breakpilot-pwa/voice-service/tests/test_encryption.py

"""
Tests for Encryption Service
"""
import pytest
from services.encryption_service import EncryptionService


class TestEncryptionService:
    """Tests for encryption functionality."""

    @pytest.fixture
    def service(self):
        """Create encryption service instance."""
        return EncryptionService()

    def test_verify_key_hash_valid(self, service):
        """Test validating a correctly formatted key hash."""
        # SHA-256 produces 32 bytes = 44 chars in base64 (with padding)
        valid_hash = "sha256:eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg="  # 32 bytes base64
        assert service.verify_key_hash(valid_hash) is True

    def test_verify_key_hash_invalid_prefix(self, service):
        """Test rejecting hash with wrong prefix."""
        invalid_hash = "md5:dGVzdGtleWhhc2g="
        assert service.verify_key_hash(invalid_hash) is False

    def test_verify_key_hash_empty(self, service):
        """Test rejecting empty hash."""
        assert service.verify_key_hash("") is False
        assert service.verify_key_hash(None) is False

    def test_verify_key_hash_invalid_base64(self, service):
        """Test rejecting invalid base64."""
        invalid_hash = "sha256:not-valid-base64!!!"
        assert service.verify_key_hash(invalid_hash) is False

    def test_encrypt_decrypt_roundtrip(self, service):
        """Test that encryption and decryption work correctly."""
        plaintext = "Notiz zu Max: heute wiederholt gestoert"
        namespace_id = "test-ns-12345678"

        # Encrypt
        encrypted = service.encrypt_content(plaintext, namespace_id)
        assert encrypted.startswith("encrypted:")
        assert encrypted != plaintext

        # Decrypt
        decrypted = service.decrypt_content(encrypted, namespace_id)
        assert decrypted == plaintext

    def test_encrypt_different_namespaces(self, service):
        """Test that different namespaces produce different ciphertexts."""
        plaintext = "Same content"

        encrypted1 = service.encrypt_content(plaintext, "namespace-1")
        encrypted2 = service.encrypt_content(plaintext, "namespace-2")

        assert encrypted1 != encrypted2

    def test_decrypt_wrong_namespace_fails(self, service):
        """Test that decryption with wrong namespace fails."""
        plaintext = "Secret content"
        encrypted = service.encrypt_content(plaintext, "correct-namespace")

        with pytest.raises(Exception):
            service.decrypt_content(encrypted, "wrong-namespace")

    def test_decrypt_unencrypted_content(self, service):
        """Test that unencrypted content is returned as-is."""
        plaintext = "Not encrypted"
        result = service.decrypt_content(plaintext, "any-namespace")
        assert result == plaintext

    def test_register_namespace_key(self, service):
        """Test registering a namespace key hash."""
        valid_hash = "sha256:eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg="
        assert service.register_namespace_key("test-ns", valid_hash) is True

    def test_register_namespace_key_invalid(self, service):
        """Test registering invalid key hash."""
        invalid_hash = "invalid"
        assert service.register_namespace_key("test-ns", invalid_hash) is False

    def test_generate_key_hash(self):
        """Test key hash generation."""
        key = b"test-key-32-bytes-long-exactly!!"  # 32 bytes
        hash_result = EncryptionService.generate_key_hash(key)
        assert hash_result.startswith("sha256:")
        assert len(hash_result) > 10

    def test_generate_namespace_id(self):
        """Test namespace ID generation."""
        ns_id = EncryptionService.generate_namespace_id()
        assert ns_id.startswith("ns-")
        assert len(ns_id) == 3 + 32  # "ns-" + 32 hex chars

    def test_encryption_special_characters(self, service):
        """Test encryption of content with special characters."""
        plaintext = "Schüler mit Umlauten: äöüß 日本語 🎓"
        namespace_id = "test-ns"

        encrypted = service.encrypt_content(plaintext, namespace_id)
        decrypted = service.decrypt_content(encrypted, namespace_id)

        assert decrypted == plaintext

    def test_encryption_empty_string(self, service):
        """Test encryption of empty string."""
        encrypted = service.encrypt_content("", "test-ns")
        decrypted = service.decrypt_content(encrypted, "test-ns")
        assert decrypted == ""