git.stella-ops.org/src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/CasAccessSecretParserTests.cs

using System.Collections.Generic;
using System.Text;
using StellaOps.Scanner.Surface.Secrets;
using Xunit;

namespace StellaOps.Scanner.Surface.Secrets.Tests;

public sealed class CasAccessSecretParserTests
{
    [Fact]
    public void ParseCasAccessSecret_WithRustFsPayload_ReturnsExpectedValues()
    {
        const string json = """
        {
          "driver": "rustfs",
          "endpoint": "https://surface.test.local",
          "region": "us-gov-west-1",
          "bucket": "stellaops-surface",
          "rootPrefix": "scanner",
          "apiKey": "secret-api-key",
          "apiKeyHeader": "X-Api-Key",
          "allowInsecureTls": true,
          "headers": {
            "X-Surface-Tenant": "tenant-a"
          }
        }
        """;

        using var handle = SurfaceSecretHandle.FromBytes(Encoding.UTF8.GetBytes(json));
        var secret = SurfaceSecretParser.ParseCasAccessSecret(handle);

        Assert.Equal("rustfs", secret.Driver);
        Assert.Equal("https://surface.test.local", secret.Endpoint);
        Assert.Equal("us-gov-west-1", secret.Region);
        Assert.Equal("stellaops-surface", secret.Bucket);
        Assert.Equal("scanner", secret.RootPrefix);
        Assert.Equal("secret-api-key", secret.ApiKey);
        Assert.Equal("X-Api-Key", secret.ApiKeyHeader);
        Assert.True(secret.AllowInsecureTls);
        Assert.Single(secret.Headers);
        Assert.Equal("tenant-a", secret.Headers["X-Surface-Tenant"]);
    }

    [Fact]
    public void ParseCasAccessSecret_UsesMetadataFallback_WhenFieldsMissing()
    {
        const string json = @"{ ""driver"": ""s3"" }";
        var metadata = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["endpoint"] = "https://s3.test.local",
            ["accessKeyId"] = "AKIA123",
            ["secretAccessKey"] = "s3-secret",
            ["header:X-Custom"] = "value"
        };

        using var handle = SurfaceSecretHandle.FromBytes(Encoding.UTF8.GetBytes(json), metadata);
        var secret = SurfaceSecretParser.ParseCasAccessSecret(handle);

        Assert.Equal("s3", secret.Driver);
        Assert.Equal("https://s3.test.local", secret.Endpoint);
        Assert.Equal("AKIA123", secret.AccessKeyId);
        Assert.Equal("s3-secret", secret.SecretAccessKey);
        Assert.Equal("value", secret.Headers["X-Custom"]);
    }
}