53 lines
1.5 KiB
Python
53 lines
1.5 KiB
Python
"""Tests for decnet.web.db.secrets — Fernet encrypt/decrypt helper."""
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
from cryptography.fernet import Fernet, InvalidToken
|
|
|
|
from decnet.web.db import secrets as _mod
|
|
|
|
|
|
@pytest.fixture()
|
|
def fernet_key(monkeypatch) -> str:
|
|
key = Fernet.generate_key().decode()
|
|
monkeypatch.setenv("DECNET_SECRET_KEY", key)
|
|
return key
|
|
|
|
|
|
def test_round_trip(fernet_key):
|
|
plaintext = "sk-supersecret-api-key-12345"
|
|
ct = _mod.encrypt_secret(plaintext)
|
|
assert ct != plaintext
|
|
assert _mod.decrypt_secret(ct) == plaintext
|
|
|
|
|
|
def test_different_plaintexts_produce_different_ciphertexts(fernet_key):
|
|
ct1 = _mod.encrypt_secret("alpha")
|
|
ct2 = _mod.encrypt_secret("beta")
|
|
assert ct1 != ct2
|
|
|
|
|
|
def test_nondeterministic_encryption(fernet_key):
|
|
ct1 = _mod.encrypt_secret("same")
|
|
ct2 = _mod.encrypt_secret("same")
|
|
assert ct1 != ct2 # Fernet uses a random IV per call
|
|
|
|
|
|
def test_tampered_ciphertext_raises(fernet_key):
|
|
ct = _mod.encrypt_secret("secret")
|
|
tampered = ct[:-4] + "XXXX"
|
|
with pytest.raises(InvalidToken):
|
|
_mod.decrypt_secret(tampered)
|
|
|
|
|
|
def test_missing_key_raises_on_encrypt(monkeypatch):
|
|
monkeypatch.delenv("DECNET_SECRET_KEY", raising=False)
|
|
with pytest.raises(RuntimeError, match="DECNET_SECRET_KEY"):
|
|
_mod.encrypt_secret("anything")
|
|
|
|
|
|
def test_missing_key_raises_on_decrypt(monkeypatch):
|
|
monkeypatch.delenv("DECNET_SECRET_KEY", raising=False)
|
|
with pytest.raises(RuntimeError, match="DECNET_SECRET_KEY"):
|
|
_mod.decrypt_secret("gAAAAABanything")
|