tests/test_encryption_service.py

"""
Rigorous Tests for Encryption Service.

Tests cover:
1. Private key loading (env, file, caching)
2. Direct RSA-OAEP decryption
3. Hybrid RSA+AES-GCM decryption
4. Main decrypt_data entry point
5. Multiple block decryption
6. Error handling and edge cases

Uses real cryptographic operations with test keypairs.
"""
import pytest
import base64
import json
import os
import tempfile
from unittest.mock import patch, MagicMock
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend


# =============================================================================
# Test Fixtures - Generate RSA keypair for testing
# =============================================================================

@pytest.fixture(scope="module")
def test_keypair():
    """Generate RSA keypair for testing."""
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )
    public_key = private_key.public_key()
    
    # Get PEM encoded private key
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    ).decode('utf-8')
    
    return {
        "private_key": private_key,
        "public_key": public_key,
        "private_pem": private_pem
    }


def encrypt_direct(public_key, plaintext: str) -> str:
    """Encrypt data using RSA-OAEP (for testing)."""
    encrypted = public_key.encrypt(
        plaintext.encode('utf-8'),
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    payload = {
        "type": "direct",
        "data": base64.b64encode(encrypted).decode('utf-8')
    }
    return base64.b64encode(json.dumps(payload).encode('utf-8')).decode('utf-8')


def encrypt_hybrid(public_key, plaintext: str) -> str:
    """Encrypt data using hybrid RSA+AES-GCM (for testing)."""
    # Generate random AES key and IV
    aes_key = os.urandom(32)  # 256-bit AES key
    iv = os.urandom(12)  # 96-bit IV for GCM
    
    # Encrypt plaintext with AES-GCM
    cipher = Cipher(
        algorithms.AES(aes_key),
        modes.GCM(iv),
        backend=default_backend()
    )
    encryptor = cipher.encryptor()
    ciphertext = encryptor.update(plaintext.encode('utf-8')) + encryptor.finalize()
    
    # Append auth tag to ciphertext
    encrypted_data = ciphertext + encryptor.tag
    
    # Encrypt AES key with RSA-OAEP
    encrypted_aes_key = public_key.encrypt(
        aes_key,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )
    
    payload = {
        "type": "hybrid",
        "key": base64.b64encode(encrypted_aes_key).decode('utf-8'),
        "iv": base64.b64encode(iv).decode('utf-8'),
        "data": base64.b64encode(encrypted_data).decode('utf-8')
    }
    return base64.b64encode(json.dumps(payload).encode('utf-8')).decode('utf-8')


# =============================================================================
# 1. Private Key Loading Tests
# =============================================================================

class TestPrivateKeyLoading:
    """Test load_private_key function."""
    
    def test_load_key_from_env_variable(self, test_keypair):
        """Load private key from PRIVATE_KEY env variable."""
        import services.encryption_service as es
        es._private_key = None  # Reset cache
        
        with patch.dict(os.environ, {"PRIVATE_KEY": test_keypair["private_pem"]}):
            key = es.load_private_key()
            assert key is not None
    
    def test_load_key_from_file(self, test_keypair):
        """Load private key from file when env var missing."""
        import services.encryption_service as es
        es._private_key = None  # Reset cache
        
        with tempfile.NamedTemporaryFile(mode='w', suffix='.pem', delete=False) as f:
            f.write(test_keypair["private_pem"])
            temp_path = f.name
        
        try:
            with patch.dict(os.environ, {}, clear=True):
                os.environ.pop("PRIVATE_KEY", None)
                with patch.object(es, 'PRIVATE_KEY_PATH', temp_path):
                    es._private_key = None
                    key = es.load_private_key()
                    assert key is not None
        finally:
            os.unlink(temp_path)
    
    def test_returns_none_when_no_key(self):
        """Return None when both env and file are missing."""
        import services.encryption_service as es
        es._private_key = None  # Reset cache
        
        with patch.dict(os.environ, {}, clear=True):
            os.environ.pop("PRIVATE_KEY", None)
            with patch.object(es, 'PRIVATE_KEY_PATH', '/nonexistent/path.pem'):
                es._private_key = None
                key = es.load_private_key()
                assert key is None
    
    def test_key_is_cached(self, test_keypair):
        """Key is cached after first load."""
        import services.encryption_service as es
        es._private_key = None  # Reset cache
        
        with patch.dict(os.environ, {"PRIVATE_KEY": test_keypair["private_pem"]}):
            key1 = es.load_private_key()
            key2 = es.load_private_key()
            assert key1 is key2
    
    def test_invalid_pem_handling(self):
        """Invalid PEM content falls back to file."""
        import services.encryption_service as es
        es._private_key = None  # Reset cache
        
        with patch.dict(os.environ, {"PRIVATE_KEY": "not-valid-pem"}):
            with patch.object(es, 'PRIVATE_KEY_PATH', '/nonexistent/path.pem'):
                es._private_key = None
                key = es.load_private_key()
                assert key is None  # Falls through to None


# =============================================================================
# 2. Direct RSA Decryption Tests
# =============================================================================

class TestDirectDecryption:
    """Test decrypt_direct function."""
    
    def test_decrypt_valid_rsa_data(self, test_keypair):
        """Decrypt valid RSA-OAEP encrypted data."""
        from services.encryption_service import decrypt_direct
        
        plaintext = "Hello, World!"
        encrypted = test_keypair["public_key"].encrypt(
            plaintext.encode('utf-8'),
            padding.OAEP(
                mgf=padding.MGF1(algorithm=hashes.SHA256()),
                algorithm=hashes.SHA256(),
                label=None
            )
        )
        
        payload = {"data": base64.b64encode(encrypted).decode('utf-8')}
        result = decrypt_direct(payload, test_keypair["private_key"])
        
        assert result == plaintext
    
    def test_invalid_base64(self, test_keypair):
        """Handle invalid base64 input."""
        from services.encryption_service import decrypt_direct
        
        payload = {"data": "not-valid-base64!!!"}
        
        with pytest.raises(Exception):
            decrypt_direct(payload, test_keypair["private_key"])
    
    def test_corrupted_encrypted_data(self, test_keypair):
        """Handle corrupted encrypted data."""
        from services.encryption_service import decrypt_direct
        
        # Random bytes that aren't valid RSA ciphertext
        payload = {"data": base64.b64encode(os.urandom(256)).decode('utf-8')}
        
        with pytest.raises(Exception):
            decrypt_direct(payload, test_keypair["private_key"])


# =============================================================================
# 3. Hybrid RSA+AES-GCM Decryption Tests
# =============================================================================

class TestHybridDecryption:
    """Test decrypt_hybrid function."""
    
    def test_decrypt_valid_hybrid_data(self, test_keypair):
        """Decrypt valid hybrid RSA+AES-GCM data."""
        from services.encryption_service import decrypt_hybrid
        
        plaintext = "This is a longer message that exceeds 190 bytes and needs hybrid encryption!"
        
        # Encrypt with test helper
        aes_key = os.urandom(32)
        iv = os.urandom(12)
        
        cipher = Cipher(algorithms.AES(aes_key), modes.GCM(iv), backend=default_backend())
        encryptor = cipher.encryptor()
        ciphertext = encryptor.update(plaintext.encode('utf-8')) + encryptor.finalize()
        encrypted_data = ciphertext + encryptor.tag
        
        encrypted_aes_key = test_keypair["public_key"].encrypt(
            aes_key,
            padding.OAEP(
                mgf=padding.MGF1(algorithm=hashes.SHA256()),
                algorithm=hashes.SHA256(),
                label=None
            )
        )
        
        payload = {
            "key": base64.b64encode(encrypted_aes_key).decode('utf-8'),
            "iv": base64.b64encode(iv).decode('utf-8'),
            "data": base64.b64encode(encrypted_data).decode('utf-8')
        }
        
        result = decrypt_hybrid(payload, test_keypair["private_key"])
        assert result == plaintext
    
    def test_tampered_ciphertext_fails(self, test_keypair):
        """Tampered ciphertext fails GCM authentication."""
        from services.encryption_service import decrypt_hybrid
        
        plaintext = "Original message"
        aes_key = os.urandom(32)
        iv = os.urandom(12)
        
        cipher = Cipher(algorithms.AES(aes_key), modes.GCM(iv), backend=default_backend())
        encryptor = cipher.encryptor()
        ciphertext = encryptor.update(plaintext.encode('utf-8')) + encryptor.finalize()
        encrypted_data = ciphertext + encryptor.tag
        
        # Tamper with ciphertext
        tampered_data = bytearray(encrypted_data)
        tampered_data[0] ^= 0xFF  # Flip bits
        
        encrypted_aes_key = test_keypair["public_key"].encrypt(
            aes_key,
            padding.OAEP(
                mgf=padding.MGF1(algorithm=hashes.SHA256()),
                algorithm=hashes.SHA256(),
                label=None
            )
        )
        
        payload = {
            "key": base64.b64encode(encrypted_aes_key).decode('utf-8'),
            "iv": base64.b64encode(iv).decode('utf-8'),
            "data": base64.b64encode(bytes(tampered_data)).decode('utf-8')
        }
        
        with pytest.raises(Exception):  # GCM auth failure
            decrypt_hybrid(payload, test_keypair["private_key"])
    
    def test_invalid_aes_key(self, test_keypair):
        """Handle corrupted/invalid AES key."""
        from services.encryption_service import decrypt_hybrid
        
        payload = {
            "key": base64.b64encode(os.urandom(256)).decode('utf-8'),  # Random, not RSA encrypted
            "iv": base64.b64encode(os.urandom(12)).decode('utf-8'),
            "data": base64.b64encode(os.urandom(100)).decode('utf-8')
        }
        
        with pytest.raises(Exception):
            decrypt_hybrid(payload, test_keypair["private_key"])


# =============================================================================
# 4. Main decrypt_data Entry Point Tests
# =============================================================================

class TestDecryptData:
    """Test decrypt_data main entry function."""
    
    def test_no_key_returns_status(self):
        """Return no_key_available when no private key."""
        import services.encryption_service as es
        es._private_key = None
        
        with patch.object(es, 'load_private_key', return_value=None):
            result = es.decrypt_data("some-encrypted-data")
            
            assert result["decryption_status"] == "no_key_available"
            assert "encrypted_data" in result
    
    def test_decrypt_direct_type(self, test_keypair):
        """Decrypt data with type='direct'."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext = '{"message": "hello"}'
        encrypted = encrypt_direct(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert result["message"] == "hello"
    
    def test_decrypt_hybrid_type(self, test_keypair):
        """Decrypt data with type='hybrid'."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext = '{"data": "long message here"}'
        encrypted = encrypt_hybrid(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert result["data"] == "long message here"
    
    def test_unknown_type_returns_error(self, test_keypair):
        """Unknown encryption type returns error."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        payload = {"type": "unknown_type", "data": "something"}
        encrypted = base64.b64encode(json.dumps(payload).encode()).decode()
        
        result = es.decrypt_data(encrypted)
        
        assert "decryption_error" in result
        assert "unknown" in result["decryption_error"].lower()
    
    def test_invalid_outer_base64(self, test_keypair):
        """Invalid outer base64 returns error."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        result = es.decrypt_data("not-valid-base64!!!")
        
        assert "decryption_error" in result
    
    def test_invalid_json_payload(self, test_keypair):
        """Invalid JSON payload returns error."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        # Valid base64 but not JSON
        encrypted = base64.b64encode(b"not json content").decode()
        
        result = es.decrypt_data(encrypted)
        
        assert "decryption_error" in result
    
    def test_non_json_decrypted_returns_raw(self, test_keypair):
        """Non-JSON decrypted content returns raw_data."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext = "just plain text, not JSON"
        encrypted = encrypt_direct(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert result["raw_data"] == plaintext


# =============================================================================
# 5. Multiple Blocks Tests
# =============================================================================

class TestMultipleBlocks:
    """Test decrypt_multiple_blocks function."""
    
    def test_decrypt_multiple_valid_blocks(self, test_keypair):
        """Decrypt multiple valid encrypted blocks."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext1 = '{"id": 1}'
        plaintext2 = '{"id": 2}'
        
        encrypted1 = encrypt_direct(test_keypair["public_key"], plaintext1)
        encrypted2 = encrypt_direct(test_keypair["public_key"], plaintext2)
        
        combined = f"{encrypted1},{encrypted2}"
        
        results = es.decrypt_multiple_blocks(combined)
        
        assert len(results) == 2
        assert results[0]["id"] == 1
        assert results[1]["id"] == 2
    
    def test_empty_input_returns_empty_list(self):
        """Empty input returns empty list."""
        import services.encryption_service as es
        
        results = es.decrypt_multiple_blocks("")
        
        assert results == []
    
    def test_handles_whitespace(self, test_keypair):
        """Handle extra whitespace in input."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext = '{"id": 1}'
        encrypted = encrypt_direct(test_keypair["public_key"], plaintext)
        
        # Add whitespace
        combined = f"  {encrypted}  ,  {encrypted}  "
        
        results = es.decrypt_multiple_blocks(combined)
        
        assert len(results) == 2
    
    def test_mixed_valid_invalid_blocks(self, test_keypair):
        """Handle mixed valid and invalid blocks."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        valid = encrypt_direct(test_keypair["public_key"], '{"valid": true}')
        invalid = "not-valid-encrypted-data"
        
        combined = f"{valid},{invalid}"
        
        results = es.decrypt_multiple_blocks(combined)
        
        assert len(results) == 2
        assert results[0]["valid"] == True
        assert "decryption_error" in results[1]


# =============================================================================
# 6. Edge Cases and Security Tests
# =============================================================================

class TestEdgeCases:
    """Test edge cases and security scenarios."""
    
    def test_empty_plaintext(self, test_keypair):
        """Handle empty plaintext."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext = ""
        encrypted = encrypt_direct(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert result["raw_data"] == ""
    
    def test_unicode_plaintext(self, test_keypair):
        """Handle unicode plaintext."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        plaintext = '{"emoji": "🔐🔑", "chinese": "加密"}'
        encrypted = encrypt_direct(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert result["emoji"] == "🔐🔑"
        assert result["chinese"] == "加密"
    
    def test_large_payload_hybrid(self, test_keypair):
        """Handle large payload with hybrid encryption."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        # Create large payload (> 190 bytes which requires hybrid)
        large_data = {"data": "x" * 1000}
        plaintext = json.dumps(large_data)
        encrypted = encrypt_hybrid(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert len(result["data"]) == 1000
    
    def test_payload_at_rsa_limit(self, test_keypair):
        """Handle payload near RSA size limit."""
        import services.encryption_service as es
        es._private_key = test_keypair["private_key"]
        
        # RSA-OAEP with SHA-256 and 2048-bit key: max ~190 bytes
        # Test with something just under
        plaintext = '{"d":"' + 'x' * 150 + '"}'
        encrypted = encrypt_direct(test_keypair["public_key"], plaintext)
        
        result = es.decrypt_data(encrypted)
        
        assert len(result["d"]) == 150


if __name__ == "__main__":
    pytest.main([__file__, "-v"])