all: stop depending on tink-go's testutil

creachadair · creachadair · commit 7d89605af449 · 2026-01-08T15:19:46.000-08:00
This is a follow-up to #150, because we missed a couple additional uses. Move the forked dependency to an internal package re-export the type name, and update all the usages.
diff --git a/cmd/setec/setec.go b/cmd/setec/setec.go
@@ -29,6 +29,7 @@ import (
 	"github.com/creachadair/flax"
 	"github.com/tailscale/setec/audit"
 	"github.com/tailscale/setec/client/setec"
+	"github.com/tailscale/setec/internal/tinktestutil"
 	"github.com/tailscale/setec/server"
 	"github.com/tailscale/setec/types/api"
 	"github.com/tink-crypto/tink-go-awskms/v2/integration/awskms"
@@ -188,7 +189,7 @@ func runServer(env *command.Env) error {
 			serverArgs.Hostname = "setec-dev"
 		}
 		if serverArgs.KMSKeyName == "" {
-			kek = &dummyAEAD{
+			kek = &tinktestutil.DummyAEAD{
 				Name: "SetecDevOnlyDummyEncryption",
 			}
 		}
diff --git a/internal/tinktestutil/dummy-tink.go b/internal/tinktestutil/dummy-tink.go
@@ -14,14 +14,13 @@
 //
 ////////////////////////////////////////////////////////////////////////////////
 
-// This file is a copy of tink-go's https://github.com/tink-crypto/tink-go/blob/v2.1.0/testutil/testutil.go#L90-L130
-// with its type name unexported.
+// This file a copy of tink-go's https://github.com/tink-crypto/tink-go/blob/v2.1.0/testutil/testutil.go#L90-L130
 //
 // We do this to avoid https://github.com/tink-crypto/tink-go/issues/31 happening
 // in tink-go's testutil init function, which breaks our assumptions in CI
 // that things don't hit the network.
 
-package main
+package tinktestutil
 
 import (
 	"bytes"
@@ -30,11 +29,11 @@ import (
 	"fmt"
 )
 
-// dummyAEAD is a dummy implementation of AEAD interface. It "encrypts" data
+// DummyAEAD is a dummy implementation of AEAD interface. It "encrypts" data
 // with a simple serialization capturing the dummy name, plaintext, and
 // associated data, and "decrypts" it by reversing this and checking that the
 // name and associated data match.
-type dummyAEAD struct {
+type DummyAEAD struct {
 	Name string
 }
 
@@ -45,7 +44,7 @@ type dummyAEADData struct {
 }
 
 // Encrypt encrypts the plaintext.
-func (a *dummyAEAD) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) {
+func (a *DummyAEAD) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) {
 	buf := new(bytes.Buffer)
 	encoder := gob.NewEncoder(buf)
 	err := encoder.Encode(dummyAEADData{
@@ -60,7 +59,7 @@ func (a *dummyAEAD) Encrypt(plaintext []byte, associatedData []byte) ([]byte, er
 }
 
 // Decrypt decrypts the ciphertext.
-func (a *dummyAEAD) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
+func (a *DummyAEAD) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
 	data := dummyAEADData{}
 	decoder := gob.NewDecoder(bytes.NewBuffer(ciphertext))
 	if err := decoder.Decode(&data); err != nil {
diff --git a/server/server_test.go b/server/server_test.go
@@ -17,10 +17,10 @@ import (
 	"github.com/tailscale/setec/audit"
 	"github.com/tailscale/setec/client/setec"
 	"github.com/tailscale/setec/db"
+	"github.com/tailscale/setec/internal/tinktestutil"
 	"github.com/tailscale/setec/server"
 	"github.com/tailscale/setec/setectest"
 	"github.com/tailscale/setec/types/api"
-	"github.com/tink-crypto/tink-go/v2/testutil"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/tailcfg"
 )
@@ -37,7 +37,7 @@ func TestNew(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "test.db")
 		_, err := server.New(ctx, server.Config{
 			DBPath:   path,
-			Key:      &testutil.DummyAEAD{Name: t.Name()},
+			Key:      &tinktestutil.DummyAEAD{Name: t.Name()},
 			AuditLog: audit.New(io.Discard),
 			Mux:      http.NewServeMux(),
 		})
@@ -47,7 +47,7 @@ func TestNew(t *testing.T) {
 	})
 	t.Run("DB", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "test.db")
-		kdb, err := db.Open(path, &testutil.DummyAEAD{Name: t.Name()}, audit.New(io.Discard))
+		kdb, err := db.Open(path, &tinktestutil.DummyAEAD{Name: t.Name()}, audit.New(io.Discard))
 		if err != nil {
 			t.Fatalf("Open database: %v", err)
 		}
diff --git a/setectest/dbtest.go b/setectest/dbtest.go
@@ -12,8 +12,8 @@ import (
 	"github.com/tailscale/setec/acl"
 	"github.com/tailscale/setec/audit"
 	"github.com/tailscale/setec/db"
+	"github.com/tailscale/setec/internal/tinktestutil"
 	"github.com/tailscale/setec/types/api"
-	"github.com/tink-crypto/tink-go/v2/testutil"
 	"github.com/tink-crypto/tink-go/v2/tink"
 )
 
@@ -71,7 +71,7 @@ func NewDB(t *testing.T, opts *DBOptions) *DB {
 	t.Helper()
 
 	path := filepath.Join(t.TempDir(), "test.db")
-	key := &testutil.DummyAEAD{Name: "setectest.DB." + t.Name()}
+	key := &tinktestutil.DummyAEAD{Name: "setectest.DB." + t.Name()}
 	adb, err := db.Open(path, key, opts.auditWriter())
 	if err != nil {
 		t.Fatalf("Creating test DB: %v", err)

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ import (`
`29`	`29`	`"github.com/creachadair/flax"`
`30`	`30`	`"github.com/tailscale/setec/audit"`
`31`	`31`	`"github.com/tailscale/setec/client/setec"`
	`32`	`+ "github.com/tailscale/setec/internal/tinktestutil"`
`32`	`33`	`"github.com/tailscale/setec/server"`
`33`	`34`	`"github.com/tailscale/setec/types/api"`
`34`	`35`	`"github.com/tink-crypto/tink-go-awskms/v2/integration/awskms"`
`@@ -188,7 +189,7 @@ func runServer(env *command.Env) error {`
`188`	`189`	`serverArgs.Hostname = "setec-dev"`
`189`	`190`	`}`
`190`	`191`	`if serverArgs.KMSKeyName == "" {`
`191`		`- kek = &dummyAEAD{`
	`192`	`+ kek = &tinktestutil.DummyAEAD{`
`192`	`193`	`Name: "SetecDevOnlyDummyEncryption",`
`193`	`194`	`}`
`194`	`195`	`}`