elastic
diff --git a/‎internal/pkg/policy/parsed_policy_test.go‎
Lines changed: 26 additions & 0 deletions b/‎internal/pkg/policy/parsed_policy_test.go‎
Lines changed: 26 additions & 0 deletions
@@ -12,6 +12,8 @@ import (
 	"encoding/json"
 	"testing"
 
+	ftesting "github.com/elastic/fleet-server/v7/internal/pkg/testing"
+
 	"github.com/stretchr/testify/require"
 
 	"github.com/elastic/fleet-server/v7/internal/pkg/model"
@@ -29,6 +31,9 @@ var logstashOutputPolicy string
 //go:embed testdata/remote_es_policy.json
 var testPolicyRemoteES string
 
+//go:embed testdata/policy_with_secrets.json
+var policyWithSecrets string
+
 func TestNewParsedPolicy(t *testing.T) {
 	// Run two formatting of the same payload to validate that the sha2 remains the same
 	testcases := []struct {
@@ -102,3 +107,24 @@ func TestNewParsedPolicyRemoteES(t *testing.T) {
 	// Validate that default was found
 	require.Equal(t, "remote", pp.Default.Name)
 }
+
+func TestNewParsedPolicyWithSecrets(t *testing.T) {
+	// Load the model into the policy object
+	var m model.Policy
+	var d model.PolicyData
+	err := json.Unmarshal([]byte(policyWithSecrets), &d)
+	require.NoError(t, err)
+
+	m.Data = &d
+
+	bulker := ftesting.NewMockBulk()
+	pp, err := NewParsedPolicy(context.TODO(), bulker, m)
+	require.NoError(t, err)
+
+	// Validate that secrets where identified
+	require.Len(t, pp.SecretKeys, 4)
+	require.Contains(t, pp.SecretKeys, "outputs.fs-output.ssl.key")
+	require.Contains(t, pp.SecretKeys, "agent.download.ssl.key")
+	require.Contains(t, pp.SecretKeys, "inputs.0.streams.0.auth.basic.password")
+	require.Contains(t, pp.SecretKeys, "inputs.0.streams.1.auth.basic.password")
+}