chore: add encryption tests

Reterics · Reterics · commit ae05f51b0159 · 2025-08-27T21:03:11.000+02:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -10,7 +10,7 @@ readme = "README.md"
 requires-python = ">=3.12"
 keywords = [ "ai", "chat", "agent", "llm", "ollama", "openai",]
 classifiers = [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "License :: OSI Approved :: MIT License", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.12",]
-dependencies = [ "langchain~=0.3.25", "langchain_core~=0.3.58", "langchain_community~=0.3.24", "langchain-huggingface~=0.2.0", "sentence-transformers", "faiss-cpu", "PyYAML", "requests~=2.32.3", "hf_xet", "openai>=1.0.0", "dotenv~=0.9.9", "tiktoken~=0.9.0", "fastapi~=0.115.12", "uvicorn~=0.34.2", "pydantic~=2.11.4", "python-dotenv~=1.1.0", "openai-whisper", "coqui-tts", "sounddevice~=0.5.1", "scipy", "numpy~=1.26.4", "soundfile~=0.13.1", "python-multipart", "bs4~=0.0.2", "beautifulsoup4~=4.13.4",]
+dependencies = [ "langchain~=0.3.25", "langchain_core~=0.3.58", "langchain_community~=0.3.24", "langchain-huggingface~=0.2.0", "sentence-transformers", "faiss-cpu", "PyYAML", "requests~=2.32.3", "hf_xet", "openai>=1.0.0", "dotenv~=0.9.9", "tiktoken~=0.9.0", "fastapi~=0.115.12", "uvicorn~=0.34.2", "pydantic~=2.11.4", "python-dotenv~=1.1.0", "openai-whisper", "coqui-tts", "sounddevice~=0.5.1", "scipy", "numpy~=1.26.4", "soundfile~=0.13.1", "python-multipart", "bs4~=0.0.2", "beautifulsoup4~=4.13.4", "cryptography~=45.0.3", ]
 [[project.authors]]
 name = "Attila Reterics"
 email = "attila@reterics.com"
diff --git a/requirements-ci.txt b/requirements-ci.txt
@@ -1,20 +1,17 @@
-langchain~=0.3.25
 langchain_core~=0.3.58
 langchain_community~=0.3.24
 sentence-transformers
 PyYAML
 requests~=2.32.3
-hf_xet
-openai>=1.0.0
 dotenv~=0.9.9
 tiktoken~=0.9.0
 fastapi~=0.115.12
 uvicorn~=0.34.2
-requests
 pydantic~=2.11.4
 python-dotenv~=1.1.0
 pytest~=8.3.5
 beautifulsoup4~=4.13.4
 python-multipart
 pytest-cov
 bson~=0.5.10
+cryptography~=45.0.3
diff --git a/tests/unit/test_api_server.py b/tests/unit/test_api_server.py
@@ -3,80 +3,6 @@
 from fastapi.testclient import TestClient
 
 
-if 'cryptography' not in sys.modules:
-    crypto = types.ModuleType('cryptography')
-    sys.modules['cryptography'] = crypto
-
-    hazmat = types.ModuleType('cryptography.hazmat')
-    sys.modules['cryptography.hazmat'] = hazmat
-
-    primitives = types.ModuleType('cryptography.hazmat.primitives')
-    sys.modules['cryptography.hazmat.primitives'] = primitives
-
-    # hashes stub
-    hashes = types.ModuleType('cryptography.hazmat.primitives.hashes')
-    sys.modules['cryptography.hazmat.primitives.hashes'] = hashes
-    class SHA256: ...
-    hashes.SHA256 = SHA256
-
-    # kdf.hkdf stub
-    kdf = types.ModuleType('cryptography.hazmat.primitives.kdf')
-    sys.modules['cryptography.hazmat.primitives.kdf'] = kdf
-    hkdf = types.ModuleType('cryptography.hazmat.primitives.kdf.hkdf')
-    sys.modules['cryptography.hazmat.primitives.kdf.hkdf'] = hkdf
-    class HKDF:
-        def __init__(self, algorithm=None, length=32, salt=None, info=None):
-            self.length = length
-        def derive(self, shared_secret: bytes) -> bytes:
-            # return deterministic 32 bytes for tests
-            return (b'\x00' * self.length)
-    hkdf.HKDF = HKDF
-
-    # ciphers.aead AESGCM stub
-    ciphers = types.ModuleType('cryptography.hazmat.primitives.ciphers')
-    sys.modules['cryptography.hazmat.primitives.ciphers'] = ciphers
-    aead = types.ModuleType('cryptography.hazmat.primitives.ciphers.aead')
-    sys.modules['cryptography.hazmat.primitives.ciphers.aead'] = aead
-    class AESGCM:
-        def __init__(self, key: bytes):
-            self.key = key
-        def encrypt(self, iv: bytes, data: bytes, aad: bytes) -> bytes:
-            # return placeholder bytes; tests don't assert ciphertext
-            return b'ciphertext'
-    aead.AESGCM = AESGCM
-
-    # serialization stubs
-    serialization = types.ModuleType('cryptography.hazmat.primitives.serialization')
-    sys.modules['cryptography.hazmat.primitives.serialization'] = serialization
-    class Encoding:
-        Raw = object()
-    class PublicFormat:
-        Raw = object()
-    serialization.Encoding = Encoding
-    serialization.PublicFormat = PublicFormat
-
-    # asymmetric.x25519 stubs
-    asymmetric = types.ModuleType('cryptography.hazmat.primitives.asymmetric')
-    sys.modules['cryptography.hazmat.primitives.asymmetric'] = asymmetric
-    x25519 = types.ModuleType('cryptography.hazmat.primitives.asymmetric.x25519')
-    sys.modules['cryptography.hazmat.primitives.asymmetric.x25519'] = x25519
-    class X25519PrivateKey:
-        @staticmethod
-        def generate():
-            return X25519PrivateKey()
-        def public_key(self):
-            return self
-        def public_bytes(self, *args, **kwargs) -> bytes:
-            return b'\x00' * 32
-        def exchange(self, peer_public) -> bytes:
-            return b'\x01' * 32
-    class X25519PublicKey:
-        @staticmethod
-        def from_public_bytes(data: bytes):
-            return X25519PublicKey()
-    x25519.X25519PrivateKey = X25519PrivateKey
-    x25519.X25519PublicKey = X25519PublicKey
-
 # Ensure optional heavy/third-party modules won't break import
 # Mock AI libraries if not installed
 sys.modules['google'] = types.ModuleType('google')
diff --git a/tests/unit/test_encryption.py b/tests/unit/test_encryption.py
@@ -0,0 +1,147 @@
+import os
+from pathlib import Path
+import base64
+import json
+import shutil
+import tempfile
+import pytest
+
+from engine.security.encryption import (
+    EncryptionManager,
+    encrypt_sensitive_data,
+    decrypt_sensitive_data,
+)
+
+
+@pytest.fixture()
+def temp_dir(tmp_path: Path):
+    # Use a temp working dir to avoid polluting repo
+    cwd = os.getcwd()
+    os.chdir(tmp_path)
+    try:
+        yield tmp_path
+    finally:
+        os.chdir(cwd)
+
+
+def test_encrypt_decrypt_roundtrip_string(temp_dir: Path):
+    mgr = EncryptionManager()
+    plaintext = "hello secret"
+    token = mgr.encrypt(plaintext)
+    assert isinstance(token, (bytes, bytearray))
+    out = mgr.decrypt(token)
+    assert out == plaintext
+
+
+def test_encrypt_decrypt_roundtrip_bytes(temp_dir: Path):
+    mgr = EncryptionManager()
+    data = b"\x00\x01binary"
+    token = mgr.encrypt(data)
+    out = mgr.decrypt(token)
+    # decrypt returns str for non-JSON, so compare bytes->str decode
+    assert out == data.decode()
+
+
+def test_encrypt_decrypt_roundtrip_dict(temp_dir: Path):
+    mgr = EncryptionManager()
+    payload = {"a": 1, "b": "two"}
+    token = mgr.encrypt(payload)
+    out = mgr.decrypt(token)
+    assert isinstance(out, dict)
+    assert out == payload
+
+
+def test_encrypt_decrypt_file_flow(temp_dir: Path):
+    mgr = EncryptionManager()
+    src = Path("sample.txt")
+    src.write_text("file content", encoding="utf-8")
+
+    enc_path = mgr.encrypt_file(src)
+    assert enc_path.exists()
+    assert enc_path.suffix == ".enc"
+
+    dec_path = mgr.decrypt_file(enc_path)
+    assert dec_path.exists()
+    assert dec_path.read_text(encoding="utf-8") == "file content"
+
+
+def test_rotate_keys_and_multi_decrypt(temp_dir: Path):
+    mgr = EncryptionManager()
+    token_old = mgr.encrypt("keep me")
+
+    # rotate keys to ensure a new primary is added; keep both
+    mgr.rotate_keys(max_keys=2)
+
+    # Should still decrypt using MultiFernet
+    out = mgr.decrypt(token_old)
+    assert out == "keep me"
+
+
+def test_reencrypt_file_and_directory(temp_dir: Path):
+    mgr = EncryptionManager()
+    directory = Path("vault")
+    directory.mkdir()
+
+    # Prepare two files
+    for i in range(2):
+        p = directory / f"f{i}.txt"
+        p.write_text(f"data {i}", encoding="utf-8")
+        mgr.encrypt_file(p)
+        # remove plaintext
+        p.unlink()
+
+    # Now rotate keys and reencrypt directory
+    mgr.rotate_keys(max_keys=3)
+    success, total = mgr.reencrypt_directory(directory)
+    assert total == 2
+    assert success == 2
+
+
+def test_encrypt_sensitive_and_decrypt_sensitive_data(temp_dir: Path):
+    data = {
+        "username": "bob",
+        "password": "secret123",
+        "token": None,  # None should be ignored
+    }
+    sensitive = ["password", "token"]
+
+    enc = encrypt_sensitive_data(data, sensitive)
+    assert enc["username"] == "bob"
+    assert enc.get("password_encrypted") is True
+    # base64 string stored
+    enc_val = enc["password"]
+    assert isinstance(enc_val, str)
+
+    dec = decrypt_sensitive_data(enc)
+    assert dec.get("password_encrypted") is None
+    assert dec["password"] == "secret123"
+
+
+def test_init_with_password_derivation_creates_keys(temp_dir: Path):
+    # ensure no keys exist
+    keys_dir = Path("config") / "encryption_keys"
+    if keys_dir.exists():
+        shutil.rmtree(keys_dir)
+
+    mgr = EncryptionManager(password="passw0rd")
+    # current_keys.json should be created
+    key_file = keys_dir / "current_keys.json"
+    assert key_file.exists()
+    with open(key_file, "r") as f:
+        serialized = json.load(f)
+    assert isinstance(serialized, list) and len(serialized) >= 1
+    # keys are base64 strings
+    base64.b64decode(serialized[0]["key"])  # will raise if invalid
+
+
+def test_reencrypt_directory_handles_empty_and_invalid_path(temp_dir: Path):
+    mgr = EncryptionManager()
+
+    empty_dir = Path("empty")
+    empty_dir.mkdir()
+    succ, tot = mgr.reencrypt_directory(empty_dir)
+    assert (succ, tot) == (0, 0)
+
+    # non-existing path -> method catches and returns (0,0)
+    succ2, tot2 = mgr.reencrypt_directory(Path("no_such_dir"))
+    assert (succ2, tot2) == (0, 0)
