Skip to content

test(enterprise/dbcrypt): add Rotate/Decrypt/Delete regression tests#26979

Open
BobbyHo wants to merge 2 commits into
mainfrom
coder-25389
Open

test(enterprise/dbcrypt): add Rotate/Decrypt/Delete regression tests#26979
BobbyHo wants to merge 2 commits into
mainfrom
coder-25389

Conversation

@BobbyHo

@BobbyHo BobbyHo commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Related to #25389.

enterprise/dbcrypt/cliutil.go's Rotate, Decrypt, and Delete are the only interface for migrating database encryption keys, but had zero test coverage. Adds enterprise/dbcrypt/cliutil_test.go with per-table regression tests for all three functions.

Covered

The 7 tables currently handled by Rotate/Decrypt/Delete:

  • user_links, external_auth_links
  • user_secrets
  • gitsshkeys
  • ai_providers, ai_provider_keys, user_ai_provider_keys

Each table has a happy-path test verifying live rows (and, where the schema allows it, soft-deleted rows) round-trip correctly. Rotate and Decrypt additionally have a failure-path test per table confirming the operation aborts cleanly with a DecryptFailedError, leaving data untouched, when an active dbcrypt_keys entry isn't included in the operation. Delete takes no cipher argument, so instead each test confirms an encrypted row is wiped while a never-encrypted row is left untouched by the WHERE ... IS NOT NULL clauses in its SQL.

Gaps (follow-up)

crypto_keys, mcp_server_configs, and mcp_server_user_tokens are encrypted at rest but are not yet handled by Rotate/Decrypt/Delete at all. This is the bug reported in #25381: an incomplete --old-keys/--keys list against these tables fails with a foreign key violation on revoke. A follow-up PR will add both the cliutil.go fix and matching regression tests for these three tables.

cliutil.go's Rotate, Decrypt, and Delete are the only interface for
migrating database encryption keys, but had zero test coverage
(#25389). Adds per-table tests for the 7 currently covered
tables (user_links, external_auth_links, user_secrets, gitsshkeys,
ai_providers, ai_provider_keys, user_ai_provider_keys), covering the
happy path for all three functions plus, for Rotate/Decrypt, the
failure mode where an active dbcrypt_keys entry is omitted from the
operation.
@BobbyHo BobbyHo marked this pull request as ready for review July 2, 2026 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant