From 0b7387d46ccb61a4a7e11f17fcf4657f9ef09c8c Mon Sep 17 00:00:00 2001
From: Matt Clay
Date: Mon, 23 Oct 2023 14:49:50 -0700
Subject: [PATCH] Improve filter_encryption test

- Update `data2_vaulted_string_with_id` to match the documented plaintext.
- Add a comment explaining how `data2_vaulted_string_with_id` was derived.
- Add assertions for unvaulted values to ensure they match their plaintext.
- Add round-trip tests for vault+unvault when no salt is used.
---
 .../targets/filter_encryption/tasks/main.yml | 9 +++++++--
 .../targets/filter_encryption/vars/main.yml | 11 ++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/test/integration/targets/filter_encryption/tasks/main.yml b/test/integration/targets/filter_encryption/tasks/main.yml
index ad83f3c1f8e..4eb765d28b7 100644
--- a/test/integration/targets/filter_encryption/tasks/main.yml
+++ b/test/integration/targets/filter_encryption/tasks/main.yml
@@ -5,10 +5,15 @@
 - data1_plaintext|vault(data1_password, salt=data1_salt)|type_debug != 'AnsibleVaultEncryptedUnicode'
 - data1_plaintext|vault(data1_password, salt=data1_salt, wrap_object=True)|type_debug == 'AnsibleVaultEncryptedUnicode'
 
+- name: check round-trip without salt
+ assert:
+ that:
+ - data2_plaintext|vault(data2_password, vault_id=data2_vault_id)|unvault(data2_password, vault_id=data2_vault_id) == data2_plaintext
+
 - name: check unvaulting
 assert:
 that:
 - data1_vaulted_string_with_id|unvault(data1_password) == data1_plaintext
 - data1_vaulted|unvault(data1_password) == data1_plaintext
- - data2_vaulted_with_id|unvault(data2_password, vault_id=data2_vault_id)
- - data2_vaulted_string_with_id|unvault(data2_password, vault_id=data2_vault_id)
+ - data2_vaulted_with_id|unvault(data2_password, vault_id=data2_vault_id) == data2_plaintext
+ - data2_vaulted_string_with_id|unvault(data2_password, vault_id=data2_vault_id) == data2_plaintext
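Review bot: The new `check round-trip without salt` task only shows that `unvault` inverts `vault`; it would still pass if the unsalted path returned the same ciphertext on every call, which is the property that omitting `salt=` is meant to exclude. If each unsalted call is expected to draw a fresh salt (inferred from the task name, not visible in this hunk), add a second assertion under the same `that:` list, for example `- data2_plaintext|vault(data2_password, vault_id=data2_vault_id) != data2_plaintext|vault(data2_password, vault_id=data2_vault_id)`. The `check unvaulting` list also has no case where a wrong password is expected to fail, so a regression that ignored the secret would not be caught by the equality checks alone.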
diff --git a/test/integration/targets/filter_encryption/vars/main.yml b/test/integration/targets/filter_encryption/vars/main.yml
index c7314230e94..ca672f501eb 100644
--- a/test/integration/targets/filter_encryption/vars/main.yml
+++ b/test/integration/targets/filter_encryption/vars/main.yml
@@ -28,10 +28,11 @@ data2_vaulted_string_with_id: |
 32303038646437326134363662393038666538643065613136316361306132636231336233333362
 3665646531363138390a643530333038333936343262343638626535653564616537313635353633
 3865
+# value from template: {{ data2_plaintext | vault(data2_password, vault_id=data2_vault_id) }}
 data2_vaulted_with_id: !vault |
 $ANSIBLE_VAULT;1.2;AES256;test1
- 36383733336533656264393332663131613335333332346439356164383935656234663631356430
- 3533353537343834333538356366376233326364613362640a623832636339363966336238393039
- 35316562626335306534356162623030613566306235623863373036626531346364626166656134
- 3063376436656635330a363636376131663362633731313964353061663661376638326461393736
- 3863
+ 65383166333033626133363239373635393635353232316433386430316265316639663234326638
+ 6637623162613135623965386334313361383365326466340a316465653939333339393464623664
+ 32303038646437326134363662393038666538643065613136316361306132636231336233333362
+ 3665646531363138390a643530333038333936343262343638626535653564616537313635353633
+ 3865
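Review bot: The added comment `# value from template: ...` does not name the variable it documents: it sits directly after the `data2_vaulted_string_with_id` block and directly above `data2_vaulted_with_id`, and the commit message ties it to the former while the changed bytes belong to the latter. The last three lines of the new `data2_vaulted_with_id` blob are identical to the context lines of the string fixture above, so both fixtures appear to hold the same ciphertext now (the first lines of the string fixture are outside the hunk). Suggest wording it as `# data2_vaulted_string_with_id and data2_vaulted_with_id hold the same ciphertext, generated once from {{ data2_plaintext | vault(data2_password, vault_id=data2_vault_id) }}`. If the unsalted filter output differs between runs, also add `# no salt was given, so re-rendering the template will not reproduce these bytes`, so a maintainer does not treat a mismatch as corruption.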