Files
Termix/src/backend/utils/credential-system-encryption-migration.test.ts
T
LukeGus ef4969dd35 refactor(db): collapse repository rollout scaffolding into single factory
Repositories are now the only data path. Replaces the 41 current-*-repository
wrapper files, the DATABASE_LAYER_REPOSITORY_ROLLOUT flag/alias map and the
unused database/runtime adapter with repositories/factory.ts, a plain
DatabaseContext type and an in-memory TestSqliteDatabase test harness.
2026-07-15 23:56:02 -05:00

80 lines
2.7 KiB
TypeScript

import { beforeEach, describe, expect, it, vi } from "vitest";
import { CredentialSystemEncryptionMigration } from "./credential-system-encryption-migration.js";
import { DataCrypto } from "./data-crypto.js";
import { FieldCrypto } from "./field-crypto.js";
import { SystemCrypto } from "./system-crypto.js";
const credentialRepository = {
listMissingSystemEncryptionByUserId: vi.fn(),
updateSystemEncryptionForUser: vi.fn(),
};
const sharedCredentialRepository = {
markNeedsReEncryptionByOriginalCredentialId: vi.fn(),
};
vi.mock("../database/repositories/factory.js", () => ({
createCurrentCredentialRepository: vi.fn(() => credentialRepository),
createCurrentSharedCredentialRepository: vi.fn(
() => sharedCredentialRepository,
),
}));
describe("CredentialSystemEncryptionMigration", () => {
beforeEach(() => {
vi.restoreAllMocks();
credentialRepository.listMissingSystemEncryptionByUserId.mockReset();
credentialRepository.updateSystemEncryptionForUser.mockReset();
sharedCredentialRepository.markNeedsReEncryptionByOriginalCredentialId.mockReset();
});
it("migrates missing credential system-key copies through repositories", async () => {
vi.spyOn(DataCrypto, "getUserDataKey").mockReturnValue(
Buffer.from("user-key"),
);
vi.spyOn(
SystemCrypto.getInstance(),
"getCredentialSharingKey",
).mockResolvedValue(Buffer.from("system-key"));
vi.spyOn(FieldCrypto, "decryptField").mockImplementation(
(_value, _key, _recordId, fieldName) => `plain-${fieldName}`,
);
vi.spyOn(FieldCrypto, "encryptField").mockImplementation(
(value, _key, _recordId, fieldName) => `system-${fieldName}-${value}`,
);
credentialRepository.listMissingSystemEncryptionByUserId.mockResolvedValue([
{
id: 123,
userId: "user-1",
password: "encrypted-password",
key: "encrypted-key",
keyPassword: "encrypted-key-password",
},
]);
await expect(
new CredentialSystemEncryptionMigration().migrateUserCredentials(
"user-1",
),
).resolves.toEqual({ migrated: 1, failed: 0, skipped: 0 });
expect(
credentialRepository.listMissingSystemEncryptionByUserId,
).toHaveBeenCalledWith("user-1");
expect(
credentialRepository.updateSystemEncryptionForUser,
).toHaveBeenCalledWith(
"user-1",
123,
expect.objectContaining({
systemPassword: "system-password-plain-password",
systemKey: "system-key-plain-key",
systemKeyPassword: "system-key_password-plain-keyPassword",
}),
);
expect(
sharedCredentialRepository.markNeedsReEncryptionByOriginalCredentialId,
).toHaveBeenCalledWith(123);
});
});