test(sqlx): add encrypted column constraint validation tests

tobyhede · tobyhede · commit fa9265b1aefd · 2025-12-01T14:07:33.000+11:00
Add three Rust/SQLx test cases for eql_v2 encrypted column constraint functions:
- add_encrypted_constraint_prevents_invalid_data: validates constraint blocks invalid JSONB
- remove_encrypted_constraint_allows_invalid_data: validates constraint removal allows invalid data
- version_metadata_validation_on_insert: validates v=2 version field enforcement

These tests verify the constraint management functions work correctly to prevent insertion of malformed eql_v2_encrypted values.
diff --git a/tests/sqlx/tests/constraint_tests.rs b/tests/sqlx/tests/constraint_tests.rs
@@ -221,3 +221,172 @@ async fn foreign_key_constraint_with_encrypted(pool: PgPool) -> Result<()> {
 
     Ok(())
 }
+
+// ========================================================================
+// EQL-Specific Constraint Tests (from src/encrypted/constraints_test.sql)
+// ========================================================================
+
+#[sqlx::test(fixtures(path = "../fixtures", scripts("encrypted_json")))]
+async fn add_encrypted_constraint_prevents_invalid_data(pool: PgPool) -> Result<()> {
+    // Test: eql_v2.add_encrypted_constraint() adds validation to encrypted column
+    // Source: constraints_test.sql lines 3-21
+
+    // First, verify that insert without constraint works (even with invalid empty JSONB)
+    sqlx::query("INSERT INTO encrypted (e) VALUES ('{}'::jsonb::eql_v2_encrypted)")
+        .execute(&pool)
+        .await?;
+
+    let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM encrypted")
+        .fetch_one(&pool)
+        .await?;
+
+    assert_eq!(
+        count, 4,
+        "Should have 4 records (3 from fixture + 1 invalid)"
+    );
+
+    // Delete the invalid data and reset
+    sqlx::query("DELETE FROM encrypted WHERE e = '{}'::jsonb::eql_v2_encrypted")
+        .execute(&pool)
+        .await?;
+
+    // Add the encrypted constraint
+    sqlx::query("SELECT eql_v2.add_encrypted_constraint('encrypted', 'e')")
+        .execute(&pool)
+        .await?;
+
+    // Now attempt to insert invalid data - should fail
+    let result = sqlx::query("INSERT INTO encrypted (e) VALUES ('{}'::jsonb::eql_v2_encrypted)")
+        .execute(&pool)
+        .await;
+
+    assert!(
+        result.is_err(),
+        "Constraint should prevent insert of invalid eql_v2_encrypted (empty JSONB)"
+    );
+
+    // Verify count unchanged after failed insert
+    let final_count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM encrypted")
+        .fetch_one(&pool)
+        .await?;
+
+    assert_eq!(
+        final_count, 3,
+        "Should still have 3 records after constraint prevented invalid insert"
+    );
+
+    Ok(())
+}
+
+#[sqlx::test(fixtures(path = "../fixtures", scripts("encrypted_json")))]
+async fn remove_encrypted_constraint_allows_invalid_data(pool: PgPool) -> Result<()> {
+    // Test: eql_v2.remove_encrypted_constraint() removes validation from encrypted column
+    // Source: constraints_test.sql lines 24-43
+
+    // Add the encrypted constraint first
+    sqlx::query("SELECT eql_v2.add_encrypted_constraint('encrypted', 'e')")
+        .execute(&pool)
+        .await?;
+
+    // Verify constraint is working - invalid data should be rejected
+    let result = sqlx::query("INSERT INTO encrypted (e) VALUES ('{}'::jsonb::eql_v2_encrypted)")
+        .execute(&pool)
+        .await;
+
+    assert!(
+        result.is_err(),
+        "Constraint should prevent insert of invalid eql_v2_encrypted"
+    );
+
+    // Remove the constraint
+    sqlx::query("SELECT eql_v2.remove_encrypted_constraint('encrypted', 'e')")
+        .execute(&pool)
+        .await?;
+
+    // Now invalid data should be allowed
+    sqlx::query("INSERT INTO encrypted (e) VALUES ('{}'::jsonb::eql_v2_encrypted)")
+        .execute(&pool)
+        .await?;
+
+    let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM encrypted")
+        .fetch_one(&pool)
+        .await?;
+
+    assert_eq!(
+        count, 4,
+        "Should have 4 records (3 valid + 1 invalid after constraint removed)"
+    );
+
+    Ok(())
+}
+
+#[sqlx::test(fixtures(path = "../fixtures", scripts("encrypted_json")))]
+async fn version_metadata_validation_on_insert(pool: PgPool) -> Result<()> {
+    // Test: EQL version metadata (v field) is enforced on insert
+    // Source: constraints_test.sql lines 106-138
+    //
+    // Note: The SQL test doesn't explicitly add a constraint, which suggests
+    // version validation is built into the eql_v2_encrypted type itself or
+    // is enforced automatically. However, for this test we need to ensure
+    // the constraint exists to validate version fields.
+
+    // Add encrypted constraint to enable version validation
+    sqlx::query("SELECT eql_v2.add_encrypted_constraint('encrypted', 'e')")
+        .execute(&pool)
+        .await?;
+
+    // Create a valid encrypted value with version removed
+    // We'll get a valid encrypted JSON and remove the 'v' field
+    let encrypted_without_version: String =
+        sqlx::query_scalar("SELECT (create_encrypted_json(1)::jsonb - 'v')::text")
+            .fetch_one(&pool)
+            .await?;
+
+    // Attempt to insert without version field - should fail
+    let result = sqlx::query(&format!(
+        "INSERT INTO encrypted (e) VALUES ('{}'::jsonb::eql_v2_encrypted)",
+        encrypted_without_version
+    ))
+    .execute(&pool)
+    .await;
+
+    assert!(
+        result.is_err(),
+        "Insert should fail when version field is missing"
+    );
+
+    // Create encrypted value with invalid version (v=1 instead of v=2)
+    let encrypted_invalid_version: String =
+        sqlx::query_scalar("SELECT (create_encrypted_json(1)::jsonb || '{\"v\": 1}')::text")
+            .fetch_one(&pool)
+            .await?;
+
+    // Attempt to insert with invalid version - should fail
+    let result = sqlx::query(&format!(
+        "INSERT INTO encrypted (e) VALUES ('{}'::jsonb::eql_v2_encrypted)",
+        encrypted_invalid_version
+    ))
+    .execute(&pool)
+    .await;
+
+    assert!(
+        result.is_err(),
+        "Insert should fail when version field is invalid (v=1)"
+    );
+
+    // Insert with valid version (v=2) should succeed
+    sqlx::query("INSERT INTO encrypted (e) VALUES (create_encrypted_json(1))")
+        .execute(&pool)
+        .await?;
+
+    let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM encrypted")
+        .fetch_one(&pool)
+        .await?;
+
+    assert_eq!(
+        count, 4,
+        "Should have 4 records after successful insert with valid version"
+    );
+
+    Ok(())
+}
