tests/test_rotation.py
1 """Tests for KeyRotationPolicy."""
2
3 from __future__ import annotations
4
5 import time
6
7 from pqc_kv_cache.rotation import KeyRotationPolicy, RotationTrigger
8 from pqc_kv_cache.session import TenantIdentity, establish_tenant_session
9
10
def test_policy_no_trigger_below_thresholds() -> None:
    """A freshly established session must not be flagged for rotation.

    No sequence numbers are consumed and the 3600-second age limit cannot
    have elapsed, so neither threshold of the policy is reached.
    """
    rotation_policy = KeyRotationPolicy(max_entries=1000, max_age_seconds=3600)
    session = establish_tenant_session(TenantIdentity(tenant_id="t1"))

    needs_rotation, reason = rotation_policy.should_rotate(session)

    # Both halves of the result are pinned: the flag and the absent trigger.
    assert needs_rotation is False
    assert reason is None
17
18
def test_policy_triggers_on_entry_count() -> None:
    """Consuming ``max_entries`` sequence numbers must request rotation.

    The limit is 3 and exactly 3 sequence numbers are consumed, so the test
    pins the boundary: the policy fires when the count equals the limit,
    not only once it has been exceeded.
    """
    entry_limit = 3
    session = establish_tenant_session(TenantIdentity(tenant_id="t1"))
    rotation_policy = KeyRotationPolicy(
        max_entries=entry_limit,
        max_age_seconds=3600,
    )

    consumed = 0
    while consumed < entry_limit:
        session.consume_sequence()
        consumed += 1

    needs_rotation, reason = rotation_policy.should_rotate(session)
    assert needs_rotation is True
    # The age limit is far away, so the reported cause must be the entry count.
    assert reason is RotationTrigger.ENTRY_COUNT
27
28
def test_policy_triggers_on_time_elapsed() -> None:
    """A session older than ``max_age_seconds`` must request rotation.

    The age limit is 1 second and the test really sleeps for 1.1 seconds,
    so it adds about a second to every run.
    """
    session = establish_tenant_session(TenantIdentity(tenant_id="t1"))
    rotation_policy = KeyRotationPolicy(max_entries=1000, max_age_seconds=1)

    # Sleep slightly past the limit so the check does not sit on the boundary.
    # NOTE(review): a clock the test controls would make this deterministic;
    # whether the policy or session accepts one is not visible here.
    time.sleep(1.1)

    outcome = rotation_policy.should_rotate(session)
    needs_rotation, reason = outcome
    assert needs_rotation is True
    # No sequence numbers were consumed, so the cause must be the session age.
    assert reason is RotationTrigger.TIME_ELAPSED
36
37
def test_rotate_produces_new_32_byte_key() -> None:
    """``rotate`` must return a 32-byte key and install it on the session.

    The inequality check only proves that the key changed. It says nothing
    about how the replacement key was generated or whether it is independent
    of the previous one.
    """
    session = establish_tenant_session(TenantIdentity(tenant_id="t1"))
    key_before = session.symmetric_key

    key_after = KeyRotationPolicy().rotate(session)

    assert len(key_after) == 32
    assert key_after != key_before
    # The returned key and the key stored on the session must be the same.
    assert session.symmetric_key == key_after
46
47
def test_rotate_resets_entries_encrypted() -> None:
    """Rotation must reset the session's usage counters.

    Five sequence numbers are consumed first, which the test confirms raises
    ``entries_encrypted`` to 5. After rotation the count is 0 and the next
    sequence number is 1.
    """
    consumed_before_rotation = 5
    session = establish_tenant_session(TenantIdentity(tenant_id="t1"))
    for _step in range(consumed_before_rotation):
        session.consume_sequence()
    assert session.entries_encrypted == 5

    KeyRotationPolicy().rotate(session)

    # NOTE(review): restarting the sequence at 1 is only safe if the key has
    # really changed. Presumably the sequence feeds nonce derivation; confirm
    # against the session code. This test does not check the key itself.
    assert session.entries_encrypted == 0
    assert session.next_sequence == 1
56