package crypto import ( "bytes" "testing" ) func key32() []byte { k := make([]byte, 32) for i := range k { k[i] = byte(i + 1) } return k } func TestEncryptDecryptRoundTrip(t *testing.T) { c, err := NewCipher(key32()) if err != nil { t.Fatal(err) } plain := []byte("selectel-api-secret-token") enc, err := c.Encrypt(plain) if err != nil { t.Fatal(err) } if enc == string(plain) { t.Fatal("ciphertext must differ from plaintext") } dec, err := c.Decrypt(enc) if err != nil { t.Fatal(err) } if !bytes.Equal(dec, plain) { t.Fatalf("round-trip mismatch: %q != %q", dec, plain) } } func TestEncryptNonDeterministic(t *testing.T) { c, _ := NewCipher(key32()) a, _ := c.Encrypt([]byte("same")) b, _ := c.Encrypt([]byte("same")) if a == b { t.Fatal("nonce must randomize ciphertext") } } func TestDecryptTamperFails(t *testing.T) { c, _ := NewCipher(key32()) enc, _ := c.Encrypt([]byte("data")) // испортить последний символ base64 tampered := enc[:len(enc)-1] + "A" if tampered == enc { tampered = enc[:len(enc)-1] + "B" } if _, err := c.Decrypt(tampered); err == nil { t.Fatal("GCM must reject tampered ciphertext") } } func TestNewCipherRejectsBadKey(t *testing.T) { if _, err := NewCipher([]byte("short")); err == nil { t.Fatal("expected error for non-32-byte key") } }