry", Username: "archived-user", Password: "retired-token", Path: []string{"Root", "Archive"}, }, }, Groups: [][]string{ {"Root", "Archive"}, {"Root", "Empty Group"}, {"Templates", "Web"}, }, } var remoteBytes bytes.Buffer if err := vault.SaveKDBXWithKey(&remoteBytes, model, key); err != nil { t.Fatalf("SaveKDBXWithKey(seed remote) error = %v", err) } etag := "\"v1\"" server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.Method { case http.MethodGet: w.Header().Set("ETag", etag) _, _ = w.Write(remoteBytes.Bytes()) case http.MethodPut: if got := r.Header.Get("If-Match"); got != etag { t.Fatalf("If-Match header = %q, want %q", got, etag) } payload, err := io.ReadAll(r.Body) if err != nil { t.Fatalf("ReadAll(PUT body) error = %v", err) } remoteBytes.Reset() if _, err := remoteBytes.Write(payload); err != nil { t.Fatalf("Write(remoteBytes) error = %v", err) } etag = "\"v2\"" w.Header().Set("ETag", etag) w.WriteHeader(http.StatusNoContent) default: t.Fatalf("unexpected method %s", r.Method) } })) defer server.Close() client := webdav.Client{BaseURL: server.URL} var sess Manager if err := sess.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("OpenRemote() error = %v", err) } if err := sess.SaveRemote(); err != nil { t.Fatalf("SaveRemote() error = %v", err) } var reopened Manager if err := reopened.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("reopen OpenRemote() error = %v", err) } current, err := reopened.Current() if err != nil { t.Fatalf("Current() after reopen error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 1 { t.Fatalf("len(EntriesInPath(Root/Internet)) after reopen = %d, want 1", len(got)) } if got[0].ID != "entry-1" { t.Fatalf("entry ID after remote reopen = %q, want %q", got[0].ID, "entry-1") } if len(got[0].History) != 1 || got[0].History[0].ID != "entry-1-history-1" { t.Fatalf("History after remote reopen = %#v, want stable history ID entry-1-history-1", got[0].History) } if string(got[0].Attachments["token.txt"]) != "secret attachment contents" { t.Fatalf("attachment after remote reopen = %q, want %q", string(got[0].Attachments["token.txt"]), "secret attachment contents") } if len(current.Templates) != 1 || current.Templates[0].Path[1] != "Web" { t.Fatalf("Templates after remote reopen = %#v, want Website Login in Templates/Web", current.Templates) } if len(current.RecycleBin) != 1 || current.RecycleBin[0].Path[1] != "Archive" { t.Fatalf("RecycleBin after remote reopen = %#v, want retired entry in Root/Archive", current.RecycleBin) } } func TestConfigureSecurityAppliesToCreatedVaultAndPersists(t *testing.T) { t.Parallel() var sess Manager if err := sess.ConfigureSecurity(vault.SecuritySettings{ Cipher: vault.CipherAES256, KDF: vault.KDFAES, }); err != nil { t.Fatalf("ConfigureSecurity() error = %v", err) } if err := sess.Create(vault.Model{}, vault.MasterKey{Password: "correct horse battery staple"}); err != nil { t.Fatalf("Create() error = %v", err) } path := filepath.Join(t.TempDir(), "secure.kdbx") if err := sess.SaveAs(path); err != nil { t.Fatalf("SaveAs() error = %v", err) } var reopened Manager if err := reopened.Open(path, vault.MasterKey{Password: "correct horse battery staple"}); err != nil { t.Fatalf("Open() error = %v", err) } got := reopened.SecuritySettings() if got.Cipher != vault.CipherAES256 || got.KDF != vault.KDFAES { t.Fatalf("SecuritySettings() = %#v, want aes256/aes-kdf", got) } } func TestSynchronizeRemotePreservesOverwrittenRemoteVariantInHistory(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} model := vault.Model{ Entries: []vault.Entry{ { ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "token-1", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } var remoteBytes bytes.Buffer if err := vault.SaveKDBXWithKey(&remoteBytes, model, key); err != nil { t.Fatalf("SaveKDBXWithKey(seed remote) error = %v", err) } etag := "\"v1\"" server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.Method { case http.MethodGet: w.Header().Set("ETag", etag) _, _ = w.Write(remoteBytes.Bytes()) case http.MethodPut: if got := r.Header.Get("If-Match"); got != etag { t.Fatalf("If-Match header = %q, want %q", got, etag) } payload, err := io.ReadAll(r.Body) if err != nil { t.Fatalf("ReadAll(PUT body) error = %v", err) } remoteBytes.Reset() if _, err := remoteBytes.Write(payload); err != nil { t.Fatalf("Write(remoteBytes) error = %v", err) } switch etag { case "\"v1\"": etag = "\"v2\"" default: etag = "\"v3\"" } w.Header().Set("ETag", etag) w.WriteHeader(http.StatusNoContent) default: t.Fatalf("unexpected method %s", r.Method) } })) defer server.Close() client := webdav.Client{BaseURL: server.URL} var first Manager if err := first.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("first OpenRemote() error = %v", err) } var second Manager if err := second.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("second OpenRemote() error = %v", err) } firstCurrent, err := first.Current() if err != nil { t.Fatalf("first Current() error = %v", err) } firstCurrent.UpsertEntry(vault.Entry{ ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "remote-token-2", URL: "https://vault.crew.example.invalid", Notes: "updated remotely first", Path: []string{"Root", "Internet"}, }) first.Replace(firstCurrent) if err := first.SaveRemote(); err != nil { t.Fatalf("first SaveRemote() error = %v", err) } secondCurrent, err := second.Current() if err != nil { t.Fatalf("second Current() error = %v", err) } secondCurrent.UpsertEntry(vault.Entry{ ID: "entry-1", Title: "Vault Console", Username: "dannyocean", Password: "local-token-2", URL: "https://vault.crew.example.invalid/security/badges", Path: []string{"Root", "Internet"}, }) second.Replace(secondCurrent) if err := second.Synchronize(); err != nil { t.Fatalf("second Synchronize() error = %v", err) } var reopened Manager if err := reopened.OpenRemote(client, "vaults/main.kdbx", key); err != nil { t.Fatalf("reopened OpenRemote() error = %v", err) } current, err := reopened.Current() if err != nil { t.Fatalf("reopened Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 1 { t.Fatalf("len(EntriesInPath(Root/Internet)) = %d, want 1", len(got)) } if got[0].Password != "local-token-2" || got[0].URL != "https://vault.crew.example.invalid/security/badges" { t.Fatalf("entry after synchronize = %#v, want local winning version", got[0]) } if len(got[0].History) == 0 { t.Fatal("len(History) = 0, want overwritten remote variant preserved") } if got[0].History[0].Password != "remote-token-2" || got[0].History[0].Notes != "updated remotely first" { t.Fatalf("History[0] = %#v, want displaced remote version first", got[0].History[0]) } } func TestSynchronizeFromLocalMergesOtherVaultIntoCurrentSource(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} currentPath := filepath.Join(t.TempDir(), "current.kdbx") otherPath := filepath.Join(t.TempDir(), "other.kdbx") currentModel := vault.Model{ Entries: []vault.Entry{ { ID: "entry-current", Title: "Vault Console", Username: "dannyocean", Password: "token-current", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } otherModel := vault.Model{ Entries: []vault.Entry{ { ID: "entry-other", Title: "Bellagio", Username: "rustyryan", Password: "token-other", URL: "https://bellagio.example.invalid", Path: []string{"Root", "Internet"}, }, }, } writeKDBXTestFile(t, currentPath, currentModel, key) writeKDBXTestFile(t, otherPath, otherModel, key) var sess Manager if err := sess.Open(currentPath, key); err != nil { t.Fatalf("Open(current) error = %v", err) } if err := sess.SynchronizeFromLocal(otherPath); err != nil { t.Fatalf("SynchronizeFromLocal() error = %v", err) } var reopened Manager if err := reopened.Open(currentPath, key); err != nil { t.Fatalf("reopen Open(current) error = %v", err) } current, err := reopened.Current() if err != nil { t.Fatalf("reopened Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 2 { t.Fatalf("len(EntriesInPath(Root/Internet)) = %d, want 2", len(got)) } } func TestSynchronizeToLocalWritesMergedVaultToTarget(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} currentPath := filepath.Join(t.TempDir(), "current.kdbx") otherPath := filepath.Join(t.TempDir(), "other.kdbx") currentModel := vault.Model{ Entries: []vault.Entry{ { ID: "entry-current", Title: "Vault Console", Username: "dannyocean", Password: "token-current", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } otherModel := vault.Model{ Entries: []vault.Entry{ { ID: "entry-other", Title: "Bellagio", Username: "rustyryan", Password: "token-other", URL: "https://bellagio.example.invalid", Path: []string{"Root", "Internet"}, }, }, } writeKDBXTestFile(t, currentPath, currentModel, key) writeKDBXTestFile(t, otherPath, otherModel, key) var sess Manager if err := sess.Open(currentPath, key); err != nil { t.Fatalf("Open(current) error = %v", err) } if err := sess.SynchronizeToLocal(otherPath); err != nil { t.Fatalf("SynchronizeToLocal() error = %v", err) } var reopened Manager if err := reopened.Open(otherPath, key); err != nil { t.Fatalf("reopen Open(other) error = %v", err) } current, err := reopened.Current() if err != nil { t.Fatalf("reopened Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 2 { t.Fatalf("len(EntriesInPath(Root/Internet)) = %d, want 2", len(got)) } } func TestSynchronizeToRemoteWritesMergedVaultToTarget(t *testing.T) { t.Parallel() key := vault.MasterKey{Password: "correct horse battery staple"} currentPath := filepath.Join(t.TempDir(), "current.kdbx") currentModel := vault.Model{ Entries: []vault.Entry{ { ID: "entry-current", Title: "Vault Console", Username: "dannyocean", Password: "token-current", URL: "https://vault.crew.example.invalid", Path: []string{"Root", "Internet"}, }, }, } remoteModel := vault.Model{ Entries: []vault.Entry{ { ID: "entry-remote", Title: "Bellagio", Username: "rustyryan", Password: "token-remote", URL: "https://bellagio.example.invalid", Path: []string{"Root", "Internet"}, }, }, } writeKDBXTestFile(t, currentPath, currentModel, key) var remoteBytes bytes.Buffer if err := vault.SaveKDBXWithKey(&remoteBytes, remoteModel, key); err != nil { t.Fatalf("SaveKDBXWithKey(remote) error = %v", err) } etag := "\"v1\"" server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.Method { case http.MethodGet: w.Header().Set("ETag", etag) _, _ = w.Write(remoteBytes.Bytes()) case http.MethodPut: payload, err := io.ReadAll(r.Body) if err != nil { t.Fatalf("ReadAll(PUT body) error = %v", err) } remoteBytes.Reset() if _, err := remoteBytes.Write(payload); err != nil { t.Fatalf("Write(remoteBytes) error = %v", err) } etag = "\"v2\"" w.Header().Set("ETag", etag) w.WriteHeader(http.StatusNoContent) default: t.Fatalf("unexpected method %s", r.Method) } })) defer server.Close() var sess Manager if err := sess.Open(currentPath, key); err != nil { t.Fatalf("Open(current) error = %v", err) } if err := sess.SynchronizeToRemote(webdav.Client{BaseURL: server.URL}, "vaults/other.kdbx"); err != nil { t.Fatalf("SynchronizeToRemote() error = %v", err) } var reopened Manager if err := reopened.OpenRemote(webdav.Client{BaseURL: server.URL}, "vaults/other.kdbx", key); err != nil { t.Fatalf("OpenRemote(reopened) error = %v", err) } current, err := reopened.Current() if err != nil { t.Fatalf("reopened Current() error = %v", err) } got := current.EntriesInPath([]string{"Root", "Internet"}) if len(got) != 2 { t.Fatalf("len(EntriesInPath(Root/Internet)) = %d, want 2", len(got)) } } func writeKDBXTestFile(t *testing.T, path string, model vault.Model, key vault.MasterKey) { t.Helper() var encoded bytes.Buffer if err := vault.SaveKDBXWithKey(&encoded, model, key); err != nil { t.Fatalf("SaveKDBXWithKey(%s) error = %v", path, err) } if err := os.WriteFile(path, encoded.Bytes(), 0o600); err != nil { t.Fatalf("WriteFile(%s) error = %v", path, err) } }