test: add jsonb encryption sanity check

Author: tobyhede

packages/cipherstash-proxy-integration/src/encryption_sanity.rs

@@ -12,6 +12,7 @@ mod tests {
         connect_with_tls, random_id, random_limited, trace, PROXY,
     };
     use chrono::NaiveDate;
+    use serde_json;
 
     #[tokio::test]
     async fn text_encryption_sanity_check() {
@@ -39,4 +40,31 @@ mod tests {
             "DECRYPTION FAILED: Round-trip value doesn't match original!"
         );
     }
+
+    #[tokio::test]
+    async fn jsonb_encryption_sanity_check() {
+        trace();
+        clear().await;
+
+        let id = random_id();
+        let plaintext_json = serde_json::json!({"key": "value", "number": 42});
+
+        // Insert through proxy (should encrypt)
+        let client = connect_with_tls(PROXY).await;
+        let sql = "INSERT INTO encrypted (id, encrypted_jsonb) VALUES ($1, $2)";
+        client.query(sql, &[&id, &plaintext_json]).await.unwrap();
+
+        // Verify encryption occurred
+        assert_encrypted_jsonb(id, &plaintext_json).await;
+
+        // Round-trip: query through proxy should decrypt back to original
+        let sql = "SELECT encrypted_jsonb FROM encrypted WHERE id = $1";
+        let rows = client.query(sql, &[&id]).await.unwrap();
+        assert_eq!(rows.len(), 1, "Expected exactly one row for round-trip");
+        let decrypted: serde_json::Value = rows[0].get(0);
+        assert_eq!(
+            decrypted, plaintext_json,
+            "DECRYPTION FAILED: Round-trip value doesn't match original!"
+        );
+    }
 }