diff --git a/tests/unit/encryption-validation_test.bats b/tests/unit/encryption-validation_test.bats
index e893542..3e7237c 100644
--- a/tests/unit/encryption-validation_test.bats
+++ b/tests/unit/encryption-validation_test.bats
@@ -47,3 +47,85 @@
 # Should NOT reference 'kneluser'
 ! grep -q "kneluser" /workspace/config/hooks/installed/install-scripts.sh
 }
+
+# =============================================================================
+# ENCRYPTION PARAMETER VALIDATION (FINDING-007)
+# =============================================================================
+
+# Tests for preseed.cfg encryption configuration
+
+@test "preseed.cfg configures AES-XTS-PLAIN64 cipher" {
+ grep -q "partman-crypto/cipher aes-xts-plain64" /workspace/config/includes.installer/preseed.cfg || \
+ grep -q "partman-crypto/cipher string aes-xts-plain64" /workspace/config/includes.installer/preseed.cfg
+}
+
+@test "preseed.cfg configures 512-bit keysize" {
+ grep -q "partman-crypto/keysize 512" /workspace/config/includes.installer/preseed.cfg || \
+ grep -q "partman-crypto/keysize string 512" /workspace/config/includes.installer/preseed.cfg
+}
+
+@test "preseed.cfg enables LUKS2 format" {
+ grep -q "partman-crypto/use-luks2 boolean true" /workspace/config/includes.installer/preseed.cfg
+}
+
+@test "preseed.cfg enables crypto method for full disk encryption" {
+ grep -q "partman-auto/method string crypto" /workspace/config/includes.installer/preseed.cfg
+}
+
+@test "preseed.cfg enables secure disk erasure" {
+ grep -q "partman-crypto/erase_disks_secure boolean true" /workspace/config/includes.installer/preseed.cfg
+}
+
+# Tests for encryption-setup.sh proper configuration
+
+@test "encryption-setup.sh configures cipher in crypttab" {
+ grep -q "cipher=aes-xts-plain64" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "encryption-setup.sh configures key-size in crypttab" {
+ grep -q "key-size=512" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "encryption-setup.sh includes dm_crypt module" {
+ grep -q "dm_crypt" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "encryption-setup.sh includes aes_xts module" {
+ grep -q "aes_xts" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "encryption-setup.sh configures LUKS2 type" {
+ grep -q "luks2\|--type luks2" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+# Tests for encryption documentation accuracy
+
+@test "README documents AES-256-XTS cipher" {
+ grep -q "AES-256-XTS" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "README documents 512-bit key size" {
+ grep -q "512 bits\|Key Size: 512" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "README documents LUKS2 format" {
+ grep -q "Format: LUKS2\|LUKS2" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "README documents SHA-512 hash" {
+ grep -q "SHA-512\|Hash: SHA-512" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+# Integration tests - consistency checks
+
+@test "Cipher configuration is consistent between preseed and encryption-setup" {
+ # Both should reference aes-xts
+ grep -q "aes-xts" /workspace/config/includes.installer/preseed.cfg
+ grep -q "aes-xts" /workspace/config/hooks/installed/encryption-setup.sh
+}
+
+@test "Keysize configuration is consistent between preseed and encryption-setup" {
+ # Both should reference 512-bit key
+ grep -q "512" /workspace/config/includes.installer/preseed.cfg
+ grep -q "512" /workspace/config/hooks/installed/encryption-setup.sh
+}
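Review bot: The two consistency tests at the end of the hunk match bare substrings, so they can pass while the key size or cipher actually disagree: `grep -q "512"` against encryption-setup.sh is also satisfied by the `SHA-512` text that the "README documents SHA-512 hash" test expects in that same file. Reuse the specific patterns from the earlier tests instead, e.g. `grep -q "key-size=512" /workspace/config/hooks/installed/encryption-setup.sh` and `grep -Eq '^[^#]*partman-crypto/keysize[[:space:]]+(string[[:space:]]+)?512' /workspace/config/includes.installer/preseed.cfg`. The `^[^#]*` prefix is worth applying to the other preseed.cfg greps as well, because an unanchored match also accepts a commented-out setting and the test would then report the encryption parameter as configured when the installer ignores it. The four "README documents …" tests read encryption-setup.sh rather than a README; if the script is what generates the README, a comment above them such as `# README text is emitted by encryption-setup.sh` would make that clear, otherwise they should point at the README file itself.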