internal/cryptutil: fixed panic on nil pubkey

internal/cryptutil/encrypt_test.go

@@ -1,4 +1,4 @@
-package cryptutil
+package cryptutil // import "github.com/pomerium/pomerium/internal/cryptutil"
 
 import (
 	"crypto/rand"
@@ -33,6 +33,12 @@ func TestEncodeAndDecodeAccessToken(t *testing.T) {
 		t.Fatalf("unexpected err decrypting: %v", err)
 	}
 
+	// if less than 32 bytes, fail
+	_, err = c.Decrypt([]byte("oh"))
+	if err == nil {
+		t.Fatalf("should fail if <32 bytes output: %v", err)
+	}
+
 	if !reflect.DeepEqual(got, plaintext) {
 		t.Logf(" got: %v", got)
 		t.Logf("want: %v", plaintext)
@@ -189,3 +195,67 @@ func TestGenerateRandomString(t *testing.T) {
 		})
 	}
 }
+
+func TestXChaCha20Cipher_Marshal(t *testing.T) {
+
+	tests := []struct {
+		name    string
+		s       interface{}
+		wantErr bool
+	}{
+		{"unsupported type",
+			struct {
+				Animal string `json:"animal"`
+				Func   func() `json:"sound"`
+			}{
+				Animal: "cat",
+				Func:   func() {},
+			},
+			true},
+		{"simple",
+			struct {
+				Animal string `json:"animal"`
+				Sound  string `json:"sound"`
+			}{
+				Animal: "cat",
+				Sound:  "meow",
+			},
+			false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+
+			c, err := NewCipher(GenerateKey())
+			if err != nil {
+				t.Fatalf("unexpected err: %v", err)
+			}
+			_, err = c.Marshal(tt.s)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("XChaCha20Cipher.Marshal() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+		})
+	}
+}
+
+func TestNewCipher(t *testing.T) {
+
+	tests := []struct {
+		name    string
+		secret  []byte
+		wantErr bool
+	}{
+		{"simple 32 byte key", GenerateKey(), false},
+		{"key too short", []byte("what is entropy"), true},
+		{"key too long", []byte(GenerateRandomString(33)), true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := NewCipher(tt.secret)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewCipher() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+		})
+	}
+}