IdentityShroud/IdentityShroud.Core.Tests/Services/DataEncryptionServiceTests.cs

using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Services;
using IdentityShroud.TestUtils.Substitutes;

namespace IdentityShroud.Core.Tests.Services;

public class DataEncryptionServiceTests
{
    private readonly IRealmContext _realmContext = Substitute.For<IRealmContext>();
    private readonly IDekEncryptionService _dekCryptor = new NullDekEncryptionService();// Substitute.For<IDekEncryptionService>();

    private readonly DekId _activeDekId = DekId.NewId();
    private readonly DekId _secondDekId = DekId.NewId();
    private DataEncryptionService CreateSut()
        => new(_realmContext, _dekCryptor);

    [Fact]
    public void Encrypt_UsesActiveKey()
    {
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([
            CreateRealmDek(_secondDekId, false),
            CreateRealmDek(_activeDekId, true),
        ]);

        var cipher = CreateSut().Encrypt("Hello"u8);
        
        Assert.Equal(_activeDekId, cipher.DekId);
    }

    [Fact]
    public void Decrypt_UsesCorrectKey()
    {
        var first = CreateRealmDek(_activeDekId, true);
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first ]);

        var sut = CreateSut();
        var cipher = sut.Encrypt("Hello"u8);

        // Deactivate original key
        first.Active = false;
        // Make new active
        var second = CreateRealmDek(_secondDekId, true);
        // Return both
        _realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first, second ]);


        var decoded = sut.Decrypt(cipher);

        Assert.Equal("Hello"u8, decoded);
    }
    
    private RealmDek CreateRealmDek(DekId id, bool active)
        => new()
        {
            Id = id,
            Active = active,
            Algorithm = "AES",
            KeyData = new(KekId.NewId(), RandomNumberGenerator.GetBytes(32)),
            RealmId = default,
        };
}
Improve test coverage 2026-02-27 18:50:28 +01:00			`using System.Security.Cryptography;`
			`using IdentityShroud.Core.Contracts;`
			`using IdentityShroud.Core.Model;`
			`using IdentityShroud.Core.Security;`
			`using IdentityShroud.Core.Services;`
			`using IdentityShroud.TestUtils.Substitutes;`

			`namespace IdentityShroud.Core.Tests.Services;`

			`public class DataEncryptionServiceTests`
			`{`
			`private readonly IRealmContext _realmContext = Substitute.For<IRealmContext>();`
			`private readonly IDekEncryptionService _dekCryptor = new NullDekEncryptionService();// Substitute.For<IDekEncryptionService>();`

			`private readonly DekId _activeDekId = DekId.NewId();`
			`private readonly DekId _secondDekId = DekId.NewId();`
			`private DataEncryptionService CreateSut()`
			`=> new(_realmContext, _dekCryptor);`

			`[Fact]`
			`public void Encrypt_UsesActiveKey()`
			`{`
			`_realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([`
			`CreateRealmDek(_secondDekId, false),`
			`CreateRealmDek(_activeDekId, true),`
			`]);`

			`var cipher = CreateSut().Encrypt("Hello"u8);`

			`Assert.Equal(_activeDekId, cipher.DekId);`
			`}`

			`[Fact]`
			`public void Decrypt_UsesCorrectKey()`
			`{`
			`var first = CreateRealmDek(_activeDekId, true);`
			`_realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first ]);`

			`var sut = CreateSut();`
			`var cipher = sut.Encrypt("Hello"u8);`

			`// Deactivate original key`
			`first.Active = false;`
			`// Make new active`
			`var second = CreateRealmDek(_secondDekId, true);`
			`// Return both`
			`_realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first, second ]);`


			`var decoded = sut.Decrypt(cipher);`

			`Assert.Equal("Hello"u8, decoded);`
			`}`

			`private RealmDek CreateRealmDek(DekId id, bool active)`
			`=> new()`
			`{`
			`Id = id,`
			`Active = active,`
			`Algorithm = "AES",`
			`KeyData = new(KekId.NewId(), RandomNumberGenerator.GetBytes(32)),`
			`RealmId = default,`
			`};`
			`}`