test(proxy): add backwards compatibility tests for canonical config migration

freshtonic · freshtonic · commit 83611df097b8 · 2026-04-01T22:25:55.000+11:00
Add 9 unit tests covering ColumnType-to-Postgres type mapping and
CanonicalEncryptionConfig parsing to establish a safety net before
further refactoring:

- column.rs: 4 tests for column_type_to_postgres_type (text, json,
  json accessor, exhaustive variant coverage)
- config.rs: 5 tests for config map construction (identifier bridging,
  multi-table configs, invalid index validation, realistic EQL schema
  fixture, malformed JSON error handling)
diff --git a/packages/cipherstash-proxy/src/postgresql/context/column.rs b/packages/cipherstash-proxy/src/postgresql/context/column.rs
@@ -82,3 +82,55 @@ fn column_type_to_postgres_type(
         (ColumnType::Json, _) => postgres_types::Type::JSONB,
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use eql_mapper::EqlTermVariant;
+
+    #[test]
+    fn text_column_maps_to_postgres_text() {
+        assert_eq!(
+            column_type_to_postgres_type(&ColumnType::Text, EqlTermVariant::Full),
+            postgres_types::Type::TEXT
+        );
+    }
+
+    #[test]
+    fn json_column_maps_to_postgres_jsonb() {
+        assert_eq!(
+            column_type_to_postgres_type(&ColumnType::Json, EqlTermVariant::Full),
+            postgres_types::Type::JSONB
+        );
+    }
+
+    #[test]
+    fn json_accessor_maps_to_postgres_text() {
+        assert_eq!(
+            column_type_to_postgres_type(&ColumnType::Json, EqlTermVariant::JsonAccessor),
+            postgres_types::Type::TEXT
+        );
+    }
+
+    #[test]
+    fn all_column_types_have_postgres_mapping() {
+        let types = vec![
+            ColumnType::Boolean,
+            ColumnType::BigInt,
+            ColumnType::BigUInt,
+            ColumnType::Date,
+            ColumnType::Decimal,
+            ColumnType::Float,
+            ColumnType::Int,
+            ColumnType::SmallInt,
+            ColumnType::Timestamp,
+            ColumnType::Text,
+            ColumnType::Json,
+        ];
+
+        for ct in types {
+            // Should not panic
+            let _ = column_type_to_postgres_type(&ct, EqlTermVariant::Full);
+        }
+    }
+}
diff --git a/packages/cipherstash-proxy/src/proxy/encrypt_config/config.rs b/packages/cipherstash-proxy/src/proxy/encrypt_config/config.rs
@@ -285,4 +285,159 @@ mod tests {
             },
         );
     }
+
+    #[test]
+    fn config_map_preserves_table_and_column_names() {
+        let json = json!({
+            "v": 1,
+            "tables": {
+                "my_schema.users": {
+                    "email_address": {
+                        "cast_as": "text",
+                        "indexes": { "unique": {} }
+                    }
+                }
+            }
+        });
+
+        let config = parse(json);
+
+        let ident = Identifier::new("my_schema.users", "email_address");
+        let column = config.get(&ident).expect("column exists");
+        assert_eq!(column.name, "email_address");
+        assert_eq!(column.cast_type, ColumnType::Text);
+    }
+
+    #[test]
+    fn config_map_handles_multiple_tables() {
+        let json = json!({
+            "v": 1,
+            "tables": {
+                "users": {
+                    "email": { "cast_as": "text" }
+                },
+                "orders": {
+                    "total": { "cast_as": "int" }
+                }
+            }
+        });
+
+        let config = parse(json);
+
+        assert_eq!(config.len(), 2);
+
+        let email = config.get(&Identifier::new("users", "email")).expect("users.email exists");
+        assert_eq!(email.cast_type, ColumnType::Text);
+
+        let total = config.get(&Identifier::new("orders", "total")).expect("orders.total exists");
+        assert_eq!(total.cast_type, ColumnType::Int);
+    }
+
+    #[test]
+    fn invalid_config_returns_error() {
+        let json = json!({
+            "v": 1,
+            "tables": {
+                "users": {
+                    "email": {
+                        "cast_as": "text",
+                        "indexes": {
+                            "ste_vec": { "prefix": "test" }
+                        }
+                    }
+                }
+            }
+        });
+
+        let config: CanonicalEncryptionConfig = serde_json::from_value(json).unwrap();
+        let result = config.into_config_map();
+        assert!(result.is_err(), "ste_vec on text column should fail validation");
+    }
+
+    #[test]
+    fn real_eql_config_produces_correct_encrypt_config() {
+        let json = json!({
+            "v": 1,
+            "tables": {
+                "encrypted": {
+                    "encrypted_text": {
+                        "cast_as": "text",
+                        "indexes": { "unique": {}, "match": {}, "ore": {} }
+                    },
+                    "encrypted_bool": {
+                        "cast_as": "boolean",
+                        "indexes": { "unique": {}, "ore": {} }
+                    },
+                    "encrypted_int2": {
+                        "cast_as": "small_int",
+                        "indexes": { "unique": {}, "ore": {} }
+                    },
+                    "encrypted_int4": {
+                        "cast_as": "int",
+                        "indexes": { "unique": {}, "ore": {} }
+                    },
+                    "encrypted_int8": {
+                        "cast_as": "big_int",
+                        "indexes": { "unique": {}, "ore": {} }
+                    },
+                    "encrypted_float8": {
+                        "cast_as": "double",
+                        "indexes": { "unique": {}, "ore": {} }
+                    },
+                    "encrypted_date": {
+                        "cast_as": "date",
+                        "indexes": { "unique": {}, "ore": {} }
+                    },
+                    "encrypted_jsonb": {
+                        "cast_as": "jsonb",
+                        "indexes": {
+                            "ste_vec": { "prefix": "encrypted/encrypted_jsonb" }
+                        }
+                    },
+                    "encrypted_jsonb_filtered": {
+                        "cast_as": "jsonb",
+                        "indexes": {
+                            "ste_vec": {
+                                "prefix": "encrypted/encrypted_jsonb_filtered",
+                                "term_filters": [{ "kind": "downcase" }]
+                            }
+                        }
+                    }
+                }
+            }
+        });
+
+        let config = parse(json);
+
+        // All 9 columns present with correct Identifiers
+        assert_eq!(config.len(), 9);
+
+        // Verify legacy type aliases map correctly
+        let float_col = config.get(&Identifier::new("encrypted", "encrypted_float8")).unwrap();
+        assert_eq!(float_col.cast_type, ColumnType::Float);
+
+        let jsonb_col = config.get(&Identifier::new("encrypted", "encrypted_jsonb")).unwrap();
+        assert_eq!(jsonb_col.cast_type, ColumnType::Json);
+
+        // Verify index counts
+        let text_col = config.get(&Identifier::new("encrypted", "encrypted_text")).unwrap();
+        assert_eq!(text_col.indexes.len(), 3);
+
+        let bool_col = config.get(&Identifier::new("encrypted", "encrypted_bool")).unwrap();
+        assert_eq!(bool_col.indexes.len(), 2);
+
+        let jsonb_filtered = config.get(&Identifier::new("encrypted", "encrypted_jsonb_filtered")).unwrap();
+        assert_eq!(jsonb_filtered.indexes.len(), 1);
+    }
+
+    #[test]
+    fn malformed_json_returns_parse_error() {
+        let json = json!({
+            "v": 1,
+            "tables": "not a map"
+        });
+
+        let result = serde_json::from_value::<CanonicalEncryptionConfig>(json);
+        assert!(result.is_err());
+    }
 }
