Skip to content

Encryption sanity checks#341

Merged
tobyhede merged 13 commits into
mainfrom
encryption-sanity-checks
Dec 16, 2025
Merged

Encryption sanity checks#341
tobyhede merged 13 commits into
mainfrom
encryption-sanity-checks

Conversation

@tobyhede
Copy link
Copy Markdown
Contributor

@tobyhede tobyhede commented Dec 15, 2025

Goal: Add encryption verification tests to ensure data is actually encrypted, preventing silent mapping failures from going undetected.

Architecture: Create a reusable assert_encrypted helper in common.rs that queries the database directly (bypassing proxy) and asserts stored value differs from plaintext. Add one sanity check test per data type.

@tobyhede tobyhede force-pushed the encryption-sanity-checks branch from a6f7c84 to 6a27d0c Compare December 15, 2025 04:08
auxesis
auxesis requested changes Dec 15, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@auxesis auxesis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The encryption tests are good, but I don't think we should be introducing complexity into which builds run in what context.

Let's strip this PR down to just the encryption tests, and we can address the build changes in a separate PR.

Comment thread .github/workflows/test.yml Outdated
@tobyhede tobyhede force-pushed the encryption-sanity-checks branch from c629f8f to 6a27d0c Compare December 16, 2025 01:10
@tobyhede
fix(clippy): replace map_or_else with unwrap_or_else for identity clo…
cc6d149 
…sure

The identity closure |t| t in map_or_else is unnecessary.
Using unwrap_or_else is more idiomatic when the Some value
doesn't need transformation.
@tobyhede
feat(tests): add assert_encrypted_text helper for encryption verifica…
1fbd29a 
…tion
@tobyhede
feat(tests): add assert_encrypted_jsonb helper for encryption verific…
8666b06 
…ation
@tobyhede
fix(tests): correct misleading comment in assert_encrypted_numeric
98e81bc
@tobyhede
feat(tests): add encryption_sanity module for encryption verification…
56765a5 
… tests
@tobyhede
test: add text encryption sanity check
2bc0576
@tobyhede
test: add jsonb encryption sanity check
627b3ed
@tobyhede
test: add float8, bool, and date encryption sanity checks
e8b6e71
@tobyhede
fix(tests): add encryption verification to insert_jsonb_for_search() …
da3be2a 
…helper
@tobyhede
chore: restore .claude configuration files
3e56d7f
@tobyhede
style: format and fix clippy warnings
01b14cf
@tobyhede
fix: remove unused imports and avoid PI approximation in tests
47592d1
@tobyhede tobyhede force-pushed the encryption-sanity-checks branch from 6a27d0c to 47592d1 Compare December 16, 2025 01:17
@tobyhede
feat(context): support unquoted identifiers for CIPHERSTASH.KEYSET_NAME
8f91e79 
Add support for unquoted PostgreSQL identifiers when setting keyset name
via SET CIPHERSTASH.KEYSET_NAME. Previously only quoted strings and
numbers were accepted; now valid PG identifiers work without quotes.

Update tests to validate the new behavior and adjust invalid test cases.
@tobyhede tobyhede requested a review from auxesis December 16, 2025 05:34
auxesis
auxesis approved these changes Dec 16, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@auxesis auxesis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this @tobyhede.

Great to have this extra layer of tests to verify the encryption works as expected.

@tobyhede tobyhede merged commit f843f1f into main Dec 16, 2025
5 checks passed
@tobyhede tobyhede deleted the encryption-sanity-checks branch December 16, 2025 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@auxesis auxesis auxesis approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tobyhede @auxesis