small nits

.github/workflows/release_build_infisical_cli.yml

@@ -10,10 +10,14 @@ permissions:
     contents: write
     # packages: write
     # issues: write
-
 jobs:
+    cli-integration-tests:
+        name: Run tests before deployment
+        uses: ./.github/workflows/run-cli-tests.yml
+
     goreleaser:
         runs-on: ubuntu-20.04
+        needs: [cli-integration-tests]
         steps:
             - uses: actions/checkout@v3
               with:

.github/workflows/run-cli-tests.yml

@@ -0,0 +1,34 @@
+name: Go CLI Tests
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "cli/**"
+
+    workflow_call:
+
+jobs:
+    test:
+        defaults:
+            run:
+                working-directory: ./cli
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - name: Setup Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: "1.21.x"
+            - name: Install dependencies
+              run: go get .
+            - name: Test with the Go CLI
+              env:
+                  CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+                  CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+                  CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+                  CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+                  CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+
+              run: go test -v -count=1 ./test

.gitignore

@@ -67,3 +67,5 @@ yarn-error.log*
 frontend-build
 
 *.tgz
+cli/infisical-merge
+cli/test/infisical-merge

cli/go.mod

@@ -29,6 +29,7 @@ require (
 require (
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
+	github.com/bradleyjkemp/cupaloy/v2 v2.8.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

cli/go.sum

@@ -51,6 +51,8 @@ github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGL
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/charmbracelet/lipgloss v0.5.0 h1:lulQHuVeodSgDez+3rGiuxlPVXSnhth442DATR2/8t8=
 github.com/charmbracelet/lipgloss v0.5.0/go.mod h1:EZLha/HbzEt7cYqdFPovlqy5FZPj0xFhg5SaqxScmgs=
@@ -324,6 +326,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

cli/packages/api/api.go

@@ -512,16 +512,23 @@ func CallUniversalAuthRefreshAccessToken(httpClient *resty.Client, request Unive
 
 func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Request) (GetRawSecretsV3Response, error) {
 	var getRawSecretsV3Response GetRawSecretsV3Response
-	response, err := httpClient.
+	req := httpClient.
 		R().
 		SetResult(&getRawSecretsV3Response).
 		SetHeader("User-Agent", USER_AGENT).
 		SetBody(request).
 		SetQueryParam("workspaceId", request.WorkspaceId).
 		SetQueryParam("environment", request.Environment).
-		SetQueryParam("secretPath", request.SecretPath).
+		SetQueryParam("secretPath", request.SecretPath)
-		SetQueryParam("include_imports", "false").
+
-		Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
+	if request.IncludeImport {
+		req.SetQueryParam("include_imports", "true")
+	}
+	if request.Recursive {
+		req.SetQueryParam("recursive", "true")
+	}
+
+	response, err := req.Get(fmt.Sprintf("%v/v3/secrets/raw", config.INFISICAL_URL))
 
 	if err != nil {
 		return GetRawSecretsV3Response{}, fmt.Errorf("CallGetRawSecretsV3: Unable to complete api request [err=%w]", err)

cli/packages/api/model.go

@@ -371,6 +371,22 @@ type ImportedSecretV3 struct {
 	Secrets     []EncryptedSecretV3 `json:"secrets"`
 }
 
+type ImportedRawSecretV3 struct {
+	SecretPath  string `json:"secretPath"`
+	Environment string `json:"environment"`
+	FolderId    string `json:"folderId"`
+	Secrets     []struct {
+		ID            string `json:"id"`
+		Workspace     string `json:"workspace"`
+		Environment   string `json:"environment"`
+		Version       int    `json:"version"`
+		Type          string `json:"type"`
+		SecretKey     string `json:"secretKey"`
+		SecretValue   string `json:"secretValue"`
+		SecretComment string `json:"secretComment"`
+	} `json:"secrets"`
+}
+
 type GetEncryptedSecretsV3Response struct {
 	Secrets         []EncryptedSecretV3 `json:"secrets"`
 	ImportedSecrets []ImportedSecretV3  `json:"imports,omitempty"`
@@ -542,6 +558,6 @@ type GetRawSecretsV3Response struct {
 		SecretValue   string `json:"secretValue"`
 		SecretComment string `json:"secretComment"`
 	} `json:"secrets"`
-	Imports []any `json:"imports"`
+	Imports []ImportedRawSecretV3 `json:"imports"`
 	ETag    string
 }

cli/packages/cmd/export.go

@@ -118,6 +118,8 @@ var exportCmd = &cobra.Command{
 			secrets = util.ExpandSecrets(secrets, authParams, "")
 		}
 		secrets = util.FilterSecretsByTag(secrets, tagSlugs)
+		secrets = util.SortSecretsByKeys(secrets)
+
 		output, err = formatEnvs(secrets, format)
 		if err != nil {
 			util.HandleError(err)

cli/packages/cmd/secrets.go

@@ -116,6 +116,9 @@ var secretsCmd = &cobra.Command{
 			secrets = util.ExpandSecrets(secrets, authParams, "")
 		}
 
+		// Sort the secrets by key so we can create a consistent output
+		secrets = util.SortSecretsByKeys(secrets)
+
 		visualize.PrintAllSecretDetails(secrets)
 		Telemetry.CaptureEvent("cli-command:secrets", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},

cli/packages/util/helper.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"sort"
 	"strings"
 	"time"
 
@@ -53,6 +54,14 @@ func GetBase64DecodedSymmetricEncryptionDetails(key string, cipher string, IV st
 	}, nil
 }
 
+// Helper function to sort the secrets by key so we can create a consistent output
+func SortSecretsByKeys(secrets []models.SingleEnvironmentVariable) []models.SingleEnvironmentVariable {
+	sort.Slice(secrets, func(i, j int) bool {
+		return secrets[i].Key < secrets[j].Key
+	})
+	return secrets
+}
+
 func IsSecretEnvironmentValid(env string) bool {
 	if env == "prod" || env == "dev" || env == "test" || env == "staging" {
 		return true

cli/packages/util/secrets.go

@@ -186,12 +186,12 @@ func GetPlainTextSecretsViaMachineIdentity(accessToken string, workspaceId strin
 		plainTextSecrets = append(plainTextSecrets, models.SingleEnvironmentVariable{Key: secret.SecretKey, Value: secret.SecretValue, Type: secret.Type, WorkspaceId: secret.Workspace})
 	}
 
-	// if includeImports {
+	if includeImports {
-	// 	plainTextSecrets, err = InjectImportedSecret(plainTextWorkspaceKey, plainTextSecrets, encryptedSecrets.ImportedSecrets)
+		plainTextSecrets, err = InjectRawImportedSecret(plainTextSecrets, rawSecrets.Imports)
-	// 	if err != nil {
+		if err != nil {
-	// 		return nil, err
+			return models.PlaintextSecretResult{}, err
-	// 	}
+		}
-	// }
+	}
 
 	return models.PlaintextSecretResult{
 		Secrets: plainTextSecrets,
@@ -252,6 +252,36 @@ func InjectImportedSecret(plainTextWorkspaceKey []byte, secrets []models.SingleE
 	return secrets, nil
 }
 
+func InjectRawImportedSecret(secrets []models.SingleEnvironmentVariable, importedSecrets []api.ImportedRawSecretV3) ([]models.SingleEnvironmentVariable, error) {
+	if importedSecrets == nil {
+		return secrets, nil
+	}
+
+	hasOverriden := make(map[string]bool)
+	for _, sec := range secrets {
+		hasOverriden[sec.Key] = true
+	}
+
+	for i := len(importedSecrets) - 1; i >= 0; i-- {
+		importSec := importedSecrets[i]
+		plainTextImportedSecrets := importSec.Secrets
+
+		for _, sec := range plainTextImportedSecrets {
+			if _, ok := hasOverriden[sec.SecretKey]; !ok {
+				secrets = append(secrets, models.SingleEnvironmentVariable{
+					Key:         sec.SecretKey,
+					WorkspaceId: sec.Workspace,
+					Value:       sec.SecretValue,
+					Type:        sec.Type,
+					ID:          sec.ID,
+				})
+				hasOverriden[sec.SecretKey] = true
+			}
+		}
+	}
+	return secrets, nil
+}
+
 func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tagSlugs string) []models.SingleEnvironmentVariable {
 	if tagSlugs == "" {
 		return plainTextSecrets

cli/test/.snapshots/test-TestServiceToken_ExportSecretsWithImports

@@ -0,0 +1,5 @@
+STAGING-SECRET-1='staging-value-1'
+STAGING-SECRET-2='staging-value-2'
+TEST-SECRET-1='test-value-1'
+TEST-SECRET-2='test-value-2'
+TEST-SECRET-3='test-value-3'

cli/test/.snapshots/test-TestServiceToken_ExportSecretsWithoutImports

@@ -0,0 +1,3 @@
+TEST-SECRET-1='test-value-1'
+TEST-SECRET-2='test-value-2'
+TEST-SECRET-3='test-value-3'

cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameRecursive

@@ -0,0 +1,7 @@
+┌─────────────────┬────────────────┬─────────────┐
+│ SECRET NAME     │ SECRET VALUE   │ SECRET TYPE │
+├─────────────────┼────────────────┼─────────────┤
+│ TEST-SECRET-1   │ test-value-1   │ shared      │
+│ TEST-SECRET-2   │ test-value-2   │ shared      │
+│ FOLDER-SECRET-1 │ folder-value-1 │ shared      │
+└─────────────────┴────────────────┴─────────────┘

cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameWithImports

@@ -0,0 +1,7 @@
+┌──────────────────┬─────────────────┬─────────────┐
+│ SECRET NAME      │ SECRET VALUE    │ SECRET TYPE │
+├──────────────────┼─────────────────┼─────────────┤
+│ TEST-SECRET-1    │ test-value-1    │ shared      │
+│ STAGING-SECRET-2 │ staging-value-2 │ shared      │
+│ FOLDER-SECRET-1  │ folder-value-1  │ shared      │
+└──────────────────┴─────────────────┴─────────────┘

cli/test/.snapshots/test-TestServiceToken_GetSecretsByNameWithNotFoundSecret

@@ -0,0 +1,8 @@
+┌─────────────────┬────────────────┬─────────────┐
+│ SECRET NAME     │ SECRET VALUE   │ SECRET TYPE │
+├─────────────────┼────────────────┼─────────────┤
+│ TEST-SECRET-1   │ test-value-1   │ shared      │
+│ TEST-SECRET-2   │ test-value-2   │ shared      │
+│ FOLDER-SECRET-1 │ folder-value-1 │ shared      │
+│ DOES-NOT-EXIST  │ *not found*    │ *not found* │
+└─────────────────┴────────────────┴─────────────┘

cli/test/.snapshots/test-TestServiceToken_RunCmdRecursiveAndImports

@@ -0,0 +1,2 @@
+ Injecting 6 Infisical secrets into your application process
+hello world

cli/test/.snapshots/test-TestServiceToken_RunCmdWithImports

@@ -0,0 +1,2 @@
+ Injecting 5 Infisical secrets into your application process
+hello world

cli/test/.snapshots/test-TestServiceToken_RunCmdWithoutImports

@@ -0,0 +1,2 @@
+ Injecting 3 Infisical secrets into your application process
+hello world

cli/test/.snapshots/test-TestServiceToken_SecretsGetWithImportsAndRecursiveCmd

@@ -0,0 +1,10 @@
+┌──────────────────┬─────────────────┬─────────────┐
+│ SECRET NAME      │ SECRET VALUE    │ SECRET TYPE │
+├──────────────────┼─────────────────┼─────────────┤
+│ FOLDER-SECRET-1  │ folder-value-1  │ shared      │
+│ STAGING-SECRET-1 │ staging-value-1 │ shared      │
+│ STAGING-SECRET-2 │ staging-value-2 │ shared      │
+│ TEST-SECRET-1    │ test-value-1    │ shared      │
+│ TEST-SECRET-2    │ test-value-2    │ shared      │
+│ TEST-SECRET-3    │ test-value-3    │ shared      │
+└──────────────────┴─────────────────┴─────────────┘

cli/test/.snapshots/test-TestServiceToken_SecretsGetWithoutImportsAndWithoutRecursiveCmd

@@ -0,0 +1,7 @@
+┌───────────────┬──────────────┬─────────────┐
+│ SECRET NAME   │ SECRET VALUE │ SECRET TYPE │
+├───────────────┼──────────────┼─────────────┤
+│ TEST-SECRET-1 │ test-value-1 │ shared      │
+│ TEST-SECRET-2 │ test-value-2 │ shared      │
+│ TEST-SECRET-3 │ test-value-3 │ shared      │
+└───────────────┴──────────────┴─────────────┘

cli/test/.snapshots/test-TestUniversalAuth_ExportSecretsWithImports

@@ -0,0 +1,5 @@
+STAGING-SECRET-1='staging-value-1'
+STAGING-SECRET-2='staging-value-2'
+TEST-SECRET-1='test-value-1'
+TEST-SECRET-2='test-value-2'
+TEST-SECRET-3='test-value-3'

cli/test/.snapshots/test-TestUniversalAuth_ExportSecretsWithoutImports

@@ -0,0 +1,3 @@
+TEST-SECRET-1='test-value-1'
+TEST-SECRET-2='test-value-2'
+TEST-SECRET-3='test-value-3'

cli/test/.snapshots/test-TestUniversalAuth_GetSecretsByNameRecursive

@@ -0,0 +1,7 @@
+┌─────────────────┬────────────────┬─────────────┐
+│ SECRET NAME     │ SECRET VALUE   │ SECRET TYPE │
+├─────────────────┼────────────────┼─────────────┤
+│ TEST-SECRET-1   │ test-value-1   │ shared      │
+│ TEST-SECRET-2   │ test-value-2   │ shared      │
+│ FOLDER-SECRET-1 │ folder-value-1 │ shared      │
+└─────────────────┴────────────────┴─────────────┘

cli/test/.snapshots/test-TestUniversalAuth_GetSecretsByNameWithImports

@@ -0,0 +1,7 @@
+┌──────────────────┬─────────────────┬─────────────┐
+│ SECRET NAME      │ SECRET VALUE    │ SECRET TYPE │
+├──────────────────┼─────────────────┼─────────────┤
+│ TEST-SECRET-1    │ test-value-1    │ shared      │
+│ STAGING-SECRET-2 │ staging-value-2 │ shared      │
+│ FOLDER-SECRET-1  │ folder-value-1  │ shared      │
+└──────────────────┴─────────────────┴─────────────┘

cli/test/.snapshots/test-TestUniversalAuth_GetSecretsByNameWithNotFoundSecret

@@ -0,0 +1,8 @@
+┌─────────────────┬────────────────┬─────────────┐
+│ SECRET NAME     │ SECRET VALUE   │ SECRET TYPE │
+├─────────────────┼────────────────┼─────────────┤
+│ TEST-SECRET-1   │ test-value-1   │ shared      │
+│ TEST-SECRET-2   │ test-value-2   │ shared      │
+│ FOLDER-SECRET-1 │ folder-value-1 │ shared      │
+│ DOES-NOT-EXIST  │ *not found*    │ *not found* │
+└─────────────────┴────────────────┴─────────────┘

cli/test/.snapshots/test-TestUniversalAuth_RunCmdRecursiveAndImports

@@ -0,0 +1,2 @@
+ Injecting 6 Infisical secrets into your application process
+hello world

cli/test/.snapshots/test-TestUniversalAuth_RunCmdWithImports

@@ -0,0 +1,2 @@
+ Injecting 5 Infisical secrets into your application process
+hello world

cli/test/.snapshots/test-TestUniversalAuth_RunCmdWithoutImports

@@ -0,0 +1,2 @@
+ Injecting 3 Infisical secrets into your application process
+hello world

cli/test/.snapshots/test-TestUniversalAuth_SecretsGetWithImportsAndRecursiveCmd

@@ -0,0 +1,10 @@
+┌──────────────────┬─────────────────┬─────────────┐
+│ SECRET NAME      │ SECRET VALUE    │ SECRET TYPE │
+├──────────────────┼─────────────────┼─────────────┤
+│ FOLDER-SECRET-1  │ folder-value-1  │ shared      │
+│ STAGING-SECRET-1 │ staging-value-1 │ shared      │
+│ STAGING-SECRET-2 │ staging-value-2 │ shared      │
+│ TEST-SECRET-1    │ test-value-1    │ shared      │
+│ TEST-SECRET-2    │ test-value-2    │ shared      │
+│ TEST-SECRET-3    │ test-value-3    │ shared      │
+└──────────────────┴─────────────────┴─────────────┘

cli/test/.snapshots/test-TestUniversalAuth_SecretsGetWithoutImportsAndWithoutRecursiveCmd

@@ -0,0 +1,7 @@
+┌───────────────┬──────────────┬─────────────┐
+│ SECRET NAME   │ SECRET VALUE │ SECRET TYPE │
+├───────────────┼──────────────┼─────────────┤
+│ TEST-SECRET-1 │ test-value-1 │ shared      │
+│ TEST-SECRET-2 │ test-value-2 │ shared      │
+│ TEST-SECRET-3 │ test-value-3 │ shared      │
+└───────────────┴──────────────┴─────────────┘

cli/test/.snapshots/test-TestUniversalAuth_SecretsGetWrongEnvironment

@@ -0,0 +1,4 @@
+error: CallGetRawSecretsV3: Unsuccessful response [GET https://app.infisical.com/api/v3/secrets/raw?environment=invalid-env&include_imports=true&recursive=true&secretPath=%2F&workspaceId=bef697d4-849b-4a75-b284-0922f87f8ba2] [status-code=500] [response={"statusCode":500,"error":"Internal Server Error","message":"'invalid-env' environment not found in project with ID bef697d4-849b-4a75-b284-0922f87f8ba2"}]
+
+
+If this issue continues, get support at https://infisical.com/slack

cli/test/export_test.go

@@ -0,0 +1,73 @@
+package tests
+
+import (
+	"testing"
+
+	"github.com/bradleyjkemp/cupaloy/v2"
+)
+
+func TestUniversalAuth_ExportSecretsWithImports(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestServiceToken_ExportSecretsWithImports(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_ExportSecretsWithoutImports(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestServiceToken_ExportSecretsWithoutImports(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}

cli/test/helper.go

@@ -0,0 +1,64 @@
+package tests
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"testing"
+)
+
+const (
+	CLI_NAME = "infisical-merge"
+)
+
+var (
+	FORMATTED_CLI_NAME = fmt.Sprintf("./%s", CLI_NAME)
+)
+
+type Credentials struct {
+	ClientID      string
+	ClientSecret  string
+	UAAccessToken string
+	ServiceToken  string
+	ProjectID     string
+	EnvSlug       string
+}
+
+var creds = Credentials{
+	UAAccessToken: "",
+	ClientID:      os.Getenv("CLI_TESTS_UA_CLIENT_ID"),
+	ClientSecret:  os.Getenv("CLI_TESTS_UA_CLIENT_SECRET"),
+	ServiceToken:  os.Getenv("CLI_TESTS_SERVICE_TOKEN"),
+	ProjectID:     os.Getenv("CLI_TESTS_PROJECT_ID"),
+	EnvSlug:       os.Getenv("CLI_TESTS_ENV_SLUG"),
+}
+
+func ExecuteCliCommand(command string, args ...string) (string, error) {
+	cmd := exec.Command(command, args...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return strings.TrimSpace(string(output)), err
+	}
+	return strings.TrimSpace(string(output)), nil
+}
+
+func SetupCli(t *testing.T) {
+
+	if creds.ClientID == "" || creds.ClientSecret == "" || creds.ServiceToken == "" || creds.ProjectID == "" || creds.EnvSlug == "" {
+		panic("Missing required environment variables")
+	}
+
+	// check if the CLI is already built, if not build it
+	alreadyBuilt := false
+	if _, err := os.Stat(FORMATTED_CLI_NAME); err == nil {
+		alreadyBuilt = true
+	}
+
+	if !alreadyBuilt {
+		if err := exec.Command("go", "build", "../.").Run(); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+}

cli/test/login_test.go

@@ -0,0 +1,29 @@
+package tests
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func MachineIdentityLoginCmd(t *testing.T) {
+	SetupCli(t)
+
+	if creds.UAAccessToken != "" {
+		return
+	}
+
+	jwtPattern := `^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$`
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "login", "--method=universal-auth", "--client-id", creds.ClientID, "--client-secret", creds.ClientSecret, "--plain", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	assert.Regexp(t, jwtPattern, output)
+
+	creds.UAAccessToken = output
+
+	// We can't use snapshot testing here because the output will be different every time
+}

cli/test/run_test.go

@@ -0,0 +1,120 @@
+package tests
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/bradleyjkemp/cupaloy/v2"
+)
+
+func TestServiceToken_RunCmdRecursiveAndImports(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent", "--", "echo", "hello world")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	output = string(bytes.Split([]byte(output), []byte("INF"))[1])
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+func TestServiceToken_RunCmdWithImports(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--", "echo", "hello world")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	output = string(bytes.Split([]byte(output), []byte("INF"))[1])
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_RunCmdRecursiveAndImports(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent", "--", "echo", "hello world")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	output = string(bytes.Split([]byte(output), []byte("INF"))[1])
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_RunCmdWithImports(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--", "echo", "hello world")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// remove the first few characters from the output because we don't care about the time, and it will change every time
+	output = string(bytes.Split([]byte(output), []byte("INF"))[1])
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_RunCmdWithoutImports(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false", "--", "echo", "hello world")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	output = string(bytes.Split([]byte(output), []byte("INF"))[1])
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestServiceToken_RunCmdWithoutImports(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false", "--", "echo", "hello world")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Remove everything before "INF" because it's not relevant to the test
+	output = string(bytes.Split([]byte(output), []byte("INF"))[1])
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}

cli/test/secrets_by_name_test.go

@@ -0,0 +1,106 @@
+package tests
+
+import (
+	"testing"
+
+	"github.com/bradleyjkemp/cupaloy/v2"
+)
+
+func TestServiceToken_GetSecretsByNameRecursive(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestServiceToken_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "DOES-NOT-EXIST", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestServiceToken_GetSecretsByNameWithImports(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "STAGING-SECRET-2", "FOLDER-SECRET-1", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_GetSecretsByNameRecursive(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "DOES-NOT-EXIST", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_GetSecretsByNameWithImports(t *testing.T) {
+	MachineIdentityLoginCmd(t)
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "STAGING-SECRET-2", "FOLDER-SECRET-1", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}

cli/test/secrets_test.go

@@ -0,0 +1,87 @@
+package tests
+
+import (
+	"testing"
+
+	"github.com/bradleyjkemp/cupaloy/v2"
+)
+
+func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestServiceToken_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.T) {
+	SetupCli(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
+	SetupCli(t)
+	MachineIdentityLoginCmd(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.T) {
+	SetupCli(t)
+	MachineIdentityLoginCmd(t)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
+
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}
+
+func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
+	SetupCli(t)
+	MachineIdentityLoginCmd(t)
+
+	output, _ := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", "invalid-env", "--recursive", "--silent")
+
+	// Use cupaloy to snapshot test the output
+	err := cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+
+}